From 335aca58b7bed6355d4089254a9e54a976af4d6e Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Thu, 7 Nov 2024 10:00:40 -0500
Subject: [PATCH] false positive reduction: apt, auditd, dockerd, etc.
---
 detection/c2/unexpected-dns-traffic-events.sql | 1 +
 detection/c2/unexpected-talkers-macos.sql | 1 +
 detection/evasion/unexpected-hidden-system-paths.sql | 1 +
 detection/persistence/unexpected-device-linux.sql | 1 +
 detection/persistence/unexpected-uid0-daemon-linux.sql | 6 ++++++
 5 files changed, 10 insertions(+)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 4b82c6e..9050025 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -87,6 +87,7 @@ WHERE
 'coredns,0.0.0.0,53',
 'coredns,8.8.8.8,53',
 'distnoted,8.8.8.8,53',
+ 'dockerd,162.159.140.238,53',
 'EpicWebHelper,8.8.4.4,53',
 'EpicWebHelper,8.8.8.8,53',
 'gvproxy,170.247.170.2,53',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 90c23a8..005a4ac 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -95,6 +95,7 @@ WHERE pos.pid IN (
 '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
 '500,Developer ID Application: Cisco (DE8Y96K9QP)',
 '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+ '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
 '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
 '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
 )
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 492cb59..c3c98a1 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
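Review bot: The new `dockerd` row exempts DNS to 162.159.140.238 without recording where that resolver comes from, while every neighbouring row in this hunk uses a resolver a reader recognises on sight (8.8.8.8, 8.8.4.4, 0.0.0.0). The address appears to fall in Cloudflare-operated space, presumably the upstream DNS configured for the Docker daemon on the host where this was observed, but that is inferred rather than visible here. I would add `-- dockerd: host-configured upstream resolver (Cloudflare range); re-verify if the host DNS config changes` directly above the row so the next person auditing this list can tell a deliberate exception from a stale one. Keeping the match pinned to process, IP and port, rather than widening to any port-53 traffic from dockerd, is the right call: the daemon's name is an easy thing for something running beside it to hide behind.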
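Review bot: The Sky UK row admits outbound traffic from any uid-500 process whose signing authority matches that Developer ID team, to any destination, and nothing records which Sky application produced the connections that triggered it. That granularity matches the neighbouring Zoom, Cisco and Google rows, so it is consistent, but an authority string is only a strong key when the enclosing query also requires the signature to validate (a `signed = 1` style condition on the signature join); the head of this WHERE clause is outside the hunk, so please confirm that check is present. Add `-- Sky UK (GJ24C8864F): <observed app> client` above the row, filling in the application name that was actually seen.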
@@ -64,6 +64,7 @@ WHERE
 '/dev/.mdadm/',
 '/.equarantine/',
 '/etc/.bootcount',
+ '/dev/.blkid.tab',
 '/etc/.clean',
 '/etc/.java/',
 '/etc/.resolv.conf.systemd-resolved.bak',
diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql
index a1726e6..ee3b403 100644
--- a/detection/persistence/unexpected-device-linux.sql
+++ b/detection/persistence/unexpected-device-linux.sql
@@ -143,6 +143,7 @@ WHERE (
 '/dev/kmsg,character',
 '/dev/kvm,character',
 '/dev/libmtp--.,character',
+ '/dev/libmtp--,character',
 '/dev/log,socket',
 '/dev/loop,block',
 '/dev/loop-control,character',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 9a9c24b..d6b0dcb 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -92,11 +92,13 @@ WHERE
 'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
 'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
 'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
+ 'apt,/usr/bin/apt,0,user.slice,user-1000.slice,0755',
 'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
 'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
 'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
 'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
+ 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
 'blueman-mechanism.service,Bluetooth management mechanism,,200',
 'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
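Review bot: Nothing explains why the added `/dev/libmtp--,character` row and the existing `/dev/libmtp--.,character` row both need to exist, since they differ only by a trailing `.`; that only makes sense if the query compares a digit-stripped form of the device name (`/dev/libmtp-<bus>-<dev>` with and without a `.<interface>` suffix), and that normalisation is not visible in this hunk. A one-line comment above the pair, such as `-- libmtp MTP device nodes after digit stripping: /dev/libmtp-B-D and /dev/libmtp-B-D.I`, would stop the next maintainer from reading one of them as a typo and deleting it. If the enclosing query does not strip digits, the new row matches nothing and the exception needs a different form; the head of the WHERE clause is outside this hunk.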
@@ -134,6 +136,7 @@ WHERE
 'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
 'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
 'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
+ 'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
 'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
@@ -292,6 +295,7 @@ WHERE
 'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
 'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
 'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
+ 'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
 'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
 'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
 'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
@@ -302,6 +306,7 @@ WHERE
 'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
 'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
 'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
+ 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
 'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
 'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
 'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
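Review bot: The new `su` row exempts a `/usr/bin/su` process carrying 1000 in the uid field while sitting in `user-0.slice`; if that third field is the real uid and the last cgroup is the login slice, as the neighbouring `sudo`/`doas` rows suggest, this is an unprivileged user running su from inside root's own login session (root dropped to uid 1000 with `su - user`, then su back). That is a plausible workstation habit, but it is also exactly the shape a privilege hop takes during lateral movement, and the row records nothing about the observation that justified it. Put `-- su back to root from a shell root opened via 'su - user' (uid 1000 inside root's session slice)` above the row, worded to match what was actually seen, so the entry gets re-evaluated rather than silently kept. If it came from a single host, consider whether a tighter condition on the parent process or session scope in the enclosing query, which is outside this hunk, would cover the same case without exempting every such hop.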
@@ -330,6 +335,7 @@ WHERE
 'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
 'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
+ 'whiptail,/usr/bin/whiptail,0,user.slice,user-1000.slice,0755',
 'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
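Review bot: `whiptail` is a generic dialog renderer that any root-run script can exec (debconf during `sudo apt`, installer and configuration scripts alike), so exempting it on name and path alone hides every root TUI prompt in the user-1000 session, not only the package-manager case this commit is targeting. That is probably acceptable for a daemon-oriented detection, but the row should say what produced it: `-- whiptail: debconf dialogs spawned by sudo apt in the user session`, adjusted if a different caller was the actual source. The `apt` row added earlier in this patch is the likely parent; if the enclosing query exposes the parent process, keying on it would keep this exception narrower.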