Remove some false positives

2022-10-17 17:31:47 -04:00 · 2022-10-17 17:31:47 -04:00 · 58dec12a49
parent 9c233f5248
commit 58dec12a49
6 changed files with 42 additions and 99 deletions
--- a/detection/c2/unexpected-listening-port-macos.sql
+++ b/detection/c2/unexpected-listening-port-macos.sql
@ -89,6 +89,7 @@ WHERE
    '49152,6,500,GarageBand,Apple Mac OS Application Signing',
    '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
    '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+    '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    '49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    '49152,6,500,Music,Software Signing',
    '49152,6,500,node,',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -195,6 +195,7 @@ WHERE
    '443,6,500,gh',
    '443,6,500,git-remote-http',
    '443,6,500,gitsign',
+    '443,6,0,trivy',
    '443,6,500,gnome-shell',
    '443,6,500,gnome-software',
    '443,6,500,go',
--- a/detection/credentials/unexpected-sensitive-file-access-linux.sql
+++ b/detection/credentials/unexpected-sensitive-file-access-linux.sql
@ -71,6 +71,7 @@ WHERE
    file_uid == process_uid
    AND exception_key IN (
      'aws,aws,~/.aws',
+      'python3,python3,~/.config/gcloud',
      'chrome_crashpad_handler,chrome_crashpad,',
      'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
      'chrome,chrome,~/.config/google-chrome',
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@ -29,3 +29,5 @@ WHERE
  p.time > (strftime('%s', 'now') -30)
  AND file.size > 0
  AND file.size < 10000
+  -- Removes a false-positive we've seen on Linux, generated through 'runc init'
+  AND NOT (p.path = "/" AND file.size = 4096)
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -7,8 +7,7 @@
 --   * Backup software
 --
 -- tags: transient process
-SELECT
-  p.name,
+SELECT p.name,
  p.path,
  p.cmdline,
  p.on_disk,
@ -19,11 +18,9 @@ SELECT
  p.cwd,
  (strftime('%s', 'now') - start_time) AS age,
  disk_bytes_read / (strftime('%s', 'now') - start_time) AS bytes_per_second
-FROM
-  processes p
+FROM processes p
  LEFT JOIN hash ON p.path = hash.path
-WHERE
-  bytes_per_second > 2000000
+WHERE bytes_per_second > 2000000
  AND age > 180
  AND p.path NOT LIKE '/Applications/%.app/Contents/%'
  AND p.path NOT LIKE '/System/Library/%'
@ -31,26 +28,37 @@ WHERE
  AND p.path NOT LIKE '/Library/Apple/System/Library/%'
  AND name NOT IN (
    'bash',
+    'chrome',
    'emacs',
    'firefox',
    'fish',
-    'gopls',
    'GoogleSoftwareUpdateAgent',
-    'nautilus',
-    'qemu-system-x86-64',
-    'qemu-system-x86',
-    'slack',
+    'gopls',
    'java',
-    'wineserver',
+    'launcher',
+    'LogiFacecamService',
+    'nautilus',
    'nix',
-    'ykman-gui',
    'osqueryd',
+    'qemu-system-x86',
+    'qemu-system-x86-64',
+    'slack',
+    'wineserver',
+    'ykman-gui',
    'zsh'
  )
-  AND NOT (
-    name = 'aned'
-    AND cmdline = '/usr/libexec/aned'
-    AND parent = 1
+  AND NOT p.path IN (
+    '/usr/bin/gnome-shell',
+    '/usr/bin/udevadm',
+    '/usr/libexec/aned',
+    '/usr/libexec/logd',
+    '/usr/libexec/packagekitd',
+    '/usr/libexec/PerfPowerServices',
+    '/usr/libexec/signpost_reporter',
+    '/usr/libexec/syspolicyd',
+    '/usr/lib/systemd/systemd',
+    '/usr/sbin/spindump',
+    '/usr/sbin/systemstats'
  )
  AND NOT (
    name = 'bindfs'
@ -60,10 +68,6 @@ WHERE
    name = 'jetbrains-toolb'
    AND p.path LIKE '/tmp/.mount_jet%/jetbrains-toolbox'
  )
-  AND NOT (
-    name = 'chrome'
-    AND p.path = '/opt/google/chrome/chrome'
-  )
  AND NOT (
    name = 'com.apple.MobileSoftwareUpdate.UpdateBrainService'
    AND p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.MobileSoftwareUpdate.UpdateBrainService.%.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.UpdateBrainService'
@ -76,91 +80,24 @@ WHERE
    name = 'go'
    AND cmdline LIKE 'go run %'
  )
-  AND NOT (
-    name = 'gopls'
-    AND p.path LIKE '/home/%/bin/gopls'
-  )
-  AND NOT (
-    name = 'gopls'
-    AND p.path LIKE '/home/%/gopls/gopls'
-  )
-  AND NOT (
-    name = 'gopls'
-    AND p.path LIKE '/Users/%/bin/gopls'
-  )
-  AND NOT (
-    name = 'gopls'
-    AND p.path LIKE '/Users/%/gopls/gopls'
-  )
  AND NOT (
    name = 'kernel_task'
    AND p.path = ''
    AND parent IN (0, 1)
    AND on_disk = -1
  )
-  AND NOT (
-    name = 'launcher'
-    AND p.path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
-  )
-  AND NOT (
-    name = 'logd'
-    AND cmdline = '/usr/libexec/logd'
-    AND parent = 1
-  )
-  AND NOT (name = 'LogiFacecamService')
  AND NOT (
    name = 'node'
    AND cwd LIKE '%/console-ui/app'
  )
-  AND NOT (
-    name = 'osqueryd'
-    AND p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
-  )
-  AND NOT (
-    name = 'packagekitd'
-    AND p.path = '/usr/libexec/packagekitd'
-  )
-  AND NOT (
-    name = 'PerfPowerServices'
-    AND p.path = '/usr/libexec/PerfPowerServices'
-  )
  AND NOT (
    name = 'ruby'
    AND cmdline LIKE '%brew.rb upgrade'
  )
-  AND NOT (
-    name = 'signpost_reporter'
-    AND cmdline = '/usr/libexec/signpost_reporter'
-    AND parent = 1
-  )
-  AND NOT (
-    name = 'snapd'
-    AND p.path = '/usr/lib/snaptd/snaptd'
-  )
-  AND NOT (
-    name = 'spindump'
-    AND p.path = '/usr/sbin/spindump'
-  )
-  AND NOT (
-    name = 'syspolicyd'
-    AND p.path = '/usr/libexec/syspolicyd'
-    AND parent = 1
-  )
-  AND NOT (
-    name = 'systemd-udevd'
-    AND p.path = '/usr/bin/udevadm'
-  )
-  AND NOT (
-    name = 'systemd'
-    AND p.path = '/usr/lib/systemd/systemd'
-  )
-  AND NOT (
-    name = 'systemstats'
-    AND p.path = '/usr/sbin/systemstats'
-  )
-  AND NOT (p.path = '/usr/bin/gnome-shell')
  AND NOT (
    name = 'terraform-ls'
    AND cmdline LIKE 'terraform-ls serve%'
  )
-  AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
+  AND NOT (
+    p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java'
+  )
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -30,33 +30,35 @@ WHERE
    'alacritty',
    'bash',
    'build-script-build',
+    'chezmoi',
    'clang-11',
-    'Code - Insiders Helper (Renderer)',
    'Code Helper (Renderer)',
+    'Code - Insiders Helper (Renderer)',
    'collect2',
    'conmon',
    'containerd-shim',
    'dash',
    'demoit',
    'direnv',
-    'chezmoi',
+    'doas',
+    'electron',
    'find',
    'FinderSyncExtension',
    'fish',
    'go',
    'goland',
+    'helm',
    'java',
    'ko',
    'kubectl',
-    'doas',
    'make',
    'monorail',
-    'nix-daemon',
    'nix',
    'nix-build',
-    'package_script_service',
+    'nix-daemon',
    'node',
    'nvim',
+    'package_script_service',
    'perl',
    'PK-Backend',
    'python',
@ -64,18 +66,17 @@ WHERE
    'sdzoomplugin',
    'sh',
    'skhd',
+    'sshd',
    'swift',
    'systemd',
-    'helm',
    'terminator',
    'test2json',
-    'tmux:server',
    'tmux',
+    'tmux:server',
    'vi',
    'vim',
    'watch',
    'wezterm-gui',
-    'sshd',
    'xargs',
    'xcrun',
    'xfce4-terminal',