False positives: apt-daily, github runner, Slack helper, Foxit, syncthing

2025-03-05 18:27:45 +00:00 · 2023-01-19 11:52:31 -05:00 · 2023-01-19 11:52:31 -05:00 · 710ca28ed9
commit 710ca28ed9
parent e3852a1e1f
10 changed files with 15 additions and 1 deletions
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -121,6 +121,7 @@ WHERE
    '80,6,0,/usr/bash,0u,0g,update-ca-trust',
    '80,6,100,/usr/http,0u,0g,http',
    '80,6,0,/usr/gpg,0u,0g,gpg',
+    '88,6,500,/usr/syncthing,0u,0g,syncthing',
    '80,6,0,/usr/kubelet,u,g,kubelet',
    '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
    '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -285,6 +285,9 @@ WHERE
  -- There are many signing hashes for git
  AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
  AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
+  -- Github actions-runner
+  AND NOT exception_key LIKE '443,6,500,Runner.Worker,apphost-%'
+  --
  -- nix-shell infects children with open connections
  AND NOT (
    parent_cmd LIKE '%/tmp/nix-shell%'
@ -353,7 +356,7 @@ WHERE
    AND remote_port IN (53, 443, 8009, 4070, 32211)
  )
  AND NOT (
-    remote_port IN (53, 443)
+    remote_port IN (53, 80, 443)
    AND p.name LIKE 'terraform-provider-%'
  )
  AND NOT (
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -145,4 +145,5 @@ WHERE
  AND p.path NOT LIKE '/System/Library/%'
  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
  AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
+  AND NOT cmdline LIKE '%/lib/gcloud.py components update'
  AND NOT cgroup_path LIKE '/system.slice/docker-%'
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@ -45,6 +45,7 @@ WHERE
    '/usr/bin/alacritty',
    '/usr/bin/dockerd',
    '/usr/bin/fusermount3',
+    '/usr/bin/osqueryd',
    '/usr/bin/yay',
    '/usr/bin/doas',
    '/usr/bin/gnome-shell',
--- a/detection/evasion/unexpected-dev-executables-linux.sql
+++ b/detection/evasion/unexpected-dev-executables-linux.sql
@ -32,6 +32,7 @@ WHERE (
    OR file.path LIKE '/dev/shm/%/.%/%%'
  )
  AND file.type = 'regular'
+  AND file.size > 64
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
  AND (
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@ -51,6 +51,7 @@ WHERE (
      OR file.path LIKE '/tmp/kots/%'
      OR file.path LIKE '/tmp/terraformer/%'
      OR file.path LIKE '/tmp/tmp.%'
+      OR file.path LIKE '/tmp/%/dist/%'
      OR file.path LIKE '%/bin/%-gen'
      OR file.path LIKE '/tmp/%/target/debug/build/%'
      OR file.path LIKE '%/ko/%'
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -148,6 +148,7 @@ WHERE
  AND top3_homedir NOT IN (
    '~/Library/Application Support/com.elgato.StreamDeck/',
    '~/Library/Caches/snyk/',
+    '~/Library/Application Support/Foxit Software/',
    '~/Library/Application Support/BraveSoftware/'
  )
  -- Locally built executables
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -39,6 +39,7 @@ WHERE
  AND exception_key NOT IN (
    '0,nix,nix,',
    '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
+    '500,bash,com.apple.bash,Software Signing',
    '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
    '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
    '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
@ -75,6 +76,7 @@ WHERE
    '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
    '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
    '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
+    '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
    '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
    '500,syncthing,syncthing,',
    '500,terraform-provider-google-beta_v4.48.0_x5,a.out,',
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -51,6 +51,8 @@ WHERE
    'dash',
    'demoit',
    'direnv',
+    'Runner.Worker',
+    'Runner.Listener',
    'dnf',
    'doas',
    'Docker Desktop',
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@ -67,6 +67,7 @@ WHERE
        'apcupsd.service,APC UPS Power Control Daemon for Linux,,300',
        'apparmor.service,Load AppArmor profiles,,1100',
        'apport.service,LSB: automatic crash report generation,,500',
+        'apt-daily.service,Daily apt download activities,,300',
        'apt-daily.timer,Daily apt download activities,,100',
        'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,,100',
        'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,,900',