From a24c3d23335586cb2383439dea6cc562c43acc51 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 20 Nov 2024 13:45:50 -0600
Subject: [PATCH 1/2] Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-dns-traffic-events.sql | 1 +
 detection/c2/unexpected-talkers-macos.sql | 8 ++++++--
 detection/evasion/touched-executable-linux.sql | 1 +
 detection/initial_access/unexpected-webmail-downloads.sql | 1 +
 detection/persistence/suspicious-systemd-unit.sql | 1 +
 detection/persistence/unexpected-uid0-daemon-linux.sql | 2 ++
 detection/persistence/unexpected-uid0-daemon-macos.sql | 3 ++-
 detection/privesc/unexpected-setxid-process.sql | 1 +
 8 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index a3a3aec..76dee1d 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -102,6 +102,7 @@ WHERE
     'Signal Helper (Renderer),8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
+    'snapd,185.125.188.54,53',
     'Socket Process,8.8.8.8,53',
     'syncthing,46.162.192.181,53',
     'Telegram,8.8.8.8,53',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index efca1d5..4f125de 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -105,7 +105,9 @@ WHERE
     '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
     '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
-    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
+    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
+    '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
+    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
   )
   AND NOT (
     unsigned_exception = '500,6,80,main,main'
@@ -121,7 +123,9 @@ WHERE
     '500,0,0,chainlink,chainlink',
     '500,17,123,gvproxy,gvproxy',
     '500,0,0,,',
-    '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
+    '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
+    '500,6,443,cloud_sql_proxy,cloud_sql_proxy',
+    '500,6,32768,cloud_sql_proxy,cloud_sql_proxy'
   )
 GROUP BY
   p0.cmdline
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index fb3ceda..40e766b 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -56,5 +56,6 @@ WHERE
   AND p.name NOT LIKE 'osqtool%'
   AND f.path NOT LIKE '%/go/bin/%'
   AND f.path NOT LIKE '%/osqueryi'
+  AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
 GROUP by
   p.pid
diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
index a6d2d86..e8fd403 100644
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -49,6 +49,7 @@ WHERE
     'jpg',
     'json',
     'key',
+    'md',
     'mov',
     'mp3',
     'mp4',
diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
index 0831604..0fb9008 100644
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@@ -155,6 +155,7 @@ rule systemd_small_multiuser_not_in_dependency_tree : high {
     $not_systemd = "ExecStart=systemd-"
     $not_lima = "Description=lima-guestagent"
     $not_check_sb = "Description=Service to check for secure boot key enrollment"
+    $not_touchee_gg = "ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/touchegg --daemon"
   condition:
     filesize < 384 and $execstart and $multiuser and none of ($not_*)
 }
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 8e2ae9c..24b2df4 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -108,6 +108,7 @@ WHERE
     'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
     'bpfilter_umh,/bpfilter_umh,0,,,',
     'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
+    'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
     'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
     'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
     'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
@@ -308,6 +309,7 @@ WHERE
     'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
     'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
     'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
+    'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
     'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
     'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
     'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index f389bea..312a448 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -351,7 +351,8 @@ WHERE -- Focus on longer-running programs
     'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
     'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
     'Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
-    'Software Signing'
+    'Software Signing',
+    'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)'
   )
   AND NOT (
     p0.path = '/Library/Printers/DYMO/Utilities/pnpd'
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index 140de8e..8f52134 100644
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@@ -30,6 +30,7 @@ WHERE
     '/bin/ps',
     '/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
     '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
+    '/Library/Application Support/Google/GoogleUpdater/Current/GoogleUpdater.app/Contents/Helpers/launcher',
     '/opt/1Password/1Password-BrowserSupport',
     '/usr/lib/opt/1Password/1Password-BrowserSupport',
     '/opt/1Password/1Password-KeyringHelper',

From 78ec36eca0a0d10160145d4bb526b164a50a3d4a Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 20 Nov 2024 14:02:05 -0600
Subject: [PATCH 2/2] Add elastic-endpoint

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/evasion/touched-executable-linux.sql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 40e766b..dda67a0 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -57,5 +57,6 @@ WHERE
   AND f.path NOT LIKE '%/go/bin/%'
   AND f.path NOT LIKE '%/osqueryi'
   AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
+  AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
 GROUP by
   p.pid
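Review bot: The two `cloud_sql_proxy` keys added to the unsigned-exception list in the second hunk of unexpected-talkers-macos.sql (after `.Telegram-wrapped`) are keyed only on uid, protocol, remote port and process name, so the exemption applies to any unsigned binary that carries that name on those ports rather than to the Cloud SQL proxy install that produced the alert. The `32768` entry also looks like an arbitrary high remote port rather than a stable service port; it is worth confirming it recurs before keeping it, since the `443` entry may be all that is needed. A path-scoped condition alongside the key (the query already exposes the process as `p0`, as `GROUP BY p0.cmdline` shows) or at least a `--` comment recording where the proxy was installed would make the exception reviewable later. The enclosing WHERE clause begins outside the hunk.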
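Review bot: The new `f.path NOT LIKE '/tmp/%/.terraform/providers/%'` line in touched-executable-linux.sql exempts every file under a world-writable prefix: the wildcard after `/tmp/` lets any local user choose the directory and the trailing `%` accepts any filename, which is a wide gap in a rule whose purpose is to surface modified executables. The Terraform plugin-cache layout the commit message refers to always ends in a `terraform-provider-` binary, so the pattern can be narrowed without losing the intended case: `AND f.path NOT LIKE '/tmp/%/.terraform/providers/%/terraform-provider-%'`. The enclosing WHERE clause begins outside the hunk.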
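Review bot: The new YARA string identifier `$not_touchee_gg` in suspicious-systemd-unit.sql misspells the program it exempts (touchegg); `$not_touchegg` would match the naming of the neighbouring `$not_lima` and `$not_check_sb` and still be picked up by `none of ($not_*)`. The string itself only matches a unit file that still contains the raw CMake placeholder `@CMAKE_INSTALL_FULL_BINDIR@`, i.e. an unconfigured template; a unit installed by a distribution package will carry the substituted install path and will keep alerting. If properly installed units are meant to be exempt too, a second string or a regex anchored on `/touchegg --daemon` is needed, and a short comment noting that the placeholder form is what was actually observed would explain the otherwise surprising literal.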
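Review bot: The `cat,/usr/bin/cat,0,user.slice,user-0.slice,0755` key added in the first hunk of unexpected-uid0-daemon-linux.sql exempts every long-lived root `cat` in the root login slice, not the particular workload that tripped the rule; `cat` is a generic utility, so this key cannot be tied back to a known-good program the way the `boltd` or `canonical-livepatchd` entries around it can. The `sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111` key in the second hunk is similar: a uid-1001 `sudo` living inside `user-0.slice` suggests a root session that switched to another account and elevated again, which is close to what the rule exists to surface. Both entries would benefit from a `--` comment naming the host or provisioning step that produced them so the next maintainer can judge whether they are still needed, and from a tighter key if the rule's key format allows a cmdline or parent constraint. The exception lists in both hunks begin outside the hunk.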
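Review bot: The new PaperCut entry in unexpected-uid0-daemon-macos.sql is appended after `'Software Signing'`, whereas the visible `Developer ID Application:` lines above it (Tenable, X-Rite, Y Soft) appear to be kept in alphabetical order with `'Software Signing'` closing the list. Inserting `'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)',` before the Tenable line keeps the list scannable and avoids touching the last element's trailing comma each time a signer is added. The surrounding list begins outside the hunk.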
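Review bot: The line added by the second patch to touched-executable-linux.sql, `f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'`, contains no wildcard, so it is an exact comparison written as a pattern; either make that explicit with `AND f.path != '/var/opt/Elastic/Endpoint/elastic-endpoint'` or add the trailing `%` if the intent was to cover the whole `/var/opt/Elastic/Endpoint/` directory. A one-line `--` comment stating why the Elastic Endpoint binary legitimately trips a modified-executable rule would also help the next reader decide whether the exception can be retired. The enclosing WHERE clause begins outside the hunk.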