refactor to reduce false positives

2024-12-22 13:52:07 +00:00 · 2024-10-16 09:44:19 -04:00 · 2024-10-16 09:44:19 -04:00 · 9f4b8a0b69
commit 9f4b8a0b69
parent 14a9098a9a
3 changed files with 12 additions and 8 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -62,6 +62,7 @@ WHERE
  )
  -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
  AND s.remote_address NOT IN (
+    '1.1.1.1', -- Cloudflare
    '100.100.100.100', -- Tailscale Magic DNS
    '208.67.220.123', -- OpenDNS FamilyShield
    '75.75.75.75', -- Comcast
@ -122,6 +123,7 @@ WHERE
    'limactl',
    'mDNSResponder',
    'melange',
+    'syncthing',
    'nessusd',
    'nuclei',
    'systemd-resolved',
--- a/detection/evasion/hidden-launchd-files-macos.sql
+++ b/detection/evasion/hidden-launchd-files-macos.sql
@ -38,6 +38,6 @@ WHERE
  )
  -- Kandji temp file
  AND NOT (
-    file.filename LIKE '/Library/LaunchAgents/.dat.nosync%'
+    file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
    AND size = 242
  )
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@ -65,24 +65,23 @@ WHERE
      -- Regular apps
      AND NOT path LIKE '/Applications/%.app/%'
      -- Other oddball binary paths
-      AND NOT path LIKE '/opt/homebrew/Cellar/%'
+      AND NOT path LIKE '/opt/%'
      AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
-      AND NOT path LIKE '/Users/%/go/src/%/%.test'
-      AND NOT (
-        path LIKE '/Users/%/homebrew/Cellar/%'
-        AND name IN ('limactl', 'Python', 'bash')
-      )
+      AND NOT path LIKE '/Users/%/go/%'
+      AND NOT path LIKE '/Users/%/dev/%'
+      AND NOT path LIKE '/Users/%/src/%'
+      AND NOT path LIKE '/Users/%/homebrew/Cellar/%'
      AND NOT (
        path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
        AND name = 'cpu'
      )
-      AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet')
  )
  AND pmm.path LIKE '%Security.framework%'
  AND exception_key NOT IN (
    '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
    '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
    '0,nix,nix,',
+    '500,dirmngr,dirmngr,',
    '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
@ -156,6 +155,7 @@ WHERE
    '500,keyboxd,,',
    '500,keyboxd,keyboxd,',
    '500,ko,,',
+    '500,dirmngr,,',
    '500,ko,a.out,',
    '500,kubectl,a.out,',
    '500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
@ -243,6 +243,8 @@ WHERE
    AND p0.path LIKE '/Users/%/go/bin/%'
  )
  AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
+  AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
+  AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
  AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
  AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
  AND NOT exception_key LIKE '500,___%,a.out,'