From 9f4b8a0b69c37b97b4900d08256a5a8ff4935e82 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 16 Oct 2024 09:44:19 -0400
Subject: [PATCH] refactor to reduce false positives
---
 detection/c2/unexpected-dns-traffic-events.sql | 2 ++
 detection/evasion/hidden-launchd-files-macos.sql | 2 +-
 ...ed-long-running-security-framework-macos.sql} | 16 +++++++++-------
 3 files changed, 12 insertions(+), 8 deletions(-)
 rename detection/execution/{unexpected-security-framework-program-macos.sql => unexpected-long-running-security-framework-macos.sql} (96%)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 044f5e7..b42e46f 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -62,6 +62,7 @@ WHERE
 )
 -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
 AND s.remote_address NOT IN (
+ '1.1.1.1', -- Cloudflare
 '100.100.100.100', -- Tailscale Magic DNS
 '208.67.220.123', -- OpenDNS FamilyShield
 '75.75.75.75', -- Comcast
@@ -122,6 +123,7 @@ WHERE
 'limactl',
 'mDNSResponder',
 'melange',
+ 'syncthing',
 'nessusd',
 'nuclei',
 'systemd-resolved',
diff --git a/detection/evasion/hidden-launchd-files-macos.sql b/detection/evasion/hidden-launchd-files-macos.sql
index 7d4b2d0..2fea61f 100644
--- a/detection/evasion/hidden-launchd-files-macos.sql
+++ b/detection/evasion/hidden-launchd-files-macos.sql
@@ -38,6 +38,6 @@ WHERE
 )
 -- Kandji temp file
 AND NOT (
- file.filename LIKE '/Library/LaunchAgents/.dat.nosync%'
+ file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
 AND size = 242
 )
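Review bot: `'1.1.1.1'` is a widely used public resolver, so allowlisting it by address alone exempts every process that resolves through Cloudflare from this rule, a far broader exemption than the Tailscale, OpenDNS FamilyShield or Comcast entries beside it. If the false positives come from specific applications, the per-process name list in the second hunk of this file is the narrower place to put them; if the address-level exemption is intended, say so on the line, e.g. `'1.1.1.1', -- Cloudflare public resolver; exempts any process that uses it`. The NOT IN list closes outside this hunk and the enclosing query starts before it.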
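Review bot: `'syncthing'` is inserted between `'melange'` and `'nessusd'`, which breaks the case-insensitive alphabetical order the rest of this name list keeps (`limactl`, `mDNSResponder`, `melange`, `nessusd`, `nuclei`, `systemd-resolved`); it belongs between `'nuclei'` and `'systemd-resolved'`. Keeping the list sorted makes duplicate and stale exceptions visible at a glance. The list and the enclosing query both extend beyond this hunk.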
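Review bot: The switch from `file.filename` to `file.path` deserves a word in the comment above it, because in osquery's `file` table `filename` appears to hold only the basename, which means the previous directory-prefixed pattern could never match and this Kandji carve-out was effectively dead until now; a future reader may otherwise "simplify" it back. Something like `-- Kandji temp file (matched on full path; 242-byte file)` records both the reason for `file.path` and why the size is pinned. The enclosing WHERE clause starts outside this hunk.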
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql similarity index 96% rename from detection/execution/unexpected-security-framework-program-macos.sql rename to detection/execution/unexpected-long-running-security-framework-macos.sql index ff5e89a..ec436f7 100644 --- a/detection/execution/unexpected-security-framework-program-macos.sql +++ b/detection/execution/unexpected-long-running-security-framework-macos.sql @@ -65,24 +65,23 @@ WHERE -- Regular apps AND NOT path LIKE '/Applications/%.app/%' -- Other oddball binary paths - AND NOT path LIKE '/opt/homebrew/Cellar/%' + AND NOT path LIKE '/opt/%' AND NOT path LIKE '/usr/local/Cellar/%/bin/%' - AND NOT path LIKE '/Users/%/go/src/%/%.test' - AND NOT ( - path LIKE '/Users/%/homebrew/Cellar/%' - AND name IN ('limactl', 'Python', 'bash') - ) + AND NOT path LIKE '/Users/%/go/%' + AND NOT path LIKE '/Users/%/dev/%' + AND NOT path LIKE '/Users/%/src/%' + AND NOT path LIKE '/Users/%/homebrew/Cellar/%' AND NOT ( path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu' AND name = 'cpu' ) - AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet') ) AND pmm.path LIKE '%Security.framework%' AND exception_key NOT IN ( '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,nix,nix,', + '500,dirmngr,dirmngr,', '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', 
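Review bot: The new path carve-outs (`/opt/%`, `/Users/%/go/%`, `/Users/%/dev/%`, `/Users/%/src/%`, and the now-unconditional `/Users/%/homebrew/Cellar/%`) exclude any long-running Security.framework-linked binary under these user-writable directories regardless of name or signer, whereas the replaced version at least restricted the Cellar match to `name IN ('limactl', 'Python', 'bash')`. If that coverage trade-off is deliberate, record it above the block, e.g. `-- Developer checkouts and /opt are user-writable; excluded wholesale to cut noise, at the cost of missing binaries dropped there`, or keep a name restriction on the broadest patterns. Separately, `'500,dirmngr,dirmngr,'` is inserted among the `0,` entries of the exception_key list while its sibling `'500,dirmngr,,'` in the `@@ -156,6 +155,7 @@` hunk lands between the `ko` entries; both would be easier to audit grouped in alphabetical order within the 500 section. The enclosing WHERE clause starts and ends outside this hunk.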
@@ -156,6 +155,7 @@ WHERE
 '500,keyboxd,,',
 '500,keyboxd,keyboxd,',
 '500,ko,,',
+ '500,dirmngr,,',
 '500,ko,a.out,',
 '500,kubectl,a.out,',
 '500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
@@ -243,6 +243,8 @@ WHERE
 AND p0.path LIKE '/Users/%/go/bin/%'
 )
 AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
+ AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
+ AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
 AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
 AND NOT exception_key LIKE '500,___%,a.out,'
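Review bot: `'500,lifx-streamdeck,lifx-streamdeck-%'` has no trailing `,` unlike every neighbouring pattern, so its `%` also swallows the last field, which in the other entries appears to carry the signing authority (`Developer ID Application: ...`), and the exception then matches that process with any signer or none; the sibling added just above, `'500,sm-agent,sm_agent-%,'`, pins that field to empty. If the omission is unintended, `AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%,'` keeps the exception as narrow as the rest; if the binary is signed, pin the authority string instead of leaving it open. The enclosing WHERE clause continues outside this hunk.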