Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-11-20 13:45:50 -06:00 · 2024-11-20 13:45:50 -06:00 · a24c3d2333
parent d078e4a1ca
commit a24c3d2333
8 changed files with 15 additions and 3 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -102,6 +102,7 @@ WHERE
    'Signal Helper (Renderer),8.8.8.8,53',
    'signal-desktop,8.8.8.8,53',
    'slack,8.8.8.8,53',
+    'snapd,185.125.188.54,53',
    'Socket Process,8.8.8.8,53',
    'syncthing,46.162.192.181,53',
    'Telegram,8.8.8.8,53',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -105,7 +105,9 @@ WHERE
    '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
    '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
-    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
+    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
+    '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
+    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
  )
  AND NOT (
    unsigned_exception = '500,6,80,main,main'
@ -121,7 +123,9 @@ WHERE
      '500,0,0,chainlink,chainlink',
      '500,17,123,gvproxy,gvproxy',
      '500,0,0,,',
-      '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
+      '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
+      '500,6,443,cloud_sql_proxy,cloud_sql_proxy',
+      '500,6,32768,cloud_sql_proxy,cloud_sql_proxy'
  )
 GROUP BY
  p0.cmdline
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -56,5 +56,6 @@ WHERE
  AND p.name NOT LIKE 'osqtool%'
  AND f.path NOT LIKE '%/go/bin/%'
  AND f.path NOT LIKE '%/osqueryi'
+  AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
 GROUP by
  p.pid
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@ -49,6 +49,7 @@ WHERE
    'jpg',
    'json',
    'key',
+    'md',
    'mov',
    'mp3',
    'mp4',
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@ -155,6 +155,7 @@ rule systemd_small_multiuser_not_in_dependency_tree : high {
    $not_systemd = "ExecStart=systemd-"
    $not_lima = "Description=lima-guestagent"
    $not_check_sb = "Description=Service to check for secure boot key enrollment"
+    $not_touchee_gg = "ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/touchegg --daemon"
  condition:
    filesize < 384 and $execstart and $multiuser and none of ($not_*)
 }
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -108,6 +108,7 @@ WHERE
    'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
    'bpfilter_umh,/bpfilter_umh,0,,,',
    'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
+    'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
    'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
    'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
    'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
@ -308,6 +309,7 @@ WHERE
    'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
    'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
    'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
+    'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
    'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
    'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
    'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -351,7 +351,8 @@ WHERE -- Focus on longer-running programs
    'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
    'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
    'Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
-    'Software Signing'
+    'Software Signing',
+    'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)'
  )
  AND NOT (
    p0.path = '/Library/Printers/DYMO/Utilities/pnpd'
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@ -30,6 +30,7 @@ WHERE
    '/bin/ps',
    '/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
    '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
+    '/Library/Application Support/Google/GoogleUpdater/Current/GoogleUpdater.app/Contents/Helpers/launcher',
    '/opt/1Password/1Password-BrowserSupport',
    '/usr/lib/opt/1Password/1Password-BrowserSupport',
    '/opt/1Password/1Password-KeyringHelper',