From b121d1f96c68b575ab3cdc94bad893bb9756ea74 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 31 Oct 2024 15:31:34 -0500
Subject: [PATCH] More exceptions to cut down on alert noise
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 .../c2/unexpected-dns-traffic-events.sql | 32 ++++++++++---------
 detection/c2/unexpected-talkers-linux.sql | 1 +
 detection/c2/unexpected-talkers-macos.sql | 7 ++++
 detection/evasion/hidden-executable.sql | 2 ++
 .../unexpected-hidden-system-paths.sql | 1 +
 ...-long-running-security-framework-macos.sql | 1 +
 .../unexpected-diskimage-source-macos.sql | 1 +
 .../unexpected-chrome-extensions.sql | 3 +-
 .../unexpected-uid0-daemon-linux.sql | 1 +
 9 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 213523e..4b82c6e 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -76,38 +76,40 @@ WHERE
 -- Exceptions that specifically talk to one server
 AND exception_key NOT IN (
- 'AssetCacheLocatorService,0.0.0.0,53',
- 'CapCut,8.8.8.8,53',
- 'EpicWebHelper,8.8.4.4,53',
- 'EpicWebHelper,8.8.8.8,53',
- 'Meeting Center,8.8.8.8,53',
- 'ServiceExtension,8.8.8.8,53',
- 'Signal Helper (Renderer),8.8.8.8,53',
- 'Socket Process,8.8.8.8,53',
- 'Telegram,8.8.8.8,53',
- 'WebexHelper,8.8.8.8,53',
- 'WhatsApp,1.1.1.1,53',
- 'ZaloCall,8.8.8.8,53',
- 'ZoomPhone,200.48.225.130,53',
- 'ZoomPhone,8.8.8.8,53',
 'adguard_dns,1.0.0.1,53',
+ 'AssetCacheLocatorService,0.0.0.0,53',
 'brave,8.8.8.8,53',
+ 'CapCut,8.8.8.8,53',
 'cg,108.177.98.95,53',
+ 'ChatGPT,8.8.8.8,53',
 'com.docker.backend,8.8.8.8,53',
 'com.docker.vpnkit,8.8.8.8,53',
 'coredns,0.0.0.0,53',
 'coredns,8.8.8.8,53',
 'distnoted,8.8.8.8,53',
+ 'EpicWebHelper,8.8.4.4,53',
+ 'EpicWebHelper,8.8.8.8,53',
 'gvproxy,170.247.170.2,53',
 'helm,185.199.108.133,53',
 'limactl,8.8.8.8,53',
+ 'Meeting Center,8.8.8.8,53',
 'msedge,8.8.8.8,53',
 'nuclei,1.0.0.1,53',
 'plugin-container,8.8.8.8,53',
+ 'ServiceExtension,8.8.8.8,53',
+ 'Signal Helper (Renderer),8.8.8.8,53',
 'signal-desktop,8.8.8.8,53',
 'slack,8.8.8.8,53',
+ 'Socket Process,8.8.8.8,53',
 'syncthing,46.162.192.181,53',
- 'zed,8.8.8.8,53'
+ 'Telegram,8.8.8.8,53',
+ 'WebexHelper,8.8.8.8,53',
+ 'WhatsApp,1.1.1.1,53',
+ 'ZaloCall,8.8.8.8,53',
+ 'zed,8.8.8.8,53',
+ 'ZoomPhone,200.48.225.130,53',
+ 'ZoomPhone,200.48.225.146,53',
+ 'ZoomPhone,8.8.8.8,53'
 )
 -- Local DNS servers and custom clients go here
 AND basename NOT IN (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index d63bffa..8245c83 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
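Review bot: `'ZoomPhone,200.48.225.146,53'` adds a second non-public resolver address for ZoomPhone with nothing recording where that host comes from, and because `exception_key` is only `basename,remote_address,remote_port`, any process that names itself `ZoomPhone` (or `ChatGPT`, for the other new entry) is excused for port-53 traffic to that address. The 200.48.225.130/.146 pair reads like a site or ISP resolver rather than vendor infrastructure (inferred from the addresses, not shown here); if so it belongs in the `-- Local DNS servers and custom clients go here` list that follows, not in the per-server list. At minimum give the entry a provenance comment, e.g. `'ZoomPhone,200.48.225.146,53', -- <site/ISP> resolver seen on one host; revisit`, so the next person pruning this list can tell whether it is still warranted. The `NOT IN (...)` predicate starts above this hunk and the enclosing `WHERE` continues below it.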
@@ -188,6 +188,7 @@ WHERE protocol > 0
 '8080,6,500,brave,0u,0g,brave',
 '8080,6,500,chrome,0u,0g,chrome',
 '8080,6,500,firefox,0u,0g,firefox',
+ '8080,6,500,idea,0u,0g,idea',
 '8080,6,500,python3.11,0u,0g,speedtest-cli',
 '8080,6,500,speedtest,500u,500g,speedtest',
 '8443,6,500,chrome,0u,0g,chrome',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 6b8962e..e73bfee 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -104,6 +104,7 @@ WHERE pos.pid IN (
 )
 AND NOT (
 unsigned_exception IN (
+ '500,6,0,gvproxy,gvproxy',
 '500,6,32768,gvproxy,gvproxy',
 '500,17,123,gvproxy,gvproxy'
 )
@@ -115,4 +116,10 @@ WHERE pos.pid IN (
 AND remote_port = 0
 AND protocol = 0
 )
+ AND NOT (
+ unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
+ AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
+ AND remote_port = 0
+ AND protocol = 0
+ )
 GROUP BY p0.cmdline
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index f46736c..3dc3c31 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -115,6 +115,7 @@ WHERE (
 AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
 AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
 AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
+ AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'
 AND NOT f.path LIKE '/nix/store/%/%-wrapped'
 AND NOT (
 f.path LIKE '/nix/store/%'
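Review bot: `'8080,6,500,idea,0u,0g,idea'` excuses any uid-500 process whose basename is `idea` for TCP/8080 to any remote host, since the key carries no remote address, and 8080 is a common alternate HTTP and C2 listener port while `idea` is a trivially chosen process name. The neighbouring browser entries have the same shape, so this follows file convention, but a build tool's launcher is a more attractive name to borrow than `chrome`. If this query exposes the executable path as the macOS counterpart does with `p0.path`, prefer a path-scoped exception over a basename-only key; otherwise add `-- IntelliJ IDEA; basename-only, any remote on 8080` so the breadth is visible to the next reviewer. The `IN (...)` list and its enclosing `WHERE` begin above and end below this hunk.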
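Review bot: `AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'` keys the exception on a volume name, and a volume name is set by whoever built the disk image, so a DMG named `com.getdropbox.dropbox-anything` would have every hidden executable under it skipped by this rule. The other exceptions in this run are anchored to fixed vendor or package-manager directories, not to attacker-nameable mount points. Narrow the pattern to the subdirectory the Dropbox installer actually places hidden files in (not visible from this hunk, so confirm against a real mount), and note the weakness inline, e.g. `-- Dropbox installer DMG; volume name is not trustworthy, keep the suffix tight`. The surrounding `WHERE (` predicate starts and ends outside this hunk.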
@@ -124,4 +125,5 @@ WHERE (
 AND NOT homedir LIKE '~/.local/share/AppImage/ZenBrowser.AppImage'
 AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
 AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
+ AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS'
 GROUP BY f.path
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index bc3c55a..492cb59 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -218,6 +218,7 @@ WHERE
 AND file.path NOT LIKE '%/.build-id/'
 AND file.path NOT LIKE '%/.dwz/'
 AND file.path NOT LIKE '%/.updated'
+ AND file.path NOT LIKE '/tmp/.dropbox-dist-%'
 AND file.filename NOT LIKE '.%.swo'
 AND file.filename NOT LIKE '.%.swp'
 AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 5927884..1a7e48b 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -97,4 +97,5 @@ WHERE -- Focus on longer-running programs
 AND NOT exception_key LIKE '500,___Test%.test,a.out'
 AND NOT exception_key LIKE '500,nvim,bob-%,'
 AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
+ AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
 GROUP BY p0.pid
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index 225e93e..bdd9a2f 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
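Review bot: `AND NOT file.path NOT LIKE '/tmp/.dropbox-dist-%'` is a hidden-directory exception under world-writable `/tmp`, so any local user or process can create `/tmp/.dropbox-dist-<anything>/` and park a payload there that this rule will now ignore. The neighbouring exceptions (`.build-id`, `.dwz`, `google-cloud-sdk/.install`) sit under package-managed or vendor-owned trees where an unprivileged attacker cannot simply mint a matching name. If the query has ownership or mode columns available, gate the exception on them (for example require the directory to be owned by the logged-in user and not world-writable); if it does not, keep the exception but mark it, e.g. `-- Dropbox updater staging dir; /tmp is world-writable, so this is a weak exception`. The `WHERE` clause this sits in starts above and continues below the hunk.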
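Review bot: In `AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'` every `_` is a single-character LIKE wildcard, so the pattern also matches keys such as `500,abc2go-build-main-go,a.out,` and is broader than the literal GoLand build-artifact name it appears to target. The sibling `'500,___Test%.test,a.out'` line uses the wildcards deliberately; here it is not clear whether the leading digit is meant to vary between builds or whether a literal name is intended. If literal, use equality (`AND NOT exception_key = '500,___2go_build_main_go,a.out,'`); if the digit varies, say so with a deliberate wildcard (`AND NOT exception_key LIKE '500,___%go_build_main_go,a.out,'`) and a comment such as `-- GoLand temporary build binaries` so the intent is explicit. This is the tail of a `WHERE` that begins outside the hunk.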
@@ -235,6 +235,7 @@ WHERE
 'superhuman.com',
 'tableplus.com',
 'textexpander.com',
+ 'tosmediaserver.schwab.com',
 'transmissionbt.com',
 'ubuntu.com',
 'ultimaker.com',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 5279a12..688a94f 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -157,6 +157,7 @@ WHERE state = 1
 'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
 'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje',
 'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo',
+ 'true,,Evaboot,edccjhikjlfoakbbijgomgnoflcjgfjh',
 'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
 'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc',
 'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
@@ -381,4 +382,4 @@ WHERE state = 1
 )
 AND chrome_extensions.path LIKE '%/Microsoft Edge/%'
 )
-GROUP BY exception_key
\ No newline at end of file
+GROUP BY exception_key
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 9d5c80a..9a9c24b 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -211,6 +211,7 @@ WHERE
 'lxcfs,/usr/bin/lxcfs,0,system.slice,lxcfs.service,0755',
 'lxc-monitord,/usr/libexec/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
 'lxc-monitord,/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
+ 'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
 'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
 'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
 'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
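Review bot: `'make,/usr/bin/make,0,user.slice,user-1000.slice,0755'` permanently excuses a uid-0 `make` launched from an interactive user session (most likely a `sudo make ...`), and `make` runs whatever recipe the Makefile supplies, which is precisely the root-from-a-cloned-repo execution this rule exists to surface. Every other entry visible in the list is a fixed system daemon in `system.slice` tied to a named unit; this is a general-purpose build tool with no cmdline, cwd or parent constraint, keyed to a specific uid slice that will not generalise across hosts. If the query exposes cmdline or cwd, narrow it to the expected `install` invocation under a known source tree; otherwise at least mark it `-- sudo make from a user session; broad, revisit or remove` so it is not read as a vetted service. The `IN (...)` list and its `WHERE` start and end outside the hunk.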