Merge pull request #54 from tstromberg/fp44

False-positive updates: tailscale, snapd, WPILib, darkfiles
2025-03-03 09:17:38 +00:00 · 2022-11-01 07:15:50 -04:00 · 2022-11-01 07:15:50 -04:00 · b262708555
commit b262708555
parent eee571888b 4464254d62
6 changed files with 15 additions and 7 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -76,6 +76,7 @@ WHERE
    '0,/usr/python3.10,0u,0g,dnf',
    '0,/usr/python3.10,0u,0g,yum',
    '0,/usr/rpi-imager,0u,0g,rpi-imager',
+    '0,/usr/snapd,0u,0g,snapd',
    '0,/usr/tailscaled,0u,0g,tailscaled',
    '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
    '105,/usr/http,0u,0g,https',
@ -84,12 +85,15 @@ WHERE
    '500,/app/zoom.real,u,g,zoom.real',
    '500,/home/chainctl,500u,100g,chainctl',
    '500,/home/chainctl,500u,500g,chainctl',
+    '500,/home/code,500u,500g,code',
    '500,/home/gitsign,500u,500g,gitsign',
    '500,/home/go,500u,500g,go',
    '500,/home/grype,500u,500g,grype',
+    '500,/home/java,500u,500g,java',
    '500,/home/jcef_helper,500u,500g,jcef_helper',
    '500,/home/steam,500u,100g,steam',
    '500,/home/steamwebhelper,500u,100g,steamwebhelper',
+    '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
    '500,/ko-app/chainctl,u,g,chainctl',
    '500,/ko-app/controlplane,u,g,controlplane',
    '500,/opt/1password,0u,0g,1password',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -107,6 +107,7 @@ WHERE
    '80,6,500,/home/steam,500u,100g,steam',
    '80,6,500,/opt/chrome,0u,0g,chrome',
    '27034,6,500,/home/steam,500u,100g,steam',
+    '32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
    '80,6,500,/opt/firefox,0u,0g,firefox',
    '80,6,500,/usr/chrome,0u,0g,chrome',
    '80,6,500,/usr/curl,0u,0g,curl',
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -27,7 +27,7 @@ FROM
  processes p
  LEFT JOIN hash ON p.path = hash.path
 WHERE
-  bytes_per_second > 2500000
+  bytes_per_second > 3000000
  AND age > 120
  AND pid > 2
  AND p.path NOT IN (
@ -98,6 +98,7 @@ WHERE
    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
    'containerd',
    'esbuild',
+    'darkfiles',
    'firefox',
    'fsdaemon',
    'go',
--- a/detection/evasion/empty_environ_macos.sql
+++ b/detection/evasion/empty_environ_macos.sql
@ -63,10 +63,10 @@ WHERE -- This time should match the interval
  )
  AND NOT exception_key IN (
    '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
+    '500,gsleep,sleep,',
    '500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)',
    '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
    '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing',
-    '500,gsleep,sleep,',
    '500,TwitterNotificationServiceExtension,maccatalyst.com.atebits.Tweetie2.NotificationServiceExtension,Apple Mac OS Application Signing'
  )
  -- Electron apps
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -44,27 +44,28 @@ WHERE
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
-    'Developer ID Application: GPGTools GmbH (PKV8ZPD836)',
    'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
    'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
+    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
    'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
    'Developer ID Application: Galvanix (5BRAQAFB8B)',
    'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
    'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
-    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
-    'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
-    'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
-    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    'Developer ID Application: GitHub (VEKTX9H2N7)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: GPGTools GmbH (PKV8ZPD836)',
+    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
+    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: Michael Jones (YD6LEYT6WZ)',
+    'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
    'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    'Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
    'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
    'Developer ID Application: Yubico Limited (LQA3CS5MM7)',
+    'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
    'Software Signing'
  )
  AND NOT p.path LIKE '/Applications/%.app/%'
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -68,6 +68,7 @@ WHERE
  )
  AND NOT cmd LIKE 'osascript -e set zoomStatus to "closed"%'
  AND NOT cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
+  AND NOT cmd LIKE 'osascript openChrome.applescript http%://localhost%'
  AND NOT cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
  AND NOT cmd LIKE 'osascript -e%tell application "System Preferences"%reveal anchor "shortcutsTab"%"com.apple.preference.keyboard"'
 GROUP BY