diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index ea0f55d..f137baf 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -3,7 +3,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1071/004/ (C2: Application Layer Protocol: DNS)
 --
--- interval: 120
+-- interval: 300
 -- tags: persistent events net
 --
 -- NOTE: The interval above must match WHERE clause to avoid missing events
@@ -19,6 +19,7 @@ SELECT
 s.action,
 s.status,
 p.name,
+ COALESCE(REGEX_MATCH (p.path, '.*/(.*)', 1), p.path) AS basename,
 p.path,
 p.cmdline AS child_cmd,
 p.cwd,
@@ -33,7 +34,7 @@ FROM
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON p.path = hash.path
 WHERE
- s.time > (strftime('%s', 'now') -120)
+ s.time > (strftime('%s', 'now') -300)
 AND remote_port IN (53, 5353)
 AND remote_address NOT LIKE '%:%'
 AND s.remote_address NOT LIKE '172.1%'
@@ -62,19 +63,6 @@ WHERE
 -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
 AND s.remote_address NOT IN (
 '100.100.100.100', -- Tailscale Magic DNS
- '1.1.1.1', -- Cloudflare
- '1.1.1.2', -- Cloudflare
- '8.8.8.8', -- Google
- '8.8.4.4', -- Google (backup)
- '4.2.2.1', -- Level 3
- '4.2.2.2', -- Level 3
- '4.2.2.3', -- Level 3
- '4.2.2.4', -- Level 3
- '4.2.2.5', -- Level 3
- '4.2.2.6', -- Level 3
- '208.67.220.220', -- OpenDNS
- '208.67.222.222', -- OpenDNS
- '208.67.222.123', -- OpenDNS
 '208.67.220.123', -- OpenDNS FamilyShield
 '75.75.75.75', -- Comcast
 '75.75.76.76', -- Comcast
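Review bot: The new `basename` column is referenced by the allowlist in the WHERE clause further down, but nothing at its definition says so, and relying on a SELECT alias inside WHERE is a SQLite extension rather than standard SQL; a line above it such as `-- basename: last path component (falls back to the full path when there is no '/'); used by the allowlist in WHERE` would make that coupling visible to the next editor. Assuming `REGEX_MATCH` yields NULL on a non-match, `COALESCE` covers paths without a slash, but a NULL `p.path` still produces a NULL basename, and `basename NOT IN (...)` then evaluates to NULL and silently drops the row; that is inherited from the old `p.path NOT IN` filter rather than introduced here, but it is worth a note since this rule's purpose is to surface unexpected processes. The SELECT list continues outside the hunk.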
@@ -85,33 +73,22 @@ WHERE
 AND exception_key NOT IN (
 'coredns,0.0.0.0,53',
 'syncthing,46.162.192.181,53',
- 'Code Helper,208.67.222.123,53',
- 'Code Helper,68.105.29.11,53',
- 'Opera Helper,77.111.247.77,53',
- 'chrome,74.125.250.47,53',
- 'AssetCacheLocatorService,0.0.0.0,53',
- 'Jabra Direct Helper,208.67.222.123,53'
+ 'AssetCacheLocatorService,0.0.0.0,53'
 )
- AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
- AND p.name != 'nessusd'
 -- Local DNS servers and custom clients go here
- -- Electron apps
- AND p.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/% Helper'
- AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
- AND p.path NOT LIKE '/Volumes/Google Chrome/%.app/Contents/MacOS/% Helper'
- AND p.path NOT IN (
- '/Library/Nessus/run/sbin/nessusd',
- '/opt/google/chrome/chrome',
- '/usr/bin/apko',
- '/usr/bin/melange',
- '/sbin/apk',
- '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
- '/usr/lib/systemd/systemd-resolved'
+ AND basename NOT IN (
+ 'chrome',
+ 'Jabra Direct Helper',
+ 'nessusd',
+ 'apko',
+ 'melange',
+ 'com.apple.WebKit.Networking',
+ 'apk',
+ 'systemd-resolved'
 )
- -- Chromium apps can send stray DNS packets
- AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
- AND p.path NOT LIKE '/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/%/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'
- AND p.path NOT LIKE '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/%/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'
+ AND p.name NOT IN ('Jabra Direct Helper')
+ -- Chromium/Electron apps seem to send stray packets out like nobodies business
+ AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
 -- Workaround for the GROUP_CONCAT subselect adding a blank ent
 GROUP BY
 s.remote_address,
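Review bot: Switching the exceptions from absolute paths to `basename NOT IN (...)` widens the allowlist to any process whose executable file name matches, regardless of directory, so `chrome`, `apk` or `systemd-resolved` running from an unexpected location is now excluded from this rule, whereas the removed `p.path NOT IN ('/usr/lib/systemd/systemd-resolved', ...)` lines only excluded the expected install locations; `p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'` likewise now matches bundles under any directory rather than the three `/Applications`, `/Volumes/Google Chrome` and AppTranslocation prefixes it replaces. For the system daemons and the scanner at least, keeping the exception keyed on the full path, or pairing the basename with a directory prefix such as `(basename = 'systemd-resolved' AND p.path LIKE '/usr/lib/systemd/%')`, keeps the rule's ability to flag look-alike binaries in odd places, which is presumably the signal this detection exists for. Separately, `AND p.name NOT IN ('Jabra Direct Helper')` repeats the `basename` entry a few lines above; either one can go, or a comment should say why both `p.name` and `basename` need to be checked. The WHERE clause and the GROUP BY continue past the hunk.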