mark https-linux extra, minor query tuning

2024-10-11 09:55:04 -04:00 · 2024-10-11 09:55:04 -04:00 · c60c8ccf39
parent 66a43c8080
commit c60c8ccf39
5 changed files with 12 additions and 37 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -67,7 +67,8 @@ WHERE
    '75.75.75.75', -- Comcast
    '75.75.76.76', -- Comcast
    '68.105.28.13', -- Cox
-    '80.248.7.1' -- 21st Century (NG)
+    '80.248.7.1', -- 21st Century (NG)
+    '34.160.111.32' -- wolfi.dev
  )
  -- Exceptions that specifically talk to one server
  AND exception_key NOT IN (
@ -125,7 +126,7 @@ WHERE
    'systemd-resolved',
    'WhatsApp'
  )
-  AND p.name NOT IN ('Jabra Direct Helper')
+  AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
  -- Chromium/Electron apps seem to send stray packets out like nobodies business
  AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
  -- Workaround for the GROUP_CONCAT subselect adding a blank ent
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@ -6,7 +6,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
-- tags: transient state net often
+-- tags: transient state net often extra
 -- platform: linux
 SELECT
  s.remote_address,
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@ -70,6 +70,7 @@ WHERE
  AND NOT f.directory LIKE '%/node_modules/.bin/%'
  AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
  AND NOT f.directory LIKE '%/.pnpm/%'
+  AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/%'
  AND NOT f.directory LIKE '%/.cache/selenium/chromedriver/%'
  AND NOT f.directory LIKE '%/.provisio/bin/%'
  AND NOT f.directory LIKE '%/.rustup/%'
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@ -45,9 +45,9 @@ WHERE
    '/sbin/ldconfig',
    '/usr/sbin/ldconfig',
    '/usr/bin/c_rehash',
-    '/home/smoser/bin/firefox',
    '/usr/sbin/update-ca-certificates'
  )
+  AND NOT p.path LIKE '%/bin/firefox'
  AND NOT (
    p.path LIKE '/Users/%'
    AND magic.data LIKE 'POSIX shell script%'
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -50,10 +50,12 @@ WHERE
  bytes_read_rate > 2500000
  AND age > 180
  AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
-  AND p0.path NOT LIKE '/System/Library/%'
-  AND p0.path NOT LIKE '/System/Applications/%'
-  AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
+  AND p0.path NOT LIKE '%/bin/%'
+  AND p0.path NOT LIKE '/usr/%'
  AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
+  AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
+  AND p0.path NOT LIKE '/System/Applications/%'
+  AND p0.path NOT LIKE '/System/Library/%'
  AND p0.name NOT IN (
    'BDLDaemon',
    'Disk Inventory X',
@ -158,36 +160,7 @@ WHERE
    '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
    '/Library/Elastic/Endpoint/elastic-endpoint',
    '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
-    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
-    '/usr/bin/apt',
-    '/usr/bin/darktable',
-    '/usr/bin/dockerd',
-    '/usr/bin/gnome-shell',
-    '/usr/bin/gnome-software',
-    '/usr/bin/rsync',
-    '/usr/bin/teskdisk',
-    '/usr/bin/topgrade',
-    '/usr/bin/udevadm',
-    '/usr/bin/update-notifier',
-    '/usr/lib64/electron/electron',
-    '/usr/libexec/aned',
-    '/usr/libexec/biomesyncd',
-    '/usr/libexec/coreduetd',
-    '/usr/libexec/diskimagesiod',
-    '/usr/libexec/diskmanagementd',
-    '/usr/libexec/flatpak-system-helper',
-    '/usr/libexec/logd',
-    '/usr/libexec/logd_helper',
-    '/usr/libexec/packagekitd',
-    '/usr/libexec/PerfPowerServices',
-    '/usr/libexec/signpost_reporter',
-    '/usr/libexec/snapd/snapd',
-    '/usr/libexec/syspolicyd',
-    '/usr/libexec/tracker-extract-3',
-    '/usr/libexec/tracker-miner-fs-3',
-    '/usr/lib/systemd/systemd',
-    '/usr/sbin/spindump',
-    '/usr/sbin/systemstats'
+    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent'
  )
  AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
  AND NOT p0.path LIKE '/Users/%/Library/Application Support/Google/GoogleUpdater/%/GoogleUpdater.app/Contents/MacOS/GoogleUpdater'