macOS: Add exceptions for SUSE/rancher and DHCP servers

2025-02-03 11:11:36 +00:00 · 2022-11-04 19:04:31 -04:00 · 2022-11-04 19:04:31 -04:00 · cafe37af26
commit cafe37af26
parent 0e4f49ce78
3 changed files with 6 additions and 0 deletions
--- a/detection/c2/unexpected-listening-port-macos.sql
+++ b/detection/c2/unexpected-listening-port-macos.sql
@ -107,6 +107,10 @@ WHERE
    '5900,6,0,screensharingd,Software Signing',
    '6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
    '631,6,0,cupsd,Software Signing',
+    '67,17,0,launchd,Software Signing',
+    '67,17,0,bootpd,Software Signing',
+    '53,6,65,mDNSResponder,Software Signing',
+    '547,17,500,dhcp6d,Software Signing',
    '68,17,0,configd,Software Signing',
    '7000,6,500,ControlCenter,Software Signing',
    '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -41,6 +41,7 @@ WHERE
  AND p.start_time >= MAX(f.ctime, f.ctime)
  AND signature.authority NOT IN (
    'Apple Mac OS Application Signing',
+    'Developer ID Application: SUSE LLC (2Q6FHJR3H3)',
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -126,6 +126,7 @@ WHERE
  AND dir NOT LIKE '/Library/%/sbin' -- Nessus
  AND dir NOT LIKE '/Library/SystemExtensions/%'
  AND dir NOT LIKE '/nix/store/%'
+  AND dir NOT LIKE '/opt/%/bin'
  AND dir NOT LIKE '/opt/homebrew/Caskroom/%'
  AND dir NOT LIKE '/opt/homebrew/Cellar/%'
  AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'