Merge pull request #417 from egibs/20241030-exceptions

Add exceptions for apache2, ChatGPT, and Discord among others
2024-10-30 14:24:51 -05:00 · 2024-10-30 14:24:51 -05:00 · d52f919599
parent f12e6d9258 1d7a67da0f
commit d52f919599
11 changed files with 61 additions and 40 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -76,37 +76,38 @@ WHERE

  -- Exceptions that specifically talk to one server
  AND exception_key NOT IN (
-    'coredns,0.0.0.0,53',
-    'syncthing,46.162.192.181,53',
-    'Socket Process,8.8.8.8,53',
-    'com.docker.backend,8.8.8.8,53',
-    'ZoomPhone,8.8.8.8,53',
-    'ZoomPhone,200.48.225.130,53',
-    'gvproxy,170.247.170.2,53',
+    'AssetCacheLocatorService,0.0.0.0,53',
    'CapCut,8.8.8.8,53',
-    'ZaloCall,8.8.8.8,53',
-    'Telegram,8.8.8.8,53',
-    'com.docker.vpnkit,8.8.8.8,53',
-    'WebexHelper,8.8.8.8,53',
-    'Meeting Center,8.8.8.8,53',
-    'ServiceExtension,8.8.8.8,53',
-    'nuclei,1.0.0.1,53',
-    'distnoted,8.8.8.8,53',
-    'limactl,8.8.8.8,53',
-    'msedge,8.8.8.8,53',
-    'brave,8.8.8.8,53',
-    'adguard_dns,1.0.0.1,53',
-    'helm,185.199.108.133,53',
-    'coredns,8.8.8.8,53',
-    'signal-desktop,8.8.8.8,53',
-    'slack,8.8.8.8,53',
-    'zed,8.8.8.8,53',
    'EpicWebHelper,8.8.4.4,53',
    'EpicWebHelper,8.8.8.8,53',
+    'Meeting Center,8.8.8.8,53',
+    'ServiceExtension,8.8.8.8,53',
    'Signal Helper (Renderer),8.8.8.8,53',
-    'plugin-container,8.8.8.8,53',
+    'Socket Process,8.8.8.8,53',
+    'Telegram,8.8.8.8,53',
+    'WebexHelper,8.8.8.8,53',
    'WhatsApp,1.1.1.1,53',
-    'AssetCacheLocatorService,0.0.0.0,53'
+    'ZaloCall,8.8.8.8,53',
+    'ZoomPhone,200.48.225.130,53',
+    'ZoomPhone,8.8.8.8,53',
+    'adguard_dns,1.0.0.1,53',
+    'brave,8.8.8.8,53',
+    'cg,108.177.98.95,53',
+    'com.docker.backend,8.8.8.8,53',
+    'com.docker.vpnkit,8.8.8.8,53',
+    'coredns,0.0.0.0,53',
+    'coredns,8.8.8.8,53',
+    'distnoted,8.8.8.8,53',
+    'gvproxy,170.247.170.2,53',
+    'helm,185.199.108.133,53',
+    'limactl,8.8.8.8,53',
+    'msedge,8.8.8.8,53',
+    'nuclei,1.0.0.1,53',
+    'plugin-container,8.8.8.8,53',
+    'signal-desktop,8.8.8.8,53',
+    'slack,8.8.8.8,53',
+    'syncthing,46.162.192.181,53',
+    'zed,8.8.8.8,53'
  )
  -- Local DNS servers and custom clients go here
  AND basename NOT IN (
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -83,6 +83,7 @@ WHERE protocol > 0
  )
  AND NOT exception_key IN (
    '123,17,500,chronyd,0u,0g,chronyd',
+    '19305,6,500,msedge,0u,0g,msedge',
    '4070,6,500,spotify,u,g,spotify',
    '49152,6,500,ContinuityCaptureAgent,Software Signing',
    '587,6,500,perl,0u,0g,git-send-email',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -103,7 +103,16 @@ WHERE pos.pid IN (
    AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
  )
  AND NOT (
-    unsigned_exception = '500,6,32768,gvproxy,gvproxy'
+    unsigned_exception IN (
+      '500,6,32768,gvproxy,gvproxy',
+      '500,17,123,gvproxy,gvproxy'
+    )
    AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
  )
+  AND NOT (
+    unsigned_exception = '500,0,0,chainlink,chainlink'
+    AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
+    AND remote_port = 0
+    AND protocol = 0
+  )
 GROUP BY p0.cmdline
--- a/detection/credentials/macos_keyboard_sniffer.sql
+++ b/detection/credentials/macos_keyboard_sniffer.sql
@ -79,7 +79,8 @@ WHERE
    'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
    'skhd,skhd,',
    'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
-    'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'
+    'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
+    'deskflow-server,deskflow-server,'
  )
 GROUP BY
  p0.path
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@ -72,25 +72,26 @@ WHERE (
  AND NOT homepath LIKE '~/%x86_64%'
  AND NOT top3_dir LIKE '~/.%/extensions'
  AND NOT top2_dir IN (
+    '~/.cursor',
    '~/.dropbox-dist',
+    '~/.fzf',
    '~/.goenv',
    '~/.gradle/jdks',
+    '~/.krew',
    '~/.local',
    '~/.pnpm',
+    '~/.pulumi',
    '~/.rbenv',
    '~/.rustup',
-    '~/.pulumi',
-    '~/Code',
-    '~/code',
-    '~/.cursor',
-    '~/Projects',
-    '~/src',
    '~/.sdkman',
    '~/.supermaven',
    '~/.terraform',
    '~/.tflint.d',
    '~/.vs-kubernetes',
-    '~/.krew'
+    '~/Code',
+    '~/Projects',
+    '~/code',
+    '~/src'
  )
  AND NOT top3_dir IN (
    '~/.bin',
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -78,8 +78,10 @@ WHERE
    '/.mozilla/',
    '/tmp/.accounts-agent/',
    '/tmp/.audio-agent/',
-    -- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
-    '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82',
+    -- Xcode;
+    -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
+    -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
+    '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
    '/tmp/.bazelci/',
    '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
    '/tmp/.content-agent/',
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -111,6 +111,7 @@ WHERE
    '~/Applications (Parallels)/',
    '~/bin/',
    '~/.cargo/',
+    '~/chainguard_repos/',
    '~/code/',
    '~/Code/',
    '~/.config/',
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@ -86,11 +86,12 @@ WHERE -- Focus on longer-running programs
  AND exception_key NOT IN (
    '0,velociraptor,a.out,',
    '500,cloud_sql_proxy,a.out,',
-    '500,sdzoomplugin,,',
-    '500,sdaudioswitch,,',
+    '500,docker,docker,',
    '500,gopls,a.out,',
+    '500,sdaudioswitch,,',
+    '500,sdaudioswitch,sdaudioswitch,',
    '500,sdmicmute,sdmicmute,',
-    '500,sdaudioswitch,sdaudioswitch,'
+    '500,sdzoomplugin,,'
  )
  AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
  AND NOT exception_key LIKE '500,___Test%.test,a.out'
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -183,6 +183,7 @@ WHERE
    'cron.com',
    'discord.com',
    'dl.discordapp.net',
+    'dl2.discordapp.net',
    'dl.google.com',
    'duckduckgo.com',
    'dygma.com',
@ -213,6 +214,7 @@ WHERE
    'obsidian.md',
    'obsproject.com',
    'opalcamera.com',
+    'openai.com',
    'persistent.oaistatic.com',
    'portswigger-cdn.net',
    'posit.co',
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@ -175,6 +175,7 @@ WHERE
    '8009,6,0,java',
    '80,6,0,docker-proxy',
    '80,6,101,nginx',
+    '80,6,0,apache2',
    '80,6,33,apache2',
    '80,6,60,nginx',
    '8080,6,0,coredns',
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -313,6 +313,7 @@ WHERE
    'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
    'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
    'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
+    'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
    'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
    'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
    'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',