From e487aac57405460d0178e1ffa9c312b82299b1e1 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 07:40:25 -0500
Subject: [PATCH] Add exceptions for apache2, ChatGPT, and Discord among others

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 5 ++++-
 detection/evasion/hidden-executable.sql | 3 ++-
 detection/evasion/unexpected-hidden-system-paths.sql | 6 ++++--
 .../unexpected-long-running-security-framework-macos.sql | 1 +
 .../initial_access/unexpected-diskimage-source-macos.sql | 2 ++
 detection/persistence/unexpected-listening-port-linux.sql | 1 +
 6 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 82a3ad6..8a0d78d 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -103,7 +103,10 @@ WHERE pos.pid IN (
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
 )
 AND NOT (
- unsigned_exception = '500,6,32768,gvproxy,gvproxy'
+ unsigned_exception IN (
+ '500,6,32768,gvproxy,gvproxy',
+ '500,17,123,gvproxy,gvproxy'
+ )
 AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
 )
 GROUP BY p0.cmdline
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index c165035..0e59b74 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -82,7 +82,8 @@ WHERE (
 '~/.terraform',
 '~/.tflint.d',
 '~/.vs-kubernetes',
- '~/.krew'
+ '~/.krew',
+ '~/.fzf'
 )
 AND NOT top3_dir IN (
 '~/.arkade/bin',
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index f9077a6..bc3c55a 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
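Review bot: The new key `'500,17,123,gvproxy,gvproxy'` in the IN list carries no rationale, and if its fields are uid, protocol and port it exempts every unsigned gvproxy UDP/123 flow regardless of remote host, which is a wider exception than the original TCP one; add a comment above the list such as `-- gvproxy forwards the podman VM's NTP (UDP/123) traffic`, if that is indeed the case being suppressed. The same undocumented-exception point applies to `'500,docker,docker,'` in unexpected-long-running-security-framework-macos.sql and `'80,6,0,apache2'` in unexpected-listening-port-linux.sql. The enclosing WHERE clause starts before the hunk.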
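Review bot: `'~/.fzf'` exempts every hidden executable under the whole directory, whereas fzf's installer keeps its binary in `~/.fzf/bin`; the `top3_dir` list that starts three lines below already carries entries at that depth (`'~/.arkade/bin'`), so `'~/.fzf/bin'` there gives the same coverage with a narrower exception. If the shell-integration scripts in the directory root also need exempting, a comment next to the entry should say so. The list being extended opens before the hunk, so its column name is not visible here.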
@@ -78,8 +78,10 @@ WHERE
 '/.mozilla/',
 '/tmp/.accounts-agent/',
 '/tmp/.audio-agent/',
- -- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
- '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82',
+ -- Xcode;
+ -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
+ -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
+ '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
 '/tmp/.bazelci/',
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 '/tmp/.content-agent/',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 652580e..137b4ef 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -85,6 +85,7 @@ WHERE -- Focus on longer-running programs
 AND exception_key NOT IN (
 '0,velociraptor,a.out,',
 '500,cloud_sql_proxy,a.out,',
+ '500,docker,docker,',
 '500,sdzoomplugin,,',
 '500,sdaudioswitch,,',
 '500,gopls,a.out,',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index a1dc166..225e93e 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -183,6 +183,7 @@ WHERE
 'cron.com',
 'discord.com',
 'dl.discordapp.net',
+ 'dl2.discordapp.net',
 'dl.google.com',
 'duckduckgo.com',
 'dygma.com',
@@ -213,6 +214,7 @@ WHERE
 'obsidian.md',
 'obsproject.com',
 'opalcamera.com',
+ 'openai.com',
 'persistent.oaistatic.com',
 'portswigger-cdn.net',
 'posit.co',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 26d19f1..042e112 100644
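Review bot: The entry being corrected was dead: the old name has 63 hex characters and the new one 64, so it could never match and nobody noticed, because an allowlist literal that matches nothing raises no error. Consider stating in the rewritten comment that the literal is the complete, fixed directory name (`-- full 64-hex-char name, must match exactly`) so a future truncation is caught in review, and, if the repository has a test harness for these lists, a check that hash-like entries have the expected length. How the list is compared (exact match or LIKE) is decided before the hunk and is not visible.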
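Review bot: `'openai.com'` is an apex domain in a list whose neighbours are specific download hosts (`'persistent.oaistatic.com'`, `'dl.discordapp.net'`, and the `'dl2.discordapp.net'` sibling added in the previous hunk); if the predicate compares the full hostname exactly, which the list suggests but the hunk does not show, that is fine, but if it is suffix-based it also covers every subdomain and a comment should say which host actually serves the disk image. A short `-- ChatGPT desktop app` note next to the entry would also tie it to the commit subject. The predicate lives before the hunk and is not visible here.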
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -175,6 +175,7 @@ WHERE
 '8009,6,0,java',
 '80,6,0,docker-proxy',
 '80,6,101,nginx',
+ '80,6,0,apache2',
 '80,6,33,apache2',
 '80,6,60,nginx',
 '8080,6,0,coredns',
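Review bot: `'80,6,0,apache2'` sits next to the existing `'80,6,33,apache2'` and, reading the key as port,protocol,uid,name like `'80,6,0,docker-proxy'`, exempts a root-owned apache2 listener on TCP/80; that is expected for Apache's parent process, which binds the privileged port as root while workers run as uid 33, but nothing in the hunk records it. Add `-- apache2 parent binds :80 as root; worker processes appear as uid 33` above the two entries so the root exception is not mistaken for an oversight. The NOT IN list begins before the hunk.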