
Merge pull request #428 from egibs/20241120-fpr
Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more
egibs authored Nov 20, 2024
2 parents d078e4a + 78ec36e commit 81571d0
Showing 8 changed files with 16 additions and 3 deletions.
1 change: 1 addition & 0 deletions detection/c2/unexpected-dns-traffic-events.sql
Expand Up @@ -102,6 +102,7 @@ WHERE
'Signal Helper (Renderer),8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'slack,8.8.8.8,53',
'snapd,185.125.188.54,53',
'Socket Process,8.8.8.8,53',
'syncthing,46.162.192.181,53',
'Telegram,8.8.8.8,53',
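Review bot: The new `'snapd,185.125.188.54,53'` entry pins snapd to a single resolver address with nothing recording where that address was observed or why it is trusted. Hard-coded upstream IPs in an allowlist go stale silently when the provider renumbers, at which point the exception just stops matching and the alert returns with no hint of why. A short comment beside the entry, `-- snapd resolver, observed <host/date> -- TODO confirm`, would keep it auditable. The IN list and its WHERE clause continue outside the hunk.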
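--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -105,7 +105,9 @@ WHERE
 '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
 '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
-'500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
+'500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
+'500,Developer ID Application: Autodesk (XXKJ396S2Y)',
+'500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
 )
 AND NOT (
 unsigned_exception = '500,6,80,main,main'
@@ -121,7 +123,9 @@ WHERE
 '500,0,0,chainlink,chainlink',
 '500,17,123,gvproxy,gvproxy',
 '500,0,0,,',
-'500,0,0,.Telegram-wrapped,.Telegram-wrapped'
+'500,0,0,.Telegram-wrapped,.Telegram-wrapped',
+'500,6,443,cloud_sql_proxy,cloud_sql_proxy',
+'500,6,32768,cloud_sql_proxy,cloud_sql_proxy'
 )
 GROUP BY
 p0.cmdline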
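Review bot: `'500,6,32768,cloud_sql_proxy,cloud_sql_proxy'` in the second hunk exempts an unsigned cloud_sql_proxy talking TCP to remote port 32768, and unlike the 443 entry above it nothing says which destination that port corresponds to. The unsigned_exception key appears to carry only uid, protocol, port and process/parent names, so the entry covers any unsigned binary using that name, which makes the justification worth writing down: `-- cloud_sql_proxy: <observed destination> on 32768, seen <where> -- TODO confirm`. The Autodesk and Zwift entries in the first hunk are keyed on a signer and need no such note. The query's WHERE clause begins before the first hunk.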
2 changes: 2 additions & 0 deletions detection/evasion/touched-executable-linux.sql
Expand Up @@ -56,5 +56,7 @@ WHERE
AND p.name NOT LIKE 'osqtool%'
AND f.path NOT LIKE '%/go/bin/%'
AND f.path NOT LIKE '%/osqueryi'
AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
GROUP by
p.pid
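Review bot: `f.path NOT LIKE '/tmp/%/.terraform/providers/%'` exempts every file under a world-writable prefix, so a modified executable placed at any `/tmp/<dir>/.terraform/providers/<file>` path is no longer reported by this rule; the Elastic exception next to it is an exact path and does not have this problem. If provider binaries only ever appear here under terraform, tie the exception to the process as well, e.g. `AND NOT (p.name LIKE 'terraform%' AND f.path LIKE '/tmp/%/.terraform/providers/%')`, after confirming which process row `p` refers to in this join. The Elastic line uses `NOT LIKE` with no wildcard, so `f.path != '/var/opt/Elastic/Endpoint/elastic-endpoint'` states the same condition more plainly. The WHERE clause starts before the hunk.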
1 change: 1 addition & 0 deletions detection/initial_access/unexpected-webmail-downloads.sql
Expand Up @@ -49,6 +49,7 @@ WHERE
'jpg',
'json',
'key',
'md',
'mov',
'mp3',
'mp4',
1 change: 1 addition & 0 deletions detection/persistence/suspicious-systemd-unit.sql
Expand Up @@ -155,6 +155,7 @@ rule systemd_small_multiuser_not_in_dependency_tree : high {
$not_systemd = "ExecStart=systemd-"
$not_lima = "Description=lima-guestagent"
$not_check_sb = "Description=Service to check for secure boot key enrollment"
$not_touchee_gg = "ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/touchegg --daemon"
condition:
filesize < 384 and $execstart and $multiuser and none of ($not_*)
}
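Review bot: `$not_touchee_gg` misspells touchegg, and its pattern is the raw CMake placeholder `@CMAKE_INSTALL_FULL_BINDIR@` rather than an installed path, which reads like an accident unless that is genuinely what the packaged unit file contains. Rename it to `$not_touchegg` and record the reason above it, `// touchegg's packaged unit ships with the CMake placeholder unexpanded -- TODO confirm on an affected host`, so the next reader does not "fix" the string. Since the condition is `none of ($not_*)`, every `$not_` string fully exempts a unit, which is why the justification belongs in the file. The rule's earlier strings lie outside the hunk; only its header shows in the hunk context.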
2 changes: 2 additions & 0 deletions detection/persistence/unexpected-uid0-daemon-linux.sql
Expand Up @@ -108,6 +108,7 @@ WHERE
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
'bpfilter_umh,/bpfilter_umh,0,,,',
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
Expand Down Expand Up @@ -308,6 +309,7 @@ WHERE
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
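Review bot: `'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755'` in the first hunk exempts any long-running root `cat` under what appears to be a uid-0 session slice, and `cat` is generic enough that the entry says nothing about the workload that legitimately keeps it open. A comment naming that workload, `-- cat: <job that keeps it running> -- TODO confirm`, or a narrower key if the query can expose the parent, would keep the exception reviewable; the `'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111'` entry in the second hunk deserves the same note, since its uid/slice pairing differs from the two sudo lines below it. Both IN lists continue outside their hunks.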
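--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -351,7 +351,8 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
 'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
 'Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
-'Software Signing'
+'Software Signing',
+'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)'
 )
 AND NOT (
 p0.path = '/Library/Printers/DYMO/Utilities/pnpd'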
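Review bot: The PaperCut entry is appended after `'Software Signing'`, which breaks the alphabetical order the neighbouring entries (Tenable, X-Rite, Y Soft) follow and moves Apple's own signer out of last place; inserting it at its sorted position among the `Developer ID Application:` entries keeps the list scannable and avoids the trailing-comma churn this hunk shows. The exception is signer-wide, so any binary signed under that team ID running as uid 0 is exempted, not only the print component; that matches the other entries but is worth a `-- PaperCut: <which daemon>` comment. The IN list begins outside the hunk.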
1 change: 1 addition & 0 deletions detection/privesc/unexpected-setxid-process.sql
Expand Up @@ -30,6 +30,7 @@ WHERE
'/bin/ps',
'/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/Library/Application Support/Google/GoogleUpdater/Current/GoogleUpdater.app/Contents/Helpers/launcher',
'/opt/1Password/1Password-BrowserSupport',
'/usr/lib/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper',
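Review bot: The new GoogleUpdater path runs through a `Current` component; if that is a symlink to a versioned directory and osquery reports the resolved path, this exact-string exception will never match and the setxid alert keeps firing, so confirm the path as osquery records it before relying on the entry. The entry is also out of order: the list appears sorted and `/Library/Application Support/Google/...` belongs before the `org.pqrs` line rather than after `DropboxHelperTools`. The IN list continues outside the hunk.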
