Merge pull request #419 from egibs/20241101-exceptions

Add rules for bambu-studio, extensions, firefox-bin, goland, xdg, and more
chainguard-dev · Nov 1, 2024 · 12019d4 · 12019d4
2 parents 331e363 + be9e4f7
commit 12019d4
Show file tree

Hide file tree

Showing 8 changed files with 14 additions and 2 deletions.
diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql
@@ -79,9 +79,10 @@ WHERE
   )
   -- Other exceptions
   AND exception_key NOT IN (
+    'Arc Helper,1.0.0.1,53',
     'coredns,0.0.0.0,53',
+    'goland,149.112.112.10,53',
     'nessusd,50.16.123.71,53',
-    'Arc Helper,1.0.0.1,53',
     'syncthing,46.162.192.181,53'
   )
   -- Local DNS servers and custom clients go here

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -195,6 +195,7 @@ WHERE protocol > 0
     '8443,6,500,firefox,0u,0g,firefox',
     '8801,17,500,zoom,0u,0g,zoom',
     '8801,17,500,zoom.real,u,g,zoom.real',
+    '8883,6,500,bambu-studio,u,g,bambustu_main',
     '88,6,500,syncthing,0u,0g,syncthing',
     '8987,6,500,whois,0u,0g,whois',
     '9,17,0,launcher,0u,0g,launcher',

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -104,6 +104,7 @@ WHERE pos.pid IN (
   )
   AND NOT (
     unsigned_exception IN (
+      '500,0,0,gvproxy,gvproxy',
       '500,6,0,gvproxy,gvproxy',
       '500,6,32768,gvproxy,gvproxy',
       '500,17,123,gvproxy,gvproxy'

diff --git a/detection/evasion/unusual-executable-name-linux.sql b/detection/evasion/unusual-executable-name-linux.sql
@@ -99,6 +99,7 @@ WHERE
     "nm-dispatcher",
     "xdg-dbus-proxy",
     "xdg-desktop-portal",
+    "xdg-desktop-portal-xapp",
     "xdg-desktop-portal-gnome",
     "xdg-desktop-portal-gtk",
     "xdg-desktop-portal-kde",

diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
@@ -103,6 +103,7 @@ WHERE
     "com.docker.extensions",
     "dynamiclinkmanager",
     'firefox',
+    'firefox-bin',
     "gmenudbusmenuproxy",
     "irqbalance",
     "kactivitymanagerd",

diff --git a/detection/execution/tiny-executable.sql b/detection/execution/tiny-executable.sql
@@ -33,3 +33,7 @@ WHERE
   AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
   AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
   AND NOT file.path IN ('/', '/usr/bin/ruby')
+  AND NOT (
+    file.path = '/sbin/ldconfig'
+    AND pp.euid = 1000
+  )
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -98,4 +98,6 @@ WHERE -- Focus on longer-running programs
   AND NOT exception_key LIKE '500,nvim,bob-%,'
   AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
   AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
+  AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
+  AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,'
 GROUP BY p0.pid
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
@@ -199,7 +199,8 @@ WHERE
     '9090,6,500,controlplane',
     '9153,6,0,coredns',
     '9300,6,500,authentik-proxy',
-    '9880,6,500,rootlesskit'
+    '9880,6,500,rootlesskit',
+    '9999,6,500,python3'
   )
   AND NOT (
     p.path LIKE '/ko-app/%'