Merge pull request #418 from egibs/20241031-exceptions
More exceptions to cut down on alert noise
egibs authored Oct 31, 2024
2 parents d52f919 + b121d1f commit 331e363
Showing 9 changed files with 33 additions and 16 deletions.
32 changes: 17 additions & 15 deletions detection/c2/unexpected-dns-traffic-events.sql
Expand Up @@ -76,38 +76,40 @@ WHERE

-- Exceptions that specifically talk to one server
AND exception_key NOT IN (
'AssetCacheLocatorService,0.0.0.0,53',
'CapCut,8.8.8.8,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'Meeting Center,8.8.8.8,53',
'ServiceExtension,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'Socket Process,8.8.8.8,53',
'Telegram,8.8.8.8,53',
'WebexHelper,8.8.8.8,53',
'WhatsApp,1.1.1.1,53',
'ZaloCall,8.8.8.8,53',
'ZoomPhone,200.48.225.130,53',
'ZoomPhone,8.8.8.8,53',
'adguard_dns,1.0.0.1,53',
'AssetCacheLocatorService,0.0.0.0,53',
'brave,8.8.8.8,53',
'CapCut,8.8.8.8,53',
'cg,108.177.98.95,53',
'ChatGPT,8.8.8.8,53',
'com.docker.backend,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'coredns,0.0.0.0,53',
'coredns,8.8.8.8,53',
'distnoted,8.8.8.8,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'gvproxy,170.247.170.2,53',
'helm,185.199.108.133,53',
'limactl,8.8.8.8,53',
'Meeting Center,8.8.8.8,53',
'msedge,8.8.8.8,53',
'nuclei,1.0.0.1,53',
'plugin-container,8.8.8.8,53',
'ServiceExtension,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'slack,8.8.8.8,53',
'Socket Process,8.8.8.8,53',
'syncthing,46.162.192.181,53',
'zed,8.8.8.8,53'
'Telegram,8.8.8.8,53',
'WebexHelper,8.8.8.8,53',
'WhatsApp,1.1.1.1,53',
'ZaloCall,8.8.8.8,53',
'zed,8.8.8.8,53',
'ZoomPhone,200.48.225.130,53',
'ZoomPhone,200.48.225.146,53',
'ZoomPhone,8.8.8.8,53'
)
-- Local DNS servers and custom clients go here
AND basename NOT IN (
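Review bot: The `exception_key NOT IN (...)` list still matches on process basename plus resolver address only, so an entry such as `'distnoted,8.8.8.8,53'` exempts any process carrying that name; distnoted is, as far as I know, a macOS system notification daemon with no obvious reason to query 8.8.8.8 itself, so it deserves a `--` comment recording what was observed before it is kept (I cannot tell from this view whether it is new here or context). Single-address entries like `'ZoomPhone,200.48.225.146,53'` and `'syncthing,46.162.192.181,53'` will keep multiplying as resolver pools rotate, and opaque names such as `cg` are unreadable without a note. Suggest one comment at the head of the list, e.g. `-- Keep sorted case-insensitively; annotate any entry whose basename or address is not self-explanatory`, so the wholesale reshuffle seen in this hunk is not repeated. The enclosing WHERE clause starts above the hunk.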
1 change: 1 addition & 0 deletions detection/c2/unexpected-talkers-linux.sql
Expand Up @@ -188,6 +188,7 @@ WHERE protocol > 0
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
'8080,6,500,idea,0u,0g,idea',
'8080,6,500,python3.11,0u,0g,speedtest-cli',
'8080,6,500,speedtest,500u,500g,speedtest',
'8443,6,500,chrome,0u,0g,chrome',
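Review bot: The added `'8080,6,500,idea,0u,0g,idea'` exempts any uid-500 process whose basename is `idea` talking to tcp/8080, a port commonly used by proxies and alternate HTTP services, so the exception is only as strong as the process name. Unlike the `python3.11,...,speedtest-cli` entry just above it, nothing records which product this is (presumably the JetBrains IDE launcher — confirm); a comment such as `-- idea: JetBrains IDE, tcp/8080 (confirm which service it reaches)` would keep the entry auditable. The WHERE clause that owns this list starts outside the hunk.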
7 changes: 7 additions & 0 deletions detection/c2/unexpected-talkers-macos.sql
Expand Up @@ -104,6 +104,7 @@ WHERE pos.pid IN (
)
AND NOT (
unsigned_exception IN (
'500,6,0,gvproxy,gvproxy',
'500,6,32768,gvproxy,gvproxy',
'500,17,123,gvproxy,gvproxy'
)
Expand All @@ -115,4 +116,10 @@ WHERE pos.pid IN (
AND remote_port = 0
AND protocol = 0
)
AND NOT (
unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
AND remote_port = 0
AND protocol = 0
)
GROUP BY p0.cmdline
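Review bot: The new `.Telegram-wrapped` block in the second hunk repeats the shape of the block ending just above it — exception key, a path `LIKE`, then `remote_port = 0 AND protocol = 0` — but neither block says why port-0/protocol-0 rows (presumably unconnected sockets — confirm) are exempted per binary rather than once for all processes. Suggest a comment above the new block, e.g. `-- nix-wrapped Telegram: unbound sockets only (port 0, proto 0); the path check pins this to the nix store build`, and the same treatment for the block above it. The first hunk's `'500,6,0,gvproxy,gvproxy'` likewise exempts a TCP socket with remote port 0; it is consistent with the two gvproxy entries that follow, but a note on why gvproxy needs three port/protocol variants would help the next reader. The enclosing NOT (...) of the second hunk and the surrounding WHERE clause start outside the hunks.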
2 changes: 2 additions & 0 deletions detection/evasion/hidden-executable.sql
Expand Up @@ -115,6 +115,7 @@ WHERE (
AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'
AND NOT f.path LIKE '/nix/store/%/%-wrapped'
AND NOT (
f.path LIKE '/nix/store/%'
Expand All @@ -124,4 +125,5 @@ WHERE (
AND NOT homedir LIKE '~/.local/share/AppImage/ZenBrowser.AppImage'
AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS'
GROUP BY f.path
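Review bot: The added `AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'` exempts every hidden executable under any mounted volume whose name starts with that prefix, and a volume name is set by whoever built the image that was mounted, so a disk image named to match would have its hidden executables suppressed by this rule. If the query has a code-signature column available (any such join is outside this hunk, so I cannot tell), tying the exception to Dropbox's signing identity would make it robust; otherwise narrow the pattern to the specific subdirectory that was observed and record it, e.g. `-- Dropbox installer DMG: <observed subpath>` with the placeholder filled from the alert. The `'%/.Trash/Logi Options.app/...'` entry in the second hunk is reasonable as a Trash remnant but deserves the same kind of one-line note. The WHERE clause containing these conditions starts above the hunks.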
1 change: 1 addition & 0 deletions detection/evasion/unexpected-hidden-system-paths.sql
Expand Up @@ -218,6 +218,7 @@ WHERE
AND file.path NOT LIKE '%/.build-id/'
AND file.path NOT LIKE '%/.dwz/'
AND file.path NOT LIKE '%/.updated'
AND file.path NOT LIKE '/tmp/.dropbox-dist-%'
AND file.filename NOT LIKE '.%.swo'
AND file.filename NOT LIKE '.%.swp'
AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
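Review bot: The added `AND file.path NOT LIKE '/tmp/.dropbox-dist-%'` exempts a hidden directory under /tmp, which is world-writable, so any local user or process can create a path matching the prefix and stage files there that this rule will no longer surface. The osquery `file` table exposes `uid`, so the exception could at least be confined to the account Dropbox is expected to run under if that is known, but a name-only exception in /tmp cannot be made strong; at minimum record the trade-off, e.g. `-- Dropbox Linux daemon staging dir (presumably — confirm); /tmp is world-writable, so this is a name-only exception`. The WHERE clause that owns this list starts above the hunk.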
Expand Up @@ -97,4 +97,5 @@ WHERE -- Focus on longer-running programs
AND NOT exception_key LIKE '500,___Test%.test,a.out'
AND NOT exception_key LIKE '500,nvim,bob-%,'
AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
GROUP BY p0.pid
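Review bot: In `'500,___2go_build_main_go,a.out,'` every `_` is a single-character LIKE wildcard, so besides the intended three-character prefix (mirroring the `'500,___Test%.test,a.out'` entry above) the underscores inside `go_build_main_go` also match any character, e.g. a process named `go-build-main-go`; if the literal name is intended, escape them: `AND NOT exception_key LIKE '500,___2go\_build\_main\_go,a.out,' ESCAPE '\'`. A comment naming the producer (presumably an IDE's temporary Go build binary — confirm) would also help, since the pattern is otherwise opaque. The file this hunk belongs to is not named on this page, and the WHERE clause starts above the hunk.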
Expand Up @@ -235,6 +235,7 @@ WHERE
'superhuman.com',
'tableplus.com',
'textexpander.com',
'tosmediaserver.schwab.com',
'transmissionbt.com',
'ubuntu.com',
'ultimaker.com',
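Review bot: `'tosmediaserver.schwab.com'` is the only entry in view that is a full hostname rather than a registrable domain like its neighbours (`transmissionbt.com`, `ubuntu.com`), so whether it ever matches depends on whether the list is compared against the full remote hostname or a domain suffix; that comparison is outside this hunk, so I cannot tell which. A brief comment, e.g. `-- thinkorswim media host (presumably Schwab's trading client — confirm)`, would say what product this is. The file this hunk belongs to is not named on this page, and the WHERE clause containing the list starts above the hunk.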
3 changes: 2 additions & 1 deletion detection/persistence/unexpected-chrome-extensions.sql
Expand Up @@ -157,6 +157,7 @@ WHERE state = 1
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje',
'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo',
'true,,Evaboot,edccjhikjlfoakbbijgomgnoflcjgfjh',
'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc',
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
Expand Down Expand Up @@ -381,4 +382,4 @@ WHERE state = 1
)
AND chrome_extensions.path LIKE '%/Microsoft Edge/%'
)
GROUP BY exception_key
GROUP BY exception_key
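Review bot: The added `'true,,Evaboot,edccjhikjlfoakbbijgomgnoflcjgfjh'` is pinned to the extension ID, which is the right anchor, but the list carries no per-entry reason, and if this is the LinkedIn data-export extension of that name (I cannot confirm that from the hunk) it is the kind of extension some fleets would rather keep surfacing. A short note such as `-- Evaboot: LinkedIn export tool; accepted for <team> (placeholder)` next to the entry would make that decision auditable. The `GROUP BY exception_key` change in the second hunk appears to be an end-of-file newline fix only.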
1 change: 1 addition & 0 deletions detection/persistence/unexpected-uid0-daemon-linux.sql
Expand Up @@ -211,6 +211,7 @@ WHERE
'lxcfs,/usr/bin/lxcfs,0,system.slice,lxcfs.service,0755',
'lxc-monitord,/usr/libexec/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'lxc-monitord,/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
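Review bot: The added `'make,/usr/bin/make,0,user.slice,user-1000.slice,0755'` exempts a uid-0 `make` running inside a user session slice; `make` executes whatever recipes the Makefile supplies, so this is effectively an allowlist for arbitrary root code launched from an interactive session, and the hard-coded `user-1000.slice` reads like a single workstation's `sudo make install` rather than fleet-wide behaviour. If the query exposes the parent process (outside this hunk, so I cannot tell), requiring `sudo` or `su` as the parent would be a tighter key; otherwise document the intent: `-- sudo make install from an interactive session; runs arbitrary recipes as root`. The WHERE clause that owns this list starts above the hunk.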
