

Merge pull request #417 from egibs/20241030-exceptions
Add exceptions for apache2, ChatGPT, and Discord among others
egibs authored Oct 30, 2024
2 parents f12e6d9 + 1d7a67d commit d52f919
Showing 11 changed files with 58 additions and 37 deletions.
47 changes: 24 additions & 23 deletions detection/c2/unexpected-dns-traffic-events.sql
Expand Up @@ -76,37 +76,38 @@ WHERE

-- Exceptions that specifically talk to one server
AND exception_key NOT IN (
'coredns,0.0.0.0,53',
'syncthing,46.162.192.181,53',
'Socket Process,8.8.8.8,53',
'com.docker.backend,8.8.8.8,53',
'ZoomPhone,8.8.8.8,53',
'ZoomPhone,200.48.225.130,53',
'gvproxy,170.247.170.2,53',
'AssetCacheLocatorService,0.0.0.0,53',
'CapCut,8.8.8.8,53',
'ZaloCall,8.8.8.8,53',
'Telegram,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'WebexHelper,8.8.8.8,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'Meeting Center,8.8.8.8,53',
'ServiceExtension,8.8.8.8,53',
'nuclei,1.0.0.1,53',
'Signal Helper (Renderer),8.8.8.8,53',
'Socket Process,8.8.8.8,53',
'Telegram,8.8.8.8,53',
'WebexHelper,8.8.8.8,53',
'WhatsApp,1.1.1.1,53',
'ZaloCall,8.8.8.8,53',
'ZoomPhone,200.48.225.130,53',
'ZoomPhone,8.8.8.8,53',
'adguard_dns,1.0.0.1,53',
'brave,8.8.8.8,53',
'cg,108.177.98.95,53',
'com.docker.backend,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'coredns,0.0.0.0,53',
'coredns,8.8.8.8,53',
'distnoted,8.8.8.8,53',
'gvproxy,170.247.170.2,53',
'helm,185.199.108.133,53',
'limactl,8.8.8.8,53',
'msedge,8.8.8.8,53',
'brave,8.8.8.8,53',
'adguard_dns,1.0.0.1,53',
'helm,185.199.108.133,53',
'coredns,8.8.8.8,53',
'nuclei,1.0.0.1,53',
'plugin-container,8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'slack,8.8.8.8,53',
'zed,8.8.8.8,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'plugin-container,8.8.8.8,53',
'WhatsApp,1.1.1.1,53',
'AssetCacheLocatorService,0.0.0.0,53'
'syncthing,46.162.192.181,53',
'zed,8.8.8.8,53'
)
-- Local DNS servers and custom clients go here
AND basename NOT IN (
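Review bot: The re-sort of the `exception_key NOT IN (...)` list is mixed with the new entries, so the rendered diff no longer shows which process/server pairs this commit starts tolerating; of the 55 list lines, 23 tuples appear twice (moved) and nine appear once (`CapCut`, `Meeting Center`, `ServiceExtension`, `cg,108.177.98.95,53`, `distnoted,8.8.8.8,53`, `limactl,8.8.8.8,53`, `msedge`, `signal-desktop`, `slack`), and with 24 additions against 23 deletions exactly one of those nine is new but nothing on the page says which. Splitting the reorder from the semantic change, or leaving a comment beside the new tuple, would keep the allowlist auditable. If `distnoted,8.8.8.8,53` is the addition it deserves a why-comment, because the key is only a basename plus server and a notification daemon resolving through Google DNS is not self-evidently expected. The same reorder-plus-add pattern appears in detection/evasion/hidden-executable.sql and in the unnamed section that follows detection/execution/unexpected-execdir-macos.sql. The WHERE clause this list belongs to starts and ends outside the hunk.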
1 change: 1 addition & 0 deletions detection/c2/unexpected-talkers-linux.sql
Expand Up @@ -83,6 +83,7 @@ WHERE protocol > 0
)
AND NOT exception_key IN (
'123,17,500,chronyd,0u,0g,chronyd',
'19305,6,500,msedge,0u,0g,msedge',
'4070,6,500,spotify,u,g,spotify',
'49152,6,500,ContinuityCaptureAgent,Software Signing',
'587,6,500,perl,0u,0g,git-send-email',
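Review bot: The new key `'19305,6,500,msedge,0u,0g,msedge'` carries no hint of what TCP 19305 is, and unlike the neighbouring `chronyd` (123) or `spotify` entries the port is not self-explanatory; a comment such as `-- TCP 19305: Google Meet media from Edge (19302-19309 is the range Google publishes for Meet)` would let the next reader judge whether the exception is still wanted. The key also has no remote-host component, so any uid-500 process named msedge reaching any host on 19305 is now exempt, which matches the existing entries but is worth stating once above the list. The enclosing `NOT exception_key IN (...)` list continues outside the hunk.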
11 changes: 10 additions & 1 deletion detection/c2/unexpected-talkers-macos.sql
Expand Up @@ -103,7 +103,16 @@ WHERE pos.pid IN (
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
)
AND NOT (
unsigned_exception = '500,6,32768,gvproxy,gvproxy'
unsigned_exception IN (
'500,6,32768,gvproxy,gvproxy',
'500,17,123,gvproxy,gvproxy'
)
AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
)
AND NOT (
unsigned_exception = '500,0,0,chainlink,chainlink'
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
AND remote_port = 0
AND protocol = 0
)
GROUP BY p0.cmdline
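Review bot: In the new chainlink block the trailing `AND remote_port = 0 AND protocol = 0` look redundant with the key `'500,0,0,chainlink,chainlink'` if `unsigned_exception` is built from uid, protocol, port and names the way `'500,6,32768,gvproxy,gvproxy'` suggests; if that is so they can be dropped, and if the key is built differently the difference should be commented. The path filter `'/var/folders/%/T/go-build%/b001/exe/chainlink'` matches any `go run`-style temporary build of a binary with that name rather than a fixed install location like the gvproxy Cellar path, so a one-line comment on why an unsigned socket with `protocol = 0` from such a build is expected would help the next maintainer. The gvproxy change newly tolerates UDP 123, i.e. NTP, which a comment `-- gvproxy (podman): TCP 32768 and NTP (UDP 123)` could record beside the `IN (...)` list. The surrounding WHERE starts before the hunk.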
3 changes: 2 additions & 1 deletion detection/credentials/macos_keyboard_sniffer.sql
Expand Up @@ -79,7 +79,8 @@ WHERE
'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
'skhd,skhd,',
'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'
'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
'deskflow-server,deskflow-server,'
)
GROUP BY
p0.path
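Review bot: `'deskflow-server,deskflow-server,'` has an empty third field where the neighbouring `synergy-core` and `LinearMouse` entries pin a Developer ID, so the keyboard-sniffer detection now trusts any binary whose name and identifier are deskflow-server regardless of signer. If that is deliberate (the tool ships unsigned, as `skhd` appears to), say so next to the entry, e.g. `-- deskflow-server: Synergy's open-source successor; no signing identity yet`, so the gap is revisited once a signed build exists. The `NOT IN` list begins outside the hunk.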
15 changes: 8 additions & 7 deletions detection/evasion/hidden-executable.sql
Expand Up @@ -72,25 +72,26 @@ WHERE (
AND NOT homepath LIKE '~/%x86_64%'
AND NOT top3_dir LIKE '~/.%/extensions'
AND NOT top2_dir IN (
'~/.cursor',
'~/.dropbox-dist',
'~/.fzf',
'~/.goenv',
'~/.gradle/jdks',
'~/.krew',
'~/.local',
'~/.pnpm',
'~/.pulumi',
'~/.rbenv',
'~/.rustup',
'~/.pulumi',
'~/Code',
'~/code',
'~/.cursor',
'~/Projects',
'~/src',
'~/.sdkman',
'~/.supermaven',
'~/.terraform',
'~/.tflint.d',
'~/.vs-kubernetes',
'~/.krew'
'~/Code',
'~/Projects',
'~/code',
'~/src'
)
AND NOT top3_dir IN (
'~/.bin',
6 changes: 4 additions & 2 deletions detection/evasion/unexpected-hidden-system-paths.sql
Expand Up @@ -78,8 +78,10 @@ WHERE
'/.mozilla/',
'/tmp/.accounts-agent/',
'/tmp/.audio-agent/',
-- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82',
-- Xcode;
-- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
-- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
'/tmp/.bazelci/',
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/.content-agent/',
1 change: 1 addition & 0 deletions detection/execution/unexpected-execdir-macos.sql
Expand Up @@ -111,6 +111,7 @@ WHERE
'~/Applications (Parallels)/',
'~/bin/',
'~/.cargo/',
'~/chainguard_repos/',
'~/code/',
'~/Code/',
'~/.config/',
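Review bot: `'~/chainguard_repos/'` encodes one user's workspace name in a shared exception list whose neighbours (`~/code/`, `~/Code/`, `~/bin/`) are generic, and nothing says why executables under it are expected on every host running this query. If the project has a local-override mechanism the entry belongs there; otherwise a comment such as `-- per-user checkout directory; remove if no longer used` would keep the list reviewable. The `NOT IN` list is cut at both ends of the hunk.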
Expand Up @@ -86,11 +86,12 @@ WHERE -- Focus on longer-running programs
AND exception_key NOT IN (
'0,velociraptor,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,sdzoomplugin,,',
'500,sdaudioswitch,,',
'500,docker,docker,',
'500,gopls,a.out,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdmicmute,sdmicmute,',
'500,sdaudioswitch,sdaudioswitch,'
'500,sdzoomplugin,,'
)
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
AND NOT exception_key LIKE '500,___Test%.test,a.out'
Expand Up @@ -183,6 +183,7 @@ WHERE
'cron.com',
'discord.com',
'dl.discordapp.net',
'dl2.discordapp.net',
'dl.google.com',
'duckduckgo.com',
'dygma.com',
Expand Down Expand Up @@ -213,6 +214,7 @@ WHERE
'obsidian.md',
'obsproject.com',
'opalcamera.com',
'openai.com',
'persistent.oaistatic.com',
'portswigger-cdn.net',
'posit.co',
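Review bot: `'openai.com'` is added as a bare apex next to `'persistent.oaistatic.com'`, which suggests the list matches exact host names; if so, any other hosts the ChatGPT client resolves are not covered by this entry, and the lookup that prompted it should be named in a comment so it is clear what was observed. From a defensive standpoint an LLM API domain is a generic egress path for any process on the host, so if the surrounding query can scope the exception to a process or signer, prefer that over a global domain allow. The first hunk's `'dl2.discordapp.net'` is a plain CDN alias beside `'dl.discordapp.net'` and needs nothing. Both lists belong to a WHERE clause that starts outside the hunks.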
1 change: 1 addition & 0 deletions detection/persistence/unexpected-listening-port-linux.sql
Expand Up @@ -175,6 +175,7 @@ WHERE
'8009,6,0,java',
'80,6,0,docker-proxy',
'80,6,101,nginx',
'80,6,0,apache2',
'80,6,33,apache2',
'80,6,60,nginx',
'8080,6,0,coredns',
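Review bot: `'80,6,0,apache2'` sits beside `'80,6,33,apache2'` with no explanation of why the same daemon appears under two uids; the uid-0 entry is the Apache master process, which binds :80 as root before handing the socket to its uid-33 (www-data) workers, and a comment `-- apache2 master binds :80 as root; workers run as www-data (33)` would stop a future reader from treating the root entry as a misconfiguration. The `NOT IN` list is cut at both ends of the hunk.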
1 change: 1 addition & 0 deletions detection/persistence/unexpected-uid0-daemon-linux.sql
Expand Up @@ -313,6 +313,7 @@ WHERE
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
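Review bot: `'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,...'` reads like a typo but is the kernel's 15-character comm truncation of ubuntu-advantage-desktop-daemon, which is presumably what the `name` column carries; a comment `-- name is the kernel comm, truncated to 15 chars (TASK_COMM_LEN)` next to the entry would stop a well-meaning "fix" that silently breaks the exception. The neighbouring short names hide this rule, so it is worth noting once. The list extends beyond the hunk on both sides.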

