From e487aac57405460d0178e1ffa9c312b82299b1e1 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 07:40:25 -0500
Subject: [PATCH 1/7] Add exceptions for apache2, ChatGPT, and Discord among others
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 5 ++++-
 detection/evasion/hidden-executable.sql | 3 ++-
 detection/evasion/unexpected-hidden-system-paths.sql | 6 ++++--
 .../unexpected-long-running-security-framework-macos.sql | 1 +
 .../initial_access/unexpected-diskimage-source-macos.sql | 2 ++
 detection/persistence/unexpected-listening-port-linux.sql | 1 +
 6 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 82a3ad6..8a0d78d 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -103,7 +103,10 @@ WHERE pos.pid IN (
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
 )
 AND NOT (
- unsigned_exception = '500,6,32768,gvproxy,gvproxy'
+ unsigned_exception IN (
+ '500,6,32768,gvproxy,gvproxy',
+ '500,17,123,gvproxy,gvproxy'
+ )
 AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
 )
 GROUP BY p0.cmdline
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index c165035..0e59b74 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -82,7 +82,8 @@ WHERE (
 '~/.terraform',
 '~/.tflint.d',
 '~/.vs-kubernetes',
- '~/.krew'
+ '~/.krew',
+ '~/.fzf'
 )
 AND NOT top3_dir IN (
 '~/.arkade/bin',
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index f9077a6..bc3c55a 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
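Review bot: The new `'500,17,123,gvproxy,gvproxy'` key in unexpected-talkers-macos.sql admits UDP/123 to any remote address, not just the time servers the Podman machine VM is expected to reach, so an unsigned process matching the name, parent and Homebrew path could use that port for beaconing without being flagged. Assuming the key fields are uid, protocol, port, name and parent (the existing `'500,6,32768,gvproxy,gvproxy'` entry reads that way), a comment such as `-- gvproxy relays the podman machine VM's API (TCP/32768) and NTP (UDP/123) traffic` would explain why two keys share one path check. If the query exposes a remote-address column, restricting this branch to known NTP destinations would tighten it further. The enclosing WHERE clause starts before the hunk.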
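Review bot: Adding `'~/.fzf'` to the top2_dir exclusion in hidden-executable.sql exempts the whole user-writable dot-directory rather than the single binary fzf installs, so any executable dropped under ~/.fzf would no longer be reported by this evasion check. The same query already keeps a narrower top3_dir list (`'~/.arkade/bin'` is visible in the hunk), and `'~/.fzf/bin'` there would presumably cover the legitimate install while keeping the rest of the directory in scope — worth confirming where the fzf installer actually places its binary. The enclosing WHERE clause continues outside the hunk.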
@@ -78,8 +78,10 @@ WHERE
 '/.mozilla/',
 '/tmp/.accounts-agent/',
 '/tmp/.audio-agent/',
-- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
- '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82',
+ -- Xcode;
+ -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
+ -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
+ '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
 '/tmp/.bazelci/',
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 '/tmp/.content-agent/',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 652580e..137b4ef 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -85,6 +85,7 @@ WHERE -- Focus on longer-running programs
 AND exception_key NOT IN (
 '0,velociraptor,a.out,',
 '500,cloud_sql_proxy,a.out,',
+ '500,docker,docker,',
 '500,sdzoomplugin,,',
 '500,sdaudioswitch,,',
 '500,gopls,a.out,',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index a1dc166..225e93e 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -183,6 +183,7 @@ WHERE
 'cron.com',
 'discord.com',
 'dl.discordapp.net',
+ 'dl2.discordapp.net',
 'dl.google.com',
 'duckduckgo.com',
 'dygma.com',
@@ -213,6 +214,7 @@ WHERE
 'obsidian.md',
 'obsproject.com',
 'opalcamera.com',
+ 'openai.com',
 'persistent.oaistatic.com',
 'portswigger-cdn.net',
 'posit.co',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 26d19f1..042e112 100644
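Review bot: The new `'500,docker,docker,'` key in unexpected-long-running-security-framework-macos.sql ends in an empty field, which in the neighbouring entries (`'0,velociraptor,a.out,'`, `'500,cloud_sql_proxy,a.out,'`) appears to be the code-signing authority, so this exception accepts an unsigned or ad-hoc-signed process named docker. If that is intentional (for example a locally built CLI), a comment such as `-- docker: unsigned local CLI builds; the vendor-signed binary does not need this` would stop a later reader from assuming the shipped binary is unsigned, and if the production docker binary carries a Developer ID, keying on that authority would be the stricter exception. The key layout is inferred from the visible entries; its definition is outside the hunk.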
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -175,6 +175,7 @@ WHERE
 '8009,6,0,java',
 '80,6,0,docker-proxy',
 '80,6,101,nginx',
+ '80,6,0,apache2',
 '80,6,33,apache2',
 '80,6,60,nginx',
 '8080,6,0,coredns',
From afb1facdf1c64e01652c8278190f3e84de166532 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 08:50:30 -0500
Subject: [PATCH 2/7] Add chainlink to unexpected-talkers-macos
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 8a0d78d..bfb1f71 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -109,4 +109,8 @@ WHERE pos.pid IN (
 )
 AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
 )
+ AND NOT (
+ unsigned_exception = '500,0,0,chainlink,chainlink'
+ AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
+ )
 GROUP BY p0.cmdline
From 4b47a29a2c00a4501b616c5fd2cb1118ebc584bb Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 08:57:52 -0500
Subject: [PATCH 3/7] Sort
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/evasion/hidden-executable.sql | 16 ++++++++--------
 ...ted-long-running-security-framework-macos.sql | 6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index 0e59b74..39e4f5d 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
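Review bot: `'80,6,0,apache2'` in unexpected-listening-port-linux.sql adds a root-owned listener keyed only on port and process name next to the existing `'80,6,33,apache2'` worker entry; the name is attacker-chosen, so a uid-0 implant calling itself apache2 on 80/tcp now passes this persistence check. That matches how the rest of the list is keyed (`'80,6,0,docker-proxy'`), so I would not block it, but a comment such as `-- apache2 parent presumably binds :80 as root before forking uid-33 workers` would record why uid 0 is expected here. If the query has a path column in scope, pairing the uid-0 entry with the apache2 binary path would be a cheap hardening. The enclosing WHERE clause starts before the hunk.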
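Review bot: The chainlink exception in unexpected-talkers-macos.sql is keyed on an unsigned process whose name and parent are both chainlink and whose path matches `/var/folders/%/T/go-build%/b001/exe/chainlink`; with both `%` wildcards, any `go run` build of any binary called chainlink, under any temp directory, is exempted from this C2 check. That is probably acceptable on a developer workstation, but the `'500,0,0,...'` prefix (protocol and port both 0, if the layout matches the gvproxy entry above) suggests the socket has no remote peer, and a comment stating that, e.g. `-- chainlink built via go run: unconnected socket (protocol/port 0)`, would help a reader judge the exemption. The definition of unsigned_exception and the enclosing WHERE clause are outside the hunk.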
@@ -64,26 +64,26 @@ WHERE (
 OR f.directory LIKE '%/.%'
 )
 AND NOT top2_dir IN (
+ '~/.cursor',
 '~/.dropbox-dist',
+ '~/.fzf',
 '~/.goenv',
 '~/.gradle/jdks',
+ '~/.krew',
 '~/.local',
 '~/.pnpm',
+ '~/.pulumi',
 '~/.rbenv',
 '~/.rustup',
- '~/.pulumi',
- '~/Code',
- '~/code',
- '~/.cursor',
- '~/Projects',
- '~/src',
 '~/.sdkman',
 '~/.supermaven',
 '~/.terraform',
 '~/.tflint.d',
 '~/.vs-kubernetes',
- '~/.krew',
- '~/.fzf'
+ '~/Code',
+ '~/Projects',
+ '~/code',
+ '~/src'
 )
 AND NOT top3_dir IN (
 '~/.arkade/bin',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 137b4ef..53b0524 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -86,11 +86,11 @@ WHERE -- Focus on longer-running programs
 '0,velociraptor,a.out,',
 '500,cloud_sql_proxy,a.out,',
 '500,docker,docker,',
- '500,sdzoomplugin,,',
- '500,sdaudioswitch,,',
 '500,gopls,a.out,',
+ '500,sdaudioswitch,,',
+ '500,sdaudioswitch,sdaudioswitch,',
 '500,sdmicmute,sdmicmute,',
- '500,sdaudioswitch,sdaudioswitch,'
+ '500,sdzoomplugin,,'
 )
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,___Test%.test,a.out'
From 18e9879b01eef7650726bd2be844ac79d01d063f Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 10:28:00 -0500
Subject: [PATCH 4/7] Add deskflow-server and additional repos directory
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/credentials/macos_keyboard_sniffer.sql | 3 ++-
 detection/execution/unexpected-execdir-macos.sql | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection/credentials/macos_keyboard_sniffer.sql b/detection/credentials/macos_keyboard_sniffer.sql
index e784bd9..a5238ab 100644
--- a/detection/credentials/macos_keyboard_sniffer.sql
+++ b/detection/credentials/macos_keyboard_sniffer.sql
@@ -79,7 +79,8 @@ WHERE
 'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
 'skhd,skhd,',
 'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
- 'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'
+ 'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
+ 'deskflow-server,deskflow-server,'
 )
 GROUP BY p0.path
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 9964959..c91bbcf 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -111,6 +111,7 @@ WHERE
 '~/Applications (Parallels)/',
 '~/bin/',
 '~/.cargo/',
+ '~/chainguard_repos/',
 '~/code/',
 '~/Code/',
 '~/.config/',
From 4abd265459d70846d388c48c7028fba8daf860bf Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 11:33:49 -0500
Subject: [PATCH 5/7] Address PR comments
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index bfb1f71..6b8962e 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -112,5 +112,7 @@ WHERE pos.pid IN (
 AND NOT (
 unsigned_exception = '500,0,0,chainlink,chainlink'
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
+ AND remote_port = 0
+ AND protocol = 0
 )
 GROUP BY p0.cmdline
From 5acc2b922c5c0dff8bf0d63062953f5fd4a4bb97 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 11:35:32 -0500
Subject: [PATCH 6/7] Add msedge
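Review bot: `'deskflow-server,deskflow-server,'` in macos_keyboard_sniffer.sql has an empty third field where the neighbouring entries carry a Developer ID authority (`'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'`), so this keyboard-monitoring detection now exempts any unsigned process that names itself deskflow-server. A process name is trivially chosen by malware, and a credential-access query is the wrong place for a name-only exception, so I would either key on the signing authority the Deskflow release ships with, or — if the build in use is genuinely unsigned — pair the entry with a path constraint the way unexpected-talkers-macos.sql does for gvproxy, plus a comment such as `-- deskflow-server: unsigned local build; replace with its Developer ID once a signed release is used`. The enclosing WHERE clause starts before the hunk.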
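Review bot: The two new predicates `AND remote_port = 0` / `AND protocol = 0` in unexpected-talkers-macos.sql look redundant with the `'500,0,0,chainlink,chainlink'` key two lines above, if that key is assembled from uid, protocol and port as the gvproxy entries (`'500,17,123,gvproxy,gvproxy'`) suggest. If they really are the same values, one form should go; if the explicit columns are a deliberate guard against the key format drifting, a short comment such as `-- explicit columns: only an unconnected socket may match this exception` would make that intent survive the next review. The key's construction is outside the hunk, so this is inferred from the visible entries.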
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-linux.sql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index e5b5599..d63bffa 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -83,6 +83,7 @@ WHERE protocol > 0
 )
 AND NOT exception_key IN (
 '123,17,500,chronyd,0u,0g,chronyd',
+ '19305,6,500,msedge,0u,0g,msedge',
 '4070,6,500,spotify,u,g,spotify',
 '49152,6,500,ContinuityCaptureAgent,Software Signing',
 '587,6,500,perl,0u,0g,git-send-email',
From 1d7a67da0f7d9d4920f14a22a3ca31a21e43a50a Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 13:06:38 -0500
Subject: [PATCH 7/7] Add cg to unexpected-dns-traffic-events, add ubuntu-advantage
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 .../c2/unexpected-dns-traffic-events.sql | 47 ++++++++++---------
 .../unexpected-uid0-daemon-linux.sql | 1 +
 2 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 3a83f32..213523e 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
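Review bot: `'19305,6,500,msedge,0u,0g,msedge'` in unexpected-talkers-linux.sql exempts Edge on TCP/19305 without saying what that port is; unlike 123/chronyd or 587/git-send-email in the same list, the purpose is not self-evident from the entry. A comment such as `-- 19305/tcp: Google Meet media (WebRTC) from Edge` would let a future reader retire the entry when it no longer applies — I believe that is the service behind this port, but it should be confirmed before the comment is written. The `0u,0g` fields follow the existing chronyd entry, so nothing to change there.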
@@ -76,37 +76,38 @@ WHERE
 -- Exceptions that specifically talk to one server
 AND exception_key NOT IN (
- 'coredns,0.0.0.0,53',
- 'syncthing,46.162.192.181,53',
- 'Socket Process,8.8.8.8,53',
- 'com.docker.backend,8.8.8.8,53',
- 'ZoomPhone,8.8.8.8,53',
- 'ZoomPhone,200.48.225.130,53',
- 'gvproxy,170.247.170.2,53',
+ 'AssetCacheLocatorService,0.0.0.0,53',
 'CapCut,8.8.8.8,53',
- 'ZaloCall,8.8.8.8,53',
- 'Telegram,8.8.8.8,53',
- 'com.docker.vpnkit,8.8.8.8,53',
- 'WebexHelper,8.8.8.8,53',
+ 'EpicWebHelper,8.8.4.4,53',
+ 'EpicWebHelper,8.8.8.8,53',
 'Meeting Center,8.8.8.8,53',
 'ServiceExtension,8.8.8.8,53',
- 'nuclei,1.0.0.1,53',
+ 'Signal Helper (Renderer),8.8.8.8,53',
+ 'Socket Process,8.8.8.8,53',
+ 'Telegram,8.8.8.8,53',
+ 'WebexHelper,8.8.8.8,53',
+ 'WhatsApp,1.1.1.1,53',
+ 'ZaloCall,8.8.8.8,53',
+ 'ZoomPhone,200.48.225.130,53',
+ 'ZoomPhone,8.8.8.8,53',
+ 'adguard_dns,1.0.0.1,53',
+ 'brave,8.8.8.8,53',
+ 'cg,108.177.98.95,53',
+ 'com.docker.backend,8.8.8.8,53',
+ 'com.docker.vpnkit,8.8.8.8,53',
+ 'coredns,0.0.0.0,53',
+ 'coredns,8.8.8.8,53',
 'distnoted,8.8.8.8,53',
+ 'gvproxy,170.247.170.2,53',
+ 'helm,185.199.108.133,53',
 'limactl,8.8.8.8,53',
 'msedge,8.8.8.8,53',
- 'brave,8.8.8.8,53',
- 'adguard_dns,1.0.0.1,53',
- 'helm,185.199.108.133,53',
- 'coredns,8.8.8.8,53',
+ 'nuclei,1.0.0.1,53',
+ 'plugin-container,8.8.8.8,53',
 'signal-desktop,8.8.8.8,53',
 'slack,8.8.8.8,53',
- 'zed,8.8.8.8,53',
- 'EpicWebHelper,8.8.4.4,53',
- 'EpicWebHelper,8.8.8.8,53',
- 'Signal Helper (Renderer),8.8.8.8,53',
- 'plugin-container,8.8.8.8,53',
- 'WhatsApp,1.1.1.1,53',
- 'AssetCacheLocatorService,0.0.0.0,53'
+ 'syncthing,46.162.192.181,53',
+ 'zed,8.8.8.8,53'
 )
 -- Local DNS servers and custom clients go here
 AND basename NOT IN (
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 7401ab1..9d5c80a 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
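Review bot: `'cg,108.177.98.95,53'` in unexpected-dns-traffic-events.sql is the only functional change in an otherwise sort-only hunk, and it silences a bare process name talking DNS to a single resolver that is not one of the public ones the rest of the list uses (8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1) — the same shape a DNS-tunnelling client would present. If `cg` is the Chainguard CLI and that address (which appears to sit in Google's range) is a resolver it is pinned to, a comment such as `-- cg: Chainguard CLI resolving via its pinned Google-hosted resolver` would tie the exception to the tool so it is retired with it; as written, any process named cg querying that host passes. Burying a behavioural change in a sort commit also makes it easy to miss in review, so it is worth splitting next time. The enclosing WHERE clause continues outside the hunk.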
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -313,6 +313,7 @@ WHERE
 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
+ 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
 'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
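Review bot: The first field of the new entry in unexpected-uid0-daemon-linux.sql, `ubuntu-advantag`, is cut to 15 characters while the path and unit name spell out `ubuntu-advantage-desktop-daemon` in full; that is consistent with the kernel's 15-byte comm limit, but nothing on the line says so, and the next maintainer may "fix" the apparent typo and silently break the match. A comment such as `-- comm is truncated to 15 chars by the kernel; keep as-is` would prevent that. Whether the first field really is the comm name rather than a basename is not visible in this hunk, so confirm before wording the comment.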