Merge pull request #75 from tstromberg/more-flushing2

Add exceptions for terraform, hugo, macOS updates
2025-01-10 07:39:26 +00:00 · 2022-11-08 14:33:24 -05:00 · 2022-11-08 14:33:24 -05:00 · 0513cf159f
commit 0513cf159f
parent 5457c7584a c9605d1c98
7 changed files with 9 additions and 0 deletions
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -97,6 +97,7 @@ WHERE
  AND NOT name IN (
    'chrome',
    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
+    'com.apple.NRD.UpdateBrainService',
    'containerd',
    'cargo',
    'esbuild',
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@ -46,6 +46,7 @@ WHERE
  AND dirname NOT LIKE '/usr/local/%libexec'
  and dirname NOT LIKE '/usr/local/Cellar/%'
  AND dirname NOT LIKE '/usr/lib/%'
+  AND dirname NOT LIKE '%/.terraform/providers/%'
  AND dirname NOT LIKE '/usr/lib64/%'
  AND dirname NOT LIKE '/tmp/%/bin'
  AND dirname NOT LIKE '/usr/local/go/pkg/tool/%'
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -137,6 +137,7 @@ WHERE
  AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
  AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
  AND dir NOT LIKE '/private/var/folders/%/bin'
+  AND dir NOT LIKE '%/.terraform/providers/%'
  AND dir NOT LIKE '/private/var/folders/%/Contents/%'
  AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
  AND dir NOT LIKE '/private/var/folders/%/go-build%'
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
@ -58,6 +58,7 @@ WHERE
  AND dirname NOT LIKE '/nix/store/%'
  AND dirname NOT LIKE '/opt/%'
  AND dirname NOT LIKE '/snap/%'
+  AND dirname NOT LIKE '%/.terraform/providers/%'
  AND dirname NOT LIKE '/tmp/%/bin'
  AND dirname NOT LIKE '/tmp/go-build%'
  AND dirname NOT LIKE '/usr/lib/%'
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -108,6 +108,7 @@ WHERE
    '~/Library/',
    '~/.local/',
    '~/projects/',
+    '~/git/',
    '~/src/',
    '~/.tflint.d/',
    '~/.vscode/',
@ -131,6 +132,7 @@ WHERE
  AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
  AND dir NOT LIKE '/private/var/folders/%/go-build%'
  AND dir NOT LIKE '/private/var/folders/%/GoLand'
+  AND dir NOT LIKE '%/.terraform/providers/%'
  AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
  AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
  AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -43,6 +43,7 @@ WHERE
    'fleet_backend',
    'fsdaemon',
    'GoogleSoftwareUpdateAgent',
+    'com.apple.NRD.UpdateBrainService',
    'gopls',
    'grype',
    'java',
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -132,7 +132,9 @@ WHERE
  )
  AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
  AND NOT p.cmdline LIKE '%gcloud config config-helper%'
+  AND NOT p.cmdline LIKE '%hugo/hugo server%'
  AND NOT pp.cmdline LIKE '/Applications/Warp.app/%'
+  AND NOT pp.cmdline = 'npm run start'
  AND NOT pp.cmdline LIKE '%brew.rb%'
  AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%'
  AND NOT pp.cmdline LIKE '%Code Helper%'