Add enough exceptions to make this useful

2025-01-10 07:39:26 +00:00 · 2023-01-04 11:58:54 -05:00 · 2023-01-04 11:58:54 -05:00 · 1dbd98c57e
commit 1dbd98c57e
parent 0ad0b3be8c
1 changed files with 12 additions and 2 deletions
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -12,7 +12,7 @@
 -- platform: posix
 SELECT pe.path AS child_path,
    REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
-    pe.cmdline AS child_cmd,
+    TRIM(pe.cmdline) AS child_cmd,
    pe.pid AS child_pid,
    p.cgroup_path AS child_cgroup,
    p.parent AS parent_pid,
@ -105,10 +105,20 @@ WHERE child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'osascript')
            'zellij',
            'zsh'
        )
+        OR parent_name LIKE 'terraform-provider-%'
        -- Do not add shells to this list if you want your query to detect
        -- bad programs that were started from a shell.
        OR gparent_name IN (
            'env',
            'git'
        )
-    )
+        -- Homebrew, except we don't want to allow all of ruby
+        OR child_cmd IN (
+            'sh -c /bin/stty size 2>/dev/null',
+            'sh -c python3.7 --version 2>&1',
+            'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
+        )
+        OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
+        OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
+    )
+GROUP BY pe.pid