Ignore syncthing, nuclei, fix typos

2024-12-17 19:44:31 +00:00 · 2023-12-15 17:19:38 -05:00 · 2023-12-15 17:19:38 -05:00 · 202ce6be45
commit 202ce6be45
parent 8b9894ec74
4 changed files with 5 additions and 3 deletions
--- a/detection/evasion/hidden-home-libappsupport.sql
+++ b/detection/evasion/hidden-home-libappsupport.sql
@ -52,6 +52,7 @@ WHERE
    '~/Library/Application Support/CleanMyMac X Menu',
    '~/Library/Application Support/CleanMyMac X',
    '~/Library/Application Support/Code',
+    '~/Library/Application Support/nuclei',
    '~/Library/Application Support/Docker Desktop',
    '~/Library/Application Support/DropboxElectron',
    '~/Library/Application Support/GitHub Desktop',
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@ -183,7 +183,7 @@ WHERE
    '/Users/Shared/LogiOptionsPlus/cache',
    '/Users/Shared/Red Giant/Uninstall'
  )
-  AND NOT directory LIKE '/Users/%/.docker/cli-plugins'
-  AND NOT directory LIKE '/Users/%/.nix-profile/bin'
+  AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
+  AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
 GROUP BY
  f.path
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -65,7 +65,7 @@ WHERE
    SELECT
      pid
    FROM
-      processesP
+      processes
    WHERE
      pid > 0
      AND REGEX_MATCH (
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@ -54,6 +54,7 @@ WHERE
  AND NOT exception_key IN (
    '10011,6,0,launchd,Software Signing',
    '10011,6,0,webfilterproxyd,Software Signing',
+    '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
    '1024,6,0,systemmigrationd,Software Signing',
    '1313,6,500,hugo,',
    '1338,6,500,registry,',