From 202ce6be45ac7c8a4f78b92bc265a638d34bafaf Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 15 Dec 2023 17:19:38 -0500
Subject: [PATCH] Ignore syncthing, nuclei, fix typos

---
 detection/evasion/hidden-home-libappsupport.sql | 1 +
 detection/evasion/unexpected-user-executables-macos.sql | 4 ++--
 detection/execution/unexpected-execdir-macos.sql | 2 +-
 detection/persistence/unexpected-listening-port-macos.sql | 1 +
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql
index 85c35dd..cb00c41 100644
--- a/detection/evasion/hidden-home-libappsupport.sql
+++ b/detection/evasion/hidden-home-libappsupport.sql
@@ -52,6 +52,7 @@ WHERE
 '~/Library/Application Support/CleanMyMac X Menu',
 '~/Library/Application Support/CleanMyMac X',
 '~/Library/Application Support/Code',
+ '~/Library/Application Support/nuclei',
 '~/Library/Application Support/Docker Desktop',
 '~/Library/Application Support/DropboxElectron',
 '~/Library/Application Support/GitHub Desktop',
diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index fb1f39a..a4db4a4 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@@ -183,7 +183,7 @@ WHERE
 '/Users/Shared/LogiOptionsPlus/cache',
 '/Users/Shared/Red Giant/Uninstall'
 )
- AND NOT directory LIKE '/Users/%/.docker/cli-plugins'
- AND NOT directory LIKE '/Users/%/.nix-profile/bin'
+ AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
+ AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
 GROUP BY
 f.path
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 5c19880..2ed728d 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
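Review bot: The new `'~/Library/Application Support/nuclei'` exception is a bare path match — any directory of that name under Application Support drops out of this rule with no owner, signer or content check, unlike the signer-bound exception key added elsewhere in this commit. If nuclei is expected on these hosts, record that next to the entry, e.g. `-- nuclei: <who installs it / why expected — TODO confirm>`, so a later reader can judge whether the carve-out is still warranted. The surrounding list appears to be kept in roughly alphabetical order and `nuclei` lands between `Code` and `Docker Desktop`; placing it after the `G…` entries keeps future merges clean. The enclosing WHERE clause starts and ends outside this hunk.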
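Review bot: Both rewritten `LIKE` exceptions still let `%` span path separators, so `'/Users/%/.docker/cli-plugins'` excludes every directory under `/Users` that ends in `.docker/cli-plugins` at any depth, not only the per-user one; qualifying the column as `f.directory` does not narrow that. If one home-directory level is the intent, a second pattern pins it: `AND NOT (f.directory LIKE '/Users/%/.docker/cli-plugins' AND f.directory NOT LIKE '/Users/%/%/.docker/cli-plugins')`, and likewise for `.nix-profile/bin`. The enclosing query's SELECT and FROM are outside this hunk.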
@@ -65,7 +65,7 @@ WHERE
 SELECT
 pid
 FROM
- processesP
+ processes
 WHERE
 pid > 0
 AND REGEX_MATCH (
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index f42cde8..3442132 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -54,6 +54,7 @@ WHERE
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
 '10011,6,0,webfilterproxyd,Software Signing',
+ '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
 '1024,6,0,systemmigrationd,Software Signing',
 '1313,6,500,hugo,',
 '1338,6,500,registry,',
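Review bot: The new syncthing key is inserted out of order: the visible neighbours (`'10011…'`, `'1024…'`, `'1313…'`, `'1338…'`) read as sorted by the port string, under which `'22000…'` belongs after `'1338…'`, and keeping the list sorted avoids duplicate entries on later merges. Binding the exception to port, protocol, uid, process name and Developer ID signer is the right shape for this list; a short comment next to the entry, e.g. `-- syncthing sync protocol (default listening port)`, would record why 22000 is expected. The enclosing WHERE clause starts outside this hunk and the IN list continues past it.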