From 29d563f2dfd0d04ae4dd2d6b28f903cee45b006e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 20 Jan 2023 09:29:10 -0500
Subject: [PATCH] Add more examples of legit executables, namely ibus-* and *Manager
---
.../recently-created-executables-linux.sql | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index a506f11..c53cf8f 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -58,9 +58,11 @@ WHERE
 '/usr/bin/docker',
 '/usr/bin/dockerd',
 '/usr/bin/docker-proxy',
- '/usr/bin/gedit',
- '/usr/bin/gnome-keyring-daemon',
 '/usr/bin/fusermount3',
+ '/usr/bin/gedit',
+ '/usr/bin/gjs-console',
+ '/usr/bin/gnome-keyring-daemon',
+ '/usr/bin/ibus-daemon',
 '/usr/bin/kbfsfuse',
 '/usr/bin/keybase',
 '/usr/bin/keybase-redirector',
@@ -70,6 +72,7 @@ WHERE
 '/usr/bin/pavucontrol',
 '/usr/bin/pipewire',
 '/usr/bin/pipewire-pulse',
+ '/usr/bin/python3.11',
 '/usr/bin/rpi-imager',
 '/usr/bin/snap',
 '/usr/bin/tailscaled',
@@ -85,10 +88,14 @@ WHERE
 '/usr/libexec/bluetooth/bluetoothd',
 '/usr/libexec/docker/docker-proxy',
 '/usr/libexec/fwupd/fwupd',
+ '/usr/libexec/ibus-dconf',
+ '/usr/libexec/ibus-engine-simple',
+ '/usr/libexec/ibus-extension-gtk3',
+ '/usr/libexec/ibus-portal',
+ '/usr/libexec/ibus-x11',
 '/usr/libexec/snapd/snapd',
 '/usr/libexec/sssd/sssd_kcm',
 '/usr/libexec/tracker-extract-3',
- '/usr/lib/tracker-extract-3',
 '/usr/libexec/tracker-miner-fs-3',
 '/usr/lib/flatpak-session-helper',
 '/usr/lib/fwupd/fwupd',
@@ -110,6 +117,7 @@ WHERE
 '/usr/lib/systemd/systemd-timesyncd',
 '/usr/lib/systemd/systemd-userdbd',
 '/usr/lib/systemd/systemd-userwork',
+ '/usr/lib/tracker-extract-3',
 '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
 '/usr/lib/xdg-desktop-portal-gtk',
 '/usr/lib/xf86-video-intel-backlight-helper',
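Review bot: `'/usr/bin/python3.11'` in the second hunk pins the exclusion to one interpreter minor version, so the next distro bump (python3.12) will make this rule fire again on a routine package upgrade while the stale 3.11 entry lingers in the list. If the list is matched against a path column (the surrounding `WHERE` starts before this hunk, so that is inferred), a separate prefix clause such as `NOT LIKE '/usr/bin/python3.%'` on the same column would track the whole family instead; note it also exempts anything an attacker plants under such a name, which is the same trade-off every path-only entry in this list already makes. Either way, a one-line comment on the entry stating why a general-purpose interpreter is excluded from a "recently created executables" rule would help the next reviewer.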
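Review bot: The five `/usr/libexec/ibus-*` helpers in the third hunk are listed one by one, so the next ibus component, or the same helpers on a distribution that installs them under a different prefix, will trigger the rule again; only the `/usr/libexec` paths are covered here. A prefix match such as `NOT LIKE '/usr/libexec/ibus-%'` on the same column would stop that churn, at the cost of exempting any file an attacker names `ibus-…` in that directory, so the exact-path form added here is the stricter choice. Whichever is kept, a short comment above the group saying which trade-off was chosen would help whoever extends the list next. The enclosing `WHERE` clause starts before this hunk.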
@@ -118,6 +126,8 @@ WHERE
 '/usr/sbin/avahi-daemon',
 '/usr/sbin/chronyd',
 '/usr/sbin/cupsd',
+ '/usr/sbin/ModemManager',
+ '/usr/sbin/NetworkManager',
 '/usr/sbin/rngd',
 '/usr/sbin/tailscaled',
 '/usr/share/code/chrome_crashpad_handler',