Add exception for 'go run'

2025-01-07 05:49:28 +00:00 · 2022-10-30 09:39:48 -04:00 · 2022-10-30 09:39:48 -04:00 · 46ef9668d7
commit 46ef9668d7
parent 889ad9a5fd
2 changed files with 5 additions and 0 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -136,5 +136,9 @@ WHERE
    AND s.remote_address LIKE '151.101.%'
    AND s.state = 'ESTABLISHED'
  )
+  AND NOT (
+    exception_key = '500,/tmp/main,500u,500g,main'
+    AND p.path LIKE '/tmp/go-build%/exe/main'
+  )
 GROUP BY
  p.cmdline
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -34,5 +34,6 @@ WHERE
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/home/%'
  AND f.path != '/usr/local/bin/chainctl'
+  AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 GROUP by
  p.pid