From 46ef9668d7073fb188e354ef63f59062907fb288 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 30 Oct 2022 09:39:48 -0400
Subject: [PATCH] Add exception for 'go run'
---
 detection/c2/unexpected-https-client-linux.sql | 4 ++++
 detection/evasion/touched-executable-linux.sql | 1 +
 2 files changed, 5 insertions(+)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 7e270f4..8541d9e 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -136,5 +136,9 @@ WHERE
 AND s.remote_address LIKE '151.101.%'
 AND s.state = 'ESTABLISHED'
 )
+ AND NOT (
+ exception_key = '500,/tmp/main,500u,500g,main'
+ AND p.path LIKE '/tmp/go-build%/exe/main'
+ )
 GROUP BY p.cmdline
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index a27e746..4c0904c 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -34,5 +34,6 @@ WHERE
 AND f.path NOT LIKE '/snap/%'
 AND f.path NOT LIKE '/home/%'
 AND f.path != '/usr/local/bin/chainctl'
+ AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 GROUP by p.pid
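Review bot: The new exception in unexpected-https-client-linux.sql is anchored on a path pattern under /tmp, a directory any local user can populate, and because `%` in LIKE also matches `/`, `/tmp/go-build%/exe/main` accepts any binary named `main` anywhere below a `/tmp/go-build*` prefix; the same pattern is reused in touched-executable-linux.sql in this patch. The `exception_key` conjunct does narrow this hunk to a single uid/name tuple, but that tuple is host-specific (uid 500), so on other hosts the exception silently never fires and on this host it is satisfied by any uid-500 process named `main` under that prefix. If the query already exposes the parent process, tying the exception to a `go` parent would fit `go run` more tightly than the path alone; I cannot see the earlier part of the WHERE clause from the hunk, so this is conditional on that join existing. Either way the added lines deserve a why-comment, e.g. `-- go run: compiles the main package into a per-invocation temp dir and execs it from there`.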
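Review bot: The added `AND f.path NOT LIKE '/tmp/go-build%/exe/main'` in touched-executable-linux.sql carries no uid, name or parent qualifier, unlike the companion change to the c2 query in this same patch, so every executable under a `/tmp/go-build*` path is dropped from this detection for all users on the host. This query exists to surface executables with tampered timestamps, and an unconditional carve-out in a world-writable location is the weakest place to put one; the other exclusions in the hunk (`/snap/`, `/usr/local/bin/chainctl`) are root-owned paths, which is a materially different risk. Consider mirroring the c2 file's guard by wrapping the new predicate in an `AND NOT ( ... AND <process/user qualifier> )` block rather than a bare `NOT LIKE`, and add a comment such as `-- go run: short-lived binaries built under $TMPDIR`. The enclosing WHERE clause starts outside the hunk, so I cannot confirm which process columns are available to qualify on.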