From 4b47a29a2c00a4501b616c5fd2cb1118ebc584bb Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 08:57:52 -0500
Subject: [PATCH] Sort

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/evasion/hidden-executable.sql | 16 ++++++++--------
 ...ted-long-running-security-framework-macos.sql | 6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index 0e59b74..39e4f5d 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -64,26 +64,26 @@ WHERE (
 OR f.directory LIKE '%/.%'
 )
 AND NOT top2_dir IN (
+ '~/.cursor',
 '~/.dropbox-dist',
+ '~/.fzf',
 '~/.goenv',
 '~/.gradle/jdks',
+ '~/.krew',
 '~/.local',
 '~/.pnpm',
+ '~/.pulumi',
 '~/.rbenv',
 '~/.rustup',
- '~/.pulumi',
- '~/Code',
- '~/code',
- '~/.cursor',
- '~/Projects',
- '~/src',
 '~/.sdkman',
 '~/.supermaven',
 '~/.terraform',
 '~/.tflint.d',
 '~/.vs-kubernetes',
- '~/.krew',
- '~/.fzf'
+ '~/Code',
+ '~/Projects',
+ '~/code',
+ '~/src'
 )
 AND NOT top3_dir IN (
 '~/.arkade/bin',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 137b4ef..53b0524 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -86,11 +86,11 @@ WHERE -- Focus on longer-running programs
 '0,velociraptor,a.out,',
 '500,cloud_sql_proxy,a.out,',
 '500,docker,docker,',
- '500,sdzoomplugin,,',
- '500,sdaudioswitch,,',
 '500,gopls,a.out,',
+ '500,sdaudioswitch,,',
+ '500,sdaudioswitch,sdaudioswitch,',
 '500,sdmicmute,sdmicmute,',
- '500,sdaudioswitch,sdaudioswitch,'
+ '500,sdzoomplugin,,'
 )
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,___Test%.test,a.out'
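Review bot: The `'~/.local',` context entry in the re-sorted `top2_dir` exclusion list is much broader than its neighbours: if `top2_dir` is the first two path components, as the name suggests but the hunk does not show, it exempts every dot-prefixed executable anywhere under that prefix rather than one tool's install directory like `'~/.gradle/jdks'`. If only a specific subtree is meant, the entry belongs in the `top3_dir` list below with the subdirectory spelled out, so the exception stays as narrow as the others. The new ordering is also byte order rather than case-insensitive, which is why `'~/Code'` and `'~/code'` now sit apart; a line comment above the list, `-- keep byte-sorted (uppercase before lowercase); IN is case-sensitive on these paths`, would keep the next edit from re-sorting it differently. The enclosing WHERE clause starts before the hunk and continues past it.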
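Review bot: The two `sdaudioswitch` entries added by this hunk, `'500,sdaudioswitch,,'` and `'500,sdaudioswitch,sdaudioswitch,'`, now sit next to each other and look like a duplicate, yet because `exception_key` is compared by exact `IN` membership they are distinct keys and both are needed; nothing in the hunk explains the third field, so a later cleanup could drop one. A comment above the list such as `-- exception_key is '<first field>,<process name>,<third field>,'; entries differing only in the third field are separate keys` would make the pairing deliberate — the first field looks like a uid and the third like a signing or parent identity, but confirm against the key's definition, which is outside the hunk, before naming them. Noting the list is byte-sorted would also explain why `'0,velociraptor,a.out,'` precedes the `500,` entries. The enclosing WHERE clause starts before the hunk and continues past it.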