From 71282a0a62ab33aa8085993488bbf1b4cdf038bb Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 11 Oct 2024 10:38:07 -0400
Subject: [PATCH] Relax checks enough to pass tests

---
 detection/evasion/unexpected-process-extension-linux.sql | 1 +
 detection/evasion/unusual-executable-name-linux.sql | 2 +-
 .../recently-created-executables-long-lived-linux.sql | 2 +-
 .../recently-created-executables-long-lived-macos.sql | 2 +-
 detection/initial_access/unexpected-shell-parents.sql | 3 ++-
 5 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
index ee7cfd6..b36416b 100644
--- a/detection/evasion/unexpected-process-extension-linux.sql
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -79,6 +79,7 @@ WHERE
 'nox',
 'basic',
 'real',
+ 'test',
 'AppImage',
 'ext'
 )
diff --git a/detection/evasion/unusual-executable-name-linux.sql b/detection/evasion/unusual-executable-name-linux.sql
index 49172b2..0731252 100644
--- a/detection/evasion/unusual-executable-name-linux.sql
+++ b/detection/evasion/unusual-executable-name-linux.sql
@@ -84,7 +84,7 @@ WHERE
 REGEX_MATCH (pname, "(\W)$", 1) != ""
 AND pname NOT LIKE "%)"
 )
- AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
+ AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")
 )
 AND NOT pname LIKE '.%-wrapped'
 AND NOT pname LIKE '__debug_bin%'
diff --git a/detection/execution/recently-created-executables-long-lived-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql
index 2579ca4..871332f 100644
--- a/detection/execution/recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/recently-created-executables-long-lived-linux.sql
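Review bot: The new `'test'` entry in the extension allowlist carries no comment saying which legitimate binaries produce it, and because the extension is chosen by whoever names the file, an unexplained allowlist entry is a standing blind spot in this evasion rule; the second hunk (unusual-executable-name-linux.sql, `pext NOT IN (...)`) adds the same value with the same gap. At minimum record the trigger next to the value, e.g. `'test', -- <placeholder: build/test tooling that emits *.test binaries>`, so the exception can be revisited when that tooling changes. If the surrounding query exposes the binary's directory or parent, scoping the exception to those rather than to the bare extension would keep the check meaningful. The enclosing `WHERE` clause starts and ends outside this hunk.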
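Review bot: The rewritten `pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")` line keeps double-quoted string literals, which SQLite (osquery's engine) accepts only as a legacy fallback when the identifier does not resolve to a column and which can be disabled at build time; the sibling hunk in unexpected-process-extension-linux.sql uses single quotes for the same kind of value. Since the line is being touched anyway, write it as `AND pext NOT IN ('', 'gui', 'cli', 'us', 'node', 'com', 'test')`. The unchanged `REGEX_MATCH (pname, "(\W)$", 1) != ""` context line above has the same quoting and could be fixed in the same pass. The enclosing condition begins before this hunk.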
@@ -45,7 +45,7 @@ WHERE
 p0.start_time > 0
 AND f.ctime > 0
 AND p0.start_time > (strftime('%s', 'now') - 43200)
- AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
+ AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
 AND p0.start_time >= MAX(f.ctime, f.ctime)
 AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps -- These are binaries that are known to get updated and subsequently executed
diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql
index 4b4bd25..16ca878 100644
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@@ -78,7 +78,7 @@ WHERE
 AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
 AND NOT path LIKE '%/cloud_sql_proxy'
 )
- AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
+ AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
 AND f.ctime > 0
 AND NOT (
 p0.euid > 499
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 7e5abdf..f99114c 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -7,7 +7,7 @@
 -- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 -- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: process events
+-- tags: process events extra
 -- interval: 60
 -- platform: posix
 SELECT
@@ -186,6 +186,7 @@ WHERE
 'zellij',
 'zsh'
 )
+ AND p1_path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
 AND p1_path NOT IN (
 '/Applications/Docker.app/Contents/MacOS/Docker',
 '/Applications/Docker.app/Contents/MacOS/install',
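Review bot: The threshold on the changed line is a bare magic number: `< 10800` replaces `< 1200` with nothing stating the unit is seconds or why three hours rather than twenty minutes is the new bound, and the macOS hunk (recently-created-executables-long-lived-macos.sql) changes the identical expression, so the two rules will only stay aligned if someone remembers both. Note also that `< 10800` admits strictly more rows than `< 1200`, so this widens what the rule reports rather than narrowing it, which is worth spelling out given the commit title speaks of relaxing checks. Put the rationale on the line in both files, e.g. `AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800 -- started within 3h of binary creation; <placeholder: reason for widening from 20m>`. Separately, the unchanged context line `AND p0.start_time >= MAX(f.ctime, f.ctime)` compares ctime with itself and looks like it was meant to be `MAX(f.ctime, f.btime)`; worth confirming while the file is open. The `WHERE` clause continues beyond this hunk.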
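Review bot: The added exclusion `AND p1_path NOT LIKE '/Applications/%.app/Contents/MacOS/%'` suppresses any shell whose parent is the main executable of any app bundle, which is the shape of the T1204/002 user-execution case this rule cites in its own header, and it makes the per-binary `NOT IN` list that follows (`/Applications/Docker.app/Contents/MacOS/Docker`, `.../install`) redundant since those paths already match the pattern. If the goal is to quiet specific apps, extending the explicit list is the narrower change; if a wildcard is genuinely needed, pair it with whatever trust signal the query already joins (signing or ownership columns, if present) rather than the path alone, and say so in a comment above the line. The first hunk in this file only retags the rule (`tags: process events extra`), which appears to lower its priority, so the commit both downgrades and broadens the rule at once; a one-line note in the header explaining the intent would help the next reader. The `WHERE` clause continues outside this hunk.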