From 78ec36eca0a0d10160145d4bb526b164a50a3d4a Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 20 Nov 2024 14:02:05 -0600
Subject: [PATCH] Add elastic-endpoint

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/evasion/touched-executable-linux.sql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 40e766b..dda67a0 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -57,5 +57,6 @@ WHERE
 AND f.path NOT LIKE '%/go/bin/%'
 AND f.path NOT LIKE '%/osqueryi'
 AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
+ AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
 GROUP by
 p.pid
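Review bot: The new exclusion uses `NOT LIKE` on a literal path with no wildcard, and in SQLite (which osquery queries run on) `LIKE` is case-insensitive for ASCII by default, so it suppresses more than the one exact path on a case-sensitive Linux filesystem. An exact comparison keeps the allowlist as narrow as intended: `AND f.path != '/var/opt/Elastic/Endpoint/elastic-endpoint'`. Because this is a path-only exception in an evasion detection, anything running from that path is no longer reported. If the part of the query outside this hunk exposes owner or hash columns, consider pairing the path with one of them. A short comment saying why the agent trips the rule would help whoever audits the exclusion list later, for example `-- elastic-endpoint: EDR agent binary, matches this rule on <reason>`. The WHERE clause starts above the hunk, so the exact columns available could not be checked from here.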