From 89315309010b366bd6f71492ef52e2beadb535d4 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 4 Nov 2022 11:52:24 -0400
Subject: [PATCH] Populate the initial set of exceptions

---
 detection/evasion/hidden-home-library-dir.sql | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql
index ae59a93..659d76f 100644
--- a/detection/evasion/hidden-home-library-dir.sql
+++ b/detection/evasion/hidden-home-library-dir.sql
@@ -15,18 +15,34 @@ SELECT
 file.mtime,
 file.uid,
 file.ctime,
+ REPLACE(file.directory, u.directory, '~') AS homedir,
 file.gid,
 hash.sha256,
- magic.data
+ magic.data,
+ signature.identifier,
+ signature.authority
 FROM file
 LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN users u ON file.uid = u.uid
 LEFT JOIN magic ON file.path = magic.path
+ LEFT JOIN signature ON file.path = signature.path
 WHERE (
- file.path LIKE '/Users/%/Library/%%/.%/%'
- OR file.path LIKE '/Users/%/Library/.%/%'
- OR file.path LIKE '/home/%/Library/%%/.%/.%'
+ file.path LIKE '/Users/%/Library/%%/.%/%%'
+ OR file.path LIKE '/Users/%/Library/.%/%%'
+ OR file.path LIKE '/Users/%/Library/%%/.%/.%'
 )
 AND file.path NOT LIKE '%/../%'
 AND file.path NOT LIKE '%/./%'
+AND NOT homedir IN (
+ '~/Library/Accessibility/.com.apple.RTTTranscripts_SUPPORT/_EXTERNAL_DATA',
+ '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
+ '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+ '~/Library/Group Containers/.SiriTodayViewExtension/Library',
+ '~/Library/Group Containers/.SiriTodayViewExtension',
+ '~/Library/Caches/.sigstore/gitsign',
+ '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
+ '~/Library/GroupContainersAlias/.SiriTodayViewExtension'
+)
+AND NOT homedir LIKE '~/Library/.icedove/%'