From c9605d1c98c9da6847579b9d8726a42eb5902714 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 8 Nov 2022 14:32:38 -0500
Subject: [PATCH] Add exceptions for terraform, hugo, macOS updates

---
 detection/collection/high-disk-bytes-written.sql | 1 +
 detection/execution/unexpected-execdir-events-linux.sql | 1 +
 detection/execution/unexpected-execdir-events-macos.sql | 1 +
 detection/execution/unexpected-execdir-linux.sql | 1 +
 detection/execution/unexpected-execdir-macos.sql | 2 ++
 detection/exfil/high_disk_bytes_read.sql | 1 +
 detection/initial_access/unexpected-shell-parents.sql | 2 ++
 7 files changed, 9 insertions(+)

diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index 91d757f..b776ee5 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -97,6 +97,7 @@ WHERE
 AND NOT name IN (
 'chrome',
 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
+ 'com.apple.NRD.UpdateBrainService',
 'containerd',
 'cargo',
 'esbuild',
diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql
index b632284..a0b5cd9 100644
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@@ -46,6 +46,7 @@ WHERE
 AND dirname NOT LIKE '/usr/local/%libexec'
 and dirname NOT LIKE '/usr/local/Cellar/%'
 AND dirname NOT LIKE '/usr/lib/%'
+ AND dirname NOT LIKE '%/.terraform/providers/%'
 AND dirname NOT LIKE '/usr/lib64/%'
 AND dirname NOT LIKE '/tmp/%/bin'
 AND dirname NOT LIKE '/usr/local/go/pkg/tool/%'
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 377d588..6a8962e 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
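Review bot: The new `'com.apple.NRD.UpdateBrainService'` entry suppresses the high-disk-write alert on process name alone, and `name` is only the executable basename, so it is a weak discriminator for an exclusion on an endpoint rule. If this query exposes `path`, as the execdir rules in this commit do, pin the exclusion to the location the updater runs from, e.g. `AND NOT (name = 'com.apple.NRD.UpdateBrainService' AND path LIKE '<updater path prefix>/%')` with the real prefix filled in; the same name-only exclusion is added in detection/exfil/high_disk_bytes_read.sql. The enclosing `NOT name IN (...)` list and WHERE clause start before and end after this hunk.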
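Review bot: `'%/.terraform/providers/%'` starts with a wildcard, so it excludes that directory name anywhere on the filesystem rather than only inside a user's Terraform working tree, which is wider than this execdir rule needs. Anchoring it under the home directories, `AND dirname NOT LIKE '/home/%/.terraform/providers/%'` here and `'/Users/%/.terraform/providers/%'` in the macOS rules, keeps the exclusion to where provider plugins are actually cached; unexpected-execdir-macos.sql already uses a `homedir NOT LIKE '~/%/...'` form that expresses this directly. The identical pattern is added in unexpected-execdir-events-macos.sql, unexpected-execdir-linux.sql and unexpected-execdir-macos.sql. The WHERE clause this sits in begins and ends outside the hunk.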
@@ -137,6 +137,7 @@ WHERE
 AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
 AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
 AND dir NOT LIKE '/private/var/folders/%/bin'
+ AND dir NOT LIKE '%/.terraform/providers/%'
 AND dir NOT LIKE '/private/var/folders/%/Contents/%'
 AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
 AND dir NOT LIKE '/private/var/folders/%/go-build%'
diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql
index fd5dd15..4535a73 100644
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
@@ -58,6 +58,7 @@ WHERE
 AND dirname NOT LIKE '/nix/store/%'
 AND dirname NOT LIKE '/opt/%'
 AND dirname NOT LIKE '/snap/%'
+ AND dirname NOT LIKE '%/.terraform/providers/%'
 AND dirname NOT LIKE '/tmp/%/bin'
 AND dirname NOT LIKE '/tmp/go-build%'
 AND dirname NOT LIKE '/usr/lib/%'
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 33da0af..57ffca7 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -108,6 +108,7 @@ WHERE
 '~/Library/',
 '~/.local/',
 '~/projects/',
+ '~/git/',
 '~/src/',
 '~/.tflint.d/',
 '~/.vscode/',
@@ -131,6 +132,7 @@ WHERE
 AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
 AND dir NOT LIKE '/private/var/folders/%/go-build%'
 AND dir NOT LIKE '/private/var/folders/%/GoLand'
+ AND dir NOT LIKE '%/.terraform/providers/%'
 AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
 AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
 AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 161c248..a6e9fef 100644
--- a/detection/exfil/high_disk_bytes_read.sql
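Review bot: `'~/git/'` widens the trusted-directory list to every executable under a user's git checkouts, which is consistent with the existing `'~/src/'` and `'~/projects/'` entries but is a deliberate blind spot worth recording, since scripts and binaries from any cloned repository now run without an alert from this rule. A one-line comment above the list, `-- developer checkout roots: binaries built or run from here are expected`, would make that trade-off explicit for the next reader. The list itself begins before this hunk and the WHERE clause continues past it.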
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -43,6 +43,7 @@ WHERE
 'fleet_backend',
 'fsdaemon',
 'GoogleSoftwareUpdateAgent',
+ 'com.apple.NRD.UpdateBrainService',
 'gopls',
 'grype',
 'java',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index eff33b6..866310e 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -132,7 +132,9 @@ WHERE
 )
 AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
 AND NOT p.cmdline LIKE '%gcloud config config-helper%'
+ AND NOT p.cmdline LIKE '%hugo/hugo server%'
 AND NOT pp.cmdline LIKE '/Applications/Warp.app/%'
+ AND NOT pp.cmdline = 'npm run start'
 AND NOT pp.cmdline LIKE '%brew.rb%'
 AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%'
 AND NOT pp.cmdline LIKE '%Code Helper%'
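Review bot: The entry is inserted between `'GoogleSoftwareUpdateAgent'` and `'gopls'`, which breaks the case-insensitive alphabetical order the surrounding entries follow (`fleet_backend`, `fsdaemon`, `GoogleSoftwareUpdateAgent`, `gopls`, `grype`, `java`). Move `'com.apple.NRD.UpdateBrainService',` up to its sorted position among the `c` entries so the list stays easy to scan and to diff against the sibling list in high-disk-bytes-written.sql. The name list starts and ends outside this hunk.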
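Review bot: `'%hugo/hugo server%'` is an infix match on the shell's own command line, so any shell invocation that merely contains that substring anywhere is excluded, whereas the new parent check `pp.cmdline = 'npm run start'` is an exact match. If both additions come from the same workflow (an npm start script launching `hugo server`, which their adjacent placement suggests), combining them into one clause, `AND NOT (p.cmdline LIKE '%hugo/hugo server%' AND pp.cmdline = 'npm run start')`, keeps either condition alone from suppressing the alert. Note also that `'npm run start'` by itself excludes every shell spawned by any project's start script, which deserves a comment if that breadth is intended. The WHERE clause continues outside the hunk on both sides.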