From ee6c5325776c54be9c113f0e62001750af7636ba Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 30 Oct 2022 09:40:52 -0400
Subject: [PATCH] Add exception for Twitter on Mac

---
 detection/evasion/empty_environ_macos.sql | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/detection/evasion/empty_environ_macos.sql b/detection/evasion/empty_environ_macos.sql
index d938576..806c979 100644
--- a/detection/evasion/empty_environ_macos.sql
+++ b/detection/evasion/empty_environ_macos.sql
@@ -36,6 +36,11 @@ WHERE -- This time should match the interval
 -- Filter out transient processes that may not have an envs entry by the time we poll for it
 AND p.start_time < (strftime('%s', 'now') - 5)
 AND p.path NOT LIKE '/System/Library/%'
+ -- This condition happens a fair bit on macOS, particularly electron apps
+ AND NOT (
+ p.path LIKE '/Applications/%.app/Contents/%/Contents/MacOS/%'
+ AND signature.authority = 'Apple Mac OS Application Signing'
+ )
 AND NOT (
 signature.identifier LIKE 'com.apple.%'
 AND signature.authority = 'Software Signing'
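Review bot: The new `AND NOT (p.path LIKE ... AND signature.authority = ...)` block exempts far more than its comment says: `%` in LIKE also matches `/`, so any binary in any nested bundle under /Applications (helpers, XPC services, .appex plug-ins, frameworks at arbitrary depth) is dropped from the result whenever the authority string matches, not just Electron apps. The exemption is therefore only as tight as the authority check, and the comment should say so, e.g. `-- Any nested-bundle binary under /Applications signed through the Mac App Store; the authority match is what bounds this exemption`. If `signature.authority` can be NULL for an unsigned binary (how `signature` is joined is outside this hunk, so this is inferred), `NOT (TRUE AND NULL)` evaluates to NULL and WHERE discards the row, meaning an unsigned binary at a matching path would be silently excluded instead of surfaced; `AND COALESCE(signature.authority, '') = 'Apple Mac OS Application Signing'` avoids that, and the pre-existing `com.apple.%` block in the same hunk has the same shape. The enclosing WHERE clause begins and ends outside the hunk.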
@@ -44,10 +49,10 @@ WHERE -- This time should match the interval
 '500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
 '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
- '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing'
+ '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing',
+ '500,TwitterNotificationServiceExtension,maccatalyst.com.atebits.Tweetie2.NotificationServiceExtension,Apple Mac OS Application Signing'
 )
 AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)'
 AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)'
-
 GROUP BY p.pid
 HAVING count == 0;
\ No newline at end of file
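Review bot: The added TwitterNotificationServiceExtension key looks redundant with the path-pattern exemption introduced in the first hunk: a Catalyst notification extension runs from a nested `.appex` bundle under the host app's `Contents/`, which `'/Applications/%.app/Contents/%/Contents/MacOS/%'` would match, and it carries the same `Apple Mac OS Application Signing` authority (its actual path is not on the page, so this is inferred). Either drop one mechanism or record why both are kept, e.g. `-- Catalyst NSE; kept in case the host bundle is installed outside /Applications`. The commit title names only the Twitter key, while the broader pattern exemption in the first hunk is the more consequential change and deserves a line in the description. The exception_key list begins outside this hunk.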