From eeeaeecda194093c9d93657828f1fdad41e8bd81 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 17 Nov 2022 07:20:19 -0500
Subject: [PATCH] Add exceptions for Microsoft teams, ldconfig, fix go build paths
---
 .../c2/unexpected-https-client-linux.sql | 15 +++++----
 .../collection/high-disk-bytes-written.sql | 1 +
 detection/evasion/empty_environ_linux.sql | 1 +
 detection/evasion/hidden-cwd.sql | 7 ++--
 detection/evasion/name_path_mismatch.sql | 2 +-
 .../evasion/parent-missing-from-disk.sql | 1 +
 .../evasion/touched-executable-linux.sql | 5 ++-
 .../execution/exotic-command-events-linux.sql | 5 ++-
 .../execution/exotic-command-events-macos.sql | 2 +-
 detection/execution/exotic-commands.sql | 2 +-
 .../recently-created-executables-linux.sql | 33 ++++++++++---------
 .../execution/tiny-executable-events.sql | 1 +
 12 files changed, 45 insertions(+), 30 deletions(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 77678d5..384c764 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -98,10 +98,13 @@ WHERE
 '500,/home/java,500u,500g,java',
 '500,/home/jcef_helper,500u,500g,jcef_helper',
 '500,/home/ko,500u,500g,ko',
+ '500,/home/python3,500u,500g,python3',
 '500,/home/steam,500u,100g,steam',
 '500,/home/steamwebhelper,500u,100g,steamwebhelper',
+ '500,/home/terraform,500u,500g,terraform',
 '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
 '500,/ko-app/chainctl,u,g,chainctl',
+ '500,/ko-app/controller,u,g,controller',
 '500,/ko-app/controlplane,u,g,controlplane',
 '500,/opt/1password,0u,0g,1password',
 '500,/opt/Brackets,0u,0g,Brackets',
@@ -109,6 +112,7 @@ WHERE
 '500,/opt/Discord,0u,0g,Discord',
 '500,/opt/firefox,0u,0g,firefox',
 '500,/opt/firefox,0u,0g,Socket Process',
+ '500,/opt/Keybase,0u,0g,Keybase',
 '500,/opt/kubectl,0u,0g,kubectl',
 '500,/opt/slack,0u,0g,slack',
 '500,/opt/snap-store,0u,0g,snap-store',
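Review bot: The new `'500,/home/python3,500u,500g,python3'` key is broader than the other additions in this hunk (terraform, controller): python3 is an interpreter that runs arbitrary scripts, and the name_path_mismatch.sql change in this same commit lists python3 among the "serial masqueraders", so a user-owned python3 under /home making outbound HTTPS is exactly the shape this rule exists to surface. If the key's second field is a top-level directory plus basename rather than a full path, as the surrounding entries suggest, any python3 anywhere under /home is now exempt; consider whether the legitimate case can be keyed more narrowly, or at least record the reason inline, `'500,/home/python3,500u,500g,python3', -- <tool>: user-local python (TODO confirm)`. The exception list and its enclosing WHERE clause start before this hunk and continue after the second hunk on this line.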
@@ -116,6 +120,8 @@ WHERE
 '500,/opt/todoist,0u,0g,todoist',
 '500,/opt/zoom,0u,0g,zoom',
 '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
+ '500,/tmp/obsidian,u,g,obsidian',
+ '500,/tmp/terraform,500u,500g,terraform',
 '500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
 '500,/usr/bom,500u,500g,bom',
 '500,/usr/cargo,0u,0g,cargo',
@@ -143,25 +149,22 @@ WHERE
 '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
 '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
 '500,/usr/java,0u,0g,java',
- '500,/ko-app/controller,u,g,controller',
 '500,/usr/java,u,g,java',
 '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
 '500,/usr/keybase,0u,0g,keybase',
+ '500,/usr/ko,u,g,ko',
 '500,/usr/kubectl,500u,500g,kubectl',
 '500,/usr/lens,0u,0g,lens',
- '500,/usr/signal-desktop,u,g,signal-desktop',
 '500,/usr/nautilus,0u,0g,nautilus',
 '500,/usr/obs,0u,0g,obs',
 '500,/usr/reporter-ureport,0u,0g,reporter-urepor',
 '500,/usr/rpi-imager,0u,0g,rpi-imager',
- '500,/usr/ko,u,g,ko',
 '500,/usr/signal-desktop,0u,0g,signal-desktop',
- '500,/tmp/terraform,500u,500g,terraform',
- '500,/home/terraform,500u,500g,terraform',
+ '500,/usr/signal-desktop,u,g,signal-desktop',
 '500,/usr/slack,0u,0g,slack',
 '500,/usr/spotify,0u,0g,spotify',
- '500,/tmp/obsidian,u,g,obsidian',
 '500,/usr/syncthing,0u,0g,syncthing',
+ '500,/usr/teams,0u,0g,teams',
 '500,/usr/terraform,0u,0g,terraform',
 '500,/usr/trivy,0u,0g,trivy',
 '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index b776ee5..fbc2585 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -106,6 +106,7 @@ WHERE
 'fsdaemon',
 'go',
 'goland',
+ 'qemu-system-aarch64',
 'gopls',
 'grype',
 'java',
diff --git a/detection/evasion/empty_environ_linux.sql b/detection/evasion/empty_environ_linux.sql
index b906c42..0777d36 100644
--- a/detection/evasion/empty_environ_linux.sql
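Review bot: `'qemu-system-aarch64'` is inserted between 'goland' and 'gopls', breaking the alphabetical order the rest of this list keeps (fsdaemon, go, goland, gopls, grype, java) and that the other exception lists in this commit are being re-sorted into; move it to its sorted position, which falls outside this hunk. As far as the visible entries show, this list is matched on process name alone, and a name is the cheapest attribute for a process to choose, so a one-line comment on why a VM emulator is accepted here (`-- qemu-system-aarch64: VM disk images are written by the emulator process`, or whatever the actual case was) would help the next reviewer judge whether a path-keyed exception is warranted instead. The list and its WHERE clause extend beyond this hunk on both sides.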
+++ b/detection/evasion/empty_environ_linux.sql
@@ -42,6 +42,7 @@ WHERE -- This time should match the interval
 'gnome-terminal-',
 'sshd',
 'zoom.real',
+ 'teams',
 'zoom',
 'zypak-sandbox'
 )
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 92f8378..3a71721 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -103,11 +103,12 @@ WHERE
 OR dir LIKE '~/.%'
 OR dir LIKE '~/code/%'
 OR dir LIKE '~/%/.github%'
- OR dir LIKE '~/%/src/%'
- OR dir LIKE '~/%/.modcache/%'
- OR dir LIKE '~/.gradle/%'
 OR dir LIKE '~/%/github.com/%'
+ OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
+ OR dir LIKE '~/.gradle/%'
 OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
+ OR dir LIKE '~/%/.modcache/%'
+ OR dir LIKE '~/%/src/%'
 OR dir LIKE '~/src/%'
 OR dir LIKE '~/%/.terraform%'
 OR dir LIKE '/tmp/.mount_%'
diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql
index 2921de8..a202e73 100644
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@@ -40,7 +40,7 @@ FROM
 WHERE
 short_filename != short_name
 AND NOT cmd LIKE '/nix/store/%/bin/bash%' -- Serial masqueraders
- AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3')
+ AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3', 'perl')
 AND exception_key NOT IN (
 'name=blueman-applet,file=python3,500',
 'name=blueman-tray,file=python3,500',
diff --git a/detection/evasion/parent-missing-from-disk.sql b/detection/evasion/parent-missing-from-disk.sql
index bb38b23..27b147c 100644
--- a/detection/evasion/parent-missing-from-disk.sql
+++ b/detection/evasion/parent-missing-from-disk.sql
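Review bot: Adding `'perl'` to the `short_filename` exclusion in name_path_mismatch.sql removes every perl-backed process from name/path mismatch detection regardless of the name it reports, so this is a blanket blind spot rather than an exception for a known tool. The same WHERE already has a narrower mechanism, `exception_key NOT IN (...)`, which the `'name=blueman-applet,file=python3,500'` entries right below use; if one specific perl wrapper produced the false positive, an entry of the form `'name=<reported name>,file=perl,500'` (constructed example) would keep other perl processes in scope. If interpreters genuinely have to be excluded wholesale, the `-- Serial masqueraders` comment would be more useful as a sentence saying why that is acceptable for this rule. The WHERE clause continues past the end of this hunk.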
@@ -59,6 +59,7 @@ WHERE
 AND parent_path NOT LIKE '/app/extra/%'
 AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
 AND parent_path NOT LIKE '/tmp/.mount_%/%'
+ AND parent_path NOT LIKE '%google-cloud-sdk/.install/.backup%'
 AND NOT (
 parent_name LIKE 'kworker/%+events_unbound'
 AND child_name IN ('modprobe')
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 4c0904c..3312496 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -33,7 +33,10 @@ WHERE
 AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
 AND f.path NOT LIKE '/snap/%'
 AND f.path NOT LIKE '/home/%'
- AND f.path != '/usr/local/bin/chainctl'
+ AND f.path NOT IN (
+ '/usr/local/bin/chainctl',
+ '/opt/google/endpoint-verification/bin/apihelper'
+ )
 AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 GROUP by
 p.pid
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index ae3dc78..d27bfcf 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -101,7 +101,10 @@ WHERE
 OR cmd LIKE '%fsockopen%'
 OR cmd LIKE '%openssl%quiet%'
 OR cmd LIKE '%pty.spawn%'
- OR cmd LIKE '%sh -i'
+ OR (
+ cmd LIKE '%sh -i'
+ AND NOT parent_name IN ('sh', 'java')
+ )
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
 OR (
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 863f5ea..49e6f4c 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -95,7 +95,7 @@ WHERE
 OR cmd LIKE '%pty.spawn%'
 OR (
 cmd LIKE '%sh -i'
- AND NOT parent_name = 'sh'
+ AND NOT parent_name IN ('sh', 'java')
 )
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
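Review bot: The added `'%google-cloud-sdk/.install/.backup%'` pattern in parent-missing-from-disk.sql has a leading wildcard and no separators around the name, so it exempts a parent whose path merely contains that substring anywhere, including under world-writable directories, while the hidden-cwd.sql hunk in this commit anchors the equivalent pattern under the home directory (`'~/%google-cloud-sdk/.install/.backup%'`). At minimum bound it with path separators, `AND parent_path NOT LIKE '%/google-cloud-sdk/.install/.backup/%'`, and if the backup directory always lives under the user's home as the hidden-cwd pattern implies, anchor it there instead. The surrounding WHERE clause starts before and ends after this hunk.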
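Review bot: Exempting `java` as the parent of a `sh -i` command in exotic-command-events-linux.sql removes interactive shells spawned by any JVM from this rule, which is precisely the parent a compromised Java service or CI agent would have; the same widening is made in the exotic-command-events-macos.sql hunk on this line and in the exotic-commands.sql hunk that follows. If one specific Java tool is the false-positive source, the exception is safer keyed on that tool rather than on the parent name alone, e.g. by also requiring the parent's path (parent-missing-from-disk.sql exposes one as `parent_path`; confirm this query has the column) or a cmdline fragment. Failing that, a one-line comment naming the motivating tool, `-- java: <tool> spawns sh -i for <reason>`, would keep this from reading as an accidental blind spot. The OR chain continues outside the hunk on both sides.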
diff --git a/detection/execution/exotic-commands.sql b/detection/execution/exotic-commands.sql
index f74367a..04b80f3 100644
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@@ -75,7 +75,7 @@ WHERE
 OR cmd LIKE '%pty.spawn%'
 OR (
 cmd LIKE '%sh -i'
- AND NOT parent_name = 'sh'
+ AND NOT parent_name IN ('sh', 'java')
 )
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index 9bc63fc..d882b58 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -45,25 +45,29 @@ WHERE
 '/opt/google/chrome/chrome',
 '/opt/google/chrome/chrome_crashpad_handler',
 '/opt/google/chrome/nacl_helper',
+ '/opt/Lens/chrome_crashpad_handler',
+ '/opt/Lens/lens',
+ '/opt/sublime_text/sublime_text',
+ '/usr/bin/alacritty',
 '/usr/bin/bash',
 '/usr/bin/cargo',
- '/usr/bin/kbfsfuse',
 '/usr/bin/containerd',
 '/usr/bin/containerd-shim-runc-v2',
+ '/usr/bin/docker',
 '/usr/bin/dockerd',
- '/usr/bin/keybase',
- 'usr/bin/keybase-redirector',
 '/usr/bin/docker-proxy',
- '/opt/Lens/chrome_crashpad_handler',
 '/usr/bin/gedit',
 '/usr/bin/gnome-keyring-daemon',
+ '/usr/bin/kbfsfuse',
+ '/usr/bin/keybase',
+ 'usr/bin/keybase-redirector',
+ '/usr/bin/nm-applet',
 '/usr/bin/obs',
 '/usr/bin/pavucontrol',
 '/usr/bin/pipewire',
 '/usr/bin/rpi-imager',
 '/usr/bin/tailscaled',
 '/usr/bin/udevadm',
- '/opt/sublime_text/sublime_text',
 '/usr/bin/wpa_supplicant',
 '/usr/lib64/firefox/firefox',
 '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
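Review bot: `'usr/bin/keybase-redirector'` is re-added without its leading slash in recently-created-executables-linux.sql, so it can never equal an absolute `p.path` and the keybase-redirector exception is a no-op; it should read `'/usr/bin/keybase-redirector',`. The entry was already wrong before this reorder, but since the hunk moves the line anyway, fixing it here is cheap and keeps the allowlist honest about what it actually suppresses. The NOT IN list starts before this hunk and continues into the next one.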
@@ -73,38 +77,35 @@ WHERE
 '/usr/libexec/fwupd/fwupd',
 '/usr/libexec/snapd/snapd',
 '/usr/libexec/sssd/sssd_kcm',
- '/usr/bin/nm-applet',
- '/usr/share/code/chrome_crashpad_handler',
 '/usr/lib/fwupd/fwupd',
 '/usr/lib/gdm',
 '/usr/lib/gdm-session-worker',
 '/usr/lib/gdm-x-session',
 '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
- '/usr/lib/polkit-1/polkitd',
 '/usr/lib/libreoffice/program/oosplash',
+ '/usr/lib/libreoffice/program/soffice.bin',
+ '/usr/lib/polkit-1/polkitd',
 '/usr/lib/slack/chrome_crashpad_handler',
- '/usr/share/code/code',
 '/usr/lib/slack/slack',
- '/opt/Lens/lens',
 '/usr/lib/snapd/snapd',
 '/usr/lib/systemd/systemd',
 '/usr/lib/systemd/systemd-journald',
- '/usr/bin/docker',
- '/usr/local/bin/kind',
 '/usr/lib/systemd/systemd-logind',
- '/usr/lib/libreoffice/program/soffice.bin',
- '/usr/lib/libreoffice/program/oosplash',
 '/usr/lib/systemd/systemd-oomd',
 '/usr/lib/systemd/systemd-resolved',
 '/usr/lib/systemd/systemd-timesyncd',
 '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
 '/usr/lib/xf86-video-intel-backlight-helper',
+ '/usr/local/bin/kind',
 '/usr/sbin/chronyd',
 '/usr/sbin/cupsd',
 '/usr/sbin/tailscaled',
- '/usr/share/spotify-client/spotify'
+ '/usr/share/code/chrome_crashpad_handler',
+ '/usr/share/code/code',
+ '/usr/share/spotify-client/spotify',
+ '/usr/share/teams/team'
 )
- AND NOT p.path LIKE '%-go-build%'
+ AND NOT p.path LIKE '/tmp/go-build%'
 AND NOT p.path LIKE '/home/%/bin/%'
 AND NOT p.path LIKE '/home/%/terraform-provider-%'
 AND NOT p.path LIKE '/home/%/%.test'
diff --git a/detection/execution/tiny-executable-events.sql b/detection/execution/tiny-executable-events.sql
index 81ae7a6..aa147b8 100644
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@@ -38,6 +38,7 @@ WHERE
 AND p.path NOT LIKE '%.sh'
 AND p.path NOT LIKE '%.py'
 AND p.path NOT LIKE '%.rb'
+ AND p.path != '/sbin/ldconfig'
 AND NOT (
 p.path LIKE '/Users/%'
 AND magic.data LIKE 'POSIX shell script%'
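Review bot: `'/usr/share/teams/team'` in recently-created-executables-linux.sql looks truncated: every other reference to Microsoft Teams in this commit uses the name `teams` (`'500,/usr/teams,0u,0g,teams'`, `'teams'`), so this entry probably needs to be `'/usr/share/teams/teams',`; confirm against the installed package before merging, since a typo here silently leaves the binary unexcepted. Separately, the replacement predicate `AND NOT p.path LIKE '/tmp/go-build%'` exempts every executable under any `go-build*` directory in world-writable /tmp, whereas touched-executable-linux.sql in this same commit uses the tighter `'/tmp/go-build%/exe/main'`; unless test binaries need the wider prefix, consider aligning on the narrower form or adding a comment stating why the prefix alone is required. The NOT IN list starts before this hunk.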
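Review bot: `AND p.path != '/sbin/ldconfig'` in tiny-executable-events.sql carries no explanation, and the reason is not obvious from the rule; presumably it is that on Debian-derived systems /sbin/ldconfig is a small shell wrapper that execs ldconfig.real, which is what makes it "tiny" (confirm). A comment such as `-- /sbin/ldconfig: small shell wrapper around ldconfig.real on Debian-based systems` would record that for the next reader. Note also that an exact path match will not cover the case where the process is reported as /usr/sbin/ldconfig on a merged-/usr system, so it is worth checking which path osquery actually reports before relying on this exception. The WHERE clause continues past the end of this hunk.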