From f67335babbf68807212977fc73d38c28baffc8f0 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Tue, 29 Oct 2024 14:14:25 -0500
Subject: [PATCH] Add exceptions for Arc, busybox, and Edge; fix existing
 exceptions

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-https-macos.sql                   | 1 +
 detection/credentials/unexpected-dev-opener-linux.sql     | 1 +
 detection/evasion/hidden-executable.sql                   | 2 +-
 detection/evasion/unexpected-dev-entries.sql              | 1 +
 detection/persistence/unexpected-device-linux.sql         | 3 ++-
 detection/persistence/unexpected-listening-port-macos.sql | 2 +-
 6 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 2cb9099..5e998f7 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -110,6 +110,7 @@ WHERE
     '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
     '0,chainctl,chainctl,,a.out',
     '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
+    '500,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
     '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
     '500,bash,bash,,bash',
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 5eadf5e..0d4be9e 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -171,6 +171,7 @@ WHERE
   AND NOT path_exception IN (
     '/dev/autofs,systemd',
     '/dev/console,agetty',
+    '/dev/console,busybox',
     '/dev/cpu/0/msr,nvidia-powerd',
     '/dev/drm_dp_aux,fwupd',
     '/dev/fb,Xorg',
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index 6826342..c165035 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -116,6 +116,7 @@ WHERE (
   AND NOT dir LIKE '%/.terraform/providers/%'
   AND NOT dir LIKE '%/node_modulues/.bin/hugo'
   AND NOT dir LIKE '%/node_modules/.pnpm/%'
+  AND NOT dir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
   AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
   AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
@@ -125,6 +126,5 @@ WHERE (
     AND p0.name LIKE '%-wrappe%'
   )
   AND NOT f.path LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
-  AND NOT f.path LIKE '/private/var/root/.Trash/OneDrive %.app/Contents/StandaloneUpdater.app/Contents/MacOS'
   AND NOT f.path LIKE '/home/%/.local/share/AppImage/ZenBrowser.AppImage'
 GROUP BY f.path
diff --git a/detection/evasion/unexpected-dev-entries.sql b/detection/evasion/unexpected-dev-entries.sql
index 8fe77af..202a3a8 100644
--- a/detection/evasion/unexpected-dev-entries.sql
+++ b/detection/evasion/unexpected-dev-entries.sql
@@ -45,6 +45,7 @@ WHERE
       OR file.path LIKE '/dev/shm/u1000-Valve%'
       OR file.path LIKE '/dev/shm/aomshm.%'
       OR file.path LIKE '/dev/shm/jack_db%'
+      OR file.path LIKE '/dev/shm/.com.microsoft.Edge.*'
     )
   )
   AND NOT (
diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql
index 19b375c..a1726e6 100644
--- a/detection/persistence/unexpected-device-linux.sql
+++ b/detection/persistence/unexpected-device-linux.sql
@@ -193,6 +193,7 @@ WHERE (
     '/dev/sg,character',
     '/dev/sgx_provision',
     '/dev/shm/,directory',
+    '/dev/shm/envoy_shared_memory_,regular',
     '/dev/shm/libpod_lock,regular',
     '/dev/shm/libpod_rootless_lock_,regular',
     '/dev/shm/lttng-ust-wait-,regular',
@@ -284,4 +285,4 @@ WHERE (
     AND uid IN (0,1000,1001)
     AND size IN (32,4096)
   )
-GROUP BY exception_key
\ No newline at end of file
+GROUP BY exception_key
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 4ad5a59..caafdbc 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -272,7 +272,7 @@ WHERE port != 0
   AND NOT (
     (
       exception_key LIKE '80,6,500,ssh,Software Signing'
-      AND p.cmdline LIKE '%/.colima/_lima/colima-docker/ssh.sock'
+      AND p.cmdline LIKE '%/.colima/_lima/colima-docker/ssh.sock%'
     )
   )
 GROUP BY exception_key