Relax checks enough to pass tests

chainguard-dev · Oct 11, 2024 · 71282a0 · 71282a0
1 parent c65ddc8
commit 71282a0
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 4 deletions.
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
@@ -79,6 +79,7 @@ WHERE
     'nox',
     'basic',
     'real',
+    'test',
     'AppImage',
     'ext'
   )

diff --git a/detection/evasion/unusual-executable-name-linux.sql b/detection/evasion/unusual-executable-name-linux.sql
@@ -84,7 +84,7 @@ WHERE
       REGEX_MATCH (pname, "(\W)$", 1) != ""
       AND pname NOT LIKE "%)"
     )
-    AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
+    AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")
   )
   AND NOT pname LIKE '.%-wrapped'
   AND NOT pname LIKE '__debug_bin%'

diff --git a/detection/execution/recently-created-executables-long-lived-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql
@@ -45,7 +45,7 @@ WHERE
   p0.start_time > 0
   AND f.ctime > 0
   AND p0.start_time > (strftime('%s', 'now') - 43200)
-  AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
+  AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
   AND p0.start_time >= MAX(f.ctime, f.ctime)
   AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
   -- These are binaries that are known to get updated and subsequently executed

diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql
@@ -78,7 +78,7 @@ WHERE
       AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
       AND NOT path LIKE '%/cloud_sql_proxy'
   )
-  AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
+  AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
   AND f.ctime > 0
   AND NOT (
     p0.euid > 499

diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
@@ -7,7 +7,7 @@
 --   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 --   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: process events
+-- tags: process events extra
 -- interval: 60
 -- platform: posix
 SELECT
@@ -186,6 +186,7 @@ WHERE
     'zellij',
     'zsh'
   )
+  AND p1_path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
   AND p1_path NOT IN (
     '/Applications/Docker.app/Contents/MacOS/Docker',
     '/Applications/Docker.app/Contents/MacOS/install',