From c7cd2c7d8048b3e423ce767b1a7007cc2c95c5fd Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Mon, 1 Jul 2024 15:19:24 -0500 Subject: [PATCH] Resolve datadog-agent kworker false positives (#300) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Resolve datadog-agent kworker false positives Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Better handling of ignore_ref Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update rules/evasion/fake-process-name.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Update rules/evasion/fake-process-name.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Add more precise DataDog process-agent kworker references Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * More specificity Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Consolidate ignores Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Ignore DataDog strings Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Thomas Strömberg
---
 rules/evasion/fake-process-name.yara | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
index 79cbb820e..49053f034 100644
--- a/rules/evasion/fake-process-name.yara
+++ b/rules/evasion/fake-process-name.yara
@@ -1,4 +1,3 @@
-
 rule fake_kworker_val : critical {
 meta:
 description = "Pretends to be a kworker kernel thread"
@@ -9,8 +8,10 @@ rule fake_kworker_val : critical {
 $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/
 $kworker2 = "kworker" fullword
 $kworker3 = "[kworker"
+ // datadog process-agent
+ $ignore_datadog = /[Dd]ata[Dd]og/
 condition:
- any of them
+ any of ($kworker*) and not $ignore_datadog
 }
 rule fake_syslogd : critical {
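Review bot: The exclusion added on the `$ignore_datadog` line is much broader than the "process-agent" its comment names: `/[Dd]ata[Dd]og/` is an unanchored substring match, so any file that carries the word "datadog" anywhere (a log message, a config key, an unrelated string) is dropped from this rule entirely, and the kworker detection no longer applies to it. If the process-agent false positive can be tied to strings that are specific to that binary, narrowing the exclusion to those would keep coverage for everything else; a `fullword` modifier on the ignore pattern would at least stop matches inside longer identifiers. Whatever scope is kept, the trade-off belongs next to the rule, e.g. replace the added comment with `// datadog process-agent legitimately references kworker; any file containing "datadog" is excluded from this rule`, and the commit message's "more precise" references should be reconciled with the single regex that actually landed. The `$ignore_datadog` exclusion also depends on every future `$kworker*` string sharing this suppression, which is worth a note if more indicators are added later.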