From 157d7d28507525fe62a4b0c45814b6903e15edd5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 27 Aug 2024 12:06:48 -0400
Subject: [PATCH] Add ExecStop=/opt exception
---
 .../persistence/suspicious-systemd-unit.sql | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
index 18e4d4c..f968128 100644
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@@ -47,21 +47,21 @@ rule systemd_execstart_elsewhere : medium {
 hash_2024_2024_Spinning_YARN_yarn_fragments = "723326f8551f2a92ccceeec93859f58df380a3212e7510bc64181f2a0743231c"
 strings:
 $execstart = /ExecStart=\/[\w\/]{1,128}/
- $not_usr_sbin = "ExecStart=/usr/sbin/"
- $not_sbin = "ExecStart=/sbin/"
- $not_usr_lib = "ExecStart=/usr/lib/"
+ $not_bin = "ExecStart=/bin/"
+ $not_bin_true = "ExecStart=/bin/true"
+ $not_etc_rcd = "ExecStart=/etc/rc.d/rc.local"
+ $not_etc_rc_local = "ExecStart=/etc/rc.local"
+ $not_init_d = "ExecStart=/etc/init.d/"
 $not_lib = "ExecStart=/lib/"
- $not_usr_bin = "ExecStart=/usr/bin/"
+ $not_motd = "ExecStart=/etc/update-motd.d/"
 $not_opt = "ExecStart=/opt/"
+ $not_sbin = "ExecStart=/sbin/"
+ $not_usr_bin = "ExecStart=/usr/bin/"
 $not_usr_libexec = "ExecStart=/usr/libexec/"
+ $not_usr_lib = "ExecStart=/usr/lib/"
 $not_usr_local = "ExecStart=/usr/local/"
+ $not_usr_sbin = "ExecStart=/usr/sbin/"
 $not_usr_share = "ExecStart=/usr/share/"
- $not_bin_true = "ExecStart=/bin/true"
- $not_etc_rcd = "ExecStart=/etc/rc.d/rc.local"
- $not_etc_rc_local = "ExecStart=/etc/rc.local"
- $not_bin = "ExecStart=/bin/"
- $not_motd = "ExecStart=/etc/update-motd.d/"
- $not_init_d = "ExecStart=/etc/init.d/"
 condition:
 filesize < 102400 and $execstart and none of ($not_*)
 }
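Review bot: The re-sorted `$not_*` list in systemd_execstart_elsewhere keeps `$not_bin_true = "ExecStart=/bin/true"` next to `$not_bin = "ExecStart=/bin/"`, and under `none of ($not_*)` the second is redundant: any file that contains the longer string also contains the shorter one, so `$not_bin_true` can never change the verdict. Dropping it, or replacing it with a one-line comment such as `// /bin/true is covered by $not_bin`, would make the exception list easier to audit. It is also worth a comment that `$not_bin` exempts every `ExecStart=/bin/...` line, including interpreter invocations, so the rule does not attempt to judge what is launched from `/bin`; if that is intentional, saying so in the rule's `meta` description would save the next reader from re-deriving it. The rule's `meta` section starts before this hunk.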
@@ -72,13 +72,14 @@ rule systemd_execstop_elsewhere : medium {
 description = "Runs program from unexpected directory at stop"
 strings:
 $execstop = /ExecStop=\/[\w\.\_\-]{2,64}/
- $not_usr_sbin = "ExecStop=/usr/sbin/"
+ $not_lib = "ExecStop=/lib/"
+ $not_opt = "ExecStart=/opt/"
 $not_sbin = "ExecStop=/sbin/"
- $not_usr_lib = "ExecStop=/usr/lib/"
 $not_usr_libexec = "ExecStop=/usr/libexec/"
- $not_usr_share = "ExecStop=/usr/share/"
+ $not_usr_lib = "ExecStop=/usr/lib/"
 $not_usr_local = "ExecStop=/usr/local/"
- $not_lib = "ExecStop=/lib/"
+ $not_usr_sbin = "ExecStop=/usr/sbin/"
+ $not_usr_share = "ExecStop=/usr/share/"
 condition:
 filesize < 384 and $execstop and none of ($not*)
 }
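Review bot: The new exception in systemd_execstop_elsewhere is spelled `$not_opt = "ExecStart=/opt/"`, but this rule triggers on `$execstop` and every other `$not_*` string here is an `ExecStop=` prefix, so the line does not do what the commit subject says. A unit whose `ExecStop=` points into `/opt/` is still flagged, while any unit that merely has an `ExecStart=/opt/...` line is now silently exempted from the stop-path check regardless of where its `ExecStop=` points, because `none of ($not*)` fails on the ExecStart match. The fix is the one-word change `$not_opt = "ExecStop=/opt/"`. A small fixture with `ExecStop=/opt/<placeholder>/stop.sh` (constructed example) would have caught the mismatch; the repository may already have a test layout for this, which is not visible from the patch. The rule's `meta` section begins before this hunk.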