From 40078d357af50db2687daf589bcb572c2fad14d3 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 2 Nov 2023 11:17:58 -0400
Subject: [PATCH] fpr: ThingsWidgetExtension
---
 detection/evasion/unusual-process-name-macos.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index 5462050e..f778fb1d 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -97,6 +97,7 @@ WHERE
 AND NOT pname IN (
 'cpu',
 'com.microsoft.teams2.notificationcenter',
+ 'ThingsWidgetExtensionMacAppStore',
 'at.obdev.littlesnitch.endpointsecurity',
 'BetterTouchToolAppleScriptRunner',
 'BetterTouchToolShellScriptRunner',
@@ -106,4 +107,4 @@ WHERE
 )
 -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
 AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
- AND NOT s.authority = "Software Signing"
+ AND NOT s.authority IN ("Software Signing","Apple Mac OS Application Signing")
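Review bot: The new `'ThingsWidgetExtensionMacAppStore'` entry in the first hunk's `pname NOT IN (...)` list exempts by process name alone, so any binary running under that name is dropped from this detection regardless of who signed it. If the authority exclusion changed in the second hunk already suppresses this false positive, the name entry may be unnecessary. Otherwise, record the expected signer next to it, for example `-- Mac App Store widget extension; expected authority: <AUTHORITY>`, so a later reviewer can tell a legitimate match from a name collision. The list starts and ends outside the hunk, so any signature condition tied to it is not visible here.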
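Review bot: The rewritten last line of the second hunk, `AND NOT s.authority IN ("Software Signing","Apple Mac OS Application Signing")`, evaluates to NULL rather than true when `s.authority` is NULL, so a process with no signature row would be filtered out of the results instead of reported. The join that produces `s` is outside the hunk, so confirm whether that can happen; if it can, `AND COALESCE(s.authority, '') NOT IN ('Software Signing', 'Apple Mac OS Application Signing')` keeps those rows. Single quotes would also match the `pname` list in the first hunk, because SQLite reads a double-quoted token as an identifier first and only falls back to a string literal. The added authority appears to cover every Mac App Store-signed binary, not just the widget named in the subject, so a short comment stating that this breadth is intended would help.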