From d7990dd06393b940752db5a8a3562794fe455ef8 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 25 Oct 2023 09:49:07 -0400
Subject: [PATCH] fpr: Electron, Github

---
 detection/c2/unexpected-talker-events.sql | 2 ++
 detection/evasion/hidden-cwd-events-linux.sql | 1 +
 2 files changed, 3 insertions(+)

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index e7c1984d..eed9e8de 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -121,6 +121,7 @@ WHERE
 '500,0,443,com.apple.NRD.UpdateBrainService',
 '500,0,443,com.google.one.NetworkExtension',
 '500,0,443,curl',
+ '500,0,443,electron',
 '500,0,443,firefox',
 '500,0,443,fwupdmgr',
 '500,0,443,git-remote-http',
@@ -151,6 +152,7 @@ WHERE
 '500,0,5632,ssh',
 '500,0,80,chrome',
 '500,0,80,com.apple.NRD.UpdateBrainService',
+ '500,0,80,electron',
 '500,0,80,firefox',
 '500,0,80,http',
 '500,0,80,io.tailscale.ipn.macsys.network-extension',
diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
index 64aa5882..826f75d7 100644
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@@ -62,6 +62,7 @@ WHERE
 '.vscode',
 '.vim',
 '.config',
+ '.github',
 '.provisio',
 '.terraform.d',
 '.emacs.d',
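Review bot: The new `'500,0,443,electron'` exception is keyed on the bare process name, so any binary that reports its name as `electron` — an unsigned Electron-packaged payload or a renamed implant just as much as the app this was observed for — is now excluded from this C2 rule on port 443, and the entry itself does not record which application it is meant to cover. Because `electron` is a runtime rather than a program, this carve-out is much broader than the neighbouring entries (`curl`, `firefox`, `fwupdmgr`, `git-remote-http`), which at least name a specific tool. If the query has a path- or signer-keyed exception list elsewhere (not visible in this hunk), the app's bundle path or signing identity is the safer place to whitelist it; failing that, a trailing comment such as `'500,0,443,electron', -- TODO: name the Electron app observed; scope by path/signer if possible` keeps the reason reviewable. The enclosing `WHERE` list starts and ends outside the hunk.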
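Review bot: `'500,0,80,electron'` extends the same runtime-name exception to plaintext port 80, which widens it further than the 443 entry: the key appears to carry only uid, a second field, the remote port and the process name, so the destination plays no part, and unencrypted HTTP from an unspecified Electron process is hard to tell apart from a plain HTTP beacon. If the observed port-80 traffic was a one-off redirect or update check from a single application, consider whether this entry can be dropped or tied to that application's path/signer rather than to the name `electron`, and either way record the motivating app in a trailing comment on the line. The surrounding list continues outside the hunk.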
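Review bot: `'.github'` is excepted by hidden-directory name alone, and unlike `.vscode` or `.terraform.d` it is a name that exists in almost every cloned repository and can be created anywhere, so a process started with `~/.github` or `/tmp/.github` as its working directory would presumably no longer fire this hidden-cwd rule. Whether the comparison is on the full `cwd` or just its leading hidden component is not visible here; if it is the latter, consider handling the false positive with a narrower exception the query may already support (the specific program or parent that was seen running there) instead of the directory name. At minimum, note the trigger in a trailing comment, e.g. `'.github', -- editing workflows inside a checkout (confirm the program that tripped this)`, so the exception can be revisited. The enclosing `WHERE` list starts and ends outside the hunk.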