From 942de97801b4e2ad0d0b5b26133afadcaef4e2ed Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <ruben.it-services@proton.me>
Date: Tue, 11 Mar 2025 13:51:23 +0100
Subject: [PATCH 1/2] [FN Tuning] Shared Object Created or Changed by
 Previously Unknown Process

---
 .../persistence_shared_object_creation.toml     | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 20cd6be2503..2f7bf5ac7c1 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/03/11"
 
 [transform]
 [[transform.osquery]]
@@ -160,17 +160,20 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
-host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and 
-file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
+host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename" or "file_write_event") and
+(file.extension:"so" or file.name:*.so.*) and
+file.path:(
+  /dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or
+  /usr/lib/x86_64-linux-gnu/* or /lib/i386-linux-gnu/* or /usr/lib/i386-linux-gnu/* or /lib/* or /lib64/*
+) and not (
   process.name:(
     "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
     platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
-    "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or
-    "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" or crio or ssm-agent-worker or packagekitd
+    "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or
+    "ssm-agent-worker" or "packagekitd"
   ) or 
-  (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or
+  (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or
   process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")
 )
 '''
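Review bot: Several of the new `file.path` prefixes are redundant if the KQL wildcard matches across `/` as it does in Elasticsearch wildcard queries: `/lib/x86_64-linux-gnu/*` and `/lib/i386-linux-gnu/*` are already covered by `/lib/*`, and the two `/usr/lib/*-linux-gnu/*` entries by `/usr/lib/*`, so the list could shrink to `/dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/* or /lib64/*`. If the explicit multiarch paths are kept on purpose for readability, a TOML comment above `query = '''` saying so would stop the next tuning pass from re-deriving this (a comment cannot go inside the `'''` literal, where it would become part of the query). Separately, the exclusion block still allowlists on `process.name` alone for broad names such as `"root"`, `"exe"`, `"install"`, `python*` and `pip*`, which is a weaker suppression than the vmware-install.pl entry that pairs a name with a `file.path` constraint; scoping the broad ones the same way would reduce the false-negative surface this tuning otherwise widens.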

From 3ed5856089701c2126e47d047eae435c2dfc3585 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 8 Apr 2025 18:07:32 +0200
Subject: [PATCH 2/2] Update process exclusions in TOML file

---
 rules/linux/persistence_shared_object_creation.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 2f7bf5ac7c1..b61d0740084 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -170,10 +170,10 @@ file.path:(
   process.name:(
     "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
     platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
-    "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or
-    "ssm-agent-worker" or "packagekitd"
+    "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or "packagekitd"
   ) or 
   (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or
+  (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) or 
   process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")
 )
 '''
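Review bot: The query changes here without a matching `updated_date` bump, whereas the first patch in this series moved `updated_date` to "2025/03/11" alongside its query edit; this commit is dated 2025-04-08, so the rule header (outside this hunk) no longer reflects the latest edit. Narrowing `ssm-agent-worker` from a bare `process.name` exclusion to `process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*` is the right shape, since it limits the allowlist to the paths that process is expected to write. The consolidated line ending in `"crio" or "packagekitd"` now runs past the width the surrounding lines wrap at, and the added line has a trailing space after `or`; keeping `"packagekitd"` wrapped onto its own line as before would preserve the existing layout.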