From 4cbfd7c4ae985d5de91794cd380e5d78a46398bc Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 4 Aug 2023 19:30:18 +0200
Subject: [PATCH] [Rule Tuning] Restricted Shell Breakout (#2999)

---
 rules/linux/execution_shell_evasion_linux_binary.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index d556a0488..827a32994 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/04"

 [rule]
 author = ["Elastic"]
@@ -138,7 +138,9 @@ process where host.os.type == "linux" and event.type == "start" and
 /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
 )) or
-(process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or
+(process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not
+process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and
+process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch")) or
 (process.name == "env" and process.args_count == 2 and process.args : "*sh") or
 (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
 (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or