RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add more real-world exceptions to unexpected-talkers

This commit is contained in:
Thomas Stromberg 2022-10-20 13:03:46 -04:00
parent 1c38ef430e
commit 186617890c
Failed to extract signature
3 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
detection/c2/unexpected-https-client-linux.sql
View File

@ -60,9 +60,16 @@ WHERE
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-', -- fedoraproject.org
'0,/usr/launcher,0u,0g,launcher',
'0,/usr/dockerd,0u,0g,dockerd',
'0,/usr/packagekitd,0u,0g,packagekitd',
'0,/usr/packagekitd,0u,0g,packagekitd', -- Google
'0,/usr/tailscaled,0u,0g,tailscaled',
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'500,/app/slack,u,g,slack',
'500,/home/chainctl,500u,500g,chainctl',
'500,/ko-app/chainctl,u,g,chainctl',
'500,/ko-app/controlplane,u,g,controlplane',
'500,/opt/chrome,0u,0g,chrome',
'500,/opt/spotify,0u,0g,spotify',
@ -70,10 +77,14 @@ WHERE
'500,/usr/code,0u,0g,code',
'500,/usr/firefox,0u,0g,firefox',
'500,/usr/firefox,0u,0g,.firefox-wrappe',
'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', -- fedoraproject.org
'500,/usr/geoclue,0u,0g,geoclue',
'500,/usr/gnome-software,0u,0g,gnome-software',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/slack,0u,0g,slack',
'500,/app/zoom.real,u,g,zoom.real',
'500,/usr/syncthing,0u,0g,syncthing'
)
GROUP BY
p.cmdline

2
detection/c2/unexpected-talkers-linux.sql
View File

@ -86,10 +86,12 @@ WHERE
'5228,6,500,/opt/chrome,0u,0g,chrome',
'8000,6,500,/opt/chrome,0u,0g,chrome',
'8000,6,500,/usr/firefox,0u,0g,firefox',
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager', -- fedoraproject.org
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,500,/opt/chrome,0u,0g,chrome',
'80,6,500,/usr/firefox,0u,0g,firefox',
'5228,6,500,/usr/chrome,0u,0g,chrome', -- Android Market/GCM
'8080,6,500,/opt/chrome,0u,0g,chrome',
'8080,6,500,/usr/firefox,0u,0g,firefox',
'8443,6,500,/opt/chrome,0u,0g,chrome',

3
detection/c2/unexpected-talkers-macos.sql
View File

@ -162,8 +162,10 @@ WHERE
'443,6,500,cosign,a.out,',
'443,6,500,cosign,cosign,',
'443,6,500,crane,,',
'443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,crane,a.out,',
'443,6,500,ctclient,a.out,',
'53,17,500,trivy,,',
'443,6,500,curl,com.apple.curl,Software Signing',
'443,6,500,docker-credential-gcr,a.out,',
'443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@ -171,6 +173,7 @@ WHERE
'443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'443,6,500,gh,a.out,',
'443,6,500,git-remote-http,,',
'443,6,500,gh,gh,',
'443,6,500,git,com.apple.git,Software Signing',
'443,6,500,git,git,',