RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use p0_cmd instead of p0.cmdline

This commit is contained in:
Thomas Stromberg 2023-03-17 06:37:18 -04:00
parent 7ee331b399
commit 2bfd736d37
Failed to extract signature
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
detection/execution/exotic-command-events-linux.sql
View File

@ -107,7 +107,7 @@ WHERE
OR p0_cmd LIKE '%iptables -P % ACCEPT%'
OR p0_cmd LIKE '%iptables -F%'
OR p0_cmd LIKE '%chattr -i%'
OR p0.cmdline LIKE '%dd if=/dev/%'
OR p0_cmd LIKE '%dd if=/dev/%'
OR p0_cmd LIKE '%cat /dev/null >%'
OR p0_cmd LIKE '%truncate -s0 %'
OR (