RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-04 03:31:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow Software Signing procs to be empty

Browse Source
This commit is contained in:
Thomas Stromberg 2022-11-16 10:56:36 -05:00
parent f78cca5844
commit 2f30604c07
Failed to extract signature
1 changed files with 1 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
detection/evasion/empty_environ_macos.sql
View File

@ -37,15 +37,8 @@ WHERE -- This time should match the interval
p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it
AND p.start_time < (strftime('%s', 'now') - 5) AND p.start_time < (strftime('%s', 'now') - 5)
AND p.path NOT LIKE '/System/Library/%' AND p.path NOT LIKE '/System/Library/%'
AND NOT (
(
p.path LIKE '/Library/Apple/%'
OR signature.identifier LIKE 'com.apple.%'
OR signature.identifier LIKE 'Safari%'
)
AND signature.authority = 'Software Signing'
)
AND signature.authority NOT IN ( AND signature.authority NOT IN (
'Software Signing',
'Apple Mac OS Application Signing', 'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)', 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',