From 41e68657e9faf7e6cf6786617e29bd01c5e55a23 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 13 Jan 2023 13:49:41 -0500
Subject: [PATCH] Include more commands
---
 detection/execution/exotic-commands.sql | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection/execution/exotic-commands.sql b/detection/execution/exotic-commands.sql
index c16e5bc..19f7c5d 100644
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@@ -66,11 +66,14 @@ WHERE
 OR cmd LIKE '%iptables -P % ACCEPT%'
 OR cmd LIKE '%iptables -F%'
 OR cmd LIKE '%chattr -ia%'
+ OR cmd LIKE '%chflags uchg%'
 OR cmd LIKE '%chmod 777 %'
 OR cmd LIKE '%bpftool%'
 OR cmd LIKE '%touch%acmr%'
 OR cmd LIKE '%ld.so.preload%'
 OR cmd LIKE '%urllib.urlopen%'
+ OR cmd LIKE '%launchctl list%'
+ OR cmd LIKE '%launchctl load%'
 OR cmd LIKE '%nohup%tmp%'
 OR cmd LIKE '%set visible of front window to false%'
 OR cmd LIKE '%chrome%--load-extension%'
@@ -108,3 +111,5 @@ WHERE
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
 OR INSTR(cmd, '%Socket.%') > 0
+ -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
+ OR cmd LIKE '%tail -f /dev/null%'
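Review bot: The new `'%chflags uchg%'` pattern only matches when the flag immediately follows the command, so `chflags -R uchg` and the system-immutable variant `chflags schg` (which survives even root unless SIP is lowered) slip past, while the sibling `chattr -ia` line already covers the Linux unlock case; a looser `OR cmd LIKE '%chflags%uchg%' OR cmd LIKE '%chflags%schg%'` closes that gap. Likewise `'%launchctl load%'` is the legacy subcommand; persistence tooling on current macOS increasingly uses `launchctl bootstrap` and `launchctl submit`, so consider adding `OR cmd LIKE '%launchctl bootstrap%' OR cmd LIKE '%launchctl submit%'`. Expect `launchctl list` and `launchctl load` to fire on routine admin activity and Homebrew service management, so this rule may need an exclusion list for known parents if it is used as a paging alert. The `WHERE` clause these predicates belong to begins before the hunk, so I cannot see whether any such exclusions already exist.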
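Review bot: `'%tail -f /dev/null%'` is the canonical keep-alive entrypoint for benign containers and dev-tool sidecars, so in any fleet running Docker this predicate will be the noisiest line in the query; the cited Kinsing write-up also pairs it with a dropped cron job, and without a parent-process or path qualifier the pattern alone carries little signal. If the intent is "process that exists only to stay alive", `sleep infinity` and long `sleep 9999...` are the equally common forms and are not covered; adding `OR cmd LIKE '%sleep infinity%'` keeps the rule consistent with the new line. I would also extend the new comment to say where to tune it, e.g. `-- Keep the shell running (Kinsing); noisy on containers, filter by parent in the caller`. Unrelated to this change but adjacent in the hunk: `INSTR(cmd, '%Socket.%') > 0` searches for the literal characters `%Socket.` rather than a wildcard, so it probably never matches and likely wants `LIKE`.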