Optimize YARA process queries by deduping paths

Thomas Stromberg 2023-11-02 09:53:26 -04:00
parent 6e1e7f29c2
commit 5802021124
7 changed files with 89 additions and 21 deletions


@ -42,7 +42,17 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 7200)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule miner {
strings:
@ -54,4 +64,4 @@ WHERE
condition:
filesize < 10MB and 1 of them
}'
AND yara.count > 0
AND yara.count > 0
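Review bot: In the new `p0.pid IN (SELECT pid FROM processes ... GROUP BY path)` subquery, `pid` is neither grouped nor aggregated, so under SQLite's bare-column rule the pid returned for each path group comes from an arbitrary row of that group; which instance of a duplicated binary gets scanned, and (if the `p1`/`p2` joins above carry its ancestry into the output) whose parent chain is reported, is therefore not defined. `SELECT MIN(pid)` (or `MAX(pid)` for the newest instance) makes the pick deterministic and is also accepted by engines that reject bare columns in grouped queries. `AND path != ""` uses double quotes, which SQLite first tries to resolve as an identifier and only then falls back to a string literal; `AND path != ''` is the unambiguous form. The same subquery is added in the remaining six file sections of this commit, so both changes apply there too. The enclosing query, including the `yara` join that this per-path dedupe relies on, starts before the hunk.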


@ -39,7 +39,17 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 7200)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule upx {
strings:
@ -48,4 +58,4 @@ WHERE
condition:
$upx_sig in (0..1024)
}'
AND yara.count > 0
AND yara.count > 0


@ -42,9 +42,18 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
AND
yara.sigrule = '
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 7200)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule syscalls {
strings:
$inet_ntoa = "inet_ntoa"


@ -42,7 +42,17 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 3600)
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 3600)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule cryptexec {
strings:


@ -38,7 +38,17 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 7200)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule http_exec {
strings:


@ -42,14 +42,23 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 3600)
AND
yara.sigrule = '
rule redflags {
strings:
$libtomcrypt = "LibTomCrypt"
$email = "tomstdenis@gmail.com"
condition:
filesize < 10MB and 1 of them
}'
AND yara.count > 0
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 3600)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule redflags {
strings:
$libtomcrypt = "LibTomCrypt"
$email = "tomstdenis@gmail.com"
condition:
filesize < 10MB and 1 of them
}'
AND yara.count > 0


@ -42,7 +42,17 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime('%s', 'now') - 7200)
AND path != ""
GROUP BY
path
)
AND yara.sigrule = '
rule redflags {
strings: