RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

overwritten memory: filter out pathless kernel bits

This commit is contained in:
Thomas Stromberg 2023-02-17 17:20:20 -05:00
parent c2b0423606
commit 5949ad1551
Failed to extract signature
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
detection/evasion/overwritten-memory-map-ddexec-linux.sql
View File

@ -32,15 +32,15 @@ SELECT
p2_hash.sha256 AS p2_sha256 p2_hash.sha256 AS p2_sha256
FROM FROM
processes p0 processes p0
LEFT JOIN process_memory_map pmm ON p0.pid = pmm.pid JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE WHERE
pmm.offset = 0 p0.path != ""
AND pmm.offset = 0
AND pmm.device = '00:00' AND pmm.device = '00:00'
AND pmm.permissions = 'r--p' AND pmm.permissions = 'r--p'
AND pmm.pseudo = 0 AND pmm.pseudo = 0