RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-25 06:42:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Address merge conflict

Browse Source
This commit is contained in:
Thomas Stromberg 2022-10-30 09:44:25 -04:00
commit 5b6a150f81
Failed to extract signature
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/c2/unexpected-talkers-macos.sql
View File

@ -233,6 +233,7 @@ WHERE
'443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,17,500,Evernote Helper,,',
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,trivy,a.out,',
'443,6,500,vegeta,a.out,',

14
detection/evasion/empty_environ_macos.sql
View File

@ -32,8 +32,7 @@ FROM processes p
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path
WHERE -- This time should match the interval
p.start_time > (strftime('%s', 'now') - 605)
-- Filter out transient processes that may not have an envs entry by the time we poll for it
p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it
AND p.start_time < (strftime('%s', 'now') - 5)
AND p.path NOT LIKE '/System/Library/%'
-- This condition happens a fair bit on macOS, particularly electron apps
@ -46,13 +45,24 @@ WHERE -- This time should match the interval
AND signature.authority = 'Software Signing'
)
AND NOT exception_key IN (
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
'500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
'500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)',
'500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
'500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing',
'500,TwitterNotificationServiceExtension,maccatalyst.com.atebits.Tweetie2.NotificationServiceExtension,Apple Mac OS Application Signing'
)
AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)'
AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)'
-- Electron apps
AND NOT (
p.path LIKE '/Applications/%Helper%'
AND (
exception_key LIKE '500,%Helper%,Renderer,Developer ID Application: % (%)'
OR exception_key LIKE '500,%Helper%,helper,Developer ID Application: % (%)'
)
)
GROUP BY p.pid
HAVING count == 0;