RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Simplify execution queries

This commit is contained in:
Thomas Stromberg 2023-09-20 18:24:40 -04:00
parent 7b30ac3208
commit 5e3d1d22bd
Failed to extract signature
2 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -23,7 +23,7 @@ out/odk-detection-evasion.conf: out/osqtool-$(ARCH) $(wildcard detection/evasion
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion
out/odk-detection-execution.conf: out/osqtool-$(ARCH) $(wildcard detection/execution/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-execution.conf pack detection/execution
./out/osqtool-$(ARCH) --max-query-duration=8s --verify -output out/odk-detection-execution.conf pack detection/execution
out/odk-detection-exfil.conf: out/osqtool-$(ARCH) $(wildcard detection/exfil/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-exfil.conf pack detection/exfil

3
detection/execution/exotic-commands-linux.sql
View File

@ -103,9 +103,6 @@ WHERE
p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT p1.name = 'limactl'
) -- Crypto miners
OR p0.cmdline LIKE '%c3pool%'
OR p0.cmdline LIKE '%cryptonight%'
OR p0.cmdline LIKE '%f2pool%'
OR p0.cmdline LIKE '%hashrate%'
OR p0.cmdline LIKE '%hashvault%'
OR p0.cmdline LIKE '%minerd%'