RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-16 17:37:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove 'launchctl load' as an exotic event (too noisy)

Browse Source
This commit is contained in:
Thomas Stromberg 2023-02-02 20:44:14 -05:00
parent 1cf0a1e89d
commit 668f012a92
Failed to extract signature
1 changed files with 0 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
detection/execution/exotic-command-events-macos.sql
View File

@ -130,7 +130,6 @@ WHERE
AND p0_cmd LIKE '%history'
)
OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
OR p0_cmd LIKE '%launchctl load%'
OR p0_cmd LIKE '%launchctl bootout%'
OR p0_cmd LIKE '%chflags uchg%'
OR (
@ -162,18 +161,9 @@ WHERE
p0_cmd IN (
'/bin/launchctl bootout gui/501 /Library/LaunchAgents/com.logi.optionsplus.plist',
'/bin/launchctl bootout system/com.docker.socket',
'/bin/launchctl load /Library/LaunchDaemons/com.logi.optionsplus.updater.plist',
'/bin/launchctl load -wF /Library/LaunchAgents/com.adobe.GC.AGM.plist',
'/bin/launchctl load -w /Library/LaunchDaemons/com.docker.socket.plist',
'/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'git history',
'launchctl asuser 501 launchctl load /System/Library/LaunchAgents/com.apple.SafariBookmarksSyncAgent.plist',
'launchctl load /Library/LaunchDaemons/us.zoom.ZoomDaemon.plist',
'launchctl load /System/Library/LaunchAgents/com.apple.SafariBookmarksSyncAgent.plist',
'launchctl load -w /Library/LaunchDaemons/com.opalcamera.cameraExtensionShim.plist',
'launchctl load -w /Library/LaunchDaemons/com.opalcamera.OpalCamera.installUpdate.daemon.plist',
'/Library/Apple/System/Library/StagedFrameworks/Safari/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History',
'sudo launchctl load /Library/LaunchDaemons/us.zoom.ZoomDaemon.plist',
'/usr/bin/csrutil report',
'/usr/bin/csrutil status',
'/usr/bin/pkill -F /private/var/run/lima/shared_socket_vmnet.pid',
@ -182,14 +172,10 @@ WHERE
) -- The source of these commands is still a mystery to me.
OR pe.parent = -1
)
AND NOT p0_cmd LIKE '/bin/launchctl load -wF /Users/%/Library/PreferencePanes/../LaunchAgents/com.adobe.GC.Invoker-1.0.plist'
AND NOT p0_cmd LIKE '/bin/launchctl load -w /Users/%/Library/LaunchAgents/keybase.%.plist'
AND NOT p0_cmd LIKE '-history%'
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/periodic.%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
AND NOT p0_cmd LIKE '%launchctl load -w /Library/LaunchAgents/com.opalcamera.vcam.assistant.plist'
AND NOT p0_cmd LIKE '%launchctl load -w /Library/LaunchAgents/com.opalcamera.OpalCamera.startOnUsbPlugged.agent.plist'
AND NOT p0_cmd LIKE 'rm -f /tmp/insttmp_%'
AND NOT p0_cmd LIKE '/bin/cp %history%sessions/%'
AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'