Relax checks enough to pass tests

This commit is contained in:
Thomas Stromberg 2024-10-11 10:38:07 -04:00
parent c65ddc8c0c
commit 71282a0a62
5 changed files with 6 additions and 4 deletions


@ -79,6 +79,7 @@ WHERE
'nox', 'nox',
'basic', 'basic',
'real', 'real',
'test',
'AppImage', 'AppImage',
'ext' 'ext'
) )


@ -84,7 +84,7 @@ WHERE
REGEX_MATCH (pname, "(\W)$", 1) != "" REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)" AND pname NOT LIKE "%)"
) )
AND pext NOT IN ("", "gui", "cli", "us", "node", "com") AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")
) )
AND NOT pname LIKE '.%-wrapped' AND NOT pname LIKE '.%-wrapped'
AND NOT pname LIKE '__debug_bin%' AND NOT pname LIKE '__debug_bin%'
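Review bot: Adding `"test"` to the `pext NOT IN (...)` list widens the exemption to every file whose extension is `test`, wherever it lives, and the reason is not recorded; the same token is allow-listed in another file of this commit, so the rationale should be written down once per rule. Presumably this covers `go test -c` output (`<pkg>.test`); a trailing comment such as `AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test") -- "test": go test -c binaries` keeps the next reader from deleting it as a stray. Note also that this hunk mixes double-quoted literals on the `REGEX_MATCH` and `NOT IN` lines with single quotes on the `NOT LIKE` lines below; SQLite resolves `"..."` as an identifier first and only falls back to a string literal when no such column exists, so a column named `test` or `cli` would silently change the filter, and single quotes are the safer choice throughout. The enclosing WHERE clause continues outside the hunk.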


@ -45,7 +45,7 @@ WHERE
p0.start_time > 0 p0.start_time > 0
AND f.ctime > 0 AND f.ctime > 0
AND p0.start_time > (strftime('%s', 'now') - 43200) AND p0.start_time > (strftime('%s', 'now') - 43200)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200 AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
AND p0.start_time >= MAX(f.ctime, f.ctime) AND p0.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
-- These are binaries that are known to get updated and subsequently executed -- These are binaries that are known to get updated and subsequently executed
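Review bot: The threshold on the changed line moves from 1200 to 10800 with no comment, and the line directly below it compares against `MAX(f.ctime, f.ctime)` — the same column twice — where the changed line uses `MAX(f.ctime, f.btime)`, so the lower bound looks like a typo that ignores `btime`. Read in isolation, widening the modified-to-started window to three hours admits more rows rather than fewer, unless the clause is negated somewhere outside the hunk; either way the constant deserves its unit, e.g. `AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800 -- 3h: started within 3h of the binary's last change`, and `AND p0.start_time >= MAX(f.ctime, f.btime)` on the next line if `btime` was intended. The surrounding WHERE clause starts and ends outside the hunk.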


@ -78,7 +78,7 @@ WHERE
AND NOT path LIKE '/usr/local/kolide-k2/bin/%' AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
AND NOT path LIKE '%/cloud_sql_proxy' AND NOT path LIKE '%/cloud_sql_proxy'
) )
AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200 AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
AND f.ctime > 0 AND f.ctime > 0
AND NOT ( AND NOT (
p0.euid > 499 p0.euid > 499
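Review bot: The same 1200 → 10800 widening appears here as an undocumented magic number, and the `AND NOT path LIKE '%/cloud_sql_proxy'` context line above it exempts any file whose basename is `cloud_sql_proxy` regardless of directory, which is a trivially borrowable allow-list for a rule about recently modified executables. The kolide exclusion on the preceding line is anchored to an absolute prefix; anchoring cloud_sql_proxy the same way to wherever it is actually installed would stop `/tmp/cloud_sql_proxy` from inheriting the exemption. A unit comment on the constant, `-- 10800 = 3h since the executable was last modified`, would also keep it from drifting apart from the identical value in the sibling rule. The enclosing WHERE clause starts and ends outside the hunk.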


@ -7,7 +7,7 @@
-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter) -- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File) -- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
-- --
-- tags: process events -- tags: process events extra
-- interval: 60 -- interval: 60
-- platform: posix -- platform: posix
SELECT SELECT
@ -186,6 +186,7 @@ WHERE
'zellij', 'zellij',
'zsh' 'zsh'
) )
AND p1_path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
AND p1_path NOT IN ( AND p1_path NOT IN (
'/Applications/Docker.app/Contents/MacOS/Docker', '/Applications/Docker.app/Contents/MacOS/Docker',
'/Applications/Docker.app/Contents/MacOS/install', '/Applications/Docker.app/Contents/MacOS/install',
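Review bot: The added `AND p1_path NOT LIKE '/Applications/%.app/Contents/MacOS/%'` exempts every parent process running from any app bundle under `/Applications` from this T1059/T1204 rule, and because the pattern already covers the `/Applications/Docker.app/Contents/MacOS/...` entries on the following lines, those `NOT IN` entries are now redundant. `/Applications` is writable by admin users on macOS, so an unsigned bundle dropped there that spawns a shell is now invisible to this query; if the false positives came from a handful of bundles, list those bundles instead, or at least comment the wildcard with its cost: `-- broad: exempts any .app under /Applications, signed or not`. The WHERE clause this sits in starts and ends outside the hunk, and the `tags:` change in the first hunk moves the rule to the `extra` set, which presumably is what lets the tests tolerate the broader exclusion.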