RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-13 17:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #29 from tstromberg/reformat3

Browse Source 
noop: Run 'make reformat' on exotic-commands
This commit is contained in:
Thomas Strömberg 2022-10-24 10:02:15 -04:00 committed by GitHub
commit 7db5a93273
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
detection/execution/exotic-commands.sql
View File

@ -48,7 +48,10 @@ WHERE
OR cmd LIKE '%nohup%tmp%'
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%--load-extension%'
OR (cmd LIKE '%UserKnownHostsFile=/dev/null%' AND NOT parent_name='limactl')
OR (
cmd LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT parent_name = 'limactl'
)
-- Crypto miners
OR cmd LIKE '%c3pool%'
OR cmd LIKE '%cryptonight%'
@ -70,7 +73,10 @@ WHERE
OR cmd LIKE '%fsockopen%'
OR cmd LIKE '%openssl%quiet%'
OR cmd LIKE '%pty.spawn%'
OR (cmd LIKE '%sh -i' AND NOT parent_name='sh')
OR (
cmd LIKE '%sh -i'
AND NOT parent_name = 'sh'
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR cmd LIKE '%Socket.fork%'