RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-26 23:10:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #260 from tstromberg/fpr-may11

Browse Source 
fpr: Chrome, Kolide
This commit is contained in:
Thomas Strömberg 2023-05-12 16:43:23 -04:00 committed by GitHub
commit 94947a252f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/evasion/unexpected-tmp-executables-linux.sql
View File

@ -90,6 +90,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
OR file.path LIKE "%/lib/%.so.%" OR file.path LIKE "%/lib/%.so.%"
OR file.path LIKE "%/lib64/%.so.%" OR file.path LIKE "%/lib64/%.so.%"
OR file.path LIKE "%/lib64/%.so" OR file.path LIKE "%/lib64/%.so"
OR file.path LIKE '/tmp/staged-updates%launcher'
OR file.path LIKE "%/melange%" OR file.path LIKE "%/melange%"
OR file.path LIKE "%/sbin/%" OR file.path LIKE "%/sbin/%"
OR file.path LIKE "%/bin/busybox" OR file.path LIKE "%/bin/busybox"

15
detection/execution/unexpected-sysutils-macos.sql
View File

@ -73,15 +73,16 @@ WHERE
AND pe.cmdline IS NOT NULL AND pe.cmdline IS NOT NULL
AND pe.status == 0 AND pe.status == 0
AND pe.path IN ( AND pe.path IN (
'/usr/sbin/sysctl', '/usr/bin/dscl',
'/usr/bin/security',
'/usr/libexec/security_authtrampoline',
'/usr/bin/openssl',
'/usr/bin/uuidgen',
'/usr/bin/funzip', '/usr/bin/funzip',
'/usr/sbin/ioreg', '/usr/bin/openssl',
'/usr/bin/security',
'/usr/bin/sqlite3', '/usr/bin/sqlite3',
'/usr/bin/sw_vers' '/usr/bin/sw_vers',
'/usr/bin/uuidgen',
'/usr/libexec/security_authtrampoline',
'/usr/sbin/ioreg',
'/usr/sbin/sysctl'
) )
AND p.parent > 0 AND p.parent > 0
AND NOT p0_cmd IN ( AND NOT p0_cmd IN (

3
detection/privesc/unexpected-setxid-process.sql
View File

@ -32,6 +32,7 @@ WHERE
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd', '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/opt/1Password/1Password-BrowserSupport', '/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper', '/opt/1Password/1Password-KeyringHelper',
'/opt/google/chrome/chrome-sandbox',
'/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent', '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
'/usr/bin/doas', '/usr/bin/doas',
'/usr/bin/fusermount', '/usr/bin/fusermount',
@ -44,7 +45,9 @@ WHERE
'/usr/bin/su', '/usr/bin/su',
'/usr/bin/sudo', '/usr/bin/sudo',
'/usr/bin/top', '/usr/bin/top',
'/usr/lib/electron/chrome-sandbox',
'/usr/lib/polkit-1/polkit-agent-helper-1', '/usr/lib/polkit-1/polkit-agent-helper-1',
'/usr/lib/slack/chrome-sandbox',
'/usr/lib/xf86-video-intel-backlight-helper', '/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib/Xorg.wrap', '/usr/lib/Xorg.wrap',
'/usr/sbin/traceroute' '/usr/sbin/traceroute'