refactor to reduce false positives

Thomas Stromberg 2024-10-16 09:44:19 -04:00
parent 14a9098a9a
commit 9f4b8a0b69
3 changed files with 12 additions and 8 deletions


@ -62,6 +62,7 @@ WHERE
) )
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
AND s.remote_address NOT IN ( AND s.remote_address NOT IN (
'1.1.1.1', -- Cloudflare
'100.100.100.100', -- Tailscale Magic DNS '100.100.100.100', -- Tailscale Magic DNS
'208.67.220.123', -- OpenDNS FamilyShield '208.67.220.123', -- OpenDNS FamilyShield
'75.75.75.75', -- Comcast '75.75.75.75', -- Comcast
@ -122,6 +123,7 @@ WHERE
'limactl', 'limactl',
'mDNSResponder', 'mDNSResponder',
'melange', 'melange',
'syncthing',
'nessusd', 'nessusd',
'nuclei', 'nuclei',
'systemd-resolved', 'systemd-resolved',
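Review bot: The new 'syncthing' entry in the process-name list (the `@ -122` hunk) breaks what is otherwise an alphabetical run (limactl, mDNSResponder, melange, nessusd, nuclei, systemd-resolved) and carries no comment saying why that process is expected to reach a non-system resolver; move it after 'systemd-resolved' and annotate it the way the resolver entries in the first hunk are, e.g. `'syncthing', -- <reason it bypasses the system resolver>`. The '1.1.1.1' exclusion in the first hunk is keyed on the remote address alone, so every process talking to that host drops out of the results, not just DNS lookups; if the enclosing WHERE does not already restrict the query to the DNS port, that is broader than a resolver exception and worth a comment. Both hunks' enclosing WHERE clauses begin outside the hunks, so that restriction cannot be confirmed here.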


@ -38,6 +38,6 @@ WHERE
) )
-- Kandji temp file -- Kandji temp file
AND NOT ( AND NOT (
file.filename LIKE '/Library/LaunchAgents/.dat.nosync%' file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
AND size = 242 AND size = 242
) )
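Review bot: `size` on the second line of the Kandji exception is the only unqualified column in the block while the corrected `file.path` beside it is qualified; if both come from the same table, `AND file.size = 242` keeps the exception unambiguous should another joined table expose a size column. The enclosing WHERE starts outside the hunk, so the join list is not visible here.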


@ -65,24 +65,23 @@ WHERE
-- Regular apps -- Regular apps
AND NOT path LIKE '/Applications/%.app/%' AND NOT path LIKE '/Applications/%.app/%'
-- Other oddball binary paths -- Other oddball binary paths
AND NOT path LIKE '/opt/homebrew/Cellar/%' AND NOT path LIKE '/opt/%'
AND NOT path LIKE '/usr/local/Cellar/%/bin/%' AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
AND NOT path LIKE '/Users/%/go/src/%/%.test' AND NOT path LIKE '/Users/%/go/%'
AND NOT ( AND NOT path LIKE '/Users/%/dev/%'
path LIKE '/Users/%/homebrew/Cellar/%' AND NOT path LIKE '/Users/%/src/%'
AND name IN ('limactl', 'Python', 'bash') AND NOT path LIKE '/Users/%/homebrew/Cellar/%'
)
AND NOT ( AND NOT (
path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu' path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
AND name = 'cpu' AND name = 'cpu'
) )
AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet')
) )
AND pmm.path LIKE '%Security.framework%' AND pmm.path LIKE '%Security.framework%'
AND exception_key NOT IN ( AND exception_key NOT IN (
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,nix,nix,', '0,nix,nix,',
'500,dirmngr,dirmngr,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
@ -156,6 +155,7 @@ WHERE
'500,keyboxd,,', '500,keyboxd,,',
'500,keyboxd,keyboxd,', '500,keyboxd,keyboxd,',
'500,ko,,', '500,ko,,',
'500,dirmngr,,',
'500,ko,a.out,', '500,ko,a.out,',
'500,kubectl,a.out,', '500,kubectl,a.out,',
'500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing', '500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
@ -243,6 +243,8 @@ WHERE
AND p0.path LIKE '/Users/%/go/bin/%' AND p0.path LIKE '/Users/%/go/bin/%'
) )
AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,' AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,' AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,' AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
AND NOT exception_key LIKE '500,___%,a.out,' AND NOT exception_key LIKE '500,___%,a.out,'
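Review bot: The new lifx-streamdeck pattern in the `@ -243` hunk, `'500,lifx-streamdeck,lifx-streamdeck-%'`, has no trailing comma, unlike its sibling `'500,sm-agent,sm_agent-%,'` and every other pattern in that run, so the wildcard also swallows the final authority field of the exception key and the exception matches whatever signer the binary carries. If the binary is expected to be unsigned, `AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%,'` pins that like the others; if it is signed, put the signer in the pattern instead. In the `@ -65` hunk `'/opt/homebrew/Cellar/%'` becomes `'/opt/%'`, which excludes every third-party install under /opt rather than just Homebrew; if the intent was only to also cover the socket_vmnet path that appears in the same hunk, narrower prefixes such as `'/opt/homebrew/%'` and `'/opt/socket_vmnet/%'` keep the rest of /opt in scope. The enclosing WHERE clauses of all three hunks begin outside the hunks.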