RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix broken updates to exotic-commands-macos

This commit is contained in:
Thomas Stromberg 2023-02-09 17:06:09 -05:00
parent a8ed058d4d
commit a1105fec93
Failed to extract signature
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
detection/execution/exotic-commands-macos.sql
View File

@ -74,7 +74,7 @@ WHERE
OR REGEX_MATCH (p.name, "(pwn|xig|xmr)", 1) != "" -- malicious processes OR REGEX_MATCH (p.name, "(pwn|xig|xmr)", 1) != "" -- malicious processes
OR REGEX_MATCH ( OR REGEX_MATCH (
p.cmdline, p.cmdline,
"(sshd|bitspin|lushput|incbit|traitor|msfvenom|urllib.urlopen|nohup.*tmp|chrome.*--load-extension|tail -f /dev/null|)", "(bitspin|lushput|incbit|traitor|msfvenom|urllib.urlopen|nohup.*tmp|chrome.*--load-extension|tail -f /dev/null|)",
1 1
) != "" -- suspicious things ) != "" -- suspicious things
OR REGEX_MATCH ( OR REGEX_MATCH (

4
detection/execution/unexpected-execdir-macos.sql
View File

@ -189,7 +189,7 @@ WHERE
'Software Signing' 'Software Signing'
) -- Locally built executables ) -- Locally built executables
AND NOT ( AND NOT (
signature.identifier = "a.out" s.identifier = "a.out"
AND homedir LIKE '~/%' AND homedir LIKE '~/%'
AND pp.name LIKE '%sh' AND p1.name LIKE '%sh'
) )