RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-17 19:44:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #375 from egibs/20240718-exceptions

Browse Source 
Add exceptions for 1Password, Docker's kubectl, Loom, ngrok, SAFEQ, and Zed
This commit is contained in:
Thomas Strömberg 2024-07-23 11:16:56 -04:00 committed by GitHub
commit aff147c740
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
detection/c2/unexpected-https-macos.sql
View File

@ -140,7 +140,9 @@ WHERE
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
'500,syncthing,syncthing,,syncthing',
'500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
'500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed'
'500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
'500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl'
)
AND NOT alt_exception_key IN (
'0,velociraptor,velociraptor,0u,0g',

7
detection/c2/unexpected-talkers-macos.sql
View File

@ -193,8 +193,11 @@ WHERE pos.protocol > 0
'500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,0u,0g',
'500,6,21,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck'
'0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R),at.obdev.littlesnitch.networkextension',
'500,6,21,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
'500,6,7881,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
'0,6,7300,safeqclientcore,safeqclientcore,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9),safeqclientcore',
'500,6,80,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out'
) -- Useful for unsigned binaries
AND NOT alt_exception_key IN (
'0,6,80,tailscaled,tailscaled,500u,80g',

5
detection/persistence/unexpected-chrome-extensions.sql
View File

@ -339,7 +339,10 @@ WHERE
'true,Yuri Konotopov <ykonotopov@gnome.org>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle',
'true,AgileBits,1Password \xE2\x80\x93 Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp'
)
AND NOT (
exception_key IN (