RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-03 03:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add unpathed exception to sysctl.proc_translated, remove exception_key

Browse Source
This commit is contained in:
Thomas Stromberg 2023-01-09 10:54:44 -05:00
parent c7e4252af1
commit b6a34d4084
Failed to extract signature
1 changed files with 2 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
detection/execution/unexpected-sysctl-calls.sql
View File

@ -29,22 +29,7 @@ SELECT
'.*/(.*)',
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
CONCAT (
MIN(pe.euid, 500),
',',
REGEX_MATCH (
IIF(pp.path != NULL, pp.path, ppe.path),
'.*/(.*)',
1
),
',',
REGEX_MATCH (
IIF(gp.path != NULL, gp.path, gpe.path),
'.*/(.*)',
1
)
) AS exception_key
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
@ -62,6 +47,7 @@ FROM
AND NOT p.parent IS NULL
AND NOT child_cmd IN (
'sysctl -n hw.optional.arm64',
'sysctl -n sysctl.proc_translated',
'/usr/sbin/sysctl kern.hv_support',
'/usr/sbin/sysctl -n hw.cputype',
'/usr/sbin/sysctl sysctl.proc_translated'