RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-04-07 17:51:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #47 from tstromberg/fp

Browse Source 
talkrs/empty environ: Filter out more Electron apps
This commit is contained in:
Thomas Strömberg 2022-10-29 19:57:03 -04:00 committed by GitHub
commit c7f5a23fad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/c2/unexpected-talkers-macos.sql
View File

@ -233,6 +233,7 @@ WHERE
'443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)', '443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)', '443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,17,500,Evernote Helper,,',
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,trivy,a.out,', '443,6,500,trivy,a.out,',
'443,6,500,vegeta,a.out,', '443,6,500,vegeta,a.out,',

13
detection/evasion/empty_environ_macos.sql
View File

@ -32,8 +32,7 @@ FROM processes p
LEFT JOIN hash ON p.path = hash.path LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path LEFT JOIN signature ON p.path = signature.path
WHERE -- This time should match the interval WHERE -- This time should match the interval
p.start_time > (strftime('%s', 'now') - 605) p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it
-- Filter out transient processes that may not have an envs entry by the time we poll for it
AND p.start_time < (strftime('%s', 'now') - 5) AND p.start_time < (strftime('%s', 'now') - 5)
AND p.path NOT LIKE '/System/Library/%' AND p.path NOT LIKE '/System/Library/%'
AND NOT ( AND NOT (
@ -41,13 +40,23 @@ WHERE -- This time should match the interval
AND signature.authority = 'Software Signing' AND signature.authority = 'Software Signing'
) )
AND NOT exception_key IN ( AND NOT exception_key IN (
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)', '500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
'500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing', '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
'500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing', '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
'500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)',
'500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing' '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing'
) )
AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)' AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)'
AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)' AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)'
-- Electron apps
AND NOT (
p.path LIKE '/Applications/%Helper%'
AND (
exception_key LIKE '500,%Helper%,Renderer,Developer ID Application: % (%)'
OR exception_key LIKE '500,%Helper%,helper,Developer ID Application: % (%)'
)
)
GROUP BY p.pid GROUP BY p.pid
HAVING count == 0; HAVING count == 0;