RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-28 16:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #275 from tstromberg/fpr-jun8

Browse Source 
Add exceptions for common hidden directories
This commit is contained in:
Thomas Strömberg 2023-06-08 20:28:48 -04:00 committed by GitHub
commit e16a74cdc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
detection/evasion/hidden-executable.sql
View File

@ -6,6 +6,7 @@
-- tags: transient -- tags: transient
-- platform: posix -- platform: posix
SELECT SELECT
f.directory,
-- Child -- Child
p0.pid AS p0_pid, p0.pid AS p0_pid,
p0.path AS p0_path, p0.path AS p0_path,
@ -43,8 +44,23 @@ WHERE
OR f.filename LIKE '.%' OR f.filename LIKE '.%'
OR f.directory LIKE '%/.%' OR f.directory LIKE '%/.%'
) )
AND NOT f.directory LIKE '%/.bin'
AND NOT f.directory LIKE '%/.bin-unwrapped'
AND NOT f.directory LIKE '%/.cargo/bin'
AND NOT f.directory LIKE '%/.config/nvm/%/bin'
AND NOT f.directory LIKE '%/.local/%'
AND NOT f.directory LIKE '%/node_modules/.bin/%'
AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
AND NOT f.directory LIKE '%/.pnpm/%'
AND NOT f.directory LIKE '%/.rustup/%'
AND NOT f.directory LIKE '%/.terraform'
AND NOT f.directory LIKE '%/.terraform/%'
AND NOT f.directory LIKE '%/.vscode/extensions/%'
AND NOT f.directory LIKE '%/.vscode-insiders/extensions/%'
AND NOT f.path LIKE '/home/%/.config/bluejeans-v2/BluejeansHelper'
AND NOT f.path LIKE '/nix/store/%/%-wrapped' AND NOT f.path LIKE '/nix/store/%/%-wrapped'
AND NOT ( AND NOT (
f.path LIKE '/nix/store/%' f.path LIKE '/nix/store/%'
AND p0.name LIKE '%-wrappe%' AND p0.name LIKE '%-wrappe%'
) )
GROUP BY f.path