From a0413051458aacd795ebcd1352f60d5c84ea74af Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 14 Sep 2023 16:39:35 -0400
Subject: [PATCH] Improve base64/crontab detection

---
 detection/execution/exotic-command-events-linux.sql | 2 ++
 detection/execution/exotic-command-events-macos.sql | 1 +
 2 files changed, 3 insertions(+)

diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index 4767ec6..b118075 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -129,6 +129,8 @@ WHERE
 OR p0_cmd LIKE '%rm -rf /boot%'
 OR p0_cmd LIKE '%nohup /bin/bash%'
 OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
+ OR p0_cmd LIKE '%echo%|%base64 -d %|%'
+ OR p0_cmd LIKE '%@reboot%crontab%'
 OR p0_cmd LIKE '%UserKnownHostsFile=/dev/null%' -- Crypto miners
 OR p0_cmd LIKE '%monero%'
 OR p0_cmd LIKE '%nanopool%'
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 72cf1af..430b0b7 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -128,6 +128,7 @@ WHERE
 AND p0_cmd NOT LIKE '% history'
 )
 OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
+ OR p0_cmd LIKE '%echo%|%base64 -d %|%'
 OR p0_cmd LIKE '%launchctl bootout%'
 OR p0_cmd LIKE '%chflags uchg%'
 OR (
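Review bot: The new `'%echo%|%base64 -d %|%'` pattern in the linux hunk requires a literal space between `-d` and whatever follows, so a command line written as `base64 -d|sh` (pipe directly after the flag) or with a bundled option such as `base64 -di` does not match, while the pre-existing `--decode ` line has the same gap; the same added line in the macos hunk shares this. Dropping the trailing space, `OR p0_cmd LIKE '%echo%|%base64 -d%|%'`, keeps the intent (echo piped into a decoder piped onward) without depending on the author's spacing, and does not overlap `--decode` since that text never contains `base64 -d`. The `'%@reboot%crontab%'` line only fires when `@reboot` appears before `crontab` on the same command line, which covers the `echo "@reboot …" | crontab -` form but not a schedule loaded from a file; a short comment such as `-- persistence: @reboot entry piped into crontab` above it would record that scope, matching the `-- Crypto miners` style used lower in the clause. The enclosing WHERE clause starts and ends outside both hunks.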
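Review bot: The macos hunk mirrors only the `base64 -d` addition and not the `'%@reboot%crontab%'` line added to the linux file, although macOS ships cron and `crontab`; if the two files are meant to stay in step, `OR p0_cmd LIKE '%@reboot%crontab%'` belongs here too. Assuming osquery's SQLite `LIKE` keeps its default ASCII case-insensitivity, the `-d ` pattern also matches the BSD `base64 -D` spelling used by older macOS releases, which is worth stating in a comment like `-- also matches BSD 'base64 -D' (LIKE is case-insensitive)` so a future reader does not add a redundant line. The enclosing WHERE clause and the `OR (` group opened on the last context line continue outside the hunk.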