Merge pull request #33 from tstromberg/recent-updates

CloudNativeSecurityCon Day 1 False-Positive Cleanup
Thomas Strömberg 2022-10-24 11:10:42 -04:00 committed by GitHub
commit ed84a59a66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 12 additions and 1 deletions


@ -102,12 +102,14 @@ WHERE
'500,/usr/gitsign,0u,0g,gitsign',
'500,/usr/gnome-software,0u,0g,gnome-software',
'500,/usr/go,500u,500g,go',
'500,/usr/java,0u,0g,java',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/slack,0u,0g,slack',
'500,/usr/syncthing,0u,0g,syncthing',
'500,/usr/terraform,0u,0g,terraform',
'500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,/usr/xmobar,0u,0g,xmobar'
'500,/usr/xmobar,0u,0g,xmobar',
'500,/usr/yay,0u,0g,yay'
)
-- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
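Review bot: The `'500,/usr/java,0u,0g,java'` entry, which appears to be one of the additions in this list alongside `yay`, exempts a general-purpose runtime rather than a single application, so whatever the JVM runs for uid 500 is excluded from this query. The key also seems to carry only a shortened path and the process name, which are weak identifiers; this cannot be confirmed here because the expression that builds `exception_key` and the start of the IN list are outside the hunk. I would add a comment above the entry, for example `-- java: false positive from <application>; revisit if exception_key gains the full path`, so the scope of the exemption is recorded.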


@ -90,6 +90,9 @@ WHERE
'5228,6,500,/opt/chrome,0u,0g,chrome',
'5228,6,500,/usr/chrome,0u,0g,chrome',
'8000,6,500,/opt/chrome,0u,0g,chrome',
'80,6,0,/usr/packagekitd,0u,0g,packagekitd',
'80,6,0,/usr/python3.10,0u,0g,yum',
'80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm',
'8000,6,500,/usr/firefox,0u,0g,firefox',
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
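Review bot: `'80,6,0,/usr/python3.10,0u,0g,yum'` pins the interpreter's minor version, so the exemption stops matching when the distribution moves to another Python and the false positive comes back. Because the binary in the key is the shared interpreter, the process name `yum` is the only part that ties the entry to the package manager, which deserves a comment such as `-- yum runs under the system python; name is the only discriminator`. If this query has a `LIKE` escape hatch after the list (not visible in this hunk), `AND NOT exception_key LIKE '80,6,0,/usr/python3.%,0u,0g,yum'` would survive upgrades. The three new `80,6,0` rows would also read better grouped with the existing `80,6,0` rows below the firefox line.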


@ -135,6 +135,7 @@ WHERE
'43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'443,17,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,17,500,Slack Helper,,',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
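Review bot: The added `GitKraken Boards` entry matches on the generic authority `Apple iPhone OS Application Signing` rather than a `Developer ID Application: … (team ID)` string like the Dropbox and Microsoft rows, so the signature field does not tie the exemption to a specific publisher. The bundle identifier `com.axosoft.glo` and the display name are then the only discriminators in the key. A comment above the entry, for example `-- generic Apple authority, no team ID in this field: relies on the bundle identifier`, would record that this was accepted knowingly. The IN list starts and ends outside the hunk.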


@ -40,6 +40,8 @@ WHERE
AND NOT p.path IN (
'',
'/opt/google/chrome/chrome',
'/opt/google/chrome/chrome_crashpad_handler',
'/opt/google/chrome/nacl_helper',
'/usr/bin/containerd',
'/usr/bin/dockerd',
'/usr/bin/gedit',
@ -49,6 +51,7 @@ WHERE
'/usr/bin/udevadm',
'/usr/lib/at-spi2-registryd',
'/usr/lib/at-spi-bus-launcher',
'/usr/libexec/docker/docker-proxy',
'/usr/libexec/fwupd/fwupd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/lib/fwupd/fwupd',


@ -60,6 +60,7 @@ WHERE
AND NOT p.path IN (
'/usr/bin/dockerd',
'/usr/bin/gnome-shell',
'/usr/libexec/coreduetd',
'/usr/bin/udevadm',
'/usr/libexec/aned',
'/usr/libexec/logd',
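Review bot: `'/usr/libexec/coreduetd'` is inserted between `'/usr/bin/gnome-shell'` and `'/usr/bin/udevadm'`, which breaks the path ordering the visible rows otherwise follow. Moving it after `'/usr/libexec/aned'` keeps the list sorted, and a sorted exemption list makes duplicates and unintended entries easier to spot in later reviews. The IN list continues outside this hunk, so the ordering of the remaining rows could not be checked.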


@ -65,6 +65,7 @@ WHERE
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,<all_urls>, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
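Review bot: The added `User-Agent Switcher for Chrome` exemption has an empty author field and carries `<all_urls>`, `webRequest` and `webRequestBlocking` plus a plaintext `http://spoofer-extension.appspot.com/` host permission, which is a broad grant to allow without recording why. The extension ID and the full permission list are part of the key, so a permission change would presumably alert again, but nothing in the file says who reviewed the extension. I would add a comment above the entry, for example `-- reviewed <date> for <team>; author field is empty as reported`, and move the row after the `Bardeen` one so the empty-author entries stay sorted. The list starts outside this hunk.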