Improve unexpected-chmod-exec-event performance

2023-09-05 12:14:47 -04:00 · 2023-09-05 12:14:47 -04:00 · f17381eaa3
parent d49d9487de
commit f17381eaa3
2 changed files with 10 additions and 7 deletions
--- a/detection/execution/unexpected-chmod-exec-event-linux.sql
+++ b/detection/execution/unexpected-chmod-exec-event-linux.sql
@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: linux
-- interval: 180
+-- interval: 300
 SELECT
  IFNULL(
    REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
@ -92,8 +92,8 @@ WHERE
    FROM
      process_events
    WHERE
-      time > (strftime('%s', 'now') -180)
-      AND pe.syscall = "execve"
+      time > (strftime('%s', 'now') -300)
+      AND syscall = "execve"
      AND (
        cmdline LIKE '%chmod% 7%'
        OR cmdline LIKE '%chmod% +rwx%'
@ -105,6 +105,7 @@ WHERE
      AND cmdline NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
      AND cmdline NOT LIKE 'chmod 700 /home/%/snap/%/%/.config'
  )
+  AND pe.time > (strftime('%s', 'now') -300)
  AND pe.syscall = "execve"
  AND f.type != 'directory'
  AND p1_cgroup NOT LIKE '/system.slice/docker-%'
--- a/detection/execution/unexpected-chmod-exec-event-macos.sql
+++ b/detection/execution/unexpected-chmod-exec-event-macos.sql
@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: darwin
-- interval: 180
+-- interval: 300
 SELECT
  IFNULL(
    REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
@ -90,9 +90,9 @@ WHERE
    FROM
      process_events
    WHERE
-      time > (strftime('%s', 'now') -180)
-      AND pe.status = 0
-      AND pe.parent > 0
+      time > (strftime('%s', 'now') -300)
+      AND status = 0
+      AND parent > 0
      AND (
        cmdline LIKE '%chmod% 7%'
        OR cmdline LIKE '%chmod% +rwx%'
@ -102,6 +102,8 @@ WHERE
      )
      AND cmdline != 'chmod 0777 /Users/Shared/logitune'
  )
+  AND pe.time > (strftime('%s', 'now') -300)
+  AND pe.syscall = "execve"
  AND f.type != 'directory'
 GROUP BY
  p0_pid