diff --git a/detection/execution/unexpected-chmod-exec-event-linux.sql b/detection/execution/unexpected-chmod-exec-event-linux.sql
index 27725c1..d5d3564 100644
--- a/detection/execution/unexpected-chmod-exec-event-linux.sql
+++ b/detection/execution/unexpected-chmod-exec-event-linux.sql
@@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: linux
--- interval: 180
+-- interval: 300
 SELECT
 IFNULL(
 REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
@@ -92,8 +92,8 @@ WHERE
 FROM
 process_events
 WHERE
- time > (strftime('%s', 'now') -180)
- AND pe.syscall = "execve"
+ time > (strftime('%s', 'now') -300)
+ AND syscall = "execve"
 AND (
 cmdline LIKE '%chmod% 7%'
 OR cmdline LIKE '%chmod% +rwx%'
@@ -105,6 +105,7 @@ WHERE
 AND cmdline NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
 AND cmdline NOT LIKE 'chmod 700 /home/%/snap/%/%/.config'
 )
+ AND pe.time > (strftime('%s', 'now') -300)
 AND pe.syscall = "execve"
 AND f.type != 'directory'
 AND p1_cgroup NOT LIKE '/system.slice/docker-%'
diff --git a/detection/execution/unexpected-chmod-exec-event-macos.sql b/detection/execution/unexpected-chmod-exec-event-macos.sql
index 4a7e7f9..ff81c23 100644
--- a/detection/execution/unexpected-chmod-exec-event-macos.sql
+++ b/detection/execution/unexpected-chmod-exec-event-macos.sql
@@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: darwin
--- interval: 180
+-- interval: 300
 SELECT
 IFNULL(
 REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
@@ -90,9 +90,9 @@ WHERE
 FROM
 process_events
 WHERE
- time > (strftime('%s', 'now') -180)
- AND pe.status = 0
- AND pe.parent > 0
+ time > (strftime('%s', 'now') -300)
+ AND status = 0
+ AND parent > 0
 AND (
 cmdline LIKE '%chmod% 7%'
 OR cmdline LIKE '%chmod% +rwx%'
@@ -102,6 +102,8 @@ WHERE
 )
 AND cmdline != 'chmod 0777 /Users/Shared/logitune'
 )
+ AND pe.time > (strftime('%s', 'now') -300)
+ AND pe.syscall = "execve"
 AND f.type != 'directory'
 GROUP BY
 p0_pid
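Review bot: The new `AND syscall = "execve"` in the Linux pid subquery keeps the string in double quotes; in SQLite, which osquery embeds, double quotes delimit identifiers, and the comparison only works because SQLite falls back to reading an unresolvable identifier as a string literal, a legacy behaviour that builds can disable. The literal should be single-quoted, `AND syscall = 'execve'`. The same spelling remains in the outer `pe.syscall = "execve"` context line of this file's next hunk and in the `AND pe.syscall = "execve"` line added by the macOS file's last hunk. The subquery's SELECT list and the enclosing outer WHERE begin before this hunk.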
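Review bot: The added `AND pe.time > (strftime('%s', 'now') -300)` in the Linux outer WHERE is the third place this file hard-codes the 300-second lookback, next to the subquery's `time > (strftime('%s', 'now') -300)` and the `-- interval: 300` header, and all three were moved from 180 by hand in this commit; a comment on the new line such as `-- lookback must equal the "interval:" header; the pid subquery above repeats it` would make that coupling visible to the next editor. A lookback exactly equal to the interval also leaves no margin for a late scheduler run, so an event can age out of the window before the next run sees it, unless osquery's event optimization already limits the rows to those since the last run — worth confirming before relying on the time filter alone. The outer WHERE this line belongs to starts before the hunk. The macOS file's last hunk adds the same line and would take the same comment.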
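Review bot: The macOS candidate-pid subquery now filters on `status = 0` and `parent > 0` but not on the syscall, whereas the Linux counterpart's subquery also filters `syscall = "execve"` and this file only applies `pe.syscall = "execve"` in the outer WHERE added by the next hunk. If the syscall column is populated on darwin — the new outer filter already assumes it is — adding `AND syscall = 'execve'` here would make both files select candidates the same way and keep any non-exec events the table reports out of the pid list; if it is not populated, the outer filter would drop every row, so the assumption deserves a check against a live host. The subquery begins before this hunk.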