Remove newer access time check, add Sublime/Microsoft exclusion

Thomas Stromberg 2022-11-16 10:56:58 -05:00
parent 2f30604c07
commit febf6cfebd

@ -43,9 +43,9 @@ WHERE
OR (
(btime_ctime_days_diff < -365)
AND (btime_ctime_days_diff < -1000)
) -- access time is older than start time
OR start_atime_days_diff > 90 -- access time is newer than start time
OR start_atime_days_diff < -10
)
-- access time is older than start time
OR start_atime_days_diff > 90
) -- Vendors that create software packages that look like a touched file.
AND NOT signature.authority IN (
'Apple Mac OS Application Signing',
@ -56,8 +56,10 @@ WHERE
'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Galvanix (5BRAQAFB8B)',
'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
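Review bot: The two entries added to the `signature.authority` exclusion list (`'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)'` and `'Developer ID Application: Microsoft Corporation (UBF8T346G9)'`) suppress this timestamp-mismatch detection for every binary reporting those authority strings, and nothing visible in this section requires the signature to have validated. If no such condition exists outside the hunks, the exclusion should be gated on validity, for example `AND NOT (signature.signed = 1 AND signature.authority IN (...))`, so that a binary whose signature no longer verifies stays reportable even when it names an excluded vendor. The Microsoft team ID presumably covers many products, so a comment beside that entry such as `-- Microsoft: <product> ships files with old btime` would record why it was added and allow it to be narrowed later. The WHERE clause starts and ends outside the visible hunks, so the join type and any existing validity check could not be confirmed from this page.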