Commit Graph

590 Commits

Author SHA1 Message Date
Thomas Stromberg 5e3d1d22bd Simplify execution queries 2023-09-20 18:24:40 -04:00
Thomas Stromberg e6f14457fc Further simplify exotic-command-events-linux 2023-09-20 18:11:50 -04:00
Thomas Stromberg 2bbc2f6c97 split detection pack into subpacks 2023-09-20 17:43:39 -04:00
Thomas Strömberg 547fe50fca Merge pull request #314 from tstromberg/yara 2023-09-20 17:13:43 -04:00
    YARA rules everywhere!
Thomas Stromberg 6781b46375 YARA rules everywhere! 2023-09-20 17:03:21 -04:00
Thomas Stromberg 8a383a9963 exotic commands: simplify to avoid Kolide complexity cutoff 2023-09-20 09:50:10 -04:00
Thomas Stromberg b39fca4e9f fpr: RSA keys, tcpdump, login, crane, sourcegraph, etc 2023-09-20 09:30:46 -04:00
Thomas Stromberg d0e73093ae Use correct column name 2023-09-20 08:07:57 -04:00
Thomas Stromberg 4e820ae59e Improve FDM/cred theft detection 2023-09-20 08:03:25 -04:00
Thomas Strömberg ddb37c066a Merge pull request #310 from tstromberg/fpr-sep18 2023-09-19 17:48:09 -04:00
    unexpected talker events: address easy false positives
Thomas Strömberg e958c9f2ac Merge pull request #311 from tstromberg/hidden-cwd-events 2023-09-19 17:48:01 -04:00
    new check: hidden cwd events
Thomas Stromberg bfdc509243 new check: hidden cwd events 2023-09-19 17:18:35 -04:00
Thomas Stromberg f656aef8be unexpected talker events: address easy false positives 2023-09-19 17:17:58 -04:00
Thomas Stromberg 9722d9f156 new check: Unexpected talker events 2023-09-19 15:57:21 -04:00
Thomas Stromberg cf175ec48d More checks for unusual process names inspired by Earth Lusca 2023-09-18 14:14:40 -04:00
Thomas Strömberg 9963a4e3c6 Merge pull request #307 from tstromberg/fpr-sep14 2023-09-14 17:16:30 -04:00
    fpr: sourcegraph, nginx, factorio, fan control, emacs, nushell
Thomas Strömberg 6adfb1d109 Merge pull request #304 from tstromberg/infostealerz 2023-09-14 17:14:07 -04:00
    Add primitive name-based detection for possible InfoStealers
Thomas Stromberg f16c3cdf53 fpr: sourcegraph, nginx, factorio, fan control, emacs, nushell 2023-09-14 17:13:12 -04:00
Thomas Stromberg a041305145 Improve base64/crontab detection 2023-09-14 16:39:35 -04:00
Thomas Stromberg e2d6fa58a7 Add primitive name-based detection for possible InfoStealers 2023-09-12 10:19:22 -04:00
Thomas Strömberg b93654a9c9 Merge pull request #303 from tstromberg/faster-chmod-detection 2023-09-05 12:42:08 -04:00
    Improve unexpected-chmod-exec-event performance
Thomas Stromberg f17381eaa3 Improve unexpected-chmod-exec-event performance 2023-09-05 12:14:47 -04:00
Thomas Stromberg 190e8adcfd Merge to master 2023-09-01 17:34:36 -04:00
Thomas Stromberg b889cde6d5 Additional fixes for Ventura & Capture One 2023-09-01 17:27:27 -04:00
Thomas Stromberg 84125c4bb1 Remove recently common false positives 2023-09-01 17:09:47 -04:00
Thomas Stromberg 188bc78f4c Fix errors 2023-08-15 18:29:27 -04:00
Thomas Stromberg dce2eb2af5 Add many exceptions 2023-08-15 18:13:06 -04:00
Thomas Stromberg ce2f0f06cb fpr: Keybase, grype, UpdateBrainService, OpenOffice, sqlproxy 2023-07-20 10:56:49 -04:00
Thomas Stromberg 921cdc521e fpr: nvidia drivers, su, agetty, crystalhd, hercules, etc 2023-07-19 15:22:43 -04:00
Thomas Stromberg 485f69a61c fpr: Revolt, Bearly, user executables, melange 2023-07-13 19:43:35 -04:00
Thomas Stromberg d310dac7cc Fix velociraptor exception 2023-07-12 19:30:05 -04:00
Thomas Stromberg 870ea132ee Decrease search depth for performance 2023-07-12 19:29:48 -04:00
Thomas Stromberg b22625d38a Add more velociraptor exceptions 2023-07-12 17:42:02 -04:00
Thomas Stromberg 979cef837b fix missing comma 2023-07-12 17:40:06 -04:00
Thomas Stromberg a0e4183bf4 fpr: Velociraptor, nessus, kandji, java, SteelSeries, etc 2023-07-12 17:38:26 -04:00
Thomas Strömberg 656df2055e Merge pull request #296 from tstromberg/process-ext 2023-07-12 16:46:24 -04:00
    Add rustbucket comment
Thomas Stromberg 6acc441dcf Add rustbucket comment 2023-07-12 16:46:00 -04:00
Thomas Strömberg 6182f2957e Merge pull request #295 from tstromberg/process-ext 2023-07-12 16:45:49 -04:00
    netutil calls: add nscurl
Thomas Stromberg 8e73ef70d2 netutil calls: add nscurl 2023-07-12 16:45:09 -04:00
Thomas Strömberg edbe3fa1f6 Merge pull request #294 from tstromberg/process-ext 2023-07-12 16:44:50 -04:00
    macOS sysutils: add csrutil, ditto, unzip, whoami, system_profiler
Thomas Stromberg bb5f597b2a macOS sysutils: add csrutil, ditto, unzip, whoami, system_profiler 2023-07-12 16:44:15 -04:00
Thomas Strömberg 46199c7d9b Merge pull request #293 from tstromberg/process-ext 2023-07-12 16:28:47 -04:00
    new detector: unexpected process extension linux
Thomas Stromberg a7cd9abaf3 new detector: unexpected process extension linux 2023-07-12 16:06:05 -04:00
Thomas Stromberg 430f397f1e fpr: Velociraptor, Hyprland, iio 2023-07-12 15:00:36 -04:00
Thomas Stromberg 9d93799cb5 Add 'management' to the list of permissions to check for 2023-07-05 12:47:00 -04:00
Thomas Stromberg 97bfc30b92 Update false positive list, add mtime/btime 2023-07-05 12:26:14 -04:00
Thomas Stromberg c9f0b2bee5 fpr: Steam, Presenting, Wavebox, multipass, parallels, cargo, dnf, Kindle, DaveTheDiver 2023-07-03 07:16:14 -04:00
Thomas Stromberg d74405c817 fpr: Brave, Adobe, Signal, Kandji, SteelSeries, etc 2023-06-30 16:38:31 -04:00
Thomas Strömberg c71952d3a8 Merge pull request #286 from tstromberg/jokerspy 2023-06-30 15:40:00 -04:00
    New detectors based on JokerSpy research
Thomas Stromberg ce03badae4 Reformat 2023-06-30 15:38:56 -04:00