Commit Graph

779 Commits

Author SHA1 Message Date
egibs
9367f41f81
Remove 1Password and Loom exception duplicates; add Vim for Google Docs
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-22 07:41:21 -05:00
egibs
7a1c723e98
Use emdashes
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-19 07:18:40 -05:00
egibs
3de6559b5f
Add exceptions for 1Password and Loom Chrome extensions
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 16:59:05 -05:00
egibs
cf4f0d62c2
Add ngrok to unexpected-talkers-macos
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 13:39:07 -05:00
egibs
c9ae0805e2
Add exceptions for Docker's kubectl, ngrok, SAFEQ, and Zed
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 07:25:04 -05:00
egibs
cfb7142803
Add Cyberduck
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-15 14:40:57 -05:00
egibs
71d2857db2
Add allows for various alerts seen 2024-07-15
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-15 13:27:27 -05:00
Thomas Stromberg
bb79251001
Merge branch 'main' into fpr-jul12 2024-07-12 17:08:41 -04:00
Thomas Stromberg
134782202d
Add google-cloud-sdk log-streaming 2024-07-12 17:02:36 -04:00
Thomas Stromberg
61fe50ce72
Add google-cloud-sdk log-streaming 2024-07-12 17:01:34 -04:00
Thomas Stromberg
ddd3041a64
Add rpm-ostreed-automatic service 2024-07-12 16:58:31 -04:00
Thomas Stromberg
6c292f11af
fpr: kas, bitnami, redis, bincapz, kolide, docker, whatsapp 2024-07-12 16:55:49 -04:00
egibs
03789d2957
Add LittleSnitch exception_key
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-12 13:12:43 -05:00
Thomas Stromberg
4df51743d0
fpr: lima, rpm-ostree, gitsign, kde, python, etc 2024-07-01 21:56:28 -04:00
Thomas Stromberg
910590ed6b
fpr: PCP, SDDM, Chrome, etc 2024-06-28 10:31:27 -04:00
Thomas Stromberg
6fe74680a0
fpr: June 28 - final rule tuning 2024-06-28 10:08:04 -04:00
Thomas Stromberg
00fa80a0d9
Massive false-positive reduction, particularly for uBlue 2024-06-27 09:23:52 -04:00
Thomas Stromberg
18e05c5a4c
fpr: June 25 2024-06-25 20:48:09 -04:00
Thomas Stromberg
4aeff07118
More SilverBlue/Elastic allows 2024-05-23 21:22:59 -04:00
Thomas Stromberg
ab2535717f
fpr: Fedora Silverblue, MHLinkServer, new terminals 2024-05-23 17:26:33 -04:00
Thomas Stromberg
03ea3bcff2
mark command-events & execdir-events as 'extra' due to high CPU usage 2024-04-29 09:33:06 -04:00
Thomas Stromberg
5dd614f54c
fpr: MHLink, k3d, BlueFin, query tuning 2024-04-26 16:14:02 -04:00
Thomas Stromberg
5ef3c88213
Overdue False Positive Reduction 2024-03-29 10:12:36 -04:00
Thomas Stromberg
b61869c062
Merge branch 'main' into springbreak 2024-03-29 08:07:15 -04:00
Thomas Stromberg
0e5c8ec11e
Allows for Docker, Yubico, /dev/zero 2024-03-29 08:07:01 -04:00
Thomas Strömberg
a673c28222
Merge pull request #362 from tstromberg/kandji
Performance tuning, mark some Linux queries as 'extra'
2024-03-15 19:07:10 -04:00
Thomas Stromberg
3447f95d9e
Performance tuning, mark some Linux queries as 'extra' 2024-03-15 19:06:16 -04:00
Thomas Strömberg
6eb5b9ebdb
Merge pull request #361 from tstromberg/kandji
Allow Kandji to do weird things with expect
2024-03-15 15:35:44 -04:00
Thomas Stromberg
9342485881
Allow Kandji to do weird things with expect 2024-03-15 15:30:40 -04:00
Thomas Stromberg
d3352610f4
fpr: snapd, cups, ubuntu, etc 2024-03-07 16:33:01 -05:00
Thomas Stromberg
2bdc79bc2b
fix typo 2024-02-26 17:29:23 -05:00
Thomas Stromberg
342d813bf8
fpr: Docker Desktop, code-oss, incus, etc 2024-02-26 17:26:56 -05:00
Thomas Stromberg
a266879668
Merge branch 'main' into feb16-fpr 2024-02-23 16:25:24 -05:00
Thomas Stromberg
5507ae1458
fpr: Firefox, Rapid7, Incus 2024-02-23 16:25:18 -05:00
Thomas Strömberg
d1f6aede22
Merge pull request #356 from tstromberg/ktaint
Ignore taint code 4096 (out-of-tree driver)
2024-02-23 15:10:23 -05:00
Thomas Stromberg
af07ef9888
Ignore taint code 4096 (out-of-tree driver) 2024-02-22 11:48:53 -05:00
Thomas Stromberg
f22d27b1a6
fix Chrome merge conflict 2024-02-16 17:23:23 -05:00
Thomas Stromberg
f72e6424c0
Run reformat 2024-02-16 17:21:00 -05:00
Thomas Stromberg
b1e05d6612
merge conflict 2024-02-16 17:17:45 -05:00
Thomas Stromberg
f87a8e8197
fpr: Elastic, IR, Velociraptor, BitDefender, incus, Adguard 2024-02-16 17:14:11 -05:00
Thomas Stromberg
a0624c0870
Add Elastic exceptions for osqueryd/packetbeat 2024-02-05 10:49:52 -05:00
Thomas Stromberg
12a55753b5
fpr: Elastic Defend, gcloud, Warp, etc 2024-02-05 10:45:17 -05:00
Thomas Stromberg
25c579aa1d
Add TTP details from https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/ 2024-02-01 13:04:07 -05:00
Thomas Stromberg
8693fb6d4f
Add more rapid7 excludes 2024-01-26 14:24:11 -05:00
Thomas Stromberg
517b5719c6
address merge conflict 2024-01-26 14:15:53 -05:00
Thomas Stromberg
e42ea9a4bc
massive fpr: Rapid7, Elastic, everything 2024-01-26 14:07:37 -05:00
Thomas Stromberg
594bc78833
Add firefox DNS resolution 2024-01-22 10:41:35 -05:00
Thomas Stromberg
4cb050f4cc
Add elastic endpoint 2024-01-22 10:40:23 -05:00
Thomas Stromberg
5d31e8da5f
fpr: psi, arduino, bitdefender, keybase, cody, etc 2024-01-22 10:36:01 -05:00
Thomas Stromberg
2762503030
Add missing comma 2024-01-18 17:18:05 -05:00
Thomas Stromberg
ceec1718f9
fpr: snap, mutedeck, idea, Chrome exts 2024-01-18 17:15:37 -05:00
Thomas Strömberg
eaf42fbcd7
Merge pull request #348 from tstromberg/rapid7-elastic-bob
fpr: elastic, rapid7, zwift
2024-01-10 11:21:02 -05:00
Thomas Stromberg
3cc2af51c1
fpr: elastic, rapid7, zwift 2024-01-10 11:20:04 -05:00
Thomas Strömberg
568cb3c988
Merge pull request #346 from tstromberg/fix-kolide-err
Rename current_time column to now_ts to avoid Kolide import issue
2024-01-10 09:42:59 -05:00
Thomas Stromberg
36c2286717
Rename current_time column to now_ts to avoid Kolide import issue 2024-01-10 09:42:29 -05:00
Thomas Stromberg
fa4e0d0510
recently downloaded go-crypt: Fix YARA error 2024-01-09 17:22:33 -05:00
Thomas Stromberg
27a0d55737
fpr: syncthing 2024-01-09 16:19:52 -05:00
Thomas Stromberg
229a32a61e
fpr: sourcegraph,phantombuster,iterm,cody,stickers 2024-01-09 16:14:00 -05:00
Thomas Stromberg
875125fc94
Add exceptions for Elastic Defend & Rapid7 InsightIDR 2024-01-08 19:07:57 -05:00
Thomas Stromberg
c2c29a1a52
Optimize performance with Google Chrome image mounted 2024-01-08 18:47:36 -05:00
Thomas Stromberg
1304d66783
Add more Elastic exceptions 2024-01-08 17:55:30 -05:00
Thomas Stromberg
336a1fca4a
Add exceptions for Elastic Defend 2024-01-08 17:18:25 -05:00
Jed Salazar
243303ef75
Add Macdown as an exception to minimal-socket-client-macos
Signed-off-by: Jed Salazar <jedsalazar@gmail.com>
2023-12-20 12:14:54 -07:00
Thomas Stromberg
202ce6be45
Ignore syncthing, nuclei, fix typos 2023-12-15 17:19:38 -05:00
Thomas Stromberg
8b9894ec74
filter out CSV from yara 2023-12-15 17:12:50 -05:00
Thomas Stromberg
800e4aa2cc
fpr: kind of everything 2023-12-15 17:10:06 -05:00
Thomas Stromberg
2c783f17f4
exotic events linux: remove uptime join, use empty string 2023-12-12 12:56:09 -05:00
Thomas Stromberg
877b2c495b
exotic events linux: double interval, reduce hash lookups 2023-12-12 12:33:38 -05:00
Thomas Stromberg
310e51d2a2
fpr: Capture One, Grammarly, Mullvad, etc 2023-12-08 17:12:27 -05:00
Thomas Stromberg
40078d357a
fpr: ThingsWidgetExtension 2023-11-02 11:17:58 -04:00
Thomas Stromberg
5802021124
Optimize YARA process queries by deduping paths 2023-11-02 09:53:26 -04:00
Thomas Stromberg
6e1e7f29c2
fpr: dbeaver, AwesomeScreenshot, Hyper, etc 2023-11-02 09:39:41 -04:00
Thomas Stromberg
0060bb087e
fpr: aws, java, arch, cody, google, wireshark, etc 2023-10-31 11:40:10 -04:00
Thomas Strömberg
51baf32292
Merge pull request #331 from tstromberg/fpr-oct25
fpr: rootlesskit, sshd, Fedora, Oracle Linux
2023-10-25 13:42:56 -04:00
Thomas Stromberg
23fadda33b
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 13:42:22 -04:00
Thomas Stromberg
d7990dd063
fpr: Electron, Github 2023-10-25 09:49:07 -04:00
Thomas Stromberg
7d9aced380
fpr: mtr, vscode, cpptools, cron, firefox 2023-10-25 09:18:04 -04:00
Thomas Stromberg
9e6df92e3f
fpr: osquery release spam 2023-10-24 18:32:03 -04:00
Thomas Stromberg
3c2be1c16e
fpr: Kolide, qemu, bash, monday, macOS 2023-10-24 18:01:36 -04:00
Thomas Stromberg
bf66053d5c
fpr: containerd, hyper, Docker, Chromium, spotify, busycal 2023-10-02 16:11:44 -04:00
Thomas Stromberg
42c0a15e2a
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 11:45:27 -04:00
Thomas Stromberg
5f2680ca8b
fpr: Monday, Splunk, Gnome, Git, Grammarly, etc 2023-10-02 11:35:11 -04:00
Thomas Stromberg
ed473f438d
Broaden the talker exception list 2023-09-26 16:41:47 -04:00
Thomas Stromberg
f73263bece
fpr: docker, fish, Stream Deck, rsync, lima, macOS 2023-09-26 15:14:38 -04:00
Thomas Strömberg
25f7c2cacd
Merge pull request #321 from tstromberg/unusual-location-
Add detector for listening from an unusual location
2023-09-26 13:13:21 -04:00
Thomas Strömberg
c3df9bdea5
Merge pull request #320 from tstromberg/lima-ubuntu-fpr
Reduce false positives on Ubuntu + Lima
2023-09-26 13:13:13 -04:00
Thomas Stromberg
d3efd381f0
Add detector for listening from an unusual location 2023-09-26 13:12:51 -04:00
Thomas Stromberg
a7f0b3001d
Reduce false positives on Ubuntu + Lima 2023-09-26 13:09:22 -04:00
Thomas Stromberg
6b4700c3dd
Address issues which kept these alerts from firing 2023-09-24 22:02:34 -04:00
Thomas Stromberg
5e3d1d22bd
Simplify execution queries 2023-09-20 18:24:40 -04:00
Thomas Stromberg
e6f14457fc
Further simplify exotic-command-events-linux 2023-09-20 18:11:50 -04:00
Thomas Stromberg
2bbc2f6c97
split detection pack into subpacks 2023-09-20 17:43:39 -04:00
Thomas Strömberg
547fe50fca
Merge pull request #314 from tstromberg/yara
YARA rules everywhere!
2023-09-20 17:13:43 -04:00
Thomas Stromberg
6781b46375
YARA rules everywhere! 2023-09-20 17:03:21 -04:00
Thomas Stromberg
8a383a9963
exotic commands: simplify to avoid Kolide complexity cutoff 2023-09-20 09:50:10 -04:00
Thomas Stromberg
b39fca4e9f
fpr: RSA keys, tcpdump, login, crane, sourcegraph, etc 2023-09-20 09:30:46 -04:00
Thomas Stromberg
d0e73093ae
Use correct column name 2023-09-20 08:07:57 -04:00
Thomas Stromberg
4e820ae59e
Improve FDM/cred theft detection 2023-09-20 08:03:25 -04:00
Thomas Strömberg
ddb37c066a
Merge pull request #310 from tstromberg/fpr-sep18
unexpected talker events: address easy false positives
2023-09-19 17:48:09 -04:00
Thomas Strömberg
e958c9f2ac
Merge pull request #311 from tstromberg/hidden-cwd-events
new check: hidden cwd events
2023-09-19 17:48:01 -04:00
Thomas Stromberg
bfdc509243
new check: hidden cwd events 2023-09-19 17:18:35 -04:00
Thomas Stromberg
f656aef8be
unexpected talker events: address easy false positives 2023-09-19 17:17:58 -04:00
Thomas Stromberg
9722d9f156
new check: Unexpected talker events 2023-09-19 15:57:21 -04:00
Thomas Stromberg
cf175ec48d
More checks for unusual process names inspired by Earth Lusca 2023-09-18 14:14:40 -04:00
Thomas Strömberg
9963a4e3c6
Merge pull request #307 from tstromberg/fpr-sep14
fpr: sourcegraph, nginx, factorio, fan control, emacs, nushell
2023-09-14 17:16:30 -04:00
Thomas Strömberg
6adfb1d109
Merge pull request #304 from tstromberg/infostealerz
Add primitive name-based detection for possible InfoStealers
2023-09-14 17:14:07 -04:00
Thomas Stromberg
f16c3cdf53
fpr: sourcegraph, nginx, factorio, fan control, emacs, nushell 2023-09-14 17:13:12 -04:00
Thomas Stromberg
a041305145
Improve base64/crontab detection 2023-09-14 16:39:35 -04:00
Thomas Stromberg
e2d6fa58a7
Add primitive name-based detection for possible InfoStealers 2023-09-12 10:19:22 -04:00
Thomas Strömberg
b93654a9c9
Merge pull request #303 from tstromberg/faster-chmod-detection
Improve unexpected-chmod-exec-event performance
2023-09-05 12:42:08 -04:00
Thomas Stromberg
f17381eaa3
Improve unexpected-chmod-exec-event performance 2023-09-05 12:14:47 -04:00
Thomas Stromberg
190e8adcfd
Merge to master 2023-09-01 17:34:36 -04:00
Thomas Stromberg
b889cde6d5
Additional fixes for Ventura & Capture One 2023-09-01 17:27:27 -04:00
Thomas Stromberg
84125c4bb1
Remove recently common false positives 2023-09-01 17:09:47 -04:00
Thomas Stromberg
188bc78f4c
Fix errors 2023-08-15 18:29:27 -04:00
Thomas Stromberg
dce2eb2af5
Add many exceptions 2023-08-15 18:13:06 -04:00
Thomas Stromberg
ce2f0f06cb
fpr: Keybase, grype, UpdateBrainService, OpenOffice, sqlproxy 2023-07-20 10:56:49 -04:00
Thomas Stromberg
921cdc521e
fpr: nvidia drivers, su, agetty, crystalhd, hercules, etc 2023-07-19 15:22:43 -04:00
Thomas Stromberg
485f69a61c
fpr: Revolt, Bearly, user executables, melange 2023-07-13 19:43:35 -04:00
Thomas Stromberg
d310dac7cc
Fix velociraptor exception 2023-07-12 19:30:05 -04:00
Thomas Stromberg
870ea132ee
Decrease search depth for performance 2023-07-12 19:29:48 -04:00
Thomas Stromberg
b22625d38a
Add more velociraptor exceptions 2023-07-12 17:42:02 -04:00
Thomas Stromberg
979cef837b
fix missing comma 2023-07-12 17:40:06 -04:00
Thomas Stromberg
a0e4183bf4
fpr: Velociraptor, nessus, kandji, java, SteelSeries, etc 2023-07-12 17:38:26 -04:00
Thomas Strömberg
656df2055e
Merge pull request #296 from tstromberg/process-ext
Add rustbucket comment
2023-07-12 16:46:24 -04:00
Thomas Stromberg
6acc441dcf
Add rustbucket comment 2023-07-12 16:46:00 -04:00
Thomas Strömberg
6182f2957e
Merge pull request #295 from tstromberg/process-ext
netutil calls: add nscurl
2023-07-12 16:45:49 -04:00
Thomas Stromberg
8e73ef70d2
netutil calls: add nscurl 2023-07-12 16:45:09 -04:00
Thomas Strömberg
edbe3fa1f6
Merge pull request #294 from tstromberg/process-ext
macOS sysutils: add csrutil, ditto, unzip, whoami, system_profiler
2023-07-12 16:44:50 -04:00
Thomas Stromberg
bb5f597b2a
macOS sysutils: add csrutil, ditto, unzip, whoami, system_profiler 2023-07-12 16:44:15 -04:00
Thomas Strömberg
46199c7d9b
Merge pull request #293 from tstromberg/process-ext
new detector: unexpected process extension linux
2023-07-12 16:28:47 -04:00
Thomas Stromberg
a7cd9abaf3
new detector: unexpected process extension linux 2023-07-12 16:06:05 -04:00
Thomas Stromberg
430f397f1e
fpr: Velociraptor, Hyprland, iio 2023-07-12 15:00:36 -04:00
Thomas Stromberg
9d93799cb5
Add 'management' to the list of permissions to check for 2023-07-05 12:47:00 -04:00
Thomas Stromberg
97bfc30b92
Update false positive list, add mtime/btime 2023-07-05 12:26:14 -04:00
Thomas Stromberg
c9f0b2bee5
fpr: Steam, Presenting, Wavebox, multipass, parallels, cargo, dnf, Kindle, DaveTheDiver 2023-07-03 07:16:14 -04:00
Thomas Stromberg
d74405c817
fpr: Brave, Adobe, Signal, Kandji, SteelSeries, etc 2023-06-30 16:38:31 -04:00
Thomas Strömberg
c71952d3a8
Merge pull request #286 from tstromberg/jokerspy
New detectors based on JokerSpy research
2023-06-30 15:40:00 -04:00
Thomas Stromberg
ce03badae4
Reformat 2023-06-30 15:38:56 -04:00
Thomas Stromberg
cebf617c82
fpr: terragrunt, mdnsResponder, Spotify, Zoom, etc 2023-06-14 10:58:41 -04:00
Thomas Stromberg
2d8abbaed9
Improve targeting of Unexpected Chrome Extensions 2023-06-14 10:32:11 -04:00
Thomas Stromberg
32328c91f1
fpr: Slack, Gnome, Sigstore, Logitune, etc 2023-06-12 10:10:57 -04:00
Thomas Strömberg
c096acee92
Merge pull request #282 from tstromberg/dns
Cleanup unexpected-dns-traffic-events
2023-06-09 09:46:20 -04:00
Thomas Stromberg
b5e765efed
Cleanup unexpected-dns-traffic-events 2023-06-09 08:56:17 -04:00
Thomas Strömberg
1654c03677
Merge pull request #281 from tstromberg/less-persist
recently created: set cutoff to 12h, exclude SteelSeries
2023-06-09 07:55:46 -04:00
Thomas Stromberg
ccdd5e2d4f
set cutoff to 12h, exclude SteelSeries 2023-06-09 07:42:30 -04:00
Thomas Strömberg
57cc0ec64d
Merge pull request #279 from tstromberg/minecraft
false positive: Minecraft
2023-06-09 07:35:05 -04:00
Thomas Stromberg
838e0f6a4d
recently created: set cut-off to 30 minutes 2023-06-09 07:29:00 -04:00
Thomas Stromberg
35433beb05
false positive: Minecraft 2023-06-09 07:28:05 -04:00
Thomas Strömberg
bdecfa4996
Merge pull request #278 from tstromberg/multipass
launchd: Add Canonical exception
2023-06-09 07:17:22 -04:00