Merge pull request #306 from tstromberg/apt36-desktop

Improve base64/crontab detection
chainguard-dev · Sep 14, 2023 · e97f2fd · e97f2fd
2 parents a9eba00 + a041305
commit e97f2fd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
@@ -129,6 +129,8 @@ WHERE
     OR p0_cmd LIKE '%rm -rf /boot%'
     OR p0_cmd LIKE '%nohup /bin/bash%'
     OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
+    OR p0_cmd LIKE '%echo%|%base64 -d %|%'
+    OR p0_cmd LIKE '%@reboot%crontab%'
     OR p0_cmd LIKE '%UserKnownHostsFile=/dev/null%' -- Crypto miners
     OR p0_cmd LIKE '%monero%'
     OR p0_cmd LIKE '%nanopool%'

diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
@@ -128,6 +128,7 @@ WHERE
       AND p0_cmd NOT LIKE '% history'
     )
     OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
+    OR p0_cmd LIKE '%echo%|%base64 -d %|%'
     OR p0_cmd LIKE '%launchctl bootout%'
     OR p0_cmd LIKE '%chflags uchg%'
     OR (