Summary of the Pull Request
I've created a new detector based on research done by Datadog on compiler execution within a container. I believe I saw a tweet a few years back from Florian suggesting to avoid regex to make understanding logic a bit easier, but on the off chance it's preferred over the below, I believe this should work:
```
.*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*
```
This shouldn't happen legitimately (according to best practices) as builds should be immutable. I've set the priority on this to low as, even though that is a recommended best practice, I'm sure there will be FPs in reality.
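To make the false-positive trade-off concrete, here is an added example (not part of the PR or the rule itself) that runs the proposed regex over a few constructed container-exec events and compares it with a regex-free basename check in the spirit of Sigma's `Image|endswith` matching; the event fields and the `basename_match` alternative are assumptions for illustration.

```python
import re

# The regex exactly as proposed in the PR description.
COMPILER_RE = re.compile(r".*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*")

# Regex-free alternative: match the executable's basename only (assumed
# design, mirroring an `Image|endswith` style Sigma selection).
COMPILERS = ("gcc", "g++", "clang", "javac", "make", "nasm", "yasm")


def regex_match(cmdline: str) -> bool:
    """True if the PR's regex fires anywhere in the command line."""
    return COMPILER_RE.search(cmdline) is not None


def basename_match(image: str) -> bool:
    """True if the process image basename is a compiler (incl. gcc-12 style names)."""
    name = image.rsplit("/", 1)[-1]
    return name in COMPILERS or any(name.startswith(c + "-") for c in COMPILERS)


# Constructed sample events (hypothetical, not taken from any real log).
EVENTS = [
    {"image": "/usr/bin/gcc", "cmdline": "gcc -o app main.c"},
    {"image": "/usr/bin/make", "cmdline": "make -j4"},
    # Benign Django housekeeping: "makemigrations" contains "make".
    {"image": "/usr/bin/python3", "cmdline": "python3 manage.py makemigrations"},
    {"image": "/bin/sh", "cmdline": "sh -c 'cat /etc/nginx/nginx.conf'"},
    {"image": "/usr/bin/gcc-12", "cmdline": "gcc-12 -c foo.c"},
]


def evaluate(events):
    """Return (cmdline, regex_hit, basename_hit) for each event."""
    return [(e["cmdline"], regex_match(e["cmdline"]), basename_match(e["image"]))
            for e in events]


if __name__ == "__main__":
    for cmdline, rx, bn in evaluate(EVENTS):
        print(f"regex={rx!s:5} basename={bn!s:5} {cmdline}")
```

The third event shows the kind of FP the low priority accounts for: the optional separator groups make the regex a plain substring match, so `makemigrations` trips it while the basename check does not.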
Changelog
new: Compiler Execution Within Kubernetes Containers
Example Log Event
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions