fpr: SA keys, libgtop, haproxy, gvproxy, slirp

This commit is contained in:
Thomas Stromberg 2023-03-14 16:05:16 -04:00
parent 2f16dda2a7
commit 09652bd91f
13 changed files with 70 additions and 18 deletions


@ -70,6 +70,8 @@ WHERE
'0,flatpak-system-helper,0u,0g,flatpak-system-',
'0,kmod,0u,0g,depmod',
'0,launcher,0u,0g,launcher',
'500,containerd,u,g,containerd',
'500,slirp4netns,0u,0g,slirp4netns',
'0,launcher,500u,500g,launcher',
'0,ldconfig,0u,0g,ldconfig',
'0,nessusd,0u,0g,nessusd',
@ -110,12 +112,15 @@ WHERE
'500,chrome,0u,0g,chrome',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,code,0u,0g,code',
'500,slirp4netns,0u,0g,slirp4netns',
'500,grafana,u,g,grafana',
'500,code,500u,500g,code',
'500,cosign,500u,500g,cosign',
'500,cosign-linux-amd64,0u,0g,cosign',
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,curl,0u,0g,curl',
'500,tilt,500u,500g,tilt',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
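Review bot: `'500,slirp4netns,0u,0g,slirp4netns'` is added in both hunks of this file, once after `'0,launcher,0u,0g,launcher'` and again after `'500,code,0u,0g,code'`, so one of the two rows is redundant. The new rows also break the alphabetical order the rest of the list keeps (slirp4netns between the two `code` entries, tilt after curl), which is exactly what makes such duplicates easy to miss; inserting in sorted position would help future review. `'500,containerd,u,g,containerd'` carries empty uid/gid fields like the existing grafana and Discord rows; if that form is intentional, a short comment on what an empty field in the key means would help the next reader, since the key's construction is above the hunk.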


@ -238,6 +238,13 @@ WHERE
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'brave'
AND f.filename = 'brave'
AND s.remote_port > 3000
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'firefox'
AND f.filename = 'firefox'
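Review bot: The new brave exclusion keys only on `p.name = 'brave'` and `f.filename = 'brave'`, both of which a process picks for itself, and it then suppresses every TCP connection to any remote port above 3000 for every non-root euid. If the intent is to exclude the real browser, anchoring the block to its install location (a `p.path LIKE` on the expected prefix) narrows it considerably at no cost to the intended case. The enclosing WHERE starts above the hunk, so whether a path or signature constraint already applies to this block is not visible here.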


@ -158,6 +158,7 @@ WHERE
'443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,17,500,Slack Helper,,',
'123,17,500,gvproxy,,',
'443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
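Review bot: `'123,17,500,gvproxy,,'` leaves both the signature identifier and the authority fields empty, so any unsigned process calling itself gvproxy that sends UDP/123 matches, whereas the neighbouring rows pin a Developer ID. If gvproxy genuinely carries no code signature on the hosts this targets, say so next to the row so it is not later read as an omission, for example `-- gvproxy: no code signature to pin; revisit if a signed build ships`. The row is also inserted among the 443 entries rather than in port order, if the list is meant to stay sorted.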


@ -84,7 +84,10 @@ WHERE p0.path != ""
)
AND NOT exception_key IN (
"0,udevadm,systemd-udevd",
"125,systemd,(sd-pam)",
"500,rootlesskit,exe",
"500,systemd,(sd-pam)"
"500,rootlessport,exe",
"500,systemd,(sd-pam)",
"500,udevadm,systemd-udevd"
)
GROUP by exception_key


@ -25,6 +25,7 @@ SELECT
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
p1.path AS p1_path,
p1.name AS p1_name,
p1.cmdline AS p1_cmd,
@ -77,11 +78,11 @@ WHERE
) -- These alerts were unfortunately useless - lots of spam on macOS
AND NOT (
p1.path LIKE '/app/%'
AND p0.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
AND p1.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
)
AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
AND p1.path NOT LIKE '/tmp/.mount_%/%'
AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
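Review bot: The new `p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'` and `libpod-%` lines hard-code uid 1000, so the same container cgroups under any other user are not excluded; this commit's own `'/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'` form is the pattern to reuse, and the same applies to the two `cgroup_path` lines added in the `-- platform: linux` file and to the libpod line added directly beneath that wildcard form in the file ending in `GROUP BY exception_key`. Separately, `p1.cgroup_path NOT LIKE '/system.slice/docker-%'` replaces the previous `p0.cgroup_path` check rather than adding to it, so a child whose own cgroup is outside docker but whose parent is inside is now excluded; if the exclusion is meant for processes actually running in a container, keep the `p0.cgroup_path` condition as well. The enclosing WHERE starts above the hunk.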


@ -130,6 +130,7 @@ WHERE
'/bin/containerd',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-logind',
'/usr/lib/systemd/systemd-homed',
'/usr/lib/systemd/systemd-oomd',
'/usr/lib/systemd/systemd-resolved',
'/usr/lib/systemd/systemd-timesyncd',


@ -7,6 +7,7 @@
-- platform: linux
SELECT -- Child
p0.pid AS p0_pid,
p0.cgroup_path AS p0_cgroup,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
@ -51,6 +52,8 @@ WHERE
1
) IS NULL -- Docker
AND NOT path LIKE '/tmp/%/osqtool'
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
AND NOT cgroup_path LIKE '/system.slice/docker-%' -- Interactive terminal
AND NOT (
cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-Alacritty-%.scope'


@ -241,6 +241,7 @@ FROM
'/usr/bin/umount',
'/usr/bin/vmware-user-suid-wrapper',
'/usr/bin/vmware-user',
'/usr/libexec/libgtop_server2',
'/usr/lib/mail-dotlock',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib/Xorg.wrap',


@ -158,6 +158,7 @@ WHERE
'getty.target,Login Prompts,,450',
'graphical.target,Graphical Interface,,450',
'gssproxy.service,GSSAPI Proxy Daemon,,450',
'haproxy.service,HAProxy Load Balancer,,1350',
"ifupdown-pre.service,Helper to synchronize boot up for ifupdown,,225",
'iio-sensor-proxy.service,IIO Sensor Proxy service,,225',
'import-state.service,Import network configuration from initramfs,,225',
@ -364,6 +365,7 @@ WHERE
'systemd-random-seed.service,Load/Save Random Seed,,1125',
'systemd-remount-fs.service,Remount Root and Kernel File Systems,,675',
'systemd-resolved.service,Network Name Resolution,systemd-resolve,1575',
'systemd-resolved.service,Network Name Resolution,systemd-resolve,1800',
'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,,675',
'systemd-suspend.service,System Suspend,,450',
'systemd-sysctl.service,Apply Kernel Variables,,675',
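Review bot: `'systemd-resolved.service,Network Name Resolution,systemd-resolve,1800'` is added beside the existing `,1575` row and differs only in the trailing number, which suggests that field varies between hosts or over time; enumerating each observed value will keep producing one-line commits like this. If that field is not part of what the exception is meant to pin, a prefix match such as `AND NOT exception_key LIKE 'systemd-resolved.service,Network Name Resolution,systemd-resolve,%'` outside the IN list would be more stable. The key's construction is above the hunk, so whether the number is significant cannot be confirmed here.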


@ -185,5 +185,6 @@ WHERE
-- Exclude processes running inside of Docker containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
AND NOT p.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
GROUP BY
exception_key


@ -123,8 +123,6 @@ WHERE
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
'fusermount3,/usr/bin/fusermount3,1000,user.slice,user-1000.slice,4755',
'fusermount3,/usr/bin/fusermount3,127,user.slice,user-127.slice,4755',
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
@ -234,6 +232,7 @@ WHERE
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
)
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
p0.pid
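Review bot: The new `AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'` replaces two rows that were pinned to uids 1000 and 127 with a pattern whose `%` accepts any value in the uid and slice positions, including `0`, so the exception is materially wider than before and nothing in the hunk records why. A one-line comment stating the intent, such as `-- fusermount3 is setuid and runs in every user session slice; any uid is expected`, would make the widening deliberate. Since osquery runs on SQLite, `GLOB 'fusermount3,/usr/bin/fusermount3,[0-9]*,user.slice,user-[0-9]*.slice,4755'` is available if the uid and slice positions should at least be constrained to digits.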


@ -60,15 +60,15 @@ FROM
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN signature s ON pe.path = s.path
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN processes p1 ON pe.parent = p1.pid AND p1.start_time <= pe.start_time
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.start_time <= pe.start_time
AND pe1.cmdline != ''
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
LEFT JOIN signature pe_sig1 ON pe1.path = pe_sig1.path
-- Grandparents (via 3 paths)
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid AND p1_p2.start_time <= p1.start_time
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid AND pe1_p2.start_time <= pe1.start_time
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
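Review bot: The grandparent-via-events join `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid` is the one join in this block left without the new `start_time` guard, and its ON clause never references `pe1_pe2` itself, so `pe1_pe2` pairs with every non-empty-cmdline event row whenever `pe1.parent` equals `pe1_p2.pid`; unless that is intended it should read `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_pe2.pid AND pe1_pe2.start_time <= pe1.start_time AND pe1_pe2.cmdline != ''`. The new guards read `pe.start_time` and `pe1.start_time` from process_events; the FROM clause defining `pe` is above the hunk, so it is worth confirming that column exists on the osquery build this targets rather than only on the processes table. A short comment on the first guarded join, for example `-- a parent must predate its child; rejects PID reuse`, would record why the bound is there.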


@ -8,10 +8,11 @@ SELECT
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
u.username,
ea.value AS url
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
JOIN file ON mdfind.path = file.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
@ -22,6 +23,11 @@ WHERE
mdfind.query = "kMDItemFSName == '*.json'"
AND (
file.filename LIKE "%-%-%.json"
OR file.filename LIKE '%service%.json'
OR file.filename LIKE '%acct%.json'
OR file.filename LIKE '%key%.json'
OR file.filename LIKE '%account%.json'
OR file.filename LIKE '%-sa.json'
OR file.filename LIKE 'sa%.json'
OR file.filename LIKE '%s%r%v%acc%t%json'
OR file.filename LIKE '%prod.json'
@ -29,25 +35,47 @@ WHERE
)
AND file.size BETWEEN 2311 AND 2385 -- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(file.filename, CONCAT (u.username, "-")) == 1 -- Don't alert on tokens that begin with the users full name and a dash
AND NOT (
LENGTH(u.username) > 4
AND INSTR(file.filename, SUBSTR(u.username, 3,8)) > 0
)
AND NOT INSTR(
file.filename,
REPLACE(LOWER(TRIM(u.description)), " ", "-")
) == 1 -- Common locations of test or demo keys
) == 1
-- Common locations of test or demo keys
AND NOT file.directory LIKE '%/go/pkg/%'
AND NOT file.directory LIKE '%/go/src/%'
AND NOT file.directory LIKE '%/pkg/mod/%'
AND NOT file.directory LIKE '%/aws-sdk/apis'
AND NOT file.directory LIKE '%/mock-infras/%'
AND NOT file.directory LIKE '%/testdata%'
AND NOT file.directory LIKE '%/third_party/%'
AND NOT file.directory LIKE '%/generated/%'
AND NOT file.directory LIKE '%/json%'
AND NOT file.directory LIKE '%/schemas'
AND NOT file.directory LIKE '/Users/%/Library/Application Support/%'
AND NOT file.directory LIKE '%demo' -- Common filenames that are non-controversial
AND NOT file.filename IN (
'service-account-file.json',
'redshift-2012-12-01.waiters2.json',
'update-all-transforms.json',
'update-arrayremove-multi.json',
'organizations-2016-11-28.paginators.json'
AND NOT file.directory LIKE '%demo'
AND NOT file.filename LIKE 'ntia-conformance-%'
AND NOT file.filename LIKE '%spdx%'
-- Common filenames that are non-controversial
-- AND NOT file.filename LIKE 'redshift-%'
-- AND NOT file.filename LIKE 'update-%'
-- AND NOT file.filename LIKE 'pool-%'
-- AND NOT file.filename LIKE 'organizations-%'
-- AND NOT file.filename LIKE '%-paginators.json'
-- Well known demo keys
AND NOT hash.sha256 IN (
'2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4',
'8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
'998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',
'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
'11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
'2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4',
'b68896dc8e8c23ade371cf8b5c9d25853d81b4cfa5baa2bc0200d9242a903d80',
'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14'
)
GROUP BY
file.path
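Review bot: `AND NOT hash.sha256 IN (...)` in the new well-known-keys block reads a column supplied by the `LEFT JOIN hash` above, so a file whose hash row is missing evaluates `NOT (NULL IN (...))` to NULL and is silently dropped from the alert instead of reported; write it as `AND (hash.sha256 IS NULL OR hash.sha256 NOT IN (...))` or `AND NOT COALESCE(hash.sha256, '') IN (...)`. The same three-valued-logic caveat applies to the `u.username` and `u.description` filters above, which also come from a LEFT JOIN. The hash `2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4` appears twice in that list. Style: `JOIN file ON mdfind.path = file.path` deliberately replaces a LEFT JOIN, so spelling it `INNER JOIN file ON mdfind.path = file.path` makes that intent visible.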