Merge pull request #380 from tstromberg/udev

linux udevd: replace file-size based detection with YARA rules
Thomas Strömberg 2024-08-26 12:49:37 -04:00 committed by GitHub
commit 0d46dcb083
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 76 additions and 89 deletions


@ -0,0 +1,76 @@
-- Look for sketchy udev entries, inspired by sedexp
--
-- references:
-- * https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
-- * https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
--
-- tags: volume filesystem
-- platform: linux
-- tags: volume filesystem
SELECT file.path,
file.size,
file.btime,
file.ctime,
file.mtime,
hash.sha256,
yara.*
FROM file
JOIN yara ON file.path = yara.path
LEFT JOIN hash ON file.path = hash.path
WHERE file.path IN (
SELECT file.path
FROM file
WHERE file.path LIKE '/etc/udev/rules.d/%'
OR file.path LIKE '/usr/lib/udev/rules.d/%'
OR file.path LIKE '/lib/udev/rules.d/%'
OR file.path LIKE '/usr/local/lib/udev/rules.d/%'
GROUP BY file.inode
)
AND yara.sigrule = '
rule udev_memory_device_runner : critical {
meta:
description = "runs program once built-in memory device is created"
strings:
$action_add = "ACTION==\"add\""
$major = "ENV{MAJOR}==\"1\""
$run = "RUN+="
condition:
all of them
}
rule udev_at_runner : critical {
meta:
description = "runs program via at"
reference = "https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/"
strings:
$add = "ACTION==\"add\""
$run_at = "RUN+=\"/usr/bin/at "
$run_at2 = "RUN+=\"at "
condition:
$add and any of ($run*)
}
rule udev_unusual_small_runner : high {
meta:
description = "small udev entry that runs program based on unusual parameters"
strings:
$action_run = "RUN+="
$not_attrs = "ATTRS{"
$not_kernel = "KERNEL=="
$not_block = "SUBSYSTEM==\"block\""
$not_bridge = "RUN+=\"bridge-network-interface\""
condition:
filesize < 96 and all of ($action*) and none of ($not*)
}
rule udev_major_runner : high {
meta:
description = "runs program once major device number is created, may have false-positives"
strings:
$action_add = "ACTION==\"add\""
$major = "ENV{MAJOR}=="
$run = "RUN+="
condition:
all of them
}'
AND yara.count > 0
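Review bot: The path filter in the IN-subquery (`file.path LIKE '/etc/udev/rules.d/%'` through `'/usr/local/lib/udev/rules.d/%'`) omits `/run/udev/rules.d`, which udev(7) lists as a rules directory read ahead of `/usr/lib`, so a rule written there is never handed to the YARA scan; add `OR file.path LIKE '/run/udev/rules.d/%'` to that list. Every rule in the sigrule block keys on the literal `RUN+=`, so a rule file that executes via `PROGRAM==` or `IMPORT{program}==` — both of which also run a command during rule processing — is presumably not caught; adding those as alternatives in the `$run`/`$action_run` string groups would close that gap, though whether the false-positive cost is acceptable is a call for the author. Separately, the header repeats `-- tags: volume filesystem` on two lines; one of them can be dropped.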


@ -1,89 +0,0 @@
-- Unexpected small udev rule entries
--
-- Typically vendor-provided udev rules are more verbose.
--
-- references:
-- * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
-- * https://attack.mitre.org/techniques/T1547/ (Boot or Logon Autostart Execution)
--
-- false positives:
-- * rules installed by 3rd party software
--
-- tags: persistent filesystem state
-- platform: linux
SELECT
file.path,
uid,
gid,
mode,
mtime,
ctime,
type,
size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
file.path LIKE '/usr/lib/udev/rules.d/%'
AND file.size < 180
AND file.path NOT IN (
'/usr/lib/udev/rules.d/10-switch.rules',
'/usr/lib/udev/rules.d/20-crystalhd.rules',
'/usr/lib/udev/rules.d/30-linksys-ae1200.rules',
'/usr/lib/udev/rules.d/40-redhat-disable-dell-ir-camera.rules',
'/usr/lib/udev/rules.d/45-i2c-tools.rules',
'/usr/lib/udev/rules.d/50-apport.rules',
'/usr/lib/udev/rules.d/60-bridge-network-interface.rules',
'/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
'/usr/lib/udev/rules.d/60-ddcutil.rules',
'/usr/lib/udev/rules.d/60-drm.rules',
'/usr/lib/udev/rules.d/60-incus-agent.rules',
'/usr/lib/udev/rules.d/60-net.rules',
'/usr/lib/udev/rules.d/60-rfkill.rules',
'/usr/lib/udev/rules.d/60-sunshine-ublue.rules',
'/usr/lib/udev/rules.d/61-accelerometer.rules',
'/usr/lib/udev/rules.d/61-mutter.rules',
'/usr/lib/udev/rules.d/65-persistent-net-nbft.rules',
'/usr/lib/udev/rules.d/66-saned.rules',
'/usr/lib/udev/rules.d/70-hypervfcopy.rules',
'/usr/lib/udev/rules.d/70-hypervkvp.rules',
'/usr/lib/udev/rules.d/70-hypervvss.rules',
'/usr/lib/udev/rules.d/70-rpiboot.rules',
'/usr/lib/udev/rules.d/70-spice-vdagentd.rules',
'/usr/lib/udev/rules.d/70-spice-webdavd.rules',
'/usr/lib/udev/rules.d/70-titan-key.rules',
'/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules',
'/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules',
'/usr/lib/udev/rules.d/71-betop-controllers.rules',
'/usr/lib/udev/rules.d/71-nacon-controllers.rules',
'/usr/lib/udev/rules.d/71-pid_codes-controllers.rules',
'/usr/lib/udev/rules.d/71-sony-vr.rules',
'/usr/lib/udev/rules.d/72-intel-mipi-ipu6-camera.rules',
'/usr/lib/udev/rules.d/75-davincipanel.rules',
'/usr/lib/udev/rules.d/75-probe_mtd.rules',
'/usr/lib/udev/rules.d/75-sdx.rules',
'/usr/lib/udev/rules.d/51-ocfs2.rules',
'/usr/lib/udev/rules.d/81-kvm-rhel.rules',
'/usr/lib/udev/rules.d/85-hdparm.rules',
'/usr/lib/udev/rules.d/85-regulatory.rules',
'/usr/lib/udev/rules.d/88-neutron_hifi_dac.rules',
'/usr/lib/udev/rules.d/90-daxctl-device.rules',
'/usr/lib/udev/rules.d/90-rdma-umad.rules',
'/usr/lib/udev/rules.d/90-usb-microbit.rules',
'/usr/lib/udev/rules.d/90-wireshark-usbmon.rules',
'/usr/lib/udev/rules.d/91-drm-modeset.rules',
'/usr/lib/udev/rules.d/92-viia.rules',
'/usr/lib/udev/rules.d/95-udev-late.rules',
'/usr/lib/udev/rules.d/96-e2scrub.rules',
'/usr/lib/udev/rules.d/99-BlackmagicDevices.rules',
'/usr/lib/udev/rules.d/99-DavinciPanel.rules',
'/usr/lib/udev/rules.d/99-fuse3.rules',
'/usr/lib/udev/rules.d/99-fuse.rules',
'/usr/lib/udev/rules.d/99-libsane1.rules',
'/usr/lib/udev/rules.d/99-lxd-agent.rules',
'/usr/lib/udev/rules.d/99-nfs.rules',
'/usr/lib/udev/rules.d/99-qemu-guest-agent.rules'
)