Merge pull request #96 from tstromberg/dec15

Clear more false positives: Signal, Kitty, KIND, Acrobat, etc
Thomas Strömberg 2022-12-15 10:21:49 -05:00 committed by GitHub
commit 26a800d52b
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 99 additions and 36 deletions


@ -68,7 +68,6 @@ WHERE
'75.75.75.75', -- Comcast
'75.75.76.76', -- Comcast
'68.105.28.13' -- Cox
)
-- Exceptions that specifically talk to one server
AND exception_key NOT IN (


@ -78,6 +78,7 @@ WHERE
'0,/usr/packagekitd,0u,0g,packagekitd',
'0,/usr/pacman,0u,0g,pacman',
'0,/usr/python3.10,0u,0g,dnf',
'0,/usr/python3.10,0u,0g,dnf-automatic',
'0,/usr/python3.10,0u,0g,yum',
'0,/usr/python3.11,0u,0g,dnf',
'0,/usr/rpi-imager,0u,0g,rpi-imager',
@ -87,16 +88,15 @@ WHERE
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,/usr/http,0u,0g,https',
'106,/usr/geoclue,0u,0g,geoclue',
'500,/app/signal-desktop,u,g,signal-desktop',
'500,/app/slack,u,g,slack',
'500,/app/spotify,u,g,spotify',
'500,/home/promoter,500u,500g,promoter',
'500,/app/thunderbird,u,g,thunderbird',
'500,/app/zoom.real,u,g,zoom.real',
'500,/home/cargo,500u,500g,cargo',
'500,/home/chainctl,500u,100g,chainctl',
'500,/home/chainctl,500u,500g,chainctl',
'500,/home/code,500u,500g,code',
'500,/usr/pacman,0u,0g,pacman',
'500,/home/cosign,500u,500g,cosign',
'500,/home/gitsign,500u,500g,gitsign',
'500,/home/go,500u,500g,go',
@ -104,8 +104,7 @@ WHERE
'500,/home/java,500u,500g,java',
'500,/home/jcef_helper,500u,500g,jcef_helper',
'500,/home/ko,500u,500g,ko',
'0,/usr/python3.10,0u,0g,dnf-automatic',
'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
'500,/home/promoter,500u,500g,promoter',
'500,/home/python3,500u,500g,python3',
'500,/home/steam,500u,100g,steam',
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
@ -116,6 +115,7 @@ WHERE
'500,/ko-app/controlplane,u,g,controlplane',
'500,/opt/1password,0u,0g,1password',
'500,/opt/Brackets,0u,0g,Brackets',
'500,/opt/brave,0u,0g,brave',
'500,/opt/chrome,0u,0g,chrome',
'500,/opt/Discord,0u,0g,Discord',
'500,/opt/firefox,0u,0g,firefox',
@ -158,6 +158,7 @@ WHERE
'500,/usr/goa-daemon,0u,0g,goa-daemon',
'500,/usr/gsd-datetime,0u,0g,gsd-datetime',
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
'500,/usr/java,0u,0g,java',
'500,/usr/java,u,g,java',
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
@ -167,7 +168,9 @@ WHERE
'500,/usr/lens,0u,0g,lens',
'500,/usr/nautilus,0u,0g,nautilus',
'500,/usr/obs,0u,0g,obs',
'500,/usr/pacman,0u,0g,pacman',
'500,/usr/python3,0u,0g,python3',
'500,/usr/python3.10,0u,0g,python3',
'500,/usr/reporter-ureport,0u,0g,reporter-urepor',
'500,/usr/rpi-imager,0u,0g,rpi-imager',
'500,/usr/signal-desktop,0u,0g,signal-desktop',


@ -91,6 +91,7 @@ WHERE
'22,6,500,/home/cargo,500u,500g,cargo',
'22,6,500,/usr/cargo,0u,0g,cargo',
'22,6,500,/usr/ssh,0u,0g,ssh',
'22,6,0,/usr/ssh,0u,0g,ssh',
'27034,6,500,/home/steam,500u,100g,steam',
'27035,6,500,/home/steam,500u,100g,steam',
'32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
@ -146,7 +147,7 @@ WHERE
'8801,17,500,/opt/zoom,0u,0g,zoom',
'993,6,500,/app/thunderbird,u,g,thunderbird',
'993,6,500,/usr/thunderbird,0u,0g,thunderbird'
)
)
AND NOT (
p.name = 'syncthing'
AND f.filename = 'syncthing'
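Review bot: The new key `'22,6,0,/usr/ssh,0u,0g,ssh'` widens the port-22 exception from uid 500 to root-owned ssh, and nothing in the hunk records which root-level automation needed it. A trailing comment in the file's existing style, `'22,6,0,/usr/ssh,0u,0g,ssh', -- <root automation that produced the false positive>`, would let the next reader judge whether the entry is still warranted. The enclosing `NOT IN (...)` list starts before this hunk.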


@ -147,8 +147,8 @@ WHERE
'443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,17,500,Evernote Helper,,',
'443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'443,6,500,PlexMobile,com.plexapp.plex,Apple iPhone OS Application Signing',
'443,17,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
'443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,17,500,Slack Helper,,',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
@ -191,6 +191,7 @@ WHERE
'443,6,500,gh,gh,',
'443,6,500,git,com.apple.git,Software Signing',
'443,6,500,git,git,',
'443,6,500,GitHub Desktop Helper,com.github.GitHubClient.helper,Developer ID Application: GitHub (VEKTX9H2N7)',
'443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
'443,6,500,git-remote-http,,',
@ -220,12 +221,12 @@ WHERE
'443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)',
'443,6,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,PlexMobile,com.plexapp.plex,Apple iPhone OS Application Signing',
'443,6,500,prober,a.out,',
'443,6,500,provisio,,',
'443,6,500,pulumi-resource-gcp,a.out,',
'443,6,500,pulumi-resource-github,a.out,',
'443,6,500,python2.7,python2.7,',
'443,6,500,GitHub Desktop Helper,com.github.GitHubClient.helper,Developer ID Application: GitHub (VEKTX9H2N7)',
'443,6,500,python3.10,python3.10,',
'443,6,500,Python,com.apple.python3,Software Signing',
'443,6,500,Python,org.python.python,',
@ -235,6 +236,7 @@ WHERE
'443,6,500,release-notes,a.out,',
'443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
'443,6,500,scorecard-darwin-amd64,,',
'443,6,500,Signal Helper (Renderer),org.whispersystems.signal-desktop.helper.Renderer,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,6,500,Slack Helper,,',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
@ -248,12 +250,12 @@ WHERE
'443,6,500,trivy,a.out,',
'443,6,500,vegeta,a.out,',
'443,6,500,vim,vim,',
'443,6,500,wolfictl,a.out,',
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'443,6,500,zsh,com.apple.zsh,Software Signing',
'53,17,500,docker-credential-gcr,a.out,',
'53,17,500,trivy,,',
'6000,6,500,ssh,,',
'443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'6000,6,500,ssh,com.apple.openssh,Software Signing',
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
@ -262,6 +264,8 @@ WHERE
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'80,6,500,webhook.test,a.out,'
)
-- Steam uses ports in the 27xxx range
AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'
-- There are many signing hashes for git
AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
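Review bot: `'443,6,500,wolfictl,a.out,'` excludes by process name alone — the `a.out` identifier and empty authority mean it matches any unsigned binary that happens to be named wolfictl, not a particular build of it. That is the same trade-off the existing prober/pulumi/trivy entries make, so it may be acceptable, but the `-- There are many signing hashes for git` comment shows the file's convention for explaining a looser match; a `-- locally built Go tools, unsigned` comment above the `a.out` entries would do the same here. The enclosing `NOT IN` list starts before these hunks.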


@ -163,6 +163,7 @@ WHERE
'/dev/video,ffmpeg',
'/dev/video,firefox',
'/dev/video,obs',
'/dev/video,brave',
'/dev/video,obs-ffmpeg-mux',
'/dev/video,pipewire',
'/dev/video,vlc',
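Review bot: `'/dev/video,brave',` is inserted between `obs` and `obs-ffmpeg-mux`, while the surrounding entries are alphabetical and most of this commit is re-sorting lists elsewhere; it belongs before `'/dev/video,ffmpeg',`. The enclosing `IN (...)` list starts before the hunk.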


@ -42,7 +42,10 @@ WHERE
'sshd',
'zypak-sandbox'
)
AND NOT (p.name LIKE 'systemd-%' AND p.parent=1)
AND NOT (
p.name LIKE 'systemd-%'
AND p.parent = 1
)
AND NOT pp.cmdline LIKE 'bwrap %'
AND NOT p.cmdline LIKE '%--type=zygote%'
AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'


@ -45,8 +45,8 @@ WHERE
'name=blueman-applet,file=python3,500',
'name=blueman-tray,file=python3,500',
'name=cat,file=coreutils,500',
'name=cc,file=gcc,0',
'name=chrome-gnome-s,file=python3,500',
'name=restorecon,file=setfiles,0',
'name=Chroot,file=firefox,500',
'name=code-oss,file=electron,500',
'name=exe,file=rootlessport,500',
@ -56,13 +56,11 @@ WHERE
'name=gjs,file=gjs-console,120',
'name=gjs,file=gjs-console,42',
'name=gjs,file=gjs-console,500',
'name=sh,file=busybox,0',
'name=cc,file=gcc,0',
'name=systemd-udevd,file=udevadm,500',
'name=gnome-characte,file=gjs-console,500',
'name=gnome-character,file=gjs-console,500',
'name=gnome-tweak-to,file=python3,500',
'name=gsettings-hel,file=gsettings-help,500',
'name=iptables,file=xtables-nft-mu,0',
'name=Isolated,file=firefox,500',
'name=Isolated,file=thunderbird,500',
'name=MainThread,file=plugin-contain,500',
@ -77,14 +75,17 @@ WHERE
'name=pipewire-pulse,file=pipewire,500',
'name=Privileged,file=firefox,500',
'name=RDD,file=firefox,500',
'name=restorecon,file=setfiles,0',
'name=sd_espeak-ng-m,file=sd_espeak-ng,500',
'name=sessionclean,file=dash,0',
'name=sh,file=busybox,0',
'name=sh,file=dash,0',
'name=sh,file=dash,500',
'name=slic3r_main,file=prusa-slicer,500',
'name=Socket,file=firefox,500',
'name=streamdeck,file=python3,500',
'name=systemd-udevd,file=udevadm,0',
'name=systemd-udevd,file=udevadm,500',
'name=terminator,file=python3,500',
'name=Thunar,file=thunar,500',
'name=unattended-upg,file=python3,0',


@ -86,6 +86,7 @@ WHERE
)
OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
OR p.path LIKE '/Applications/%.app/Contents/MacOS/%'
OR p.path LIKE '/Applications/%.app/Contents/Frameworks/%/Versions/A/Resources/%'
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%'
OR p.path LIKE '/Users/%/google-cloud-sdk/bin/%'
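Review bot: `OR p.path LIKE '/Applications/%.app/Contents/Frameworks/%/Versions/A/Resources/%'` allows any helper shipped inside any app bundle's frameworks, and the hunk gives no hint of which application (the commit message lists Signal, Kitty, KIND and Acrobat) produced the false positive. Pinning the framework name instead of the second `%`, or at least a trailing `-- e.g. <app that needed this>` comment, would keep the allowance reviewable. The OR chain continues beyond the hunk.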


@ -71,7 +71,6 @@ WHERE -- NOTE:We intentionally want to preserve missing files
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
',,/usr/bin/nmblookup,',
',,/usr/libexec/discoveryd,'
)
AND NOT (
signature.identifier LIKE 'cargo-%'


@ -9,7 +9,6 @@
-- tags: transient process events
-- platform: linux
-- interval: 30
SELECT
p.pid,
p.path,
@ -148,3 +147,4 @@ WHERE
AND NOT cmd LIKE 'pkill -f cut -c3%'
AND NOT cmd LIKE 'dirname %history'
AND NOT cmd LIKE 'tail /%history'
AND NOT cmd LIKE 'find . -executable -type f -name %grep -l GNU Libtool%touch -r%'
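Review bot: The new exclusion `AND NOT cmd LIKE 'find . -executable -type f -name %grep -l GNU Libtool%touch -r%'` has three unanchored wildcards, so it also drops any find/grep/touch pipeline that merely contains those fragments; if it targets a libtool configure step, a comment saying so (`-- autotools/libtool build step`) makes the intent checkable. The first hunk also removes the `-- interval: 30` header, which the commit message does not mention; if the harness reads that field, confirm the query is meant to fall back to a default schedule. The SELECT and WHERE bodies continue between the two hunks.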


@ -27,10 +27,10 @@ SELECT
hash.sha256,
pp.path AS parent_path,
pp.name AS parent_name,
TRIM(pp.cmdline) AS parent_cmd,
pp.euid AS parent_euid,
ppp.path AS gparent_path,
ppp.name AS gparent_name,
TRIM(p.cmdline) AS parent_cmd,
pp.euid AS parent_euid,
phash.sha256 AS parent_sha256,
gphash.sha256 AS gparent_sha256
FROM
@ -100,6 +100,7 @@ WHERE
OR (
cmd LIKE '%sh -i'
AND NOT parent_name IN ('sh', 'java')
AND NOT parent_cmd LIKE "%pipenv shell"
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
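Review bot: `AND NOT parent_cmd LIKE "%pipenv shell"` uses double quotes for a string literal; in SQLite, osquery's engine, a double-quoted token is resolved as an identifier first and only falls back to a string when no such column exists, a fallback that builds can disable, and the sibling query in this commit writes the same exclusion as `AND NOT parent_cmd LIKE '%pipenv shell'` — use single quotes here too. In the first hunk both `TRIM(pp.cmdline) AS parent_cmd` and `TRIM(p.cmdline) AS parent_cmd` appear; whichever survives on the new side, `parent_cmd` must derive from `pp.cmdline`, otherwise the new pipenv exclusion tests the child's command line under a misleading name. The SELECT list and WHERE clause both continue outside these hunks.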


@ -76,6 +76,7 @@ WHERE
OR (
cmd LIKE '%sh -i'
AND NOT parent_name IN ('sh', 'java')
AND NOT parent_cmd LIKE '%pipenv shell'
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'


@ -47,11 +47,9 @@ WHERE
'/opt/google/chrome/chrome_crashpad_handler',
'/opt/google/chrome/nacl_helper',
'/opt/Lens/chrome_crashpad_handler',
'/usr/lib/flatpak-session-helper',
'/opt/Lens/lens',
'/opt/sublime_text/sublime_text',
'/usr/bin/alacritty',
'/usr/sbin/avahi-daemon',
'/usr/bin/bash',
'/usr/bin/cargo',
'/usr/bin/containerd',
@ -59,11 +57,9 @@ WHERE
'/usr/bin/docker',
'/usr/bin/dockerd',
'/usr/bin/docker-proxy',
'/usr/lib/flatpak-session-helper',
'/usr/bin/gedit',
'/usr/bin/gnome-keyring-daemon',
'/usr/bin/kbfsfuse',
'/usr/sbin/alsactl',
'/usr/bin/keybase',
'usr/bin/keybase-redirector',
'/usr/bin/nm-applet',
@ -74,14 +70,17 @@ WHERE
'/usr/bin/tailscaled',
'/usr/bin/udevadm',
'/usr/bin/wpa_supplicant',
'/usr/lib64/electron/electron',
'/usr/lib64/firefox/firefox',
'/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/at-spi2-registryd',
'/usr/lib/at-spi-bus-launcher',
'/usr/libexec/bluetooth/bluetoothd',
'/usr/libexec/docker/docker-proxy',
'/usr/libexec/fwupd/fwupd',
'/usr/libexec/snapd/snapd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/lib/flatpak-session-helper',
'/usr/lib/fwupd/fwupd',
'/usr/lib/gdm',
'/usr/lib/gdm-session-worker',
@ -94,6 +93,8 @@ WHERE
'/usr/lib/slack/slack',
'/usr/lib/snapd/snapd',
'/usr/lib/systemd/systemd',
'/usr/bin/wireplumber',
'/usr/lib/xdg-desktop-portal-gtk',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-logind',
'/usr/lib/systemd/systemd-oomd',
@ -102,6 +103,8 @@ WHERE
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/local/bin/kind',
'/usr/sbin/alsactl',
'/usr/sbin/avahi-daemon',
'/usr/sbin/chronyd',
'/usr/sbin/cupsd',
'/usr/sbin/tailscaled',
@ -115,7 +118,7 @@ WHERE
AND NOT p.path LIKE '/home/%/terraform-provider-%'
AND NOT p.path LIKE '/home/%/%.test'
AND NOT p.path LIKE '/home/%/Projects/%'
AND NOT p.path LIKE '/home/%/node_modules/.bin/exec-bin/%'
AND NOT p.path LIKE '/home/%/node_modules/.bin/%'
AND NOT p.path LIKE '/nix/store/%/bin/%'
AND NOT p.path LIKE '/usr/local/bin/%'
AND NOT p.path LIKE '/opt/%'
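Review bot: `AND NOT p.path LIKE '/home/%/node_modules/.bin/%'` replaces the narrower `.bin/exec-bin/%` form, so every executable under any user's `node_modules/.bin` is now out of scope for this query; that directory is populated by third-party packages, which is exactly the supply-chain path a defender would want the rule to keep covering. If one tool triggered the false positive, pin it (`'/home/%/node_modules/.bin/<tool>'`) rather than the whole directory. Separately, `'/usr/bin/wireplumber'` and `'/usr/lib/xdg-desktop-portal-gtk'` are inserted between the `/usr/lib/systemd/...` entries while the rest of this commit re-sorts the list; they belong in their sorted positions. The `NOT IN` list starts before the first hunk.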


@ -106,6 +106,7 @@ WHERE
AND NOT p.path LIKE '%/.vscode/extensions/%'
AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
AND NOT p.path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper'
AND NOT p.path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper'
AND NOT (
p.path LIKE '/Users/%'
AND p.uid > 499


@ -119,33 +119,40 @@ WHERE
'~/Applications (Parallels)/',
'~/bin/',
'~/.cargo/',
'~/.rustup/',
'~/chainguard/',
'~/code/',
'~/Code/',
'~/.config/',
'~/git/',
'~/github/',
'~/go/',
'~/Parallels/',
'~/google-cloud-sdk/',
'~/homebrew/',
'~/.kuberlr/',
'~/Library/',
'~/.local/',
'~/Parallels/',
'~/projects/',
'~/.pulumi/',
'~/.pyenv/',
'~/.rustup/',
'~/src/',
'~/.tflint.d/',
'~/.vscode/',
'~/.vs-kubernetes/',
'~/Code/'
'~/.vs-kubernetes/'
)
-- Locally built executables
AND NOT (
signature.identifier = "a.out"
signature.identifier = 'a.out'
AND homedir LIKE '~/%'
AND pp.name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
)
AND NOT (
signature.authority = ''
AND homedir LIKE '~/%'
AND pp.name IN ('fish', 'sh', 'bash', 'zsh')
AND p.cmdline LIKE './%'
)
AND dir NOT LIKE '../%' -- data issue
AND dir NOT LIKE '/Applications/%'
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
@ -164,7 +171,9 @@ WHERE
AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
AND homedir NOT LIKE '~/%/node_modules/.pnpm/%'
AND homedir NOT LIKE '~/%repo%'
AND homedir NOT LIKE '~/%sigstore%'
AND homedir NOT LIKE '~/%/bin'
AND signature.authority NOT IN (
'Apple iPhone OS Application Signing',
'Apple Mac OS Application Signing',
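Review bot: `AND homedir NOT LIKE '~/%repo%'` excludes any home-directory path containing the substring `repo` anywhere — a path under `~/Downloads/report/` (constructed example) matches as readily as `~/repos/` — and `'~/%sigstore%'` is similarly unanchored; anchoring to a directory component (`'~/%/repo/%'`, or whichever directory actually produced the false positive) keeps the exclusion to what was observed. The new `signature.authority = ''` block excludes any unsigned binary launched as `./something` from a shell in a home directory, which deserves a comment in the style of `-- Locally built executables` above it so the breadth is a recorded decision. The WHERE clause continues past both hunks.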


@ -136,7 +136,6 @@ WHERE
AND homedir LIKE '~/%'
AND pp.name LIKE '%sh'
)
AND dir NOT LIKE '/Applications/%'
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
AND dir NOT LIKE '/private/tmp/go-build%/exe'
@ -154,7 +153,6 @@ WHERE
AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
AND homedir NOT LIKE '~/%/node_modules/.pnpm/%'
-- Allow these anywhere (put last because it's slow to query signatures)
AND signature.authority NOT IN (
'Apple iPhone OS Application Signing',


@ -63,7 +63,7 @@ WHERE
)
AND NOT (
parent_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth login'
OR parent_cmd LIKE '%/bin/gcloud auth login'
OR parent_cmd LIKE '%/bin/gcloud auth%login'
)
AND NOT (
exception_key = ',,osascript -s se -l JavaScript'


@ -107,6 +107,9 @@ WHERE
AND uid = 0
AND gid = 0
AND file.path IN (
'/bin/at',
'/bin/atq',
'/bin/atrm',
'/bin/chage',
'/bin/chfn',
'/bin/chsh',


@ -29,6 +29,8 @@ WHERE
'ff00::0'
)
AND address NOT LIKE '127.%'
AND address NOT LIKE '192.168.%'
AND address NOT LIKE '10.%'
AND hostnames NOT LIKE 'localhost.%'
AND hostnames NOT LIKE '%.svc'
AND hostnames NOT LIKE '%.%-%.%.dev'
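Review bot: `AND address NOT LIKE '192.168.%'` and `AND address NOT LIKE '10.%'` drop hosts-file entries pointing at private addresses, but the third RFC 1918 block (172.16.0.0/12) is left in, so the filter is neither complete nor explained. A hosts entry that redirects a public name to a private address is one of the things this query can surface, so if the goal is to ignore lab and home-network entries, record that trade-off next to the new lines, e.g. `-- private ranges: common in dev setups, accepted blind spot`. The WHERE clause continues past the hunk.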


@ -46,6 +46,8 @@ WHERE
'fcix.net',
'xtom.com',
'gaomon.net',
'notion-static.com',
'notion.so',
'oracle.com',
'akmedia.digidesign.com',
'canon.co.uk',


@ -54,6 +54,7 @@ WHERE
'i3bar',
'i3blocks',
'java',
'kitty',
'ko',
'kubectl',
'lightdm',
@ -90,7 +91,6 @@ WHERE
'yum',
'zellij',
'zsh'
)
AND parent_path NOT IN (
'/Applications/Docker.app/Contents/MacOS/Docker',


@ -59,17 +59,19 @@ WHERE
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, webRequestBlocking',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,<all_urls>, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
@ -174,6 +176,7 @@ WHERE
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',


@ -40,3 +40,9 @@ WHERE
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)'
)
AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent')
AND NOT (
l.path = '/Library/LaunchDaemons/com.docker.socket.plist'
AND program_authority = 'Software Signing'
AND program_identifier = 'com.apple.ln'
AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock'
)
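Review bot: The Docker socket exception keys on the plist path, the `com.apple.ln` identifier and a `program_arguments LIKE` pattern whose `/Users/%/run/docker.sock` wildcard spans any number of path components, so it also matches a root LaunchDaemon linking any user-controlled path ending in `run/docker.sock` to `/var/run/docker.sock`. If Docker Desktop always places the socket under a fixed subdirectory, pin that component (`/Users/%/<docker subdir>/run/docker.sock`); if not, a comment recording what the real argument looks like would let the next reviewer tighten it. The enclosing WHERE starts before the hunk.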


@ -150,5 +150,4 @@ WHERE
AND p.path NOT LIKE '/nix/store/%/libexec/%'
AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
-- Exclude processes running inside of Docker containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
;
AND NOT p.cgroup_path LIKE '/system.slice/docker-%';


@ -16,6 +16,7 @@ SELECT
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
p.cmdline AS child_cmdline,
p.time,
pp.cgroup_path,
pp.start_time,
p.euid AS child_euid,
file.mode AS child_mode,
@ -38,6 +39,7 @@ WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid
AND p.path NOT IN (
'/',
'/bin/ps',
'/usr/bin/doas',
'/usr/bin/fusermount',
@ -59,6 +61,11 @@ WHERE
AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
AND NOT pp.cmdline = '/usr/lib/systemd/systemd --user'
-- used by kind
AND NOT (
p.path = '/usr/bin/bash'
AND p.cmdline = '/bin/bash /usr/local/bin/mount-product-files'
)
AND NOT (
child_name = 'polkit-agent-helper-1'
AND parent_path = '/usr/bin/gnome-shell'
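Review bot: Adding `'/'` to `p.path NOT IN (...)` silences this `p.euid < pp.euid` check for every process whose executable path is reported as `/`; as far as I can tell that is what an unresolvable executable path looks like rather than a particular program, so it is a blind spot worth making deliberate — confirm which process actually reports `/` here. If a specific benign process does, a comment naming it in the style of the `-- used by kind` line would justify the entry; otherwise excluding on `p.cmdline` or `pp.path`, as the mount-product-files block does, keeps the check intact. The `NOT IN` list and the WHERE clause continue outside the hunks.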


@ -44,3 +44,18 @@ WHERE
'/usr/bin/sudo',
'/usr/local/bin/doas'
)
-- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
AND NOT (
p.cmdline IN (
'/usr/sbin/cupsd -l',
'/usr/libexec/mdmclient daemon',
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
)
-- More very weird data that keeps showing up: gopls starting everything!
-- I think this may be due to some bad joining
AND NOT (
pp.cmdline LIKE '%/go/bin/gopls -mode=stdio'
AND pp.path LIKE '/Users/%/go/bin/gopls'
AND pp.euid > 500
)
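Review bot: The first new block wraps a single `p.cmdline IN (...)` in an extra `NOT ( ... )` layer; `AND NOT p.cmdline IN (...)` reads the same and matches the file's other exclusions. In the gopls block, `pp.euid > 500` differs from the `> 499` threshold this commit uses elsewhere for "regular user" checks (`p.uid > 499`); if the intent is the same, pick one threshold so the rules agree. The WHERE clause starts before the hunk.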


@ -26,6 +26,7 @@ WHERE
AND image NOT LIKE 'kindest/node:%'
AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
AND image NOT LIKE 'docker.io/rancher/k3s:%'
AND image NOT LIKE 'melange-%'
-- this one makes me sad. It's due to limitations running bubblewrap in a container
AND image NOT IN (
'cgr.dev/chainguard/melange',