fpr: Slack, Gnome, Sigstore, Logitune, etc
This commit is contained in:
parent
c096acee92
commit
32328c91f1
@ -160,6 +160,7 @@ WHERE
|
||||
'500,gnome-recipes,0u,0g,gnome-recipes',
|
||||
'500,gnome-shell,0u,0g,gnome-shell',
|
||||
'500,gnome-software,0u,0g,gnome-software',
|
||||
'0,go,0u,0g,go',
|
||||
'500,go,0u,0g,go',
|
||||
'500,go,500u,500g,go',
|
||||
'500,goa-daemon,0u,0g,goa-daemon',
|
||||
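Review bot: The `go` entries here (`'0,go,0u,0g,go'`, `'500,go,0u,0g,go'`, `'500,go,500u,500g,go'`) key the exception on process name and ids only, so any binary whose process name is `go` is exempted regardless of its path; the rendering does not show which of the three this commit adds. If the underlying query exposes a path or signature column, pairing the name with it would keep the exception specific to the Go toolchain; otherwise a comment such as `-- go: developer toolchain; name-only match accepted` records the breadth deliberately. The enclosing list begins and ends outside the hunk.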
|
@ -123,6 +123,7 @@ WHERE
|
||||
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
|
||||
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
|
||||
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
|
||||
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
|
||||
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
|
||||
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
|
||||
'500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
|
||||
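Review bot: The list is alphabetical apart from `'500,ngrok,ngrok,...'`, which sits between `go` and `grype`; since the rendering does not mark sides, it is unclear whether the `go` line or the `ngrok` line is the insertion, but either way the new entry should keep the sort order so duplicates are easy to spot. The `go` entry pins name, signer and identifier (`org.golang.go`), which is the right level of specificity for this list. The `NOT IN` list continues outside the hunk.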
@ -147,6 +148,7 @@ WHERE
|
||||
'500,apko,apko,0u,0g',
|
||||
'500,apko,apko,500u,20g',
|
||||
'500,chainctl,chainctl,0u,0g',
|
||||
'500,git,git,0u,500g',
|
||||
'500,chainctl,chainctl,500u,20g',
|
||||
'500,chainlink,chainlink,500u,20g',
|
||||
'500,aws,aws,0u,0g',
|
||||
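Review bot: `'500,git,git,0u,500g'` is inserted between the two `chainctl` entries and combines a root effective uid with a non-root effective gid, a mix none of the neighbouring entries has, and nothing in the hunk explains which workflow produces it. A short comment above the line naming the producing tool (`-- git launched by <tool> with euid 0, egid 500`) would let the next reader judge whether the exception is still needed, and moving it next to other `git` entries keeps the list scannable. Field meaning is inferred from the neighbours; the key definition is outside the hunk.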
|
@ -198,6 +198,7 @@ WHERE
|
||||
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
|
||||
'80,6,500,spotify,u,g,spotify',
|
||||
'80,6,500,steam,500u,100g,steam',
|
||||
'80,6,500,java,0u,0g,java',
|
||||
'80,6,500,steam,500u,500g,steam',
|
||||
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
|
||||
'80,6,500,terraform,0u,0g,terraform',
|
||||
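Review bot: `'80,6,500,java,0u,0g,java'` exempts every process named `java` that opens a TCP port-80 connection, and because `java` is a runtime rather than an application the key says nothing about which program actually owns the socket. At minimum a comment naming the Java application this was observed for (`-- java: <application> fetching over HTTP`) should accompany it; if the query can see the command line, scoping on that would be stronger. The rendering does not mark which visible line is the addition; the position between `steam` entries suggests this one.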
@ -271,6 +272,12 @@ WHERE
|
||||
exception_key = '32768,6,500,ssh,0u,0g,ssh'
|
||||
AND s.remote_port = 40022
|
||||
)
|
||||
-- Qualys
|
||||
AND NOT (
|
||||
exception_key = '80,6,0,curl,0u,0g,curl'
|
||||
AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'
|
||||
AND child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'
|
||||
)
|
||||
AND NOT (
|
||||
s.remote_port = 80
|
||||
AND (
|
||||
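Review bot: The new Qualys exception at `exception_key = '80,6,0,curl,0u,0g,curl'` is scoped by cgroup path and a `child_cmd LIKE` prefix but never checks the destination address, so a root `curl` inside `qualys-cloud-agent.service` to any host on port 80 passes as long as its argv starts with the metadata URL string. Assuming `s` is the socket table (it already supplies `remote_port` in this file), adding `AND s.remote_address = '169.254.169.254'` ties the exception to the metadata endpoint it is meant to cover. The leading space in `' curl -sS -H Metadata:true ...'` looks like it depends on how `child_cmd` is assembled; a comment saying so would stop someone from trimming it.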
|
@ -185,7 +185,7 @@ WHERE
|
||||
AND NOT (
|
||||
(
|
||||
pos.remote_port IN (80, 999)
|
||||
OR pos.remote_port > 3000
|
||||
OR pos.remote_port > 1024
|
||||
)
|
||||
AND id_exception_key IN (
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
|
||||
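Review bot: Changing `OR pos.remote_port > 3000` to `OR pos.remote_port > 1024` widens this exception to remote ports 1025–3000 for every entry in the `id_exception_key IN (` list that follows, and neither the hunk nor the commit message says what triggered it. A one-line comment above the condition (`-- >1024: <observed case>`) preserves the reason; if only one signer needed the wider range, a separate clause for it would keep the others at the old bound. The surrounding `AND NOT (` block and the key list continue outside the hunk.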
|
@ -150,6 +150,7 @@ WHERE
|
||||
'grype',
|
||||
'idea',
|
||||
'Install',
|
||||
'terraform-provider-apko',
|
||||
'java',
|
||||
'jetbrains-toolb',
|
||||
'launcher',
|
||||
|
@ -38,3 +38,4 @@ WHERE
|
||||
AND file.path NOT LIKE '/root/.debug/.build-id/%'
|
||||
AND file.path NOT LIKE '/home/%/.config/%/.git%'
|
||||
AND file.path NOT LIKE '/home/%/.config/.gsd-keyboard.settings-ported'
|
||||
AND file.path NOT LIKE '/home/%/.config/.org.chromium.Chromium.%'
|
||||
|
@ -194,6 +194,10 @@ WHERE
|
||||
AND p0.path NOT LIKE '%/.%'
|
||||
AND p0.path NOT LIKE '%Cache%'
|
||||
)
|
||||
AND NOT homepath LIKE '~/%/terraform-provider-%'
|
||||
AND NOT homepath LIKE '~/src/%'
|
||||
AND NOT homepath LIKE '~/github/%'
|
||||
AND NOT homepath LIKE '~/go/src/%'
|
||||
-- Arc
|
||||
AND NOT (
|
||||
p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
|
||||
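Review bot: The Arc exception `p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'` leaves the bundle segment as `%`, so an executable under any application's Sparkle `Launcher` cache directory — a user-writable location — is exempted, not only Arc's. Replacing the middle wildcard with Arc's bundle identifier (`/Users/%/Library/Caches/<ARC_BUNDLE_ID>/org.sparkle-project.Sparkle/Launcher/%`) keeps the `-- Arc` comment and the condition in agreement; if the query has a signing column for `p0`, pairing the path with it would be stronger still. The closing parenthesis of this `AND NOT (` block is outside the hunk.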
|
@ -52,6 +52,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
|
||||
'curl,500,nvim,nvim',
|
||||
'curl,307,bash,nix',
|
||||
'curl,500,bash,bash',
|
||||
'curl,0,sh,qualys-scan-uti',
|
||||
'curl,500,bash,fakeroot',
|
||||
'curl,500,bash,fish',
|
||||
'curl,500,bash,nix-daemon',
|
||||
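Review bot: The hunk header's note says the remainder of this `WHERE` clause is synced with a companion `unexpected-fetcher-par…` query (name truncated in the rendering), so `'curl,0,sh,qualys-scan-uti'` needs the same addition there or the two will drift; no matching hunk is visible in this commit. The entry is also placed among the `bash` keys rather than with other `sh` keys. `qualys-scan-uti` is 15 characters, which looks like a kernel-truncated process name; a comment such as `-- truncated process name (Linux comm is 15 chars)` prevents a later "fix".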
|
@ -103,6 +103,7 @@ WHERE
|
||||
OR p1_cmd LIKE '%aws %sso%'
|
||||
OR p1_cmd LIKE '%gcloud% auth %login%'
|
||||
OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
|
||||
OR p1_cmd LIKE '/bin/sh %/opt/homebrew/bin/git-gui%'
|
||||
OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
|
||||
OR p1_name IN ('yubikey-agent')
|
||||
OR (
|
||||
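Review bot: `OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'` is the only disjunct here that matches on signer alone, with no `p1_name` or `p1_cmd` constraint, so every Docker-signed parent is exempted from this query. If this line is the addition (the rendering does not mark sides), narrowing it to the parent that was observed, e.g. `OR (p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)' AND p1_name = '<observed parent>')`, keeps the exemption proportionate. The `OR (` on the last line opens a group that continues outside the hunk.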
@ -117,6 +118,5 @@ WHERE
|
||||
'osascript -e user locale of (get system info)',
|
||||
'/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges'
|
||||
)
|
||||
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
@ -60,9 +60,9 @@ WHERE
|
||||
'cargo',
|
||||
'chrome',
|
||||
'clamscan',
|
||||
'dnf',
|
||||
'code',
|
||||
'com.apple.NRD.UpdateBrainService',
|
||||
'dnf',
|
||||
'docker',
|
||||
'electron',
|
||||
'emacs',
|
||||
@ -102,6 +102,7 @@ WHERE
|
||||
'spotify',
|
||||
'steam',
|
||||
'systemd',
|
||||
'terraform-provider-apko',
|
||||
'thunderbird',
|
||||
'tilt',
|
||||
'unattended-upgr',
|
||||
|
@ -198,6 +198,7 @@ WHERE
|
||||
'/bin/bash /usr/local/bin/mount-product-files',
|
||||
'/bin/sh -c black .',
|
||||
'/bin/sh -c lsb_release -a --short',
|
||||
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
|
||||
'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
|
||||
'/bin/sh -c scutil --get ComputerName',
|
||||
"/bin/sh -c defaults delete 'com.cisco.webexmeetingsapp'",
|
||||
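Review bot: `'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice'` is an exact-match exemption for a command that returns the machine's hardware identity, and the list gives no hint of which product issues it. Because this list is keyed on the command string alone, a comment naming the source (`-- <product>: reads hardware UUID/serial`) is what lets a later reviewer decide whether the entry can be retired. The line also breaks the alphabetical order of its neighbours.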
@ -250,6 +251,7 @@ WHERE
|
||||
'bash,500,com.docker.dev-envs,com.docker.backend',
|
||||
'bash,500,Foxit PDF Reader,launchd',
|
||||
'bash,500,script,bash',
|
||||
'sh,500,LogiTune,launchd',
|
||||
'bash,500,docker-builder,bash',
|
||||
'bash,500,Hyprland,gdm-wayland-session',
|
||||
'bash,500,gnome-session-binary,systemd',
|
||||
|
@ -49,6 +49,7 @@ WHERE
|
||||
'mov',
|
||||
'mp3',
|
||||
'mp4',
|
||||
'Dockerfile',
|
||||
'mpeg',
|
||||
'mpg',
|
||||
'ods',
|
||||
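Review bot: `'Dockerfile'` is added to what otherwise reads as a list of file extensions (`mov`, `mp3`, `mp4`, `mpeg`, …), so it only matches if the query's extension expression yields the whole filename for dot-less names; that assumption is not visible in the hunk and deserves a comment such as `-- no extension: whole filename is compared`. Placing it with any other full-filename entries rather than between `mp4` and `mpeg` would make the distinction obvious. The column this list is compared against is outside the hunk.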
|
@ -7,7 +7,8 @@
|
||||
-- * Almost unlimited: any extension that isn't on your whitelist
|
||||
--
|
||||
-- tags: persistent seldom browser
|
||||
SELECT name,
|
||||
SELECT
|
||||
name,
|
||||
profile,
|
||||
chrome_extensions.description AS 'descr',
|
||||
persistent AS persists,
|
||||
@ -28,11 +29,13 @@ SELECT name,
|
||||
identifier
|
||||
) AS exception_key,
|
||||
hash.sha256
|
||||
FROM users
|
||||
FROM
|
||||
users
|
||||
CROSS JOIN chrome_extensions USING (uid)
|
||||
LEFT JOIN file ON chrome_extensions.path = file.path
|
||||
LEFT JOIN hash ON chrome_extensions.path = hash.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
-- These extensions need the most review.
|
||||
from_webstore != 'true'
|
||||
OR perms LIKE '%google.com%'
|
||||
@ -48,6 +51,7 @@ WHERE (
|
||||
AND exception_key NOT IN (
|
||||
-- Deprecated Google Extension
|
||||
'false,AgileBits,1Password – Password Manager,dppgmdbiimibapkepcbdbmkaabgiofem',
|
||||
'false,,Sigstore close post-auth tabs,',
|
||||
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
|
||||
'false,,base64 encode or decode selected text,',
|
||||
'false,,Edge relevant text changes,jmjflgjpcpepeafmmgdpfkogkghcpiha',
|
||||
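Review bot: `'false,,Sigstore close post-auth tabs,'` carries an empty author and an empty identifier, so the only thing tying the exception to a particular extension is its display name, which a sideloaded extension sets in its own manifest. Pin the extension id in the fourth field once it is known (`'false,,Sigstore close post-auth tabs,<EXTENSION_ID>'`); the adjacent Chainguard On-Call entry has the same gap. The `-- Deprecated Google Extension` comment now sits directly above the 1Password line and appears not to describe it.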
@ -220,4 +224,5 @@ WHERE (
|
||||
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
|
||||
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
|
||||
)
|
||||
GROUP BY exception_key
|
||||
GROUP BY
|
||||
exception_key
|
||||
|
@ -61,6 +61,7 @@ WHERE
|
||||
AND NOT exception_key IN (
|
||||
'0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
|
||||
'0,snapd,/var/lib/snapd',
|
||||
'120,gnome-shell,/run/user/120',
|
||||
'200,NRDUpdated,/private~/SplunkHistory',
|
||||
'200,softwareupdated,/private~/SplunkHistory',
|
||||
'500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db',
|
||||
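Review bot: `'120,gnome-shell,/run/user/120'` exempts a `gnome-shell` session for uid 120 without noting which account that is; system uids in this range differ between distributions, so the entry is hard to audit later. A comment such as `-- uid 120: <account> on <distro>` (taken from the host it was observed on) documents the intent. The `NOT exception_key IN (` list continues outside the hunk.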
|
@ -294,6 +294,7 @@ WHERE -- Focus on longer-running programs
|
||||
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
|
||||
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
|
||||
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
|
||||
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
|
||||
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
|
||||
|
@ -7,7 +7,7 @@
|
||||
-- related:
|
||||
-- * unexpected-privilege-escalation.sql
|
||||
--
|
||||
-- tags: events process escalation
|
||||
-- tags: events process escalation disabled
|
||||
-- platform: darwin
|
||||
-- interval: 300
|
||||
SELECT -- Child
|
||||
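Review bot: Appending `disabled` to the `-- tags:` line turns this detection off, and nothing in the header or the commit message records why or under what condition it should come back. A header line such as `-- disabled: <reason>; revisit when <condition>` keeps that decision auditable; undocumented false-positive disables tend to become permanent. The `related:` reference to `unexpected-privilege-escalation.sql` suggests a companion query — worth stating whether it still covers the cases this one did.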
@ -113,6 +113,7 @@ WHERE
|
||||
'amfid,0,com.docker.backend,Docker',
|
||||
'biometrickitd,0,LogiTune,launchd',
|
||||
'bioutil,0,callservicesd,launchd',
|
||||
'com.apple.geod,0,fmfd,launchd',
|
||||
'trustd,205,trustd,launchd',
|
||||
'CAReportingService,0,LogiTune,launchd',
|
||||
'efilogin-helper,0,containermanagerd,launchd',
|
||||
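Review bot: `'biometrickitd,0,LogiTune,launchd'` and `'CAReportingService,0,LogiTune,launchd'` exempt two uid-0 system daemons whose parent is a third-party application, which is the shape of event this query exists to surface; whichever of them this commit adds, a comment explaining the observed LogiTune behaviour (`-- LogiTune: <observed reason>`) is needed next to it. I am inferring the field order (child, uid, parent, grandparent) from `'amfid,0,com.docker.backend,Docker'` and its neighbours; confirm against the key definition, which is outside the hunk.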
|