RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-03-03 17:27:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #52 from tstromberg/fp44

Browse Source 
Add exceptions for Jetbrains/Delve, more for Steam
This commit is contained in:
Thomas Strömberg 2022-10-30 12:01:22 -04:00 committed by GitHub
commit 3a6b152ab8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
detection/credentials/unexpected-dev-opener-linux.sql
View File

@ -80,6 +80,7 @@ WHERE
'/dev/nvidiactl', '/dev/nvidiactl',
'/dev/ptmx', '/dev/ptmx',
'/dev/pts/ptmx', '/dev/pts/ptmx',
'/dev/shm/u1000-ValveIPCSharedObj-Steam',
'/dev/random', '/dev/random',
'/dev/rfkill', '/dev/rfkill',
'/dev/snd/seq', '/dev/snd/seq',
@ -97,6 +98,7 @@ WHERE
AND NOT dir_exception IN ( AND NOT dir_exception IN (
'/dev/bus/usb,pcscd', '/dev/bus/usb,pcscd',
'/dev/input,acpid', '/dev/input,acpid',
'/dev/shm,gameoverlayui',
'/dev/input,gnome-shell', '/dev/input,gnome-shell',
'/dev/input,systemd', '/dev/input,systemd',
'/dev/input,systemd-logind', '/dev/input,systemd-logind',

17
detection/evasion/unexpected-dev-executables-linux.sql
View File

@ -4,8 +4,7 @@
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ -- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
-- --
-- tags: persistent state filesystem -- tags: persistent state filesystem
SELECT SELECT file.path,
file.path,
file.directory, file.directory,
uid, uid,
gid, gid,
@ -14,12 +13,10 @@ SELECT
file.size, file.size,
hash.sha256, hash.sha256,
magic.data magic.data
FROM FROM file
file
LEFT JOIN hash on file.path = hash.path LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path LEFT JOIN magic ON file.path = magic.path
WHERE WHERE (
(
-- This list is the result of multiple queries combined and can likely be minimized -- This list is the result of multiple queries combined and can likely be minimized
file.path LIKE '/dev/%%' file.path LIKE '/dev/%%'
OR file.path LIKE '/dev/%%/%%' OR file.path LIKE '/dev/%%/%%'
@ -50,3 +47,11 @@ WHERE
AND file.path LIKE '/dev/shm/pulse-shm-%' AND file.path LIKE '/dev/shm/pulse-shm-%'
AND file.size > 60000000 AND file.size > 60000000
) )
-- Seen with Steam
AND NOT (
file.uid = 1000
AND file.gid = 100
AND file.mode = 0755
AND file.path LIKE '/dev/shm/u1000-Shm_%'
AND file.size > 10000000
)

7
detection/evasion/unexpected-var-executables-macos.sql
View File

@ -85,3 +85,10 @@ WHERE
AND file.size < 3000 AND file.size < 3000
AND file.mode = 0755 AND file.mode = 0755
) )
-- JetBrains (Delve)
AND NOT (
file.path LIKE '/var/folders/%/T/dlvLauncher.sh'
AND magic.data LIKE 'Bourne-Again shell script%'
AND file.size < 1024
AND file.mode = 0744
)

1
detection/execution/exotic-command-events-linux.sql
View File

@ -136,3 +136,4 @@ WHERE
-- Seen on Ubuntu -- Seen on Ubuntu
AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg' AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg'
AND NOT cmd LIKE 'rm -f /var/tmp/mkinitramfs_%' AND NOT cmd LIKE 'rm -f /var/tmp/mkinitramfs_%'
AND NOT cmd LIKE 'rm -f -- /tmp/%'