RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add two Docker checks that can catch Traitor

This commit is contained in:
Thomas Stromberg 2022-10-14 09:16:48 -04:00
parent dc9493ee1e
commit 3c6d4968e1
Failed to extract signature
4 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/credentials/macos_keyboard_sniffer.sql
View File

@ -33,6 +33,7 @@ WHERE
event_tapped IN ('EventKeyDown', 'EventKeyUp')
AND authority != 'Software Signing'
AND NOT exception_key IN (
'BetterTouchTool,com.hegenberg.BetterTouchTool,Developer ID Application: folivora.AI GmbH (DAFVSXZ82P)',
'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',

3
detection/credentials/unexpected-sensitive-file-access-linux.sql
View File

@ -54,7 +54,8 @@ WHERE
f.uid != ''
AND pf.filename != ''
AND (
pof.path LIKE '/home/%/.ssh/%'
pof.path IN ('/var/run/docker.sock')
OR pof.path LIKE '/home/%/.ssh/%'
OR pof.path LIKE '/home/%/.mozilla/firefox/%'
OR pof.path LIKE '/home/%/.config/google-chrome/%'
OR pof.path LIKE '/root/.ssh/%'

18
detection/privesc/docker-container-mounting-root.sql Normal file
View File

@ -0,0 +1,18 @@
-- Detect the execution of a Docker containing mounting the root filesystem
--
-- references:
-- * https://attack.mitre.org/techniques/T1611/
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
--
-- This attack is very quick, so the likelihood of finding a culprit is entirely
-- dependent on the polling time.
--
-- platform: linux
-- tags: ephemeral often
SELECT
command, image_id, path, security_options, started_at, image
FROM
docker_containers
WHERE
privileged = 1
AND image NOT LIKE 'kindest/node:%';

16
detection/privesc/sketchy-docker-image-creator.sql Normal file
View File

@ -0,0 +1,16 @@
-- Detect the execution of a Docker containing mounting the root filesystem
--
-- references:
-- * https://attack.mitre.org/techniques/T1611/
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
--
-- This attack is very quick, so the likelihood of finding a culprit is entirely
-- dependent on the polling time. The number of "tags" you see associated to an image
-- may reflect the number of times the attack has been attempted.
--
-- platform: linux
-- tags: ephemeral often
SELECT * FROM docker_image_history
WHERE created > (strftime('%s', 'now') -86400)
-- This signature is used by Traitor: https://github.com/liamg/traitor/
AND created_by LIKE "%/bin/sh%/lol%";