FP removal: plymouth, 1Password, firejail, systemd

Thomas Stromberg 2023-01-16 13:55:53 -05:00
parent d415b36b57
commit 42e9f2721b
5 changed files with 27 additions and 25 deletions


@ -41,6 +41,7 @@ WHERE
'systemd-udevd', 'systemd-udevd',
'gdm-session-wor', 'gdm-session-wor',
'fprintd', 'fprintd',
'systemd',
'gpg-agent', 'gpg-agent',
'systemd-userdbd', 'systemd-userdbd',
'nginx', 'nginx',
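Review bot: The added `'systemd'` at L16 is a bare name in an exclusion list of process names such as 'systemd-udevd' and 'gpg-agent', so — assuming this list is compared against the process name rather than its path — any process that simply reports its name as `systemd` is dropped from the query. That follows the convention of the surrounding entries, but `systemd` is the broadest name in the list and the false positive it removes is not recorded anywhere in the hunk. A trailing comment naming the observed case would keep the exception reviewable later, e.g. `'systemd', -- FP: <describe the host/unit that produced it>`. The enclosing WHERE clause starts before the hunk.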


@ -44,6 +44,8 @@ WHERE
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing', '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing', '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,.cargo-wrapped,.cargo-wrapped,', '500,.cargo-wrapped,.cargo-wrapped,',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,', '500,epdfinfo,epdfinfo,',
'500,esbuild,a.out,', '500,esbuild,a.out,',
@ -51,25 +53,22 @@ WHERE
'500,gitsign-credential-cache,a.out,', '500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gopls,a.out,', '500,gopls,a.out,',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,gpg-agent,gpg-agent,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,ipcserver.old,,',
'500,vim,vim,',
'500,gopls,gopls,', '500,gopls,gopls,',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', '500,gpg-agent,gpg-agent,',
'500,vim,,', '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,ko,a.out,',
'500,kubectl,a.out,', '500,kubectl,a.out,',
'500,cosign,a.out,',
'500,sdzoomplugin,,',
'500,lua-language-server,lua-language-server,', '500,lua-language-server,lua-language-server,',
'500,sdaudioswitch,sdaudioswitch,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing', '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing', '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,registry-redirect,a.out,', '500,registry-redirect,a.out,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,', '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,', '500,scdaemon,scdaemon,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
@ -80,8 +79,12 @@ WHERE
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing', '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing', '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing', '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing' '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,vim,,',
'500,vim,vim,',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
) )
-- TODO: Narrow this down -- TODO: Narrow this down
AND NOT p.path LIKE '/opt/homebrew/Cellar/%' AND NOT p.path LIKE '/opt/homebrew/Cellar/%'
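Review bot: The entries that are new to this file rather than re-sorted — `'500,ko,a.out,'`, `'500,PrinterProxy,com.apple.print.PrinterProxy,'`, `'500,WinAppHelper,,'` and `'500,WinAppHelper,WinAppHelper,'` — all leave the last field empty, which elsewhere in the list holds the signing authority (e.g. 'Apple Mac OS Application Signing'), so each excludes an unsigned binary by name (and, for ko, by the generic `a.out` identifier) regardless of who built it. That matches the existing cosign/kubectl/gopls entries, but PrinterProxy is an Apple-bundled component, so an empty authority there is worth confirming against the original event rather than copying the key as observed. A short comment above the list would make the trade-off explicit, e.g. `-- entries with an empty authority field match unsigned binaries by name only; revisit before widening`. The opening of this IN list is outside the hunk.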


@ -157,6 +157,7 @@ FROM
'/bin/su', '/bin/su',
'/bin/sudo', '/bin/sudo',
'/bin/firejail', '/bin/firejail',
'/sbin/firejail',
'/usr/bin/firejail', '/usr/bin/firejail',
'/usr/sbin/firejail', '/usr/sbin/firejail',
'/bin/sudoedit', '/bin/sudoedit',
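Review bot: `'/sbin/firejail'` at L83 makes four spellings of the firejail path in this list, next to /bin/su, /bin/sudo and /bin/sudoedit, and nothing in the hunk says why every variant is needed — presumably because the path the events table reports depends on whether the host has merged /usr. Since the list is compared as literal strings, a one-line comment would spare the next maintainer the same guess: `-- privilege/sandbox launchers; both pre- and post-usrmerge paths are listed`. The enclosing clause starts before the hunk.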


@ -49,21 +49,17 @@ FROM process_events pe
LEFT JOIN signature ON pp.path = signature.path LEFT JOIN signature ON pp.path = signature.path
LEFT JOIN signature esignature ON ppe.path = esignature.path LEFT JOIN signature esignature ON ppe.path = esignature.path
WHERE pe.path = '/usr/bin/xattr' WHERE pe.path = '/usr/bin/xattr'
AND pe.time > (strftime('%s', 'now') -300) AND pe.time > (strftime('%s', 'now') -30000)
AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app'
AND NOT ( AND NOT (
pe.euid > 500 AND pe.euid > 500
cmd LIKE '%xattr -l %' AND cmd LIKE '%xattr -l %'
)
AND NOT cmd IN (
'/usr/bin/xattr -r -d com.apple.quarantine /Applications/1Password.app'
) )
AND NOT ( AND NOT (
cmd = '/usr/bin/xattr -h' pe.euid > 500
AND cmd = '/usr/bin/xattr -h'
AND parent_cmd LIKE '%/opt/homebrew/bin/brew%' AND parent_cmd LIKE '%/opt/homebrew/bin/brew%'
) )
-- 0002 is downloaded, but never opened AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
AND NOT cmd LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%' AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
-- 0181 seems the same? GROUP BY pe.pid, cmd
AND NOT cmd LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
AND NOT cmd LIKE '/usr/bin/xattr -p com.apple.quarantine %'
GROUP BY pe.pid
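Review bot: The lookback at L94 changes from `-300` to `-30000` seconds (roughly 8.3 hours) with no comment and nothing in the commit title to explain it; if it was widened while reproducing a false positive it should go back to `-300`, and if the longer window is intended it deserves a comment such as `-- 30000s: <reason for the wider lookback>`. The comments explaining the quarantine flag values (`-- 0002 is downloaded, but never opened`, `-- 0181 seems the same?`) were dropped when the predicates were rewritten as `cmd NOT LIKE`; those values are otherwise unexplained magic constants, so keep the comments above the new lines. The old exclusion `AND NOT cmd LIKE '/usr/bin/xattr -p com.apple.quarantine %'` has no counterpart on the new side, so read-only `-p` invocations now surface — that is a detection change rather than an FP removal and is worth a line in the commit message if intended. The SELECT list and joins of this query start before the hunk.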


@ -234,6 +234,7 @@ WHERE
'plocate-updatedb.service,Update the plocate database,,200', 'plocate-updatedb.service,Update the plocate database,,200',
'plocate-updatedb.timer,Update the plocate database daily,,100', 'plocate-updatedb.timer,Update the plocate database daily,,100',
'plymouth-quit-wait.service,Hold until boot process finishes up,,200', 'plymouth-quit-wait.service,Hold until boot process finishes up,,200',
'plymouth-quit.service,Terminate Plymouth Boot Screen,,200',
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,,200', 'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,,200',
'plymouth-start.service,Show Plymouth Boot Screen,,500', 'plymouth-start.service,Show Plymouth Boot Screen,,500',
'plymouth-start.service,Show Plymouth Boot Screen,,600', 'plymouth-start.service,Show Plymouth Boot Screen,,600',
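Review bot: The added `'plymouth-quit.service,Terminate Plymouth Boot Screen,,200'` at L121 embeds the unit's free-text description in the exception string, so a host whose plymouth-quit.service carries a different description — or, as the two plymouth-start rows ending in ,500 and ,600 show, a different final field — will not match and will need its own row. That is the file's existing convention, but the key format is not documented anywhere visible here; a comment where the list opens (outside this hunk), e.g. `-- key: unit,description,<third field>,<fourth field>`, would make additions like this one easier to get right.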