Purge observed false positives

Thomas Stromberg 2023-02-09 17:54:41 -05:00
parent a1105fec93
commit 593991adb8
19 changed files with 73 additions and 47 deletions


@ -3,7 +3,7 @@ out/osqtool:
GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@latest
out/odk-detection.conf: out/osqtool
./out/osqtool --max-results=0 --max-total-daily-duration=3h --max-query-daily-duration=45m --verify pack detection/ > out/odk-detection.conf
./out/osqtool --max-results=0 --max-total-daily-duration=3h45m --max-query-daily-duration=60m --verify pack detection/ > out/odk-detection.conf
out/odk-policy.conf: out/osqtool
./out/osqtool --max-results=0 --verify pack policy/ > out/odk-policy.conf
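Review bot: The per-query budget on the new `out/odk-detection.conf` recipe rises from 45m to 60m alongside the total budget (3h to 3h45m), and nothing in the Makefile records why either guardrail was loosened. A comment above the target, e.g. `# time budgets: total 3h45m/day, any single query 60m/day; raise only with a measured reason`, keeps the next bump honest. If the increase was driven by one or two specific queries, naming them there is better still.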


@ -127,6 +127,7 @@ WHERE
'500,/home/publish-release,500u,500g,publish-release',
'500,/home/python3,500u,500g,python3',
'500,/home/slirp4netns,500u,500g,slirp4netns',
'500,/home/spotify,500u,500g,spotify',
'500,/home/steam,500u,100g,steam',
'500,/home/steam,500u,500g,steam',
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
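Review bot: The new `'500,/home/steam,500u,100g,steam'` entry duplicates the `500g` entry right below it with only the group differing, and the list carries no hint of what gid 100 is. If that is the `users` group (gid 100 on several distributions), say so inline, e.g. `-- gid 100: 'users' group on some distros`, so a later cleanup does not collapse the two entries as a copy-paste leftover. The enclosing IN list starts and ends outside the hunk.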


@ -167,6 +167,7 @@ WHERE
'80,6,500,/opt/spotify,0u,0g,spotify',
'80,6,0,/usr/bash,0u,0g,bash',
'80,6,500,/opt/zoom,0u,0g,zoom',
'80,6,500,/usr/spotify-launcher,0u,0g,spotify-launche',
'80,6,500,/usr/chrome,0u,0g,chrome',
'80,6,500,/usr/curl,0u,0g,curl',
'80,6,500,/usr/electron,0u,0g,electron',
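Review bot: `spotify-launche` on the new line reads like a typo but is presumably the kernel's 15-character comm truncation of `spotify-launcher`, and nothing marks it as intentional. Add `-- 'spotify-launche': 15-char comm truncation, not a typo` next to it, or once at the top of the list since other entries in this commit (`nginx-ingress-c`, `gnome-session-b`) rely on the same behaviour, so a well-meaning fix does not break the match. The IN list continues outside the hunk.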


@ -51,6 +51,7 @@ WHERE
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
AND p0.path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
AND p0.path NOT LIKE '/usr/local/Cellar/htop/%/bin/htop'
AND p0.path != '/opt/socket_vmnet/bin/socket_vmnet'
AND NOT s.authority IN (
'Software Signing',
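Review bot: The new `NOT LIKE '/usr/local/Cellar/htop/%/bin/htop'` exclusion trusts a path glob alone, and on Intel-Mac Homebrew installs `/usr/local/Cellar` is normally owned by the installing user rather than root, so anything placed at a matching path inherits the exemption. That is consistent with the `socket_vmnet` Cellar entry above it, but worth stating: `-- Homebrew htop: path glob only; prefix is user-writable on Intel Homebrew`. If the query exposes a signer or hash for `p0`, anchoring this exception on it would be stronger; the WHERE clause continues outside the hunk.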


@ -6,7 +6,8 @@
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
*
linked_against, name, path, size, version,
path || ',' || name || ',' || version || ',' || linked_against AS exception_key
FROM
kernel_extensions
WHERE
@ -14,4 +15,5 @@ WHERE
AND NOT (
idx = 0
AND name = '__kernel__'
);
)
AND exception_key NOT IN ('/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>')
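Review bot: `exception_key` on the new SELECT line is built with `||`, so if `version` or `linked_against` ever comes back NULL the key is NULL and `exception_key NOT IN (...)` evaluates to unknown, silently dropping that extension from the results instead of reporting it. osquery tables usually return empty strings rather than NULL, but if that is not guaranteed here, wrap the nullable parts: `path || ',' || name || ',' || COALESCE(version, '') || ',' || COALESCE(linked_against, '') AS exception_key`. Referencing the SELECT alias in WHERE is SQLite-specific, fine for osquery but worth a comment if this file is ever run elsewhere. The WHERE clause begins before the second hunk.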


@ -66,6 +66,10 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
AND file.path NOT LIKE '/var/run/current-system/etc/profiles/per-user/%'
AND file.path NOT LIKE '/var/folders/%/T/freefn-%_emacs_%.eln'
AND file.directory NOT IN (
'/var/db/xcode_select_link/Makefiles/VersioningSystems/',
'/var/db/xcode_select_link/usr/bin',
'/var/db/xcode_select_link/usr/lib',
'/var/db/xcode_select_link/usr/libexec',
'/var/ossec/agentless',
'/var/ossec/bin',
'/var/ossec/wodles',
@ -73,14 +77,11 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
'/var/run/current-system',
'/var/run/current-system/sw/bin',
'/var/select',
'/var/db/xcode_select_link/usr/bin',
'/var/db/xcode_select_link/usr/lib',
'/var/db/xcode_select_link/usr/libexec',
'/var/select/X11/bin',
'/var/select/X11/lib/dri',
'/var/select/X11/lib/flat_namespace',
'/var/select/X11/lib',
'/var/select/X11/libexec'
'/var/select/X11/lib/dri',
'/var/select/X11/libexec',
'/var/select/X11/lib/flat_namespace'
)
AND file.path NOT IN (
'/var/log/acroUpdaterTools.log',
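Review bot: The added `'/var/db/xcode_select_link/Makefiles/VersioningSystems/'` entry carries a trailing slash while every other value in the `file.directory NOT IN` list, including the three xcode_select_link entries directly below it, does not; if osquery reports `directory` without a trailing slash, as those entries assume, this exclusion never matches and the false positive it targets keeps firing. Drop the slash: `'/var/db/xcode_select_link/Makefiles/VersioningSystems',`. The second hunk only reorders the X11 entries.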


@ -49,6 +49,7 @@ WHERE
'/opt/google/chrome/nacl_helper',
'/opt/Lens/chrome_crashpad_handler',
'/opt/Lens/lens',
'/usr/bin/faked',
'/opt/sublime_text/sublime_text',
'/usr/lib/systemd/systemd-machined',
'/usr/lib/upowerd',
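Review bot: `'/usr/bin/faked'` lands between the `/opt/Lens` and `/opt/sublime_text` entries of what is otherwise a path-sorted list, and the bare name gives no hint of its origin. Move it down to the `/usr/...` entries and tag it, e.g. `'/usr/bin/faked', -- fakeroot daemon (package builds)`, if that is indeed the source. The IN list continues outside the hunk.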


@ -63,3 +63,5 @@ WHERE
'./configure',
'./ksinstall --install=Keystone.tbz'
)
AND p0_cmd NOT LIKE './tools/bpf/resolve_btfids/resolve_btfids -b vmlinux /var/lib/dkms/%'
AND p0_cmd NOT LIKE './tools/objtool/objtool --hacks=jump_label --link --module'
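Review bot: The second new pattern, `'./tools/objtool/objtool --hacks=jump_label --link --module'`, contains no `%`, so `NOT LIKE` degenerates to an exact comparison and will not exclude an objtool invocation that carries a trailing object-file argument. If the observed command line really ends at `--module`, a short comment saying so would stop the next reader from "fixing" it; otherwise append `%`. Note also that `_` in `jump_label` and `resolve_btfids` is a single-character LIKE wildcard, harmless here but worth knowing. Both lines extend a WHERE clause that starts outside the hunk.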


@ -47,7 +47,7 @@ WHERE
AND path != ""
AND REGEX_MATCH (
path,
"^(/bin/|/app/bin|/usr/share/teams/resources/|/sbin/|/usr/bin/|/usr/lib/|/usr/share/spotify-client/|/usr/lib64/|/usr/libexec|/usr/sbin/|/usr/share/code/|/home/|/nix/store/|/opt/|/snap/|/var/lib/snapd/snap/|/tmp/go-build)",
"^(/bin/|/app/bin|/app/extra/|/usr/share/teams/resources/|/sbin/|/usr/bin/|/usr/lib/|/usr/share/spotify-client/|/usr/lib64/|/usr/libexec|/usr/sbin/|/usr/share/code/|/home/|/nix/store/|/opt/|/snap/|/var/lib/snapd/snap/|/tmp/go-build|/usr/local/)",
1
) IS NULL -- Docker
AND NOT cgroup_path LIKE '/system.slice/docker-%' -- Interactive terminal
@ -55,11 +55,17 @@ WHERE
cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-Alacritty-%.scope'
AND path LIKE '/tmp/%'
)
AND NOT path LIKE '/tmp/terraform_%/terraform'
AND NOT path LIKE '/tmp/%/output/%'
AND NOT path LIKE '/tmp/%/_output/%'
AND NOT path LIKE '/tmp/%/bin/%'
AND NOT path LIKE '%/.terraform/providers/%'
AND NOT (
euid > 500
AND (
path LIKE '/tmp/terraform_%/terraform'
OR path LIKE '/tmp/%/output/%'
OR path LIKE '/tmp/%/_output/%'
OR path LIKE '/tmp/%/bin/%'
OR path LIKE '%/.terraform/providers/%'
OR path LIKE '/tmp/.mount_%'
)
)
GROUP BY
path
)
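Review bot: Adding `/usr/local/` to the trusted-prefix regex on the new REGEX_MATCH line exempts every executable under that tree from this check, and `/usr/local` is frequently writable by non-root administrators or package managers, unlike the root-owned `/usr/bin` and `/usr/lib` prefixes it sits beside. If the false positive came from a single tool, a narrower prefix such as `/usr/local/bin/`, or the specific path, keeps most of the coverage. The restructured `euid > 500` block in the second hunk is a good tightening; the `_` in `'/tmp/%/_output/%'` is a LIKE wildcard, probably fine but worth a note.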


@ -109,6 +109,7 @@ WHERE
'~/.cargo/',
'~/code/',
'~/Code/',
'~/.steampipe/',
'~/.config/',
'~/dev/',
'~/git/',


@ -56,6 +56,7 @@ WHERE
'curl,500,launchd,kernel_task',
'curl,500,makepkg,yay',
'curl,500,ruby,zsh',
'curl,0,build.sh,buildkit-runc',
'curl,500,ShellLauncher,',
'curl,500,ShellLauncher,login',
'curl,500,zsh,login',
@ -109,5 +110,6 @@ WHERE
AND parent_name = 'ruby'
AND p.cmdline LIKE '/usr/bin/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/%'
)
GROUP BY
p.pid
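Review bot: The new `'curl,0,build.sh,buildkit-runc'` entry exempts root-run curl keyed only on the parent and grandparent names, if the key layout matches its neighbours; that means any root curl launched by a script named `build.sh` under buildkit is suppressed regardless of what it fetches or where it runs. The Homebrew exception at the end of the second hunk shows a tighter shape, pairing `parent_name` with a `p.cmdline LIKE` constraint; the buildkit case would be safer expressed the same way, or at least scoped with a cgroup condition. The entry also sits between `curl,500` rows in a list that otherwise groups by euid.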


@ -97,12 +97,12 @@ WHERE
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
@ -125,8 +125,7 @@ WHERE
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,syncthing,syncthing,',
'500,terraform-provider-google-beta_v4.48.0_x5,a.out,',
'500,terraform-provider-google_v4.48.0_x5,a.out,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
@ -140,5 +139,6 @@ WHERE
AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
AND NOT exception_key LIKE '500,kubectl.%,a.out,'
AND NOT exception_key LIKE '500,rustlings,rustlings-%,'
GROUP BY
p0.pid


@ -102,7 +102,7 @@ WHERE
OR file.mode LIKE "%5%"
OR file.mode LIKE "%1%"
)
AND file.filename NOT IN ('.Trashes')
AND file.filename NOT IN ('.Trashes', '.background')
AND file.filename NOT LIKE '%.previous'
) -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
OR (
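Review bot: `.background` joins `.Trashes` in the filename exclusion without any note of why a hidden top-level entry on a mounted volume is expected; presumably it is the artwork folder that DMG installers ship, but the reader has to guess. Extend the existing line-end comment style: `AND file.filename NOT IN ('.Trashes', '.background') -- DMG artwork dir`. The match is by name only, so it applies to anything carrying that name; acceptable, but worth the comment.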


@ -225,27 +225,28 @@ WHERE
AND p0_cmd LIKE '%gcloud.py compute start-iap-tunnel%'
)
OR exception_key IN (
'bash,0,pia-daemon,launchd',
'bash,500,Private Internet Access,launchd',
'bash,0,udevadm,udevadm',
'bash,500,.man-wrapped,zsh',
'sh,0,auditd,launchd',
'sh,500,snyk-macos,snyk',
'bash,500,gpg-agent,launchd',
'sh,500,ssh,mosh-client',
'sh,500,Google Drive,launchd',
'sh,500,yabai,launchd',
'sh,500,cloud_sql_proxy,zsh',
'bash,500,com.docker.dev-envs,com.docker.backend',
'zsh,500,old,launchd',
'sh,500,updater,Foxit PDF Reader',
'bash,500,Foxit PDF Reader,launchd',
'zsh,500,stable,launchd',
'dash,0,anacron,systemd',
'sh,500,docs,zsh',
'bash,0,kube-apiserver,containerd-shim-runc-v2',
'bash,0,etcd,containerd-shim-runc-v2',
'zsh,500,python3.10,gnome-shell'
'bash,0,kube-apiserver,containerd-shim-runc-v2',
'bash,0,pia-daemon,launchd',
'bash,0,udevadm,udevadm',
'bash,500,com.docker.dev-envs,com.docker.backend',
'bash,500,Foxit PDF Reader,launchd',
'bash,500,gnome-session-binary,systemd',
'bash,500,gpg-agent,launchd',
'bash,500,.man-wrapped,zsh',
'bash,500,Private Internet Access,launchd',
'dash,0,anacron,systemd',
'sh,0,auditd,launchd',
'sh,500,cloud_sql_proxy,zsh',
'sh,500,docs,zsh',
'sh,500,Google Drive,launchd',
'sh,500,snyk-macos,snyk',
'sh,500,ssh,mosh-client',
'sh,500,updater,Foxit PDF Reader',
'sh,500,yabai,launchd',
'zsh,500,old,launchd',
'zsh,500,python3.10,gnome-shell',
'zsh,500,stable,launchd'
)
OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'
@ -262,7 +263,7 @@ WHERE
OR p0_cmd LIKE '%gcloud config get-value%'
OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
OR p1_cmd LIKE '%/bin/pipenv shell'
OR p1_cmd LIKE 'gcloud% auth login%'
OR p1_cmd LIKE 'gcloud% auth%login%'
OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'
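Review bot: The new `'bash,500,gnome-session-binary,systemd'` entry uses the full 20-character process name, while the parent-name list in another file of this commit carries `'gnome-session-b'`, the 15-character comm truncation; if this query's third key field is also fed from a comm-truncated `name`, the entry can never match and the false positive persists. Please confirm which column builds that field and, if it is `name`, change the entry to `'bash,500,gnome-session-b,systemd'`. The second hunk's broadening to `'gcloud% auth%login%'` now also matches other `auth ... login` subcommands, which appears intended.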


@ -95,6 +95,7 @@ WHERE
'gnome-session-b',
'Runner.Worker',
'provisio',
'pacman',
'sdk',
'sdzoomplugin',
'sh',
@ -195,3 +196,4 @@ WHERE
AND NOT pp.name LIKE '%/bin/direnv'
AND NOT parent_path LIKE '/nix/store/%sh'
AND NOT parent_path LIKE '/opt/homebrew/%'
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
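Review bot: The new `AND NOT p.cgroup_path LIKE '/system.slice/docker-%'` in the second hunk removes every container-spawned process from this query's scope in one stroke, a much broader coverage loss than the name-based exceptions around it. If container workloads are meant to be covered by a separate query, a comment such as `-- containers excluded here; covered by <container-focused query, fill in>` records the decision; otherwise consider keeping the cgroup exception scoped to the parent names that actually triggered. The WHERE clause it extends starts before the hunk.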


@ -9,6 +9,7 @@ SELECT
lp.port,
lp.protocol,
p.euid,
p.cgroup_path,
p.parent,
p.pid,
p.name,
@ -161,12 +162,13 @@ WHERE
)
AND NOT (
p.name IN (
'hugo',
'caddy',
'controller',
'docker-proxy',
'rootlessport',
'hugo',
'nginx-ingress-c',
'webhook',
'controller'
'rootlessport',
'webhook'
)
AND lp.port > 1024
and lp.protocol = 6
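Review bot: Adding `p.cgroup_path` to the SELECT list changes the result schema; osquery's differential mode hashes whole rows, so if this pack entry runs differentially every existing listening-port row will be re-emitted once as removed and added on the first run after deploy. That is harmless but should be expected by whoever watches the alert volume; a note in the commit message would do. The reordering of the `p.name IN` list in the second hunk is alphabetical and keeps the same seven entries.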


@ -57,12 +57,10 @@ WHERE
-- port is capped at 49152 to represent transient ports
AND NOT exception_key IN (
'10011,6,0,launchd,Software Signing',
'1024,6,0,systemmigrationd,Software Signing',
'1313,6,500,hugo,',
'1338,6,500,registry,',
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'53,6,500,dnsmasq,',
'137,17,0,launchd,Software Signing',
'1024,6,0,systemmigrationd,Software Signing',
'137,17,222,netbiosd,Software Signing',
'138,17,0,launchd,Software Signing',
'138,17,222,netbiosd,Software Signing',
@ -96,6 +94,7 @@ WHERE
'49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,Music,Software Signing',
'49152,6,500,node,',
'49152,6,500,rapportd,Software Signing',
@ -108,7 +107,9 @@ WHERE
'5000,6,500,ControlCenter,Software Signing',
'5001,6,500,gvproxy,',
'5060,6,500,CommCenter,Software Signing',
'53,17,500,dnsmasq,',
'53,17,65,mDNSResponder,Software Signing',
'53,6,500,dnsmasq,',
'53,6,65,mDNSResponder,Software Signing',
'546,17,0,configd,Software Signing',
'547,17,500,dhcp6d,Software Signing',
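Review bot: The new `'53,17,500,dnsmasq,'` entry, like the relocated `'53,6,500,dnsmasq,'`, exempts a non-root process listening on port 53 with an empty signing-authority field, so the key rests on port, protocol, euid and process name alone. Binding 53 as euid 500 normally requires a capability or a user-level virtualisation helper, which is close to what this query exists to surface; a comment naming the expected source, e.g. `-- dnsmasq on 53 as euid 500: <expected source, fill in>`, would keep the exception reviewable. The rest of this section is a sort-order reshuffle.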


@ -77,6 +77,7 @@ WHERE
'systemctl,500,systemd,',
'systemctl,0,dash,logrotate',
'systemctl,0,snapd,systemd',
'systemctl,500,bash,gnome-terminal-server',
'systemctl,0,pacman,pacman',
'systemctl,0,pacman,sudo',
'systemctl,0,tailscaled,',


@ -163,6 +163,7 @@ WHERE
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
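Review bot: The new `'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755'` entry exempts a root sshd running inside a user session slice rather than `system.slice`, which is precisely the cgroup anomaly this key encodes; a daemon started by hand from a login shell looks identical to one started by anything else in that session. If this came from an ad-hoc test run, a comment such as `-- root sshd in user-1000.slice: manually started, <context, fill in>` documents the acceptance, and the entry should probably be revisited rather than kept permanently. It also breaks the alphabetical order by landing between two `scdaemon` rows.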