Merge pull request #424 from tstromberg/fpr-nov13

fpr: mc, colima, webfilterproxyd, headlamp, record it, etc
This commit is contained in:
Thomas Strömberg 2024-11-13 16:54:01 -05:00 committed by GitHub
commit 5e2a562417
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
25 changed files with 108 additions and 46 deletions


@ -73,7 +73,6 @@ WHERE
'185.125.190.31', -- Canonical
'185.125.190.77' -- Canonical
)
-- Exceptions that specifically talk to one server
AND exception_key NOT IN (
'adguard_dns,1.0.0.1,53',
@ -84,6 +83,7 @@ WHERE
'ChatGPT,8.8.8.8,53',
'com.docker.backend,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'Creative Cloud Content Manager.node,8.8.4.4,53',
'coredns,0.0.0.0,53',
'coredns,8.8.8.8,53',
'distnoted,8.8.8.8,53',


@ -77,6 +77,7 @@ WHERE
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'implicitclass,/usr/lib/cups/backend/implicitclass,0,system.slice,cups.service,0744',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',


@ -8,7 +8,8 @@
--
-- tags: transient state net rapid
-- platform: linux
SELECT s.remote_address,
SELECT
s.remote_address,
s.remote_port,
s.local_port,
s.local_address,
@ -39,12 +40,14 @@ SELECT s.remote_address,
'g,',
p.name
) AS exception_key
FROM process_open_sockets s
FROM
process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash ON p.path = hash.path
WHERE protocol > 0
WHERE
protocol > 0
AND s.remote_port > 0 -- See unexpected-https-client
AND NOT (
s.remote_port = 443
@ -108,11 +111,13 @@ WHERE protocol > 0
'80,6,0,python3.12,500u,500g,dnf-automatic',
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
'123,17,106,chronyd,0u,0g,chronyd',
'5222,6,500,msedge,0u,0g,msedge',
'80,6,0,python3.11,0u,0g,dnf-automatic',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf',
'80,6,0,python3.12,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'89,6,500,chrome,0u,0g,chrome',
'80,6,0,python3.9,u,g,yum',
'80,6,0,rpm-ostree,0u,0g,rpm-ostree',
@ -294,4 +299,5 @@ WHERE protocol > 0
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
)
)
GROUP BY p.cmdline
GROUP BY
p.cmdline
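Review bot: The exception keys added in the `@ -108,11 +111,13 @@` hunk (two of `'123,17,106,chronyd,0u,0g,chronyd'`, `'5222,6,500,msedge,0u,0g,msedge'` and `'89,6,500,chrome,0u,0g,chrome'`, going by the hunk counts) are interleaved with a whole-file reformat, so a reviewer cannot read off from this page which allowlist entries actually changed. Splitting the mechanical reformat from the allowlist edits, or at least tagging each new key with a `-- added: <reason>` comment, keeps an exception list of this size auditable. The same applies to the other reformatted sections on this page (those whose first hunk moves `SELECT` and `FROM` onto their own lines). The enclosing SELECT starts before the first hunk of this section.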


@ -5,7 +5,8 @@
--
-- tags: transient state net often
-- platform: macos
SELECT pos.protocol,
SELECT
pos.protocol,
pos.local_port,
pos.remote_port,
remote_address,
@ -40,17 +41,24 @@ SELECT pos.protocol,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256
FROM process_open_sockets pos
FROM
process_open_sockets pos
LEFT JOIN processes p0 ON pos.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN signature s ON p0.path = s.path
WHERE pos.pid IN (
SELECT pid
from process_open_sockets
WHERE protocol > 0
WHERE
pos.pid IN (
SELECT
pid
from
process_open_sockets
WHERE
protocol > 0
AND local_port > 0
AND remote_port > 0
AND NOT (
remote_port IN (53, 443)
AND protocol IN (6, 17)
@ -124,4 +132,5 @@ WHERE pos.pid IN (
AND remote_port = 0
AND protocol = 0
)
GROUP BY p0.cmdline
GROUP BY
p0.cmdline
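Review bot: The reformatted subquery in the `@ -40,17 +41,24 @@` hunk keeps a lowercase `from` (the line between `pid` and `process_open_sockets`) while every other keyword in the hunk is uppercase, so the reformat leaves the file with mixed keyword case. Change it to `FROM` to match the rest of the query. The outer SELECT begins before the first hunk of this section.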


@ -32,4 +32,5 @@ WHERE
AND f.path NOT LIKE '%mysql-test/suite/%'
AND f.path NOT LIKE '%.json'
AND f.path NOT LIKE '%.log'
AND f.path NOT LIKE '%/testdata/%'
AND f.size > 32768
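Review bot: `AND f.path NOT LIKE '%/testdata/%'` exempts every file under any directory named `testdata`, at any depth and under any root, from this check, and nothing in the hunk records why; that is a wider carve-out than a single-project exception like `'%mysql-test/suite/%'`. If the intent is test fixtures in source checkouts, add a comment saying so, e.g. `-- test fixtures checked into source trees`, and narrow the pattern to the parent paths actually seen if they are stable. The WHERE clause starts before this hunk.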


@ -57,6 +57,7 @@ FROM
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
et.event_tapped IN ('EventKeyDown', 'EventKeyUp')
AND et.enabled != 0
AND s.authority != 'Software Signing' -- Popular programs that sniff keyboard events, but do not appear to be malware.
AND NOT exception_key IN (
'Alfred,com.runningwithcrayons.Alfred,Developer ID Application: Running with Crayons Ltd (XZZXE9SED4)',
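Review bot: `AND et.enabled != 0` is undocumented and, because a comparison with NULL yields UNKNOWN, it also drops any event tap whose `enabled` value is NULL rather than only the ones explicitly disabled. If the column is always populated that is harmless, but a one-line comment stating the intent and the assumption would help, e.g. `-- skip taps that are not currently enabled (assumes enabled is never NULL)`. The surrounding WHERE clause and the exception list continue outside the hunk.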


@ -238,6 +238,8 @@ WHERE
'/dev/video,zoom',
'/dev/video,zoom.real',
'/dev/wwan0mbim,mbim-proxy',
'/dev/udmabuf,xdg-desktop-portal-gnome',
'/dev/udmabuf,nautilus',
'/dev/zfs,',
'/dev/zfs,zed',
'/dev/zfs,zfs',


@ -108,6 +108,7 @@ WHERE
'/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io8log,airportd,Software Signing,com.apple.airport.airportd',
'/dev/cu.debug-console,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
'/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter',


@ -8,7 +8,8 @@
--
-- tags: transient often
-- platform: posix
SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
SELECT
REPLACE(p0.cwd, u.directory, '~') AS dir,
REGEX_MATCH (
REPLACE(p0.cwd, u.directory, '~'),
'([/~].*?/.*?)/',
@ -55,7 +56,8 @@ SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON p0.uid = u.uid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@ -64,10 +66,14 @@ FROM processes p0
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE p0.pid IN (
SELECT DISTINCT pid
FROM processes
WHERE cwd LIKE '%/.%'
WHERE
p0.pid IN (
SELECT DISTINCT
pid
FROM
processes
WHERE
cwd LIKE '%/.%'
AND NOT name IN (
'apfsd',
'bindfs',
@ -94,6 +100,7 @@ WHERE p0.pid IN (
'bash,~/.Trash',
'bash,~/.local/share',
'bash,~/go/src',
'telegram-deskto,~/snap/telegram-desktop',
'c++,~/.cache/yay',
'cc1,/home/build/.cache',
'cc1plus,~/.cache/yay',
@ -119,6 +126,7 @@ WHERE p0.pid IN (
'rust-analyzer-p,~/.cargo/registry',
'rustc,/home/build/.cargo',
'vet,/home/build/.cache',
'npm install,/home/build/.npm',
'zsh,/private/tmp/workspace',
'zsh,~/.Trash'
)
@ -129,6 +137,7 @@ WHERE p0.pid IN (
OR dir IN (
'~/.config',
'~/.local/bin',
'/home/build',
'/var/home/linuxbrew/.linuxbrew/Cellar',
'~/.vim',
'~/dev/extra-packages/.chainguard',
@ -144,12 +153,7 @@ WHERE p0.pid IN (
'~/.hunter/_Base',
'~/.zsh'
)
OR top_dir IN (
'~/Sync',
'~/src',
'~/workspace',
'~/dev'
)
OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
OR dir LIKE '/opt/homebrew/%/.cache/%'
OR dir LIKE '~/%enterprise-packages/.chainguard'
@ -190,4 +194,5 @@ WHERE p0.pid IN (
AND p0.euid = 0
)
)
GROUP BY p0.pid
GROUP BY
p0.pid
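Review bot: The `'/home/build'` entry in the `dir IN (...)` list of the `@ -129,6 +137,7 @@` hunk (assuming it is the line that hunk adds) looks unreachable: `dir` is `REPLACE(p0.cwd, u.directory, '~')` and every row must first pass the `cwd LIKE '%/.%'` filter inside the `p0.pid IN (...)` subquery, so a cwd that reduces to exactly `/home/build` is never selected, unless the outer WHERE has another branch outside these hunks. If the goal was to exempt work under that tree, it belongs with the `dir LIKE` patterns, e.g. `OR dir LIKE '/home/build/.%'`, otherwise it should be dropped. Separately, the `@ -144,12 +153,7 @@` hunk collapses `top_dir IN (...)` onto one line while the rest of the reformat puts each value on its own line.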


@ -5,7 +5,8 @@
--
-- tags: transient
-- platform: posix
SELECT f.directory,
SELECT
f.directory,
f.btime,
p0.start_time,
RTRIM(
@ -51,7 +52,8 @@ SELECT f.directory,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@ -59,7 +61,8 @@ FROM processes p0
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE (
WHERE
(
p0.name LIKE '.%'
OR f.filename LIKE '.%'
OR f.directory LIKE '%/.%'
@ -88,6 +91,7 @@ WHERE (
'~/.terraform',
'~/.tflint.d',
'~/.vs-kubernetes',
'~/chainguard-images',
'~/Code',
'~/Projects',
'~/code',
@ -116,7 +120,7 @@ WHERE (
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'
AND NOT f.directory LIKE '/var~/Code/cgr/private/.terraform/%'
AND NOT f.directory LIKE '%/.terraform/%'
AND NOT f.path LIKE '/nix/store/%/%-wrapped'
AND NOT (
f.path LIKE '/nix/store/%'
@ -127,4 +131,5 @@ WHERE (
AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS'
GROUP BY f.path
GROUP BY
f.path
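Review bot: Replacing `'/var~/Code/cgr/private/.terraform/%'` with `AND NOT f.directory LIKE '%/.terraform/%'` (assuming the latter is the new line, as the old value looks like a mangled path) widens a single-path exception to every `.terraform` directory anywhere on the filesystem, in a query whose WHERE is built around `p0.name LIKE '.%' OR f.filename LIKE '.%' OR f.directory LIKE '%/.%'`. That may be the intended trade-off for provider plugins, but it deserves a comment, e.g. `-- provider binaries run from .terraform/ inside any checkout`, and could be narrowed to the sub-path actually observed. The WHERE clause begins before this hunk.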


@ -65,6 +65,7 @@ WHERE
'/usr/bin/pavucontrol',
'/usr/bin/espeak',
'/usr/bin/unpigz',
'/usr/bin/xsettingsd',
'/usr/bin/xss-lock',
'/usr/bin/i3lock',
'/usr/bin/xbindkeys',


@ -53,9 +53,11 @@ WHERE
'/usr/lib/electron22',
'/usr/bin',
'/opt/google/chrome',
'/opt/microsoft/msedge',
'/usr/libexec',
'/usr/lib/systemd',
'/usr/lib',
'/usr/lib/go/bin',
'/usr/share/code'
) -- long-running launchers
AND NOT p1.name IN (


@ -114,8 +114,10 @@ WHERE
'/tmp/.SIGN.RSA.local-melange.rsa.pub',
'/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
'/tmp/.s.PGSQL.5432',
'/var/root/.nx/',
'/tmp/.s.PGSQL.5432.lock',
'/tmp/.terraform/',
'/.cache/',
'/tmp/.terraform.lock.hcl',
'/tmp/.Test-unix/',
'/tmp/.touchpaddefaults',
@ -156,6 +158,7 @@ WHERE
'/var/root/.bash_history',
'/var/root/.bash_profile',
'/var/root/.cache/',
'/var/root/.config/',
'/var/root/.CFUserTextEncoding',
'/var/root/.docker/',
'/var/root/.forward',


@ -93,3 +93,4 @@ WHERE
AND NOT basename LIKE 'terraform-provider%'
AND NOT basename LIKE 'ld-%.so'
AND NOT basename LIKE 'unison-%'
AND NOT basename IN ('io.elementary.appcenter')


@ -54,6 +54,9 @@ WHERE
'kdc.pid',
'prl_disp_service.pid',
'prl_naptd.pid',
'prl_desktop_services.lock',
'prl_desktop_services_foreground.lock',
'prl_disp_service.urgent',
'prl_watchdog-ebdba5702a20.pid',
'resolv.conf',
'rtadvd.pid',


@ -120,6 +120,7 @@ WHERE
"xdg-desktop-portal-gnome",
"xdg-desktop-portal-gtk",
"xdg-desktop-portal-kde",
"xdg-desktop-portal-xapp",
"xdg-document-portal",
"xdg-permission-store",
"xwaylandvideobridge"


@ -127,6 +127,9 @@ WHERE
'goland',
'java',
'pycharm',
'zsh',
'bash',
'jetbrains',
'sh',
'vim',
'vim.nox'


@ -2,7 +2,8 @@
--
-- platform: darwin
-- tags: persistent state process seldom
SELECT s.authority,
SELECT
s.authority,
s.identifier,
CONCAT (
MIN(p0.euid, 500),
@ -38,7 +39,8 @@ SELECT s.authority,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
FROM
processes p0
JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@ -48,9 +50,12 @@ FROM processes p0
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE -- Focus on longer-running programs
p0.pid IN (
SELECT pid
FROM processes
WHERE start_time < (strftime('%s', 'now') - 25200)
SELECT
pid
FROM
processes
WHERE
start_time < (strftime('%s', 'now') - 25200)
AND parent != 0 -- Assume STP
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/libexec/%'
@ -100,4 +105,6 @@ WHERE -- Focus on longer-running programs
AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,'
GROUP BY p0.pid
AND NOT exception_key LIKE '500,marksman-macos,marksman-%,'
GROUP BY
p0.pid


@ -96,6 +96,7 @@ WHERE
'irccloud.com',
'jetbrains.com',
'kagi.com',
'kolide.com',
'libreoffice.org',
'live.com',
'logitech.com',
@ -266,5 +267,6 @@ WHERE
AND host NOT LIKE 'www.google.%'
AND host NOT LIKE '%release%.storage.googleapis.com'
AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
AND ea.value NOT LIKE 'https://storage.googleapis.com/kolide-k2-production-downloads-f414/%'
GROUP BY
ea.value


@ -55,6 +55,7 @@ FROM
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
lp.port != 0
AND NOT lp.address IN ("127.0.0.1", "::1")
AND (
p0.path LIKE "/private/tmp%"
OR p0.path LIKE "/private/var/tmp%"
@ -93,11 +94,6 @@ WHERE
AND lp.port > 1024
and lp.protocol = 6
)
AND NOT (
p0.name = "ssh"
AND homecwd LIKE '/tmp/%'
AND lp.address IN ("127.0.0.1", "::1")
)
-- Overly broad, but prevents a lot of false positives
AND NOT homepath LIKE "~/.%"
AND NOT homecwd LIKE "~/.%"
@ -118,6 +114,7 @@ WHERE
'32768,6,500,Python',
'32768,6,500,python3',
'32768,17,499,viscosity_openvpn',
'9867,6,500,bazel-remote',
'1,1,500,ping'
)
AND NOT p0.path LIKE '/nix/store/%'
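Review bot: `AND NOT lp.address IN ("127.0.0.1", "::1")` now exempts every loopback listener from this tmp-path check, whereas the block removed in the `@ -93,11 +94,6 @@` hunk only did so for `ssh` with a `/tmp/` cwd; a process running from `/private/tmp` and bound to loopback is still reachable by other local processes, so the wider carve-out is worth recording, e.g. `-- loopback listeners from tmp are ignored; they are not reachable off-host`. The literal list is also narrower than the `NOT LIKE '127.0.0.%'` form used elsewhere in this commit, so other 127/8 binds would still be reported by this predicate; decide which is intended. If this runs on osquery's SQLite, `"127.0.0.1"` is only a string because no column of that name exists, so single quotes are the safer spelling. The WHERE clause extends beyond this hunk.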


@ -88,6 +88,7 @@ WHERE
'/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
'/opt/homebrew/bin/gitsign-credential-cache',
'/opt/homebrew/opt/emacs/bin/emacs --fg-daemon',
'/opt/homebrew/opt/libvirt/sbin/libvirtd -f /opt/homebrew/etc/libvirt/libvirtd.conf',
'/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
'/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
'/opt/homebrew/opt/mariadb/bin/mysqld_safe',


@ -39,7 +39,7 @@ FROM
LEFT JOIN hash ON p.path = hash.path
WHERE
port != 0
AND lp.address NOT IN ('224.0.0.251', '::1')
AND lp.address NOT IN ('224.0.0.251', '::1', '127.0.0.1', '127.1.1.1')
AND lp.address NOT LIKE '127.0.0.%'
AND lp.address NOT LIKE '172.1%'
AND lp.address NOT LIKE 'fe80::%'
@ -74,6 +74,7 @@ WHERE
'10256,6,0,kube-proxy',
'10256,6,500,kube-proxy',
'1,1,500,ping',
'1,255,500,ping',
'1,255,500,mtr-packet',
'1337,6,500,kdenlive',
'1716,6,500,daemon.js',
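Review bot: Adding `'127.0.0.1'` to `lp.address NOT IN (...)` is redundant with the `AND lp.address NOT LIKE '127.0.0.%'` on the very next line, which already excludes it; only `'127.1.1.1'` changes behaviour. If the intent is to ignore all of 127/8, replacing both with `AND lp.address NOT LIKE '127.%'` is clearer than growing the literal list one address at a time; otherwise drop the redundant entry and add a comment naming why `127.1.1.1` is special. The WHERE clause begins before this hunk.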


@ -5,7 +5,8 @@
--
-- tags: persistent state net low
-- platform: darwin
SELECT lp.address,
SELECT
lp.address,
lp.port,
lp.protocol,
p.uid,
@ -27,11 +28,13 @@ SELECT lp.address,
',',
signature.authority
) AS exception_key
FROM listening_ports lp
FROM
listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path
WHERE port != 0
WHERE
port != 0
AND lp.address NOT IN ('224.0.0.251', '::1')
AND lp.address NOT LIKE '127.0.0.%'
AND lp.address NOT LIKE '172.1%'
@ -57,9 +60,11 @@ WHERE port != 0
'111,6,1,rpcbind,Software Signing',
'1144,6,500,fuscript,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
'1234,6,500,qemu-system-aarch64,',
'5001,6,500,Record It,Apple Mac OS Application Signing',
'1313,6,500,hugo,',
'1338,6,500,ec2-metadata-mock,',
'1338,6,500,registry,',
'4466,6,500,headlamp-server,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'137,17,0,launchd,Software Signing',
'137,17,222,netbiosd,Software Signing',
'138,17,0,launchd,Software Signing',
@ -70,6 +75,7 @@ WHERE port != 0
'1824,6,500,WaveLink,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'2112,6,500,fake,',
'49152,6,0,webfilterproxyd,Software Signing',
'2112,6,500,rekor-server,',
'2112,6,500,timestamp-server,',
'22000,6,500,syncthing,',
@ -275,4 +281,5 @@ WHERE port != 0
AND p.cmdline LIKE '%/.colima/_lima/colima-docker/ssh.sock%'
)
)
GROUP BY exception_key
GROUP BY
exception_key
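Review bot: The new keys `'5001,6,500,Record It,Apple Mac OS Application Signing'`, `'4466,6,500,headlamp-server,Developer ID Application: Microsoft Corporation (UBF8T346G9)'` and `'49152,6,0,webfilterproxyd,Software Signing'` are inserted out of the port-ordered runs around them (`'1234'`, then `'5001'`, then `'1313'`; `'2112'`, then `'49152'`, then `'2112'`), which makes duplicates and stale entries hard to spot in a list this long; place them in order. Note also that 49152 is the first port of the usual dynamic range, so if that daemon picks its port at runtime an exception keyed on it is likely to be brittle — worth confirming before relying on it. The SELECT and the exception list are split across several hunks; the query starts at the first hunk of this section.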


@ -308,6 +308,7 @@ WHERE
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',


@ -272,6 +272,7 @@ WHERE -- Focus on longer-running programs
'/usr/local/bin/warsaw/core',
'/usr/local/kolide-k2/bin/osquery-extension.ext',
'/usr/local/sbin/velociraptor',
'/opt/colima/bin/socket_vmnet',
'/usr/sbin/aslmanager',
'/usr/sbin/audioclocksyncd',
'/usr/sbin/auditd',