RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc

This commit is contained in:
Thomas Stromberg 2024-11-18 16:16:52 -05:00
parent 5e2a562417
commit 6fb7fa69e1
Failed to extract signature
23 changed files with 127 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/c2/unexpected-talkers-linux.sql
View File

@ -197,6 +197,7 @@ WHERE
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
'8080,6,500,idea,0u,0g,idea',
'32768,6,500,mumble,0u,0g,mumble',
'8080,6,500,python3.11,0u,0g,speedtest-cli',
'8080,6,500,speedtest,500u,500g,speedtest',
'8080,6,500,bambu-studio,u,g,bambustu_main',

25
detection/c2/unexpected-talkers-macos.sql
View File

@ -111,26 +111,17 @@ WHERE
unsigned_exception = '500,6,80,main,main'
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
)
AND NOT (
unsigned_exception IN (
-- port 0 means the connection has come and gone since the original process_open_sockets entry
AND NOT unsigned_exception IN (
'500,0,0,gvproxy,gvproxy',
'500,6,0,gvproxy,gvproxy',
'500,17,53,gvproxy,gvproxy',
'500,17,53,gvproxy,gvproxy',
'500,6,32768,gvproxy,gvproxy',
'500,17,123,gvproxy,gvproxy'
)
AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
)
AND NOT (
unsigned_exception = '500,0,0,chainlink,chainlink'
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
AND remote_port = 0
AND protocol = 0
)
AND NOT (
unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
AND remote_port = 0
AND protocol = 0
'500,0,0,chainlink,chainlink',
'500,17,123,gvproxy,gvproxy',
'500,0,0,,',
'500,0,0,.Telegram-wrapped,.Telegram-wrapped'
)
GROUP BY
p0.cmdline

1
detection/credentials/unexpected-dev-opener-linux.sql
View File

@ -111,6 +111,7 @@ WHERE
'/dev/snd/seq',
'/dev/urandom',
'/dev/vga_arbiter',
'/dev/udmabuf',
'/dev/video10' -- workaround for poor regex management (ffmpeg)
)
AND pof.path NOT LIKE '/dev/pts/%'

1
detection/discovery/unexpected-bpf-user.sql
View File

@ -39,6 +39,7 @@ WHERE
AND p.path NOT IN (
'/usr/bin/qemu-system-x86_64',
'/usr/lib/systemd/systemd',
'/usr/lib/systemd/systemd-nsresourced',
'/var/opt/Elastic/Endpoint/elastic-endpoint',
'/opt/Elastic/Endpoint/elastic-endpoint'
)

55
detection/evasion/hidden-cwd.sql
View File

@ -154,40 +154,41 @@ WHERE
'~/.zsh'
)
OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
OR dir LIKE '/opt/homebrew/%/.cache/%'
OR dir LIKE '~/%enterprise-packages/.chainguard'
OR dir LIKE '/private/tmp/%/.git'
OR dir LIKE '/tmp/.mount_%'
OR dir LIKE '/tmp/%/.git'
OR dir LIKE '~/%/.tests/%'
OR dir LIKE '/tmp/%/.github/workflows'
OR dir LIKE '~/%/.terragrunt-cache/%'
OR dir LIKE '~/.%'
OR dir LIKE '%/.build'
OR dir LIKE '%/.cache/melange%'
OR dir LIKE '%/.cargo/%'
OR dir LIKE '~/code/%'
OR dir LIKE '~/%/.config/nvim'
OR dir LIKE '~/dev/%/dots/%/.config%'
OR dir LIKE '~/%/.docker%'
OR dir LIKE '~/%enterprise-packages/.chainguard'
OR dir LIKE '%/.git'
OR dir LIKE '%/.git/%'
OR dir LIKE '%/.gradle'
OR dir LIKE '%/.github/%'
OR dir LIKE '%/node_modules/.bin'
OR dir LIKE '%/.cache/melange%'
OR dir LIKE '%/.github'
OR dir LIKE '%/.venv'
OR dir LIKE '/home/build/.cache%'
OR dir LIKE '~/.%'
OR dir LIKE '~/.gradle/%'
OR dir LIKE '~/%/.config/nvim'
OR dir LIKE '~/%/.docker%'
OR dir LIKE '/.gradle/%'
OR dir LIKE '~/%/.modcache/%'
OR dir LIKE '~/%/.terraform%'
OR dir LIKE '~/%/.vercel%'
OR dir LIKE '%/.github/%'
OR dir LIKE '~/%/github.com/%'
OR dir LIKE '~/%/node_modules/.pnpm/%'
OR dir LIKE '~/%/src/%'
OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
OR dir LIKE '~/code/%'
OR dir LIKE '~/dev/%/dots/%/.config%'
OR dir LIKE '%/.gradle'
OR dir LIKE '/.gradle/%'
OR dir LIKE '~/.gradle/%'
OR dir LIKE '/home/build/%'
OR dir LIKE '/home/build/.%'
OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
OR dir LIKE '~/%/.modcache/%'
OR dir LIKE '%/node_modules/.bin'
OR dir LIKE '~/%/node_modules/.pnpm/%'
OR dir LIKE '/opt/homebrew/%/.cache/%'
OR dir LIKE '/private/tmp/%/.git'
OR dir LIKE '~/%/src/%'
OR dir LIKE '~/%/.terraform%'
OR dir LIKE '~/%/.terragrunt-cache/%'
OR dir LIKE '~/%/.tests/%'
OR dir LIKE '/tmp/%/.git'
OR dir LIKE '/tmp/%/.github/workflows'
OR dir LIKE '/tmp/.mount_%'
OR dir LIKE '%/.venv'
OR dir LIKE '~/%/.vercel%'
OR dir LIKE '~/src/%' -- For sudo calls to other things
OR (
dir LIKE '/home/.terraform.d/%'

1
detection/evasion/hidden-executable.sql
View File

@ -99,6 +99,7 @@ WHERE
)
AND NOT top3_dir IN (
'~/.bin',
'~/.vscode/cli',
'~/.bin-unwrapped',
'~/.cache/gitstatus',
'~/.cache/selenium',

1
detection/evasion/name_path_mismatch.sql
View File

@ -91,6 +91,7 @@ WHERE
AND NOT exception_key IN (
'0,udevadm,systemd-udevd',
'0,udevadm,(udev-worker)',
'0,systemd-executor,(sd-pam)',
'120,systemd-executor,(sd-pam)',
'42,systemd-executor,(sd-pam)',
'500,busybox,sh',

18
detection/evasion/unexpected-hidden-system-paths.sql
View File

@ -61,10 +61,11 @@ WHERE
AND strftime('%s', 'now') - file.ctime > 20
AND file.path NOT IN (
'/.autorelabel',
'/.cache/',
'/dev/.blkid.tab',
'/dev/.mdadm/',
'/.equarantine/',
'/etc/.bootcount',
'/dev/.blkid.tab',
'/etc/.clean',
'/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',
@ -79,11 +80,8 @@ WHERE
'/.mozilla/',
'/tmp/.accounts-agent/',
'/tmp/.audio-agent/',
-- Xcode;
-- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
-- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
'/tmp/.bazelci/',
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F', -- Xcode
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/.content-agent/',
'/tmp/._contentbarrier_installed',
@ -97,7 +95,6 @@ WHERE
'/tmp/.eos-update-notifier.log',
'/tmp/.featureflags-agent/',
'/tmp/.font-unix/',
'/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
'/tmp/.git/',
'/tmp/.go-version',
'/tmp/.helmrepo',
@ -110,14 +107,13 @@ WHERE
'/tmp/.ses',
'/tmp/.settings-agent/',
'/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
'/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
'/tmp/.SIGN.RSA..local-melange.rsa.pub',
'/tmp/.SIGN.RSA.local-melange.rsa.pub',
'/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
'/tmp/.s.PGSQL.5432',
'/var/root/.nx/',
'/tmp/.s.PGSQL.5432.lock',
'/tmp/.terraform/',
'/.cache/',
'/tmp/.terraform.lock.hcl',
'/tmp/.Test-unix/',
'/tmp/.touchpaddefaults',
@ -151,6 +147,7 @@ WHERE
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/home/.duperemove.hash',
'/var/home/.snapshots',
'/var/mail/.cache/',
'/var/.ntw_cache',
'/var/.Parallels_swap/',
@ -158,8 +155,8 @@ WHERE
'/var/root/.bash_history',
'/var/root/.bash_profile',
'/var/root/.cache/',
'/var/root/.config/',
'/var/root/.CFUserTextEncoding',
'/var/root/.config/',
'/var/root/.docker/',
'/var/root/.forward',
'/var/roothome/.bash_history',
@ -173,11 +170,14 @@ WHERE
'/var/roothome/.local/',
'/var/roothome/.osquery/',
'/var/roothome/.ssh/',
'/var/roothome/.var/',
'/var/home/.snapshots/',
'/var/roothome/.viminfo',
'/var/root/.lesshst',
'/var/root/.nix-channels',
'/var/root/.nix-defexpr/',
'/var/root/.nix-profile/',
'/var/root/.nx/',
'/var/root/.osquery/',
'/var/root/.PenTablet/',
'/var/root/.provisio',

3
detection/evasion/unexpected-ld-so-files-linux.sql
View File

@ -62,12 +62,15 @@ WHERE
'/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
'/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
'/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
'/etc/ld.so.conf.d/llvm18-x86_64.conf,0644,22,a22fdfb5b0443aa1e820a319c56867529ebc54b0f11634c51e5dd847cd8f1b97',
'/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
'/etc/ld.so.conf.d/mingw32-hostlib.conf,0644,27,3cc2feee654c7193027397a7f6ab41bd1c6db13fda295278205a050f870f3f3d',
'/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
'/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',
'/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f',
'/etc/ld.so.conf.d/perf.conf,0644,14,c67f871bdc72182dc75c160b16ca3b5371fdab76a27199a29f14b52a5aed1d3f',
'/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221',
'/etc/ld.so.conf.d/pipewire-jack-x86_64-linux-gnu.conf,0644,45,b84c0e703c387e522837367d8db7b09d46aa3c39a476471643dda38faf5b226d',
'/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a',
'/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98',
'/etc/ld.so.conf.d/zz_i386-biarch-compat.conf,0644,56,4e3c617050427d51497a0e5969b0159421580cf5e7c9649e39f45b5e2fcb47b6',

3
detection/evasion/unusual-process-name-linux.sql
View File

@ -40,6 +40,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time < (strftime('%s', 'now') - 43200) AND
(
pname LIKE "%kthread%"
OR pname LIKE "%-help"
@ -98,6 +99,7 @@ WHERE
AND basename NOT IN (
"acpid",
"busybox",
"cpulimit",
"com.docker.backend",
"com.docker.build",
"com.docker.extensions",
@ -126,6 +128,7 @@ WHERE
"xwaylandvideobridge"
)
AND basename NOT LIKE '___Test%'
AND basename NOT LIKE '___2Test%'
AND NOT (
basename IN ('nm-dispatcher')
AND p1_pid = 1

3
detection/evasion/unusual-process-name-macos.sql
View File

@ -43,6 +43,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time < (strftime('%s', 'now') - 43200) AND
(
pname LIKE "%kthread%"
OR pname LIKE "%-help"
@ -105,6 +106,8 @@ WHERE
'at.obdev.littlesnitch.networkextension',
'com.microsoft.teams2.notificationcenter',
'cpu',
'xdg-open',
'EncryptMe',
'dynamiclinkmanager',
'launchd_startx'
)

2
detection/execution/exotic-commands-macos.sql
View File

@ -79,7 +79,7 @@ WHERE
) != "" -- suspicious things
OR REGEX_MATCH (
p.cmdline,
"(UserKnownHostsFile=/dev/null|ransom|malware|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
"(UserKnownHostsFile=/dev/null|ransom|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
1
) != "" -- Crypto miners
OR REGEX_MATCH (

1
detection/execution/unexpected-execdir-linux.sql
View File

@ -67,6 +67,7 @@ WHERE
AND INSTR(path, "/var/kolide-k2/") != 1
AND INSTR(path, "/usr/share/spotify") != 1
AND INSTR(path, "/usr/share/code/") != 1
AND INSTR(path, "/usr/share/smartgit/") != 1
AND INSTR(path, "/var/home/") != 1
AND INSTR(path, "/usr/local/") != 1
AND INSTR(path, "/tmp/go-build") != 1

1
detection/execution/unexpected-gatekeeper-approvals-macos.sql
View File

@ -30,6 +30,7 @@ WHERE
AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
AND gap.path NOT LIKE '/Users/%/Downloads/missp'
AND gap.path NOT LIKE '/Users/%/Downloads/twistcli'
AND gap.path NOT LIKE '/Users/%/bom'
AND gap.path NOT LIKE '/Users/%/configure'
AND gap.path NOT LIKE '/Users/%/cosign-%'

25
detection/persistence/minimal-socket-client-linux.sql
View File

@ -36,20 +36,23 @@ WHERE
p0.path != '' -- optimization: focus on longer running processes
AND p0.start_time < (strftime('%s', 'now') - 900)
AND p0.path NOT IN (
'/usr/bin/containerd',
'/usr/bin/fusermount3',
'/usr/sbin/acpid',
'/usr/bin/dash',
'/opt/bitnami/redis/bin/redis-server',
'/usr/bin/kas',
'/usr/local/bin/gitary',
'/usr/bin/docker',
'/usr/sbin/mcelog',
'/usr/libexec/docker/docker-proxy',
'/usr/bin/docker-proxy',
'/usr/bin/cat',
'/usr/bin/containerd',
'/usr/bin/dash',
'/usr/bin/docker',
'/usr/bin/docker-proxy',
'/usr/bin/fusermount3',
'/usr/bin/i3blocks',
'/usr/bin/kas',
'/usr/bin/vmalert',
'/usr/lib/electron/chrome-sandbox',
'/usr/bin/i3blocks'
'/usr/libexec/docker/docker-proxy',
'/usr/lib/snapd/snapd',
'/usr/local/bin/containerd',
'/usr/local/bin/gitary',
'/usr/sbin/acpid',
'/usr/sbin/mcelog'
)
AND p0.name NOT IN (
'chrome_crashpad',

1
detection/persistence/suspicious-systemd-unit.sql
View File

@ -226,6 +226,7 @@ rule usr_bin_execstop_shell : medium {
$execstop = /ExecStop=\/bin\/sh .{0,64}/
$not_podman_logging = "/usr/bin/podman $LOGGING"
$not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
$not_nfs = /ExecStop=\/bin\/sh -c \'\/usr\/sbin\/nfsdctl /
condition:
filesize < 4096 and $execstop and none of ($not*)
}

20
detection/persistence/unexpected-active-systemd-units.sql
View File

@ -59,9 +59,9 @@ WHERE
'anacron.service,Run anacron jobs,',
'anacron.timer,Trigger anacron every hour,',
'apache2.service,The Apache HTTP Server,',
'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
'apcupsd.service,APC UPS Power Control Daemon for Linux,',
'apparmor.service,Load AppArmor profiles,',
'vnstat.service,vnStat network traffic monitor,vnstat',
'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
'apport-autoreport.service,Process error reports when automatic reporting is enabled,',
'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
@ -90,9 +90,9 @@ WHERE
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'bootupd.socket,bootupd.socket,',
'brew-upgrade.service,Upgrade Brew packages,1000',
'brew-update.service,Auto update brew for mutable brew installs,1000',
'brew-update.timer,Timer for brew update for mutable brew,',
'brew-upgrade.service,Upgrade Brew packages,1000',
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
'ca-certificates.path,Watch for changes in CA certificates,',
@ -175,7 +175,6 @@ WHERE
'iscsiuio.socket,Open-iSCSI iscsiuio Socket,',
'issue-generator.path,Watch for changes in issue snippets,',
'iwd.service,Wireless service,',
'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
'jeos-firstboot.service,SUSE JeOS First Boot Wizard,',
'jeos-firstboot-snapshot.service,SUSE JeOS First Boot Wizard - create system snapshot,',
'kbdsettings.service,Apply settings from /etc/sysconfig/keyboard,',
@ -327,9 +326,11 @@ WHERE
'sshd.service,OpenSSH Daemon,',
'sshd.service,OpenSSH server daemon,',
'sshd.service,SSH Daemon,',
'sshd-unix-local.socket,OpenSSH Server Socket (systemd-ssh-generator, AF_UNIX Local),',
'ssh.service,OpenBSD Secure Shell server,',
'ssh.socket,OpenBSD Secure Shell server socket,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,sssd',
'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
'supergfxd.service,SUPERGFX,',
'swapfile.swap,/swapfile,',
@ -340,19 +341,23 @@ WHERE
'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
'sysstat.service,Resets System Activity Logs,root',
'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
'system-cups.slice,CUPS Slice,',
'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
'systemd-binfmt.service,Set Up Additional Binary Formats,',
'systemd-bootctl.socket,Boot Entries Service Socket,',
'systemd-boot-random-seed.service,Update Boot Loader Random Seed,',
'systemd-boot-update.service,Automatic Boot Loader Update,',
'systemd-coredump.socket,Process Core Dump Socket,',
'systemd-creds.socket,Credential Encryption/Decryption,',
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
'systemd-fsck-root.service,File System Check on Root Device,',
'systemd-growfs@-.service,Grow File System on /,',
'systemd-homed-activate.service,Home Area Activation,',
'systemd-homed.service,Home Area Manager,',
'systemd-hostnamed.service,Hostname Service,',
'systemd-hostnamed.socket,Hostname Service Socket,',
'systemd-hwdb-update.service,Rebuild Hardware Database,',
'systemd-initctl.socket,initctl Compatibility Named Pipe,',
'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
@ -360,16 +365,20 @@ WHERE
'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
'systemd-journald.service,Journal Service,',
'systemd-journald.socket,Journal Socket,',
'systemd-journald.socket,Journal Sockets,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-localed.service,Locale Service,',
'systemd-logind.service,User Login Management,',
'systemd-machined.service,Virtual Machine and Container Registration Service,',
'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
'systemd-modules-load.service,Load Kernel Modules,',
'systemd-mountfsd.socket,DDI File System Mounter Socket,',
'systemd-networkd.service,Network Configuration,systemd-network',
'systemd-networkd.socket,Network Service Netlink Socket,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-nsresourced.service,Namespace Resource Manager,',
'systemd-nsresourced.socket,Namespace Resource Manager Socket,',
'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
@ -383,6 +392,7 @@ WHERE
'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,',
'systemd-suspend.service,System Suspend,',
'systemd-sysctl.service,Apply Kernel Variables,',
'systemd-sysext.socket,System Extension Image Management,',
'systemd-sysext.socket,System Extension Image Management (Varlink),',
'systemd-sysusers.service,Create System Users,',
'systemd-timedated.service,Time & Date Service,',
@ -395,6 +405,7 @@ WHERE
'systemd-udevd-control.socket,udev Control Socket,',
'systemd-udevd-kernel.socket,udev Kernel Socket,',
'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
'systemd-udev-load-credentials.service,Load udev Rules from Credentials,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-update-done.service,Update is Completed,',
@ -410,6 +421,8 @@ WHERE
'thermald.service,Thermal Daemon Service,',
'tlp.service,TLP system startup/shutdown,',
'touchegg.service,Touchégg Daemon,',
'tuned-ppd.service,PPD-to-TuneD API Translation Daemon,',
'tuned.service,Dynamic System Tuning Daemon,',
'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,',
'ua-timer.timer,Ubuntu Pro Timer for running repeated jobs,',
'ublue-system-setup.service,Configure system,',
@ -485,6 +498,7 @@ WHERE
'virtvboxd-admin.socket,libvirt VirtualBox daemon admin socket,',
'virtvboxd-ro.socket,libvirt VirtualBox daemon read-only socket,',
'virtvboxd.socket,libvirt VirtualBox daemon socket,',
'vnstat.service,vnStat network traffic monitor,vnstat',
'whoopsie.path,Start whoopsie on modification of the /var/crash directory,',
'wickedd-auto4.service,wicked AutoIPv4 supplicant service,',
'wickedd-dhcp4.service,wicked DHCPv4 supplicant service,',

1
detection/persistence/unexpected-chrome-extensions.sql
View File

@ -228,6 +228,7 @@ WHERE state = 1
'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
'true,,LeadIQ: Contact Data in One Click,befngoippmpmobkkpkdoblkmofpjihnk',
'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia',
'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',

3
detection/persistence/unexpected-cron-entries.sql
View File

@ -27,4 +27,5 @@ WHERE
AND command NOT LIKE 'gsutil %'
AND command NOT LIKE 'root command -v debian-sa1%'
AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
AND command NOT LIKE 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
AND command NOT IN ("ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill")

46
detection/persistence/unexpected-device-linux.sql
View File

@ -60,39 +60,39 @@ WHERE (
AND path NOT LIKE '%/./%'
AND path NOT LIKE '%/../%'
AND exception_key NOT IN (
'/dev/HID-SENSOR-e..auto,character',
'/dev/accel/,directory',
'/dev/accel/accel,character',
'/dev/accel/,directory',
'/dev/acpi_thermal_rel,character',
'/dev/autofs,character',
'/dev/binder,character',
'/dev/binderfs/,directory',
'/dev/binderfs/binder,character',
'/dev/binderfs/binder-control,character',
'/dev/binderfs/,directory',
'/dev/binderfs/features,directory',
'/dev/binderfs/hwbinder,character',
'/dev/binderfs/vndbinder,character',
'/dev/block/,directory',
'/dev/block/:,block',
'/dev/bsg/,directory',
'/dev/block/,directory',
'/dev/bsg/:::,character',
'/dev/bsg/,directory',
'/dev/btrfs-control,character',
'/dev/bus/,directory',
'/dev/bus/usb,directory',
'/dev/cdrom,block',
'/dev/cec,character',
'/dev/char/,directory',
'/dev/char/:,character',
'/dev/char/,directory',
'/dev/char/:,unknown',
'/dev/console,character',
'/dev/core,regular',
'/dev/cpu/,directory',
'/dev/cpu/microcode',
'/dev/cpu_dma_latency,character',
'/dev/cpu/microcode',
'/dev/cros_ec,character',
'/dev/cuse,character',
'/dev/data/,directory',
'/dev/data/root,block',
'/dev/dbc,character',
'/dev/disk/,directory',
'/dev/disk/by-diskseq,directory',
'/dev/disk/by-dname,directory',
'/dev/disk/by-id,directory',
@ -103,12 +103,13 @@ WHERE (
'/dev/disk/by-partuuid,directory',
'/dev/disk/by-path,directory',
'/dev/disk/by-uuid,directory',
'/dev/dm-,block',
'/dev/disk/,directory',
'/dev/dma_heap/,directory',
'/dev/dma_heap/system,character',
'/dev/dri/,directory',
'/dev/dm-,block',
'/dev/dri/by-path,directory',
'/dev/dri/card,character',
'/dev/dri/,directory',
'/dev/dri/renderD,character',
'/dev/drm_dp_aux,character',
'/dev/ecryptfs,character',
@ -123,6 +124,7 @@ WHERE (
'/dev/fuse,character',
'/dev/gpiochip,character',
'/dev/hidraw,character',
'/dev/HID-SENSOR-e..auto,character',
'/dev/hpet,character',
'/dev/hugepages/,directory',
'/dev/hugepages/libvirt,directory',
@ -131,9 +133,9 @@ WHERE (
'/dev/ic-,character',
'/dev/iio:device,character',
'/dev/initctl,fifo',
'/dev/input/,directory',
'/dev/input/by-id,directory',
'/dev/input/by-path,directory',
'/dev/input/,directory',
'/dev/input/event,character',
'/dev/input/js,character',
'/dev/input/mice,character',
@ -142,8 +144,8 @@ WHERE (
'/dev/kfd,character',
'/dev/kmsg,character',
'/dev/kvm,character',
'/dev/libmtp--.,character',
'/dev/libmtp--,character',
'/dev/libmtp--.,character',
'/dev/log,socket',
'/dev/loop,block',
'/dev/loop-control,character',
@ -153,9 +155,9 @@ WHERE (
'/dev/mei,character',
'/dev/mem,character',
'/dev/mqueue/,directory',
'/dev/mtd/by-name,directory',
'/dev/mtd,character',
'/dev/mtd/,directory',
'/dev/mtd/by-name,directory',
'/dev/mtdro,character',
'/dev/net/,directory',
'/dev/net/tun,character',
@ -163,10 +165,10 @@ WHERE (
'/dev/ntsync,character',
'/dev/null,character',
'/dev/nvidia,character',
'/dev/nvidiactl,character',
'/dev/nvidia-modeset,character',
'/dev/nvidia-uvm,character',
'/dev/nvidia-uvm-tools,character',
'/dev/nvidiactl,character',
'/dev/nvme,character',
'/dev/nvmen,block',
'/dev/nvmenp,block',
@ -188,22 +190,23 @@ WHERE (
'/dev/sdc,block',
'/dev/sdd,block',
'/dev/sde,block',
'/dev/serial/,directory',
'/dev/serial/by-id,directory',
'/dev/serial/by-path,directory',
'/dev/serial/,directory',
'/dev/sg,character',
'/dev/sgx_provision',
'/dev/shm/,directory',
'/dev/shm/envoy_shared_memory_,regular',
'/dev/shm/jack_db-,directory',
'/dev/shm/libpod_lock,regular',
'/dev/shm/libpod_rootless_lock_,regular',
'/dev/shm/lttng-ust-wait-,regular',
'/dev/shm/lttng-ust-wait--,regular',
'/dev/snapshot,character',
'/dev/snd/,directory',
'/dev/snd/by-id,directory',
'/dev/snd/by-path,directory',
'/dev/snd/controlC,character',
'/dev/snd/,directory',
'/dev/snd/hwCD,character',
'/dev/snd/pcmCDc,character',
'/dev/snd/pcmCDp,character',
@ -219,10 +222,10 @@ WHERE (
'/dev/tee,character',
'/dev/tpm,character',
'/dev/tpmrm,character',
'/dev/tty,character',
'/dev/ttyACM,character',
'/dev/ttyS,character',
'/dev/tty,character',
'/dev/ttyprintk,character',
'/dev/ttyS,character',
'/dev/ubuntu-vg/,directory',
'/dev/udmabuf,character',
'/dev/uhid,character',
@ -233,8 +236,8 @@ WHERE (
'/dev/usbmon,character',
'/dev/userfaultfd,character',
'/dev/userio,character',
'/dev/vcs,character',
'/dev/vcsa,character',
'/dev/vcs,character',
'/dev/vcsu,character',
'/dev/vfio/,directory',
'/dev/vfio/vfio,character',
@ -251,11 +254,11 @@ WHERE (
'/dev/vhost-vsock',
'/dev/vhost-vsock,character',
'/dev/video,character',
'/dev/vl-subdev,character',
'/dev/vl/,directory',
'/dev/vl/by-id,directory',
'/dev/vl/by-path,directory',
'/dev/vl/,directory',
'/dev/vlloopback,character',
'/dev/vl-subdev,character',
'/dev/vndbinder,character',
'/dev/vsock,character',
'/dev/watchdog,character',
@ -276,6 +279,7 @@ WHERE (
AND NOT path LIKE '/dev/shm/sem.mp-%'
AND NOT path LIKE '/dev/shm/u%-Shm_%'
AND NOT path LIKE '/dev/shm/.com.google.Chrome.%'
AND NOT path LIKE '/dev/shm/.com.microsoft.Edge.%'
AND NOT path LIKE '/dev/shm/libv4l-%'
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
AND NOT path LIKE '/dev/%-vg/%-lv'

1
detection/persistence/unexpected-listening-port-macos.sql
View File

@ -99,6 +99,7 @@ WHERE
'3306,6,500,mariadbd,',
'3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'33333,6,500,Ultimate,',
'49152,6,500,Windsurf Helper (Plugin),Developer ID Application: EXAFUNCTION, INC. (83Z2LHX6XW)',
'3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
'3491,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',

5
detection/persistence/yara-suspicious-strings-process-linux.sql
View File

@ -1,5 +1,5 @@
-- Currently running program with Linux red flags
--
--
-- reference:
-- * https://github.com/timb-machine/linux-malware/blob/725aad34e216cc024c93b04964b289f10f819e6e/defensive/yara/personal-malware-bazaar/unixredflags3.yara
--
@ -53,7 +53,7 @@ WHERE
GROUP BY
path
)
AND yara.sigrule = '
AND yara.sigrule = '
rule redflags {
strings:
$bash_history = ".bash_history"
@ -103,6 +103,7 @@ WHERE
'/bin/fish',
'/bin/dash',
'/bin/sh',
'/usr/lib/systemd/systemd-executor',
'/usr/bin/bash',
'/usr/lib/snapd/snapd',
'/usr/bin/snap',

1
detection/privesc/unexpected-setxid-process.sql
View File

@ -34,6 +34,7 @@ WHERE
'/usr/lib/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper',
'/opt/google/chrome/chrome-sandbox',
'/opt/IRCCloud/chrome-sandbox',
'/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
'/usr/bin/doas',
'/usr/bin/crontab',