mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-17 19:44:31 +00:00
Merge pull request #383 from tstromberg/suspicious-systemd
new detection: suspicious systemd units
This commit is contained in:
commit
73f76d5f1d
268
detection/persistence/suspicious-systemd-unit.sql
Normal file
268
detection/persistence/suspicious-systemd-unit.sql
Normal file
@ -0,0 +1,268 @@
|
||||
-- Funky systemd units, may be evidence of persistence
|
||||
--
|
||||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service)
|
||||
-- * https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
|
||||
-- * https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/
|
||||
--
|
||||
-- false positives:
|
||||
-- * home-made systemd files
|
||||
--
|
||||
-- tags: persistent filesystem systemd
|
||||
-- platform: linux
|
||||
SELECT
|
||||
file.path,
|
||||
file.size,
|
||||
file.btime,
|
||||
file.ctime,
|
||||
file.mtime,
|
||||
hash.sha256,
|
||||
yara.*
|
||||
FROM file
|
||||
JOIN yara ON file.path = yara.path
|
||||
JOIN hash ON file.path = hash.path
|
||||
WHERE
|
||||
file.path IN (
|
||||
SELECT DISTINCT(fragment_path) FROM systemd_units
|
||||
WHERE fragment_path LIKE "%.service"
|
||||
AND NOT fragment_path LIKE "/run/systemd/generator.late/%"
|
||||
)
|
||||
AND yara.sigrule = '
|
||||
rule systemd_execstart_danger_path_val : high {
|
||||
meta:
|
||||
ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/"
|
||||
description = "Starts from a dangerous-looking path"
|
||||
strings:
|
||||
$awkward = /ExecStart=\/(boot|var|tmp|dev|root)\/[\.\w\-\/]{0,32}/
|
||||
condition:
|
||||
filesize < 102400 and $awkward
|
||||
}
|
||||
|
||||
rule systemd_execstart_elsewhere : medium {
|
||||
meta:
|
||||
description = "Starts from an unusual path"
|
||||
ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/"
|
||||
hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
|
||||
hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289"
|
||||
hash_2024_2024_Spinning_YARN_yarn_fragments = "723326f8551f2a92ccceeec93859f58df380a3212e7510bc64181f2a0743231c"
|
||||
strings:
|
||||
$execstart = /ExecStart=\/[\w\/]{1,128}/
|
||||
$not_bin = "ExecStart=/bin/"
|
||||
$not_bin_true = "ExecStart=/bin/true"
|
||||
$not_etc_rcd = "ExecStart=/etc/rc.d/rc.local"
|
||||
$not_etc_rc_local = "ExecStart=/etc/rc.local"
|
||||
$not_init_d = "ExecStart=/etc/init.d/"
|
||||
$not_lib = "ExecStart=/lib/"
|
||||
$not_motd = "ExecStart=/etc/update-motd.d/"
|
||||
$not_opt = "ExecStart=/opt/"
|
||||
$not_sbin = "ExecStart=/sbin/"
|
||||
$not_usr_bin = "ExecStart=/usr/bin/"
|
||||
$not_usr_libexec = "ExecStart=/usr/libexec/"
|
||||
$not_usr_lib = "ExecStart=/usr/lib/"
|
||||
$not_usr_local = "ExecStart=/usr/local/"
|
||||
$not_usr_sbin = "ExecStart=/usr/sbin/"
|
||||
$not_usr_share = "ExecStart=/usr/share/"
|
||||
condition:
|
||||
filesize < 102400 and $execstart and none of ($not_*)
|
||||
}
|
||||
|
||||
rule systemd_execstop_elsewhere : medium {
|
||||
meta:
|
||||
ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
|
||||
description = "Runs program from unexpected directory at stop"
|
||||
strings:
|
||||
$execstop = /ExecStop=\/[\w\.\_\-]{2,64}/
|
||||
$not_lib = "ExecStop=/lib/"
|
||||
$not_opt = "ExecStart=/opt/"
|
||||
$not_sbin = "ExecStop=/sbin/"
|
||||
$not_usr_libexec = "ExecStop=/usr/libexec/"
|
||||
$not_usr_lib = "ExecStop=/usr/lib/"
|
||||
$not_usr_local = "ExecStop=/usr/local/"
|
||||
$not_usr_sbin = "ExecStop=/usr/sbin/"
|
||||
$not_usr_share = "ExecStop=/usr/share/"
|
||||
condition:
|
||||
filesize < 384 and $execstop and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_small_no_blank_lines : high {
|
||||
meta:
|
||||
ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/"
|
||||
hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
|
||||
strings:
|
||||
$execstart = "ExecStart"
|
||||
$blank = "\n\n"
|
||||
$not_dbus = "Type=dbus"
|
||||
$not_after = /After=\w/
|
||||
$not_before = /Before=\w{1,128}/
|
||||
$not_notify = "Type=notify"
|
||||
condition:
|
||||
filesize < 512 and $execstart and not $blank and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_small_multiuser_no_comments_or_documentation : high {
|
||||
meta:
|
||||
ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/"
|
||||
description = "systemd unit is undocumented"
|
||||
strings:
|
||||
$execstart = "ExecStart="
|
||||
$multiuser = "multi-user.target"
|
||||
$not_comment = "# "
|
||||
$not_documentation = "Documentation="
|
||||
$not_requires_socket = /Requires=.{0,64}socket/
|
||||
$not_condition_path = "Condition"
|
||||
$not_after = "After="
|
||||
$not_systemd = "ExecStart=systemd-"
|
||||
$not_output = "StandardOutput="
|
||||
$not_part_of = "PartOf="
|
||||
$not_dbus = "Type=dbus"
|
||||
$not_oneshot = "Type=oneshot"
|
||||
$not_lima = "Description=lima-guestagent"
|
||||
condition:
|
||||
filesize < 384 and $execstart and $multiuser and none of ($not_*)
|
||||
}
|
||||
rule systemd_small_no_output : high {
|
||||
meta:
|
||||
description = "Discards all logging output"
|
||||
strings:
|
||||
$output_null = "StandardOutput=null"
|
||||
$error_null = "StandardError=null"
|
||||
$not_input_null = "StandardInput=null"
|
||||
$not_syslog = "syslog"
|
||||
$not_before = "Before="
|
||||
$not_display = "WantedBy=display-manager.service"
|
||||
condition:
|
||||
filesize < 384 and ($output_null and $error_null) and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_small_multiuser_not_in_dependency_tree : high {
|
||||
meta:
|
||||
description = "Relies on nothing, nothing relies on it"
|
||||
hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
|
||||
strings:
|
||||
$execstart = "ExecStart="
|
||||
$multiuser = "multi-user.target"
|
||||
$not_after = /After=\w/
|
||||
$not_before = /Before=\w{1,128}/
|
||||
$not_requires = /Requires=\w/
|
||||
$not_condition = "Condition"
|
||||
$not_oneshot = "Type=oneshot"
|
||||
$not_default = "DefaultDependencies=no"
|
||||
$not_env = "EnvironmentFile="
|
||||
$not_bus = "BusName="
|
||||
$not_idle = "Type=idle"
|
||||
$not_systemd = "ExecStart=systemd-"
|
||||
$not_lima = "Description=lima-guestagent"
|
||||
condition:
|
||||
filesize < 384 and $execstart and $multiuser and none of ($not_*)
|
||||
}
|
||||
|
||||
rule sytemd_small_type_forking_not_in_dep_tree : high {
|
||||
meta:
|
||||
hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe"
|
||||
hash_2023_Unix_Malware_Kaiji_3e68 = "3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4"
|
||||
hash_2023_Unix_Malware_Kaiji_f4a6 = "f4a64ab3ffc0b4a94fd07a55565f24915b7a1aaec58454df5e47d8f8a2eec22a"
|
||||
strings:
|
||||
$forking = "Type=forking"
|
||||
$not_after = /After=\w/
|
||||
$not_before = /Before=\w{1,128}/
|
||||
$not_condition = "ConditionPath"
|
||||
$not_oneshot = "Type=oneshot"
|
||||
$not_default_deps = "DefaultDependencies=no"
|
||||
$not_env = "EnvironmentFile="
|
||||
$not_bus = "BusName="
|
||||
$not_idle = "Type=idle"
|
||||
$not_systemd = "ExecStart=systemd-"
|
||||
$not_default_target = "WantedBy=default.target"
|
||||
condition:
|
||||
filesize < 384 and $forking and none of ($not_*)
|
||||
}
|
||||
|
||||
rule systemd_small_restart_always : medium {
|
||||
meta:
|
||||
description = "service restarts no matter how many times it crashes"
|
||||
hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
|
||||
strings:
|
||||
$restart = "Restart=always"
|
||||
$not_syslog = "SyslogLevel="
|
||||
$not_gpl = "GPL-2.0-only"
|
||||
$not_after = /After=\w/
|
||||
$not_before = /Before=\w{1,128}/
|
||||
$not_notify = "Type=notify"
|
||||
condition:
|
||||
filesize < 384 and $restart and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_small_short_description {
|
||||
meta:
|
||||
description = "Short or no description"
|
||||
strings:
|
||||
$execstart = "ExecStart="
|
||||
$short_desc = /Description=\n/
|
||||
condition:
|
||||
filesize < 384 and all of them
|
||||
}
|
||||
|
||||
rule systemd_nice_execstart_restart_no_comment {
|
||||
meta:
|
||||
description = "Sets nice value and restarts always without comments, possible miner"
|
||||
strings:
|
||||
$has_execstart = "ExecStart="
|
||||
$has_restart = "Restart=always"
|
||||
$has_nice = "Nice="
|
||||
$not_comment = "#"
|
||||
condition:
|
||||
filesize < 4096 and all of ($has*) and none of ($not*)
|
||||
}
|
||||
|
||||
rule usr_bin_execstop_shell : medium {
|
||||
meta:
|
||||
ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
|
||||
description = "Runs shell script at stop"
|
||||
strings:
|
||||
$execstop = /ExecStop=\/bin\/sh .{0,64}/
|
||||
$not_podman_logging = "/usr/bin/podman $LOGGING"
|
||||
condition:
|
||||
filesize < 4096 and $execstop and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_hidden_execstart : critical {
|
||||
meta:
|
||||
description = "ExecStart references hidden file"
|
||||
strings:
|
||||
$path_top_bin = /ExecStart=\/\.[\w\/]+/
|
||||
$path_sub_bin = /ExecStart=\/\w[\w\/]*\/\.\w+/
|
||||
$path_arg_sub = /ExecStart=.* \/\w[\w\/]*\/\.\w+/
|
||||
$path_arg_top = /ExecStart=.* \/\.[\w\/]+/
|
||||
$not_autorelabel = "/.autorelabel"
|
||||
$not_exists = "ConditionPathExists"
|
||||
$not_ksysguard = "/.ksysguard/ksgrd_network_helper"
|
||||
condition:
|
||||
any of ($path*) and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_hidden_execstop : critical {
|
||||
meta:
|
||||
description = "ExecStop references hidden file"
|
||||
strings:
|
||||
$path_top_bin = /ExecStart=\/\.[\w\/]+/
|
||||
$path_sub_bin = /ExecStart=\/\w[\w\/]*\/\.\w+/
|
||||
$path_arg_sub = /ExecStart=.* \/\w[\w\/]*\/\.\w+/
|
||||
$path_arg_top = /ExecStart=.* \/\.[\w\/]+/
|
||||
|
||||
$not_autorelabel = "/.autorelabel"
|
||||
$not_exists = "ConditionPathExists"
|
||||
condition:
|
||||
any of ($path*) and none of ($not*)
|
||||
}
|
||||
|
||||
rule systemd_hidden_working_directory : critical {
|
||||
meta:
|
||||
description = "WorkingDirectory is a hidden"
|
||||
strings:
|
||||
$ref = /WorkingDirectory=.*\/\..*/
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
'
|
||||
|
||||
AND yara.count > 0
|
Loading…
Reference in New Issue
Block a user