Optimize queries for lower false positives

This commit is contained in:
Thomas Stromberg 2022-10-07 16:19:18 -04:00
parent 24abbda57e
commit 75a858b4ee
18 changed files with 258 additions and 97 deletions


@ -34,6 +34,7 @@ WHERE pmm.path LIKE "%libpcap%"
AND child_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND NOT s.authority IN (
"Software Signing",
"Apple Mac OS Application Signing"
"Apple Mac OS Application Signing",
"Developer ID Application: Kolide Inc (YZ3EM74M78)"
)
GROUP BY pmm.pid


@ -73,6 +73,7 @@ WHERE f.uid != ""
"firefox,file:// Content,~/.mozilla/firefox",
"firefox,firefox,~/.cache/mozilla",
"firefox,firefox,~/.mozilla/firefox",
"firefox,file:// Content,~/.cache/mozilla",
"firefox,firefox,~/snap/firefox",
"firefox,Isolated Servic,~/.cache/mozilla",
"firefox,Isolated Servic,~/snap/firefox",


@ -55,60 +55,60 @@ WHERE
) IN (
"10250,6,0,kubelet",
"10256,6,0,kube-proxy",
"17,255,500,dhcpcd",
"1716,6,500,kdeconnectd",
"22,6,0,sshd",
"443,6,500,jcef_helper",
"4143,6,500,linkerd2-proxy",
"17,255,0,dhcpcd",
"17,255,500,dhcpcd",
"22000,6,500,syncthing",
"22,6,0,sshd",
"3000,6,472,grafana-server",
"8086,6,500,controller",
"4191,6,500,linkerd2-proxy",
"3000,6,500,grafana-server",
"8090,6,500,linkerd-policy-",
"32768,6,0,tailscaled",
"32768,6,0,.tailscaled-wra",
"32768,6,0,tailscaled",
"32768,6,0,tailscaled",
"32768,6,500,com.docker.backend",
"32768,6,500,dleyna-renderer",
"32768,6,500,spotify",
"3551,6,0,apcupsd",
"8443,6,500,controller",
"4143,6,500,linkerd2-proxy",
"4191,6,500,linkerd2-proxy",
"443,6,500,jcef_helper",
"4443,6,500,metrics-server",
"5000,6,500,ControlCenter",
"5001,6,0,registry",
"53,17,0,coredns",
"53,17,500,dnsmasq",
"5355,6,193,systemd-resolve",
"53,6,0,coredns",
"53,6,500,dnsmasq",
"5355,6,193,systemd-resolve",
"5432,6,70,postgres",
"546,17,500,dhcpcd",
"58,255,0,dhcpcd",
"58,255,0,NetworkManager",
"58,255,500,dhcpcd",
"53,17,500,dnsmasq",
"631,17,0,cups-browsed",
"6379,6,500,redis-server",
"6443,6,0,kube-apiserver",
"67,17,500,dnsmasq",
"8009,6,0,java",
"68,17,500,dhcpcd",
"7000,6,500,ControlCenter",
"80,6,60,nginx",
"8008,6,500,controlplane",
"8009,6,0,java",
"80,6,60,nginx",
"8080,6,0,coredns",
"443,6,500,jcef_helper",
"8086,6,0,influxd",
"4443,6,500,metrics-server",
"32768,6,500,dleyna-renderer",
"8080,6,0,java",
"8086,6,0,influxd",
"8086,6,500,controller",
"8086,6,500,influxd",
"53,17,500,dnsmasq",
"8090,6,500,linkerd-policy-",
"8123,6,500,Brackets-node",
"8181,6,0,coredns",
"8443,6,0,kube-apiserver",
"8443,6,500,controller",
"8443,6,500,controlplane",
"9000,6,500,authentik-proxy",
"9090,6,500,controlplane",
"9153,6,0,coredns",
"9300,6,500,authentik-proxy"
)
AND NOT (
p.path LIKE ",ko-app,%"
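Review bot: The listening-port exception list carries two consecutive `"32768,6,0,tailscaled"` entries and more than one `"53,17,500,dnsmasq"`; with the diff markers lost I cannot be certain every copy is on the new side, but a repeated entry inside an `IN (...)` list is dead weight and usually signals a merge slip during the re-sort. Dropping the extra copies keeps the list sorted and greppable, which is the point of the reordering. The enclosing WHERE clause begins before this hunk.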


@ -125,13 +125,13 @@ WHERE protocol > 0
AND NOT exception_key IN (
"123,17,,",
"123,17,500,chronyd",
"22,6,,",
-- shortlived SSH (git push)
"22,6,500,ssh",
"22067,6,500,syncthing",
"22,6,,",
"22,6,500,ssh",
"27024,6,500,steam",
"3100,6,500,firefox",
"3100,6,500,k6",
"32768,6,0,tailscaled",
"3307,6,500,cloud_sql_proxy",
"4070,6,500,spotify",
"443,17,500,chrome",
@ -139,7 +139,7 @@ WHERE protocol > 0
"443,17,500,jcef_helper",
"443,17,500,slack",
"443,17,500,spotify",
"443,6,0,.tailscaled-wra",
"443,6,0,apk",
"443,6,0,containerd",
"443,6,0,depmod",
"443,6,0,dirmngr",
@ -147,17 +147,17 @@ WHERE protocol > 0
"443,6,0,dockerd",
"443,6,0,influxd",
"443,6,0,launcher",
"443,6,0,nix",
"443,6,0,nix-daemon",
"443,6,0,packagekitd",
"443,6,0,pacman",
"443,6,0,snapd",
"443,6,0,systemctl",
"443,6,0,tailscaled",
"443,6,0,.tailscaled-wra",
"443,6,0,yum",
"443,6,105,https",
-- /usr/lib/apt/methods/https
"443,6,472,grafana-server",
"443,6,500,___go_build_github_com_anchore_grype,a.out,",
"443,6,500,.firefox-wrappe",
"443,6,500,1password",
"443,6,500,authentik-proxy",
"443,6,500,aws",
@ -179,6 +179,7 @@ WHERE protocol > 0
"443,6,500,electron",
"443,6,500,emacs",
"443,6,500,firefox",
"443,6,500,.firefox-wrappe",
"443,6,500,flameshot",
"443,6,500,geoclue",
"443,6,500,gh",
@ -187,6 +188,7 @@ WHERE protocol > 0
"443,6,500,gnome-shell",
"443,6,500,gnome-software",
"443,6,500,go",
"443,6,500,___go_build_github_com_anchore_grype,a.out,",
"443,6,500,grafana-server",
"443,6,500,grype",
"443,6,500,gunicorn",
@ -202,12 +204,13 @@ WHERE protocol > 0
"443,6,500,ko",
"443,6,500,kolide-pipeline",
"443,6,500,kubectl",
"443,6,500,minicli",
"443,6,500,ngrok",
"443,6,500,nix",
"443,6,500,node",
"443,6,500,obs",
"443,6,500,obs-browser-page",
"443,6,500,obs-ffmpeg-mux",
"443,6,500,obs",
"443,6,500,obsidian",
"443,6,500,pingsender",
"443,6,500,pip",
@ -220,11 +223,11 @@ WHERE protocol > 0
"443,6,500,spotify",
"443,6,500,steamwebhelper",
"443,6,500,teams",
"443,6,500,terraform-provi",
"443,6,500,terraform",
"443,6,500,terraform-provi",
"443,6,500,tkn",
"443,6,500,.tox-wrapped",
"443,6,500,trivy",
"443,6,0,systemctl",
"443,6,500,vcluster",
"443,6,500,vim",
"443,6,500,WebKitNetworkPr",
@ -236,31 +239,29 @@ WHERE protocol > 0
"443,6,500,zoom",
"5228,6,500,chrome",
"6000,6,500,ssh",
"67,17,0,NetworkManager",
"7903,6,500,syncthing",
"80,6,0,.tailscaled-wra",
"8006,6,500,chrome",
"80,6,0,dnf",
"443,6,500,.tox-wrapped",
"80,6,0,gdk-pixbuf-quer",
"80,6,0,NetworkManager",
"80,6,0,pacman",
"80,6,0,tailscaled",
"80,6,0,.tailscaled-wra",
"80,6,0,yum",
"80,6,105,http",
-- /usr/lib/apt/methods/http
"80,6,500,.firefox-wrappe",
"80,6,500,curl",
"80,6,500,firefox",
"80,6,500,.firefox-wrappe",
"80,6,500,gitsign",
"80,6,500,slack",
"80,6,500,spotify",
"67,17,0,NetworkManager",
"80,6,500,steam",
"80,6,0,gdk-pixbuf-quer",
"80,6,500,steamwebhelper",
"80,6,500,syncthing",
"8006,6,500,chrome",
"8801,17,500,zoom",
"9090,6,500,firefox",
"9090,6,500,k6",
"443,6,0,nix",
"9090,6,500,prometheus",
"9090,6,500,rootlessport"
) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
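Review bot: The trailing comment `-- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.` is now attached to the closing parenthesis of the whole exception list, where it reads as a description of every entry; it belongs next to the `"443,6,0,nix"` / `"443,6,500,nix"` entries it was written for, which the re-sort moved into the middle of the list. The `-- shortlived SSH (git push)` comment has likewise drifted away from the `"22,6,500,ssh"` entry it annotates. Separately, `"443,6,500,___go_build_github_com_anchore_grype,a.out,"` has six comma-separated fields while every neighbouring key has four, so unless `exception_key` is assembled differently from what the surrounding entries suggest (its definition is outside the hunk), that entry can never match and should be `"443,6,500,___go_build_github_com_anchore_grype"`.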


@ -116,8 +116,8 @@ WHERE protocol > 0
"22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)",
"22,6,500,ssh,,",
"22,6,500,ssh,com.apple.openssh,Software Signing",
"22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
"22,6,500,ssh,ssh,",
"22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
"30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
@ -133,17 +133,17 @@ WHERE protocol > 0
"443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)",
"443,6,0,nix,nix,",
"443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,,,",
"443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"443,6,500,,,",
"443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"443,6,500,bash,bash,",
"443,6,500,chainctl_Darwin_arm64,a.out,",
"443,6,500,chainctl,,",
"443,6,500,chainctl,a.out,",
"443,6,500,chainctl_Darwin_arm64,a.out,",
"443,6,500,civo,a.out,",
"443,6,500,cloud_sql_proxy,a.out,",
"443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,cosign,,",
"443,6,500,cosign,a.out,",
"443,6,500,crane,,",
@ -157,12 +157,12 @@ WHERE protocol > 0
"443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)",
"443,6,500,gh,a.out,",
"443,6,500,gh,gh,",
"443,6,500,git,com.apple.git,Software Signing",
"443,6,500,git,git,",
"443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing",
"443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,",
"443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,",
"443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,",
"443,6,500,git,com.apple.git,Software Signing",
"443,6,500,git,git,",
"443,6,500,gitsign,,",
"443,6,500,gitsign,a.out,",
"443,6,500,gitsign,gitsign,",
@ -187,13 +187,13 @@ WHERE protocol > 0
"443,6,500,prober,a.out,",
"443,6,500,pulumi-resource-gcp,a.out,",
"443,6,500,pulumi-resource-github,a.out,",
"443,6,500,python2.7,python2.7,",
"443,6,500,python3.10,python3.10,",
"443,6,500,Python,com.apple.python3,Software Signing",
"443,6,500,Python,org.python.python,",
"443,6,500,Python,Python,",
"443,6,500,python2.7,python2.7,",
"443,6,500,python3.10,python3.10,",
"443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing",
"443,6,500,scorecard-darwin-amd64,,",
"443,6,500,Slack Helper,,",


@ -36,13 +36,20 @@ FROM processes p
WHERE dir LIKE "%/.%"
AND NOT (
exception_key IN (
"bash,~/.local/share",
"bash,~/go/src",
"mysqld,~/.local/share",
"Electron,~/.vscode/extensions"
"Electron,~/.vscode/extensions",
"fish,~/.local/share",
"git,~/.local/share",
"mysqld,~/.local/share"
)
OR dir IN ("~/.vim", "~/.config/nvim")
OR dir IN ("~/.vim", "~/.config/nvim", "~/.cache/yay")
OR p.name IN ("bindfs", "vim", "nvim", "code")
OR dir LIKE "~/go/src/%"
OR dir LIKE "~/.local/share/nvim/%"
OR dir LIKE "~/.local/share/fish/%"
OR dir LIKE "/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%"
OR dir LIKE "~/src/%"
OR dir LIKE "~/%/.github%"
OR dir LIKE "~/code/%"
)
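Review bot: `OR dir LIKE "~/src/%"` and `OR dir LIKE "~/code/%"` exempt every hidden directory anywhere under an entire source tree, which is far wider than the other exceptions here (exact names, or `~/.local/share/...` sub-paths). If the intent is to tolerate `.git`, `.github` and build caches inside checkouts, a narrower pattern such as `OR dir LIKE "~/src/%/.git%"` keeps the rule meaningful for anything else hidden under those trees. `"~/.cache/yay"` is added to the exact-match `dir IN (...)` list; if that cache nests per-package subdirectories, a `LIKE "~/.cache/yay/%"` term may be what was intended — hedged, since how `dir` is derived is outside this hunk.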


@ -1,5 +1,4 @@
SELECT
p.pid,
SELECT p.pid,
p.path,
p.name,
p.parent,
@ -17,21 +16,17 @@ SELECT
pp.cmdline AS parent_cmd,
pp.cwd AS parent_cwd,
hash.sha256 AS parent_sha256
FROM
processes p
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
WHERE
p.on_disk != 1
-- false positives from recently spawned processes
WHERE p.on_disk != 1 -- false positives from recently spawned processes
AND (strftime("%s", "now") - p.start_time) > 15
AND p.pid > 0
AND p.parent != 2
-- kthreadd
AND p.state != "Z"
-- The kernel no longer has enough tracking information for this alert to be useful
AND p.parent != 2 -- kthreadd
AND p.state != "Z" -- The kernel no longer has enough tracking information for this alert to be useful
AND NOT (
p.parent = 1 AND p.path = ""
p.parent = 1
AND p.path = ""
)
AND NOT (
p.gid = 20
@ -42,12 +37,14 @@ WHERE
OR cmd LIKE "/Library/Apple/System/%"
OR cmd LIKE "/Library/Application Support/Logitech.localized/%"
OR cmd LIKE "/Library/Developer/CommandLineTools/%"
OR p.path IN (
"/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper"
)
OR cmd LIKE "/opt/homebrew/Cellar/%"
OR p.path LIKE "/opt/homebrew/Cellar/%"
OR p.path LIKE "/opt/homebrew/Cellar/%/bin/%"
OR cmd LIKE "/opt/homebrew/opt/%"
OR cmd LIKE "/private/var/folders/%/Visual Studio Code.app/Contents/%"
OR cmd LIKE "/Users/%/homebrew/opt/mysql/bin/%"
-- Sometimes cmd is empty also :(
OR cmd LIKE "/Users/%/homebrew/opt/mysql/bin/%" -- Sometimes cmd is empty also :(
OR parent_cmd LIKE "/Applications/Google Chrome.app/%"
)
)
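Review bot: The comment `-- false positives from recently spawned processes` is now appended to `WHERE p.on_disk != 1`, but it explains the following predicate, `(strftime("%s", "now") - p.start_time) > 15`; after the reformat it reads as if the `on_disk` test itself were a false-positive guard. Move it onto the line it describes: `AND (strftime("%s", "now") - p.start_time) > 15 -- false positives from recently spawned processes`. The same drift affects `-- Sometimes cmd is empty also :(`, which now trails the mysql `cmd LIKE` line rather than introducing the `p.path LIKE` alternatives it motivates. The exception block continues past the end of the hunk.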


@ -36,25 +36,25 @@ WHERE p.start_time > 0
"/Applications/Opal.app/Contents/Library/LaunchServices",
"/Applications/Opal.app/Contents/MacOS",
"/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper.app/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper.app/Contents/MacOS",
"/Applications/Signal.app/Contents/MacOS",
"/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS",
"/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS",
"/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS",
"/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS",
"/Applications/Slack.app/Contents/MacOS",
"/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS",
"/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (GPU).app/Contents/MacOS",
"/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (Renderer).app/Contents/MacOS",
"/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS",
"/Applications/Spotify.app/Contents/MacOS",
"/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS",
"/Applications/Stream Deck.app/Contents/MacOS",
"/Applications/Tailscale.app/Contents/MacOS",
"/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS",
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS",
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS",
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (Renderer).app/Contents/MacOS",
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS",
"/Applications/Todoist.app/Contents/MacOS",
"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS",
"/Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources",
@ -64,7 +64,6 @@ WHERE p.start_time > 0
"/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS",
"/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS",
"/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS",
"/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS",
"/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS",
"/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS",
"/usr/local/kolide-k2/bin"
@ -81,8 +80,10 @@ WHERE p.start_time > 0
"/usr/bin/dockerd",
"/usr/bin/obs",
"/usr/bin/udevadm",
"/usr/lib/at-spi-bus-launcher",
"/usr/lib/at-spi2-registryd",
"/usr/lib/at-spi-bus-launcher",
"/usr/libexec/fwupd/fwupd",
"/usr/libexec/sssd/sssd_kcm",
"/usr/lib/fwupd/fwupd",
"/usr/lib/slack/chrome_crashpad_handler",
"/usr/lib/slack/slack",
@ -92,17 +93,17 @@ WHERE p.start_time > 0
"/usr/lib/systemd/systemd-timesyncd",
"/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page",
"/usr/lib/xf86-video-intel-backlight-helper",
"/usr/libexec/fwupd/fwupd",
"/usr/libexec/sssd/sssd_kcm",
"/usr/sbin/cupsd",
"/usr/sbin/tailscaled"
)
AND NOT p.path LIKE "/Applications/%.app/%"
AND NOT p.path LIKE "/home/%/%.test"
AND NOT p.path LIKE "%-go-build%"
AND NOT p.path LIKE "/home/%/bin/%"
AND NOT p.path LIKE "/home/%/terraform-provider-%"
AND NOT p.path LIKE "/home/%/%.test"
AND NOT p.path LIKE "/Library/Apple/System/%"
AND NOT p.path LIKE "/Library/Application Support/Adobe/Adobe Desktop Common/%"
AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%" -- Known parent processes, typically GUI shells and updaters
AND NOT p.path LIKE "/Library/Application Support/Logitech.localized/%"
AND NOT p.path LIKE "/nix/store/%/bin/%"
AND NOT p.path LIKE "/opt/homebrew/bin/%"
@ -114,7 +115,7 @@ WHERE p.start_time > 0
AND NOT p.path LIKE "/private/var/folders/%/bin/%"
AND NOT p.path LIKE "/private/var/folders/%/go-build%"
AND NOT p.path LIKE "/private/var/folders/%/GoLand/%"
AND NOT p.path LIKE "/Users/%/%.test"
AND NOT p.path LIKE "/private/var/folders/%/T/pulumi-go.%"
AND NOT p.path LIKE "/Users/%/bin/%"
AND NOT p.path LIKE "/Users/%/code/%"
AND NOT p.path LIKE "/Users/%/Library/Application Support/%/Contents/MacOS/%"
@ -123,12 +124,11 @@ WHERE p.start_time > 0
AND NOT p.path LIKE "/Users/%/Library/Google/%.bundle/Contents/Helpers/%"
AND NOT p.path LIKE "/Users/%/Library/Mobile Documents/%/Contents/Frameworks%"
AND NOT p.path LIKE "/Users/%/terraform-provider-%"
AND NOT p.path LIKE "/Users/%/%.test"
AND NOT p.path LIKE "/usr/local/bin/%"
AND NOT p.path LIKE "/usr/local/Cellar/%"
AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND NOT p.path LIKE "%-go-build%"
AND NOT p.path LIKE "%/.vscode/extensions/%"
AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%" -- Known parent processes, typically GUI shells and updaters
AND NOT pp.path IN ("/usr/bin/gnome-shell") -- Filter out developers working on their own code
AND NOT (
(


@ -32,6 +32,7 @@ WHERE
OR p.cmdline LIKE "%pastebin%"
OR p.cmdline LIKE "%curl %--user-agent%"
OR p.cmdline LIKE "%curl -k%"
OR p.cmdline LIKE "%curl -sL%"
OR p.cmdline LIKE "%curl%--insecure%"
OR p.cmdline LIKE "%wget %--user-agent%"
OR p.cmdline LIKE "%wget %--no-check-certificate%"
@ -72,5 +73,6 @@ WHERE
OR p.cmdline LIKE "%LICENSES/vendor/%"
OR p.cmdline LIKE "%localhost:%"
OR p.cmdline LIKE "%127.0.0.1:%"
OR p.name IN ("apko")
)
)
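Review bot: `OR p.name IN ("apko")` exempts on process name alone, which is the weakest anchor available to this rule — every other exception in the block keys on `p.cmdline` content, and the name is whatever the launching process chose. Pair it with a path or parent constraint, e.g. `OR (p.name = "apko" AND p.path LIKE "%/apko")`, or scope it to the cmdline shape apko actually produces. The new `%curl -sL%` pattern (added to the other cmdline rule in this commit as well) is spelling-sensitive: `-fsSL`, the form most install one-liners use, and `-Ls` are not matched, so either list the common combinations or match on the `-L` flag less strictly. The enclosing WHERE starts before the hunk.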


@ -0,0 +1,26 @@
-- Discover tiny dropper binaries, such as Shikitega:
-- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
-- Duration: 0.063s
SELECT
p.pid,
p.path,
p.cmdline,
file.size,
file.mode,
p.cwd,
p.euid,
p.parent,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256
FROM
processes p
LEFT JOIN file ON p.path = file.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
WHERE file.size > 0
AND file.size < 10000
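Review bot: `hash.sha256 AS parent_sha256` is the only hash this query emits, and it is the parent's; for a tiny-dropper alert the artifact an analyst pivots on is the child binary at `p.path`, so add `LEFT JOIN hash AS chash ON p.path = chash.path` and select `chash.sha256 AS child_sha256` alongside the `file.size`/`file.mode` that already describe the child. `WHERE file.size > 0 AND file.size < 10000` also turns `LEFT JOIN file` into an inner join, so `JOIN file ON p.path = file.path` states the intent directly. The sibling `process_events` query added in this commit selects `p.mode` where this one selects `file.mode`; settling on one keeps the two outputs comparable.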


@ -25,14 +25,15 @@ FROM processes p
LEFT JOIN signature ON p.path = signature.path
WHERE f.btime == f.mtime
AND (
btime_ctime_days_diff > 0 -- change time is older than birth time
OR (btime_ctime_days_diff < -365 && btime_ctime_days_diff < -1000) -- change time is older than birth time, but not 1970
OR start_atime_days_diff > 90 -- access time is older than start time
OR start_atime_days_diff < -10 -- access time is newer than start time
)
-- Vendors that create software packages that look like a touched file.
-- Typically they have a ctime way earlier than btime (>90 days)
-- change time is older than birth time
btime_ctime_days_diff > 0 -- change time is older than birth time, but not 1970
OR (
(btime_ctime_days_diff < -365)
AND (btime_ctime_days_diff < -1000)
) -- access time is older than start time
OR start_atime_days_diff > 90 -- access time is newer than start time
OR start_atime_days_diff < -10
) -- Vendors that create software packages that look like a touched file.
AND NOT signature.authority IN (
"Apple Mac OS Application Signing",
"Developer ID Application: Adobe Inc. (JQ525L2MZD)",
@ -41,22 +42,23 @@ WHERE f.btime == f.mtime
"Developer ID Application: Bryan Jones (49EYHPJ4Q3)",
"Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)",
"Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)",
"Developer ID Application: Docker Inc (9BNSXJN65R)",
"Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)",
"Developer ID Application: Galvanix (5BRAQAFB8B)",
"Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)",
"Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)",
"Developer ID Application: Galvanix (5BRAQAFB8B)",
"Developer ID Application: GitHub (VEKTX9H2N7)",
"Developer ID Application: Google LLC (EQHXZ8M8AV)",
"Developer ID Application: Docker Inc (9BNSXJN65R)",
"Developer ID Application: Logitech Inc. (QED4VVPZWA)",
"Developer ID Application: Michael Jones (YD6LEYT6WZ)",
"Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)",
"Developer ID Application: RescueTime, Inc (FSY4RB8H39)",
"Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)",
"Developer ID Application: Yubico Limited (LQA3CS5MM7)",
"Software Signing"
)
AND NOT (
btime_ctime_days_diff < -90
AND p.euid > 500
p.euid > 500
AND (
p.path IN (
"/Applications/Divvy.app/Contents/MacOS/Divvy",
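Review bot: The reformat shifted every trailing comment in the `AND ( ... )` block one predicate too late: `-- change time is older than birth time, but not 1970` now sits on `btime_ctime_days_diff > 0`, `-- access time is older than start time` sits on a closing parenthesis, and `-- Vendors that create software packages that look like a touched file.` now closes the timestamp test instead of introducing `AND NOT signature.authority IN (`. Restoring each comment above the line it describes recovers the meaning. Separately, `(btime_ctime_days_diff < -365) AND (btime_ctime_days_diff < -1000)` reduces to `< -1000`, leaving the `< -365` term dead; given the "but not 1970" wording the second bound looks like it should point the other way, e.g. `btime_ctime_days_diff < -365 AND btime_ctime_days_diff > -1000` — worth confirming against the intended window.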


@ -54,21 +54,21 @@ WHERE dirname NOT IN (
AND signature.authority NOT IN (
"Apple Mac OS Application Signing",
"Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
"Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)",
"Developer ID Application: Figma, Inc. (T8RA8NE3B7)",
"Developer ID Application: Docker Inc (9BNSXJN65R)",
"Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)",
"Developer ID Application: Figma, Inc. (T8RA8NE3B7)",
"Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)",
"Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
"Developer ID Application: Logitech Inc. (QED4VVPZWA)",
"Developer ID Application: Objective-See, LLC (VBG97UB4TA)",
"Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)",
"Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"Developer ID Application: Valve Corporation (MXGJJ98X76)",
"Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)",
"Developer ID Application: Objective-See, LLC (VBG97UB4TA)",
"Developer ID Application: Opal Camera Inc (97Z3HJWCRT)",
"Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"Developer ID Application: Tenable, Inc. (4B8J598M7U)",
"Developer ID Application: Valve Corporation (MXGJJ98X76)",
"Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)",
"Software Signing"
)
@ -93,6 +93,7 @@ WHERE dirname NOT IN (
AND dirname NOT LIKE "/opt/homebrew/Cellar/%/libexec"
AND dirname NOT LIKE "/opt/homebrew/Cellar/%/libexec/%"
AND dirname NOT LIKE "/opt/homebrew/Cellar/%/Contents/MacOS"
AND dirname NOT LIKE "/opt/homebrew/Caskroom/%/bin"
AND dirname NOT LIKE "/private/tmp/%.app/Contents/MacOS"
AND dirname NOT LIKE "/private/tmp/go-build%/exe"
AND dirname NOT LIKE "/private/tmp/nix-build-%"
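Review bot: `"Developer ID Application: Oracle America, Inc. (VB5E2TV963)"` appears twice in the `signature.authority NOT IN (...)` list on what looks like the new side. A duplicate in a `NOT IN` list does not change results, but it hides a merge slip and undoes the greppability the re-sort was meant to restore, so one copy should go.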


@ -40,6 +40,7 @@ WHERE
"java",
"ko",
"kubectl",
"doas",
"make",
"monorail",
"nix-daemon",
@ -53,6 +54,7 @@ WHERE
"python",
"roxterm",
"sdzoomplugin",
"sh",
"skhd",
"swift",
"systemd",
@ -79,6 +81,7 @@ WHERE
"/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon",
"/opt/X11/libexec/launchd_startx",
"/sbin/launchd",
"/usr/lib/xorg/Xorg",
"/usr/bin/alacritty",
"/usr/bin/apt-get",
"/usr/bin/bash",
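Review bot: `"sh"` is added to a name list whose other members are specific daemons and tools; if this `IN (...)` is an exception list (the `WHERE` header suggests so, but the predicate that consumes it is outside the hunk), exempting a bare shell name removes much of what the rule can catch, because shell-wrapped launches are the common case. If `sh` must be tolerated, constrain it by path or parent the way the path list below does for `/usr/lib/xorg/Xorg`. Also `"doas"` lands between `kubectl` and `make`, and `/usr/lib/xorg/Xorg` between `/sbin/launchd` and `/usr/bin/alacritty`, breaking the alphabetical order the rest of each list keeps.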


@ -31,6 +31,8 @@ WHERE p.uid = 0
"/usr/bin/abrt-dump-journal-core",
"/usr/bin/abrt-dump-journal-oops",
"/usr/bin/abrt-dump-journal-xorg",
"/usr/bin/pacman",
"/usr/bin/fish",
"/usr/bin/anacron",
"/usr/bin/apcupsd",
"/usr/bin/containerd-shim-runc-v2",
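Review bot: `"/usr/bin/fish"` is added to a path list under `WHERE p.uid = 0`; if that list exempts root-owned processes, an interactive shell running as root is a broad thing to allowlist next to single-purpose daemons such as `anacron` and `apcupsd`, and a known-parent condition (for example a terminal emulator or `sudo`) would be a tighter exception than a bare path. Both new entries, `/usr/bin/pacman` and `/usr/bin/fish`, are also inserted between `abrt-dump-journal-xorg` and `anacron`, out of the sorted order the rest of the list keeps. The predicate that consumes this list is outside the hunk.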


@ -40,6 +40,7 @@ WHERE
OR p.cmdline LIKE "%curl.*—write-out%"
OR p.cmdline LIKE "%curl %--user-agent%"
OR p.cmdline LIKE "%curl -k%"
OR p.cmdline LIKE "%curl -sL%"
OR p.cmdline LIKE "%curl%--connect-timeout%"
OR p.cmdline LIKE "%curl%--output /dev/null%"
OR p.cmdline LIKE "%curl%--O /dev/null%"
@ -59,7 +60,7 @@ WHERE
)
)
-- Exceptions for all calls
AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND pp.name NOT IN ('makepkg', 'apko') -- Exceptions for non-privileged calls
AND NOT (
p.euid > 500
AND (
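Review bot: `AND pp.name NOT IN ('makepkg', 'apko')` exempts every curl/wget-style command whose parent merely reports the name `apko`; parent name is self-reported rather than verified, so anchoring on `pp.path` as well — `AND NOT (pp.name = 'apko' AND pp.path LIKE '%/apko')` is one narrower form — keeps the exception to the tool it is meant for. The trailing `-- Exceptions for non-privileged calls` on that line also describes the `AND NOT ( p.euid > 500 ...` block beneath it, not the `pp.name` predicate; moving it down one line avoids the misread. That block continues past the end of the hunk.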


@ -0,0 +1,28 @@
-- Discover tiny dropper binaries, such as Shikitega:
-- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
-- Designed for execution every 30 seconds (where the parent may still be around)
SELECT
p.pid,
p.path,
p.cmdline,
file.size,
p.mode,
p.cwd,
p.euid,
p.parent,
p.syscall,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256
FROM
process_events p
LEFT JOIN file ON p.path = file.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
WHERE
p.time > (strftime('%s', 'now') -30)
AND file.size > 0
AND file.size < 10000
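Review bot: `AND file.size > 0 AND file.size < 10000` discards exactly the events where the binary at `p.path` has already been unlinked, since the `LEFT JOIN file` then yields NULLs and both comparisons fail; for a dropper that removes itself after launch that is the case most worth seeing. Surfacing `file.size IS NULL` rows — possibly as a separate rule, since transient build artefacts will also hit it — would close that gap. As in the `processes`-based variant, the only hash selected is the parent's; `LEFT JOIN hash AS chash ON p.path = chash.path` with `chash.sha256 AS child_sha256` yields the hash of the artefact itself.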


@ -0,0 +1,45 @@
-- Designed for execution every 30 seconds (where the parent may still be around)
SELECT
p.pid AS child_pid,
p.path AS child_path,
REGEX_MATCH (RTRIM(file.path, "/"), ".*/(.*?)$", 1) AS child_name,
p.cmdline AS child_cmdline,
p.euid AS child_euid,
file.mode AS child_mode,
hash.sha256 AS child_hash,
p.parent AS parent_pid,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
pfile.mode AS parent_mode,
hash.sha256 AS parent_hash
FROM
process_events p
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = file.path
LEFT JOIN hash AS phash ON pp.path = hash.path
WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid
AND p.path NOT IN (
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/login',
'/usr/bin/sudo',
'/usr/bin/doas',
'/bin/ps',
'/usr/bin/top'
)
AND p.path NOT LIKE "/nix/store/%/bin/sudo"
AND p.path NOT LIKE "/nix/store/%/bin/dhcpcd"
AND NOT (
child_name = 'polkit-agent-helper-1'
AND parent_path = '/usr/bin/gnome-shell'
)
AND NOT (
child_name = 'fusermount3'
AND parent_path = '/usr/lib/xdg-document-portal'
)
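Review bot: The two parent-side joins reference the wrong alias: `LEFT JOIN file AS pfile ON pp.path = file.path` and `LEFT JOIN hash AS phash ON pp.path = hash.path` compare the parent path against the child's already-joined `file`/`hash` rows, so `pfile` and `phash` carry no constraint of their own, and `hash.sha256 AS parent_hash` then emits the child's hash under the parent's name. They should read `LEFT JOIN file AS pfile ON pp.path = pfile.path`, `LEFT JOIN hash AS phash ON pp.path = phash.path`, and `phash.sha256 AS parent_hash`. The `parent_mode` column is affected the same way, since it reads from the mis-joined `pfile`.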


@ -0,0 +1,44 @@
-- Inspired by Operation Earth Berberoka
-- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
SELECT
file.path,
uid,
gid,
mode,
mtime,
ctime,
type,
size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
file.path LIKE "/usr/lib/udev/rules.d/%"
AND file.size < 180
AND file.path NOT IN (
"/usr/lib/udev/rules.d/60-rfkill.rules",
"/usr/lib/udev/rules.d/50-apport.rules",
"/usr/lib/udev/rules.d/60-net.rules",
"/usr/lib/udev/rules.d/61-mutter.rules",
"/usr/lib/udev/rules.d/66-saned.rules",
"/usr/lib/udev/rules.d/70-hypervfcopy.rules",
"/usr/lib/udev/rules.d/70-hypervkvp.rules",
"/usr/lib/udev/rules.d/70-hypervvss.rules",
"/usr/lib/udev/rules.d/70-spice-vdagentd.rules",
"/usr/lib/udev/rules.d/70-spice-webdavd.rules",
"/usr/lib/udev/rules.d/75-probe_mtd.rules",
"/usr/lib/udev/rules.d/85-hdparm.rules",
"/usr/lib/udev/rules.d/85-regulatory.rules",
"/usr/lib/udev/rules.d/90-daxctl-device.rules",
"/usr/lib/udev/rules.d/91-drm-modeset.rules",
"/usr/lib/udev/rules.d/96-e2scrub.rules",
"/usr/lib/udev/rules.d/99-fuse.rules",
"/usr/lib/udev/rules.d/99-fuse3.rules",
"/usr/lib/udev/rules.d/99-libsane1.rules",
"/usr/lib/udev/rules.d/99-nfs.rules",
"/usr/lib/udev/rules.d/99-qemu-guest-agent.rules"
)
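Review bot: `file.path LIKE "/usr/lib/udev/rules.d/%"` covers only the distribution-owned rules directory; udev also reads `/etc/udev/rules.d/` and `/run/udev/rules.d/`, and `/etc` is where a locally added rule normally lands, so the query misses the location most likely to change on a host. Either extend the predicate with `OR file.path LIKE "/etc/udev/rules.d/%"` (the `NOT IN` allowlist is path-specific, so it is unaffected) or add a comment stating why only `/usr/lib` is in scope. `file.size < 180` is an unexplained constant; a short comment such as `-- legitimate rules are rarely this small; very short files suggest a stub` would help the next maintainer tune it.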