Merge pull request #328 from tstromberg/fpr-oct24

fpr: osquery release spam
This commit is contained in:
Thomas Strömberg 2023-10-24 18:32:59 -04:00 committed by GitHub
commit 7b76585736
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 93 additions and 87 deletions


@ -153,6 +153,7 @@ WHERE
AND file.path NOT IN (
'/etc/cloud/clean.d/99-installer',
'/etc/grub2-efi.cfg',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/grub2.cfg',
'/etc/hibernate.sh',
'/etc/libpaper.d/texlive-base',
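Review bot: The rest of this exclusion list is kept in path order, but `'/etc/cloud/clean.d/99-installer-use-networkmanager'` sits between the two grub2 entries; if that is the line this commit adds (the rendered view does not mark sides), move it directly under `'/etc/cloud/clean.d/99-installer'` so the two cloud-init entries stay together and later additions have one obvious place to go. The enclosing WHERE clause starts and ends outside the hunk.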


@ -118,60 +118,64 @@ WHERE
magic.data IS NOT NULL
AND magic.data LIKE "%shell script%"
)
AND NOT (
magic.data IS NULL
AND file.size < 50000
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/%/shims'
AND NOT homedir LIKE '~/%/plugins'
AND NOT homedir LIKE '/Users/%/.provisio'
AND NOT homedir IN (
'~/.amplify/bin',
'~/.asdf/shims',
'~/.bazel/bin',
'~/.bin',
'~/.cache/gitstatus',
'~/.config/kn',
'~/.config/nvim.bak',
'~/.docker/cli-plugins',
'~/.emacs.d/backups',
'~/.emacs.d.bak/bin',
'~/.fig/bin',
'~/.fzf',
'~/.fzf/bin',
'~/.venv/bin',
'~/.fig/bin',
'~/.zsh_snap/zsh-snap',
'~/.zed/gopls',
'~/.config/kn',
'~/.asdf/shims',
'~/.amplify/bin',
'~/.emacs.d/backups',
'~/.rbenv/shims',
'~/.config/nvim.bak',
'~/.bazel/bin',
'~/.pulumi-dev/bin',
'~/.gvm/bin',
'~/.emacs.d.bak/bin',
'~/.docker/cli-plugins',
'~/.zsh_snap/zsh-autocomplete',
'~/.cache/gitstatus',
'~/.wrangler/bin',
'~/.provisio',
'~/.pyenv/shims',
'~/Library/ApplicationSupport/iTerm2',
'~/.kn/plugins',
'~/.kuberlr/darwin-amd64',
'/Users/Shared/logitune',
'~/Library/ApplicationSupport/iTerm2',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS',
'~/.oh-my-zsh/tools',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
'~/.provisio',
'~/.pulumi-dev/bin',
'~/.pyenv/shims',
'~/.rbenv/shims',
'/Users/Shared/logitune',
'~/.venv/bin',
'~/.wrangler/bin',
'~/.zed/gopls',
'~/.zsh_snap/zsh-autocomplete',
'~/.zsh_snap/zsh-snap'
)
AND NOT top2_homedir IN (
'~/.iterm2',
'~/Library/Application Support',
'/Users/Shared/LGHUB/cache',
'~/Library/Printers',
'~/Library/QuickLook',
'~/Library/pnpm',
'/Users/Shared/Red Giant/Uninstall',
'~/Library/Thunderbird',
'~/Library/Caches',
'~/Library/helm',
'~/Library/pnpm',
'~/Library/Printers',
'~/Library/Python',
'~/Library/QuickLook',
'~/Library/Screen Savers',
'~/Library/Services',
'~/Library/Thunderbird',
'~/.magefile',
'~/.nvm',
'~/.terraform.d',
'~/.terraform.versions',
'~/.iterm2',
'/Users/Shared/LGHUB/cache',
'/Users/Shared/LogiOptionsPlus/cache',
'~/Library/Screen Savers',
'~/Library/Python',
'~/Library/Caches',
'~/.magefile',
'~/.nvm'
'/Users/Shared/Red Giant/Uninstall'
)
GROUP BY
f.path
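Review bot: `'~/Library/ApplicationSupport/iTerm2'` in the homedir list has no space in "Application Support", so on macOS it almost certainly never matches a real path and the exclusion is dead; either drop it or correct it to `'~/Library/Application Support/iTerm2'`. Separately, `'~/Library/Application Support'` in the top2_homedir list excuses every unsigned binary two directory levels below that folder, which is where a large share of third-party software lives, so the check loses most of its coverage there; if that entry is new in this commit (the rendered view does not mark sides), a per-vendor subdirectory, as the iTerm2 entry attempts, would keep the exclusion narrow. Both lists would also be easier to audit later if each non-obvious entry carried a trailing `-- <product that owns this path>` comment, since most of them are only recognisable to whoever added them. The enclosing WHERE clause starts outside the hunk.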


@ -79,83 +79,62 @@ WHERE
AND pmm.path LIKE '%Security.framework%'
AND exception_key NOT IN (
'0,nix,nix,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,velociraptor,a.out,',
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,clangd,clangd,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,Bazecor Helper,,',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Duckly Helper,Electron Helper,',
'500,Duckly,Electron,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,Bazecor Helper,,',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,bufls,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,chainctl,a.out,',
'500,Chromium,Chromium,',
'500,clangd,clangd,',
'500,cloud-sql-proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
'500,debug.test,a.out,',
'500,dive,a.out,',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,dlv,a.out,',
'500,docker,a.out,',
'500,Duckly,Electron,',
'500,Duckly Helper,Electron Helper,',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,',
'500,esbuild,,',
'500,esbuild,a.out,',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,git,git,',
'500,gitsign,a.out,',
'500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gke-gcloud-auth-plugin,a.out,',
'500,go,a.out,',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,hugo,a.out,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,k9s,a.out,',
@ -163,34 +142,56 @@ WHERE
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,mattermost,a.out,',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,melange,a.out,',
'500,melange-run,a.out,',
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,monorail,a.out,',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,plugin-darwin-arm64,a.out,',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,registry,a.out,',
'500,registry-redirect,a.out,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,Chromium,Chromium,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,snyk-ls_darwin_arm64,a.out,',
'500,ssh,ssh,',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,stern,a.out,',
'500,syncthing,syncthing,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
'500,tflint,a.out,',
'500,tflint-ruleset-aws,a.out,',
'500,tflint-ruleset-google,a.out,',
'500,timestamp-server,a.out,',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,vim,,',
'500,vim,vim,'
'500,vim,vim,',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
)
AND NOT (
exception_key LIKE '500,%,a.out,'
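Review bot: Every `'500,<name>,a.out,'` entry in the NOT IN list (bufls, chainctl, cosign, crane, dlv, docker, go, gopls, ko, kubectl, melange, tflint and the rest) is already matched by the `exception_key LIKE '500,%,a.out,'` clause that begins on the last line of the hunk, unless that `AND NOT (...)` group, which closes outside the hunk, adds a narrowing condition; if it does not, those entries are dead weight and the list shrinks considerably (the uid-0 `'0,velociraptor,a.out,'` is the one a.out entry the pattern does not reach). The osqueryd exceptions, which the PR title suggests are the additions here, are pinned to the `Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)` authority, which is the right shape for an allowlist entry. By contrast entries with an empty authority such as `'500,git,git,'`, `'500,ssh,ssh,'` and `'500,gpg-agent,gpg-agent,'` match any unsigned process of that name, so a short comment recording where those builds come from (Homebrew, MacPorts, a local compile), in the style of the existing `-- Xcode iPhone emulator` note, would let a later reader judge whether each exclusion is still warranted. The enclosing WHERE clause starts before the first hunk and ends after the second.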


@ -4,7 +4,7 @@
-- * https://github.com/Neo23x0/signature-base/blob/master/yara/pua_cryptocoin_miner.yar
--
-- tags: persistent
-- interval: 7200
-- interval: 3600
-- platform: posix
SELECT
yara.*,
@ -42,7 +42,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.start_time > (strftime('%s', 'now') - 3600)
AND yara.sigrule = '
rule cryptexec {
strings:
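Review bot: The lookback `p0.start_time > (strftime('%s', 'now') - 3600)` now equals the `-- interval: 3600` schedule, so a process that starts while a run is delayed by scheduler jitter, or during a skipped run, falls outside the next run's window and is never scanned; a lookback somewhat longer than the interval (for example `- 3900`, a constructed value) closes that gap at the cost of occasionally re-scanning a process. The two numbers also have to move together, which nothing in the file states; a comment on the predicate such as `-- keep in step with the interval header above` would make that explicit. The same applies to both hunks of the bpfdoor query in the next file section. This assumes 3600 is the new side in each pair, since the rendered view does not mark it.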


@ -4,7 +4,7 @@
-- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
--
-- tags: persistent
-- interval: 86400
-- interval: 3600
-- platform: posix
SELECT
yara.strings,
@ -42,7 +42,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.start_time > (strftime('%s', 'now') - 3600)
AND
yara.sigrule = '
rule redflags {