fpr: tune-ppd, lightdm, nami, gradle, etc

Thomas Stromberg 2024-10-22 16:12:21 -04:00
parent 67ce4cd92a
commit 81180803ae
16 changed files with 73 additions and 54 deletions


@ -69,7 +69,8 @@ WHERE
'75.75.76.76', -- Comcast
'68.105.28.13', -- Cox
'80.248.7.1', -- 21st Century (NG)
'34.160.111.32' -- wolfi.dev
'34.160.111.32', -- wolfi.dev
'185.125.190.31' -- Canonical
)
-- Exceptions that specifically talk to one server
AND exception_key NOT IN (
@ -90,6 +91,7 @@ WHERE
'distnoted,8.8.8.8,53',
'limactl,8.8.8.8,53',
'msedge,8.8.8.8,53',
'brave,8.8.8.8,53',
'adguard_dns,1.0.0.1,53',
'helm,185.199.108.133,53',
'coredns,8.8.8.8,53',
@ -115,6 +117,7 @@ WHERE
'go',
'wolfictl',
'gvproxy',
'grype',
'incusd',
'helm',
'terraform-provi',
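Review bot: `'grype'` joins a list that exempts by bare process name, and a process name is chosen by whoever launches the binary, so this exemption applies to anything that calls itself grype rather than to the scanner specifically. The same query already narrows other tools with a destination-qualified key (`'helm,185.199.108.133,53'`), and that form would keep grype's exemption tied to the resolver it actually uses; the enclosing WHERE starts outside the hunk. The added `'185.125.190.31' -- Canonical` entry is a single resolver IP, which is fine, though a word on which service answers there would help the next audit.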


@ -112,6 +112,7 @@ WHERE
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
'500,bash,bash,,bash',
'500,nami,nami,,a.out',
'500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
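Review bot: The new key `'500,nami,nami,,a.out'` has an empty signing-authority field and the generic `a.out` identifier, so — if the layout is `uid,name,name,authority,identifier` as the neighbouring entries suggest — it exempts any unsigned binary whose process name is `nami`, and nothing in the key distinguishes it from another ad-hoc binary given the same name. A trailing comment stating what nami is and why an unsigned build is expected (`'500,nami,nami,,a.out', -- <tool and reason: TODO>`) would keep the exemption reviewable, and if the binary lives at a stable path a path-scoped exception elsewhere in the query would be narrower. The enclosing exception list starts and ends outside the hunk.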


@ -71,6 +71,7 @@ WHERE
AND NOT pp.name IN (
'systemd-userdbd',
'crond',
'dpkg',
'systemd',
'systemd-udevd',
'(udev-worker)',
@ -85,6 +86,7 @@ WHERE
AND NOT p.cmdline LIKE '%--type=zygote%'
AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT pp.path LIKE '/usr/bin/%'
AND NOT (
p.name = 'sh'
AND p.cgroup_path = '/system.slice/znapzend.service'
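Review bot: `AND NOT pp.path LIKE '/usr/bin/%'` excludes every row whose parent process runs from /usr/bin, and on merged-/usr distributions that is nearly every parent, so the `pp.name NOT IN (...)` list above (including the newly added `'dpkg'`) becomes largely redundant and the rule's coverage shrinks to parents outside /usr/bin. If the intent was only to cover dpkg or similar package-manager parents, the name entry already does that and the path clause could be dropped; if the broad exclusion is deliberate, a comment such as `-- parents under /usr/bin are treated as trusted: <rationale: TODO>` would record why. Both hunks sit inside a WHERE whose start and end are outside the hunk.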


@ -8,8 +8,7 @@
--
-- tags: transient often
-- platform: posix
SELECT
REPLACE(p0.cwd, u.directory, '~') AS dir,
SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
REGEX_MATCH (
REPLACE(p0.cwd, u.directory, '~'),
'([/~].*?/.*?)/',
@ -56,8 +55,7 @@ SELECT
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
FROM processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON p0.uid = u.uid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@ -66,14 +64,10 @@ FROM
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.pid IN (
SELECT DISTINCT
pid
FROM
processes
WHERE
cwd LIKE '%/.%'
WHERE p0.pid IN (
SELECT DISTINCT pid
FROM processes
WHERE cwd LIKE '%/.%'
AND NOT name IN (
'apfsd',
'bindfs',
@ -93,33 +87,34 @@ WHERE
AND NOT (
exception_key IN (
'Arduino IDE Helper,/private/var/folders',
'Electron,~/.vscode/extensions',
'arduino-language-server,/private/var/folders',
'as,~/.cache/yay',
'bash,~/.Trash',
'bash,~/.local/share',
'bash,~/go/src',
'c++,~/.cache/yay',
'bash,~/.local/share',
'bash,~/.Trash',
'cc1,/home/build/.cache',
'cc1plus,~/.cache/yay',
'c++,~/.cache/yay',
'cgo,~/.gimme/versions',
'clangd,/private/var/folders',
'conmon,/var~/.local/share',
'mysqld,/var~/.local/share',
'dirhelper,/private/var/folders',
'Electron,~/.vscode/extensions',
'fileproviderd,~/Library/Mobile Documents',
'fish,~/.Trash',
'fish,~/.local/share',
'fish,~/.Trash',
'git,~/.local/share',
'java,~/.gradle/daemon',
'java,/home/build/.gradle',
'java,/home/build/.kotlin',
'java,~/.gradle/daemon',
'java,~/.local/share',
'make,~/.cache/yay',
'makepkg,~/.cache/yay',
'mysqld,~/.local/share',
'mysqld,/var~/.local/share',
'npm install,~/.npm/_cacache',
'opera_autoupdate,/private/var/folders',
'postinstall,/Library/InstallerSandboxes/.PKInstallSandboxManager',
'rm,/private/var/folders',
'rust-analyzer-p,~/.cargo/registry',
'rustc,/home/build/.cargo',
@ -183,12 +178,10 @@ WHERE
OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
OR dir LIKE '~/code/%'
OR dir LIKE '~/dev/%/dots/%/.config%'
OR dir LIKE '~/src/%'
-- For sudo calls to other things
OR dir LIKE '~/src/%' -- For sudo calls to other things
OR (
dir LIKE '/home/.terraform.d/%'
AND p0.euid = 0
)
)
GROUP BY
p0.pid
GROUP BY p0.pid
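Review bot: The reformat moved `-- For sudo calls to other things` from its own line onto the end of `OR dir LIKE '~/src/%'`, but the comment described the clause that followed it (`dir LIKE '/home/.terraform.d/%' AND p0.euid = 0`), the only branch that checks for root; it now reads as if `~/src` were the sudo case. Attach it to the clause it explains, e.g. `AND p0.euid = 0 -- For sudo calls to other things`. The sorted exception list also gains `'mysqld,~/.local/share'` beside the existing `'mysqld,/var~/.local/share'`; the `/var~` form is presumably what `REPLACE(p0.cwd, u.directory, '~')` produces for a `/var/home/<user>` cwd, and a one-line comment saying so would stop a later reader from "fixing" it.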


@ -71,6 +71,10 @@ WHERE (
'~/.pnpm',
'~/.rbenv',
'~/.rustup',
'~/Code',
'~/code',
'~/Projects',
'~/src',
'~/.sdkman',
'~/.supermaven',
'~/.terraform',
@ -93,6 +97,7 @@ WHERE (
'~/.docker/cli-plugins',
'~/.fig/bin',
'~/.go/bin',
'/home/linuxbrew/.linuxbrew',
'~/.linkerd2/bin',
'~/.linuxbrew/Cellar',
'~/node_modules/.bin',
@ -106,6 +111,7 @@ WHERE (
)
AND NOT dir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT dir LIKE '%/.terraform/providers/%'
AND NOT dir LIKE '%/node_modules/.pnpm/%'
AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
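Review bot: `'~/Code'`, `'~/code'`, `'~/Projects'` and `'~/src'` are whole source-tree roots in a list that otherwise names specific tool directories (`~/.pnpm`, `~/.rustup`), so if this list exempts hidden-path hits, everything beneath a user's checkout tree is now out of scope for the rule; the WHERE that starts outside the hunk decides that, so it is worth confirming. If the goal is build tooling living under those roots, a narrower pattern on the hidden component (a LIKE clause of the `'~/src/%/.git/%'` shape, as the later `AND NOT dir LIKE '%/.terraform/providers/%'` lines do) keeps the rest of the tree covered. The new `'%/node_modules/.pnpm/%'` pattern matches that directory at any depth, consistent with the neighbouring `.terraform` pattern.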


@ -49,8 +49,6 @@ WHERE
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
AND p.path NOT IN (
'/usr/bin/python3.10',
'/opt/google/chrome/nacl_helper',
'/opt/Synergy/resources/synergy-tray'
)
-- Probably just an upgrade
AND p.path NOT LIKE '/usr/bin/%'
AND p.path NOT LIKE '/opt/%'


@ -92,6 +92,7 @@ WHERE
'/tmp/.eos-update-notifier.log',
'/tmp/.featureflags-agent/',
'/tmp/.font-unix/',
'/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
'/tmp/.git/',
'/tmp/.go-version',
'/tmp/.helmrepo',


@ -44,7 +44,7 @@ FROM
WHERE
p0.start_time > 0
AND f.ctime > 0
AND p0.start_time > (strftime('%s', 'now') - 43200)
AND p0.start_time < (strftime('%s', 'now') - 43200)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
AND p0.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
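Review bot: Changing `>` to `<` in `p0.start_time < (strftime('%s', 'now') - 43200)` inverts the window from processes started within the last 12 hours to processes started more than 12 hours ago, which reads like a typo unless the intent is stated; a comment such as `-- only long-running processes (started > 12h ago)` on that line would settle it. The context line `AND p0.start_time >= MAX(f.ctime, f.ctime)` compares the column with itself, so the MAX is a no-op; the line above uses `MAX(f.ctime, f.btime)` and this one almost certainly meant the same, i.e. `AND p0.start_time >= MAX(f.ctime, f.btime)`. The enclosing WHERE continues outside the hunk.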


@ -75,6 +75,7 @@ WHERE -- This time should match the interval
OR (
LENGTH(pe.value) > 1024
AND pe.key != 'LS_COLORS'
AND pe.key != 'HTTP_AUTH'
AND f.mode IS NOT NULL
AND f.mode NOT LIKE '0%'
)
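Review bot: `AND pe.key != 'HTTP_AUTH'` exempts from the `LENGTH(pe.value) > 1024` branch the one variable in this list that is named for a credential, which is the case an oversized-environment check is most useful for; the rest of the query is outside the hunk, so that purpose is inferred. If a specific tool is known to set a legitimately long HTTP_AUTH, name it so the exemption can be re-evaluated later, e.g. `AND pe.key != 'HTTP_AUTH' -- set by <tool: TODO>`, and consider pairing it with a `p.name` check so only that tool is exempted.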


@ -67,9 +67,10 @@ WHERE
'figma_agent',
'nvim',
'old',
'rpm-ostree',
'OrbStack Helper',
'rpm-ostree',
'sg-nvim-agent',
'sm-agent',
'stable',
'wezterm-gui',
'zed'


@ -102,6 +102,7 @@ WHERE
AND NOT homepath LIKE "~/.%"
AND NOT homecwd LIKE "~/.%"
AND NOT homecwd LIKE '/Users/%/.gradle/daemon/%'
AND NOT homecwd LIKE '/home/%/.gradle/daemon/%'
AND NOT f.directory IN (
'/Applications/Keybase.app/Contents/SharedSupport/bin',
'/opt/docker-desktop/bin'
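Review bot: `AND NOT homecwd LIKE '/home/%/.gradle/daemon/%'` matches an absolute path against `homecwd`, which the `LIKE "~/.%"` lines above suggest is already home-relative, so this pattern (like the `/Users/%` one before it) can only match when the cwd is inside a different user's home than the process owner's; the owner's own `~/.gradle/daemon` is already covered by `NOT homecwd LIKE "~/.%"`. If that cross-user case (a root daemon with its cwd in a user's home, say) is the intent, a comment stating so would save the next reader this question; if not, the line is redundant. The new line uses single quotes while the two above use double quotes, which SQLite treats as a string literal only by fallback when no such identifier exists, so the single-quoted form is the safer one to standardise on.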


@ -101,6 +101,8 @@ WHERE
'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
'true,,Gem,bnbpceglddpnehbopmdjegpfinikcaoh',
'true,,Chrome Capture - screenshot & GIF,ggaabchcecdbomdcnbahdfddfikjmphe',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh',
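Review bot: `'true,,Gem,bnbpceglddpnehbopmdjegpfinikcaoh'` allow-lists an extension with an empty publisher and a one-word name, and it is inserted between 'Bionic Reading' and 'Chrome Capture' in a list that is otherwise kept in name order. The extension ID is the right thing to pin, but a trailing comment saying what the extension is and where it was vetted (`-- <what Gem is: TODO>`) would let the next reviewer re-check it, and moving it to its sorted position keeps duplicates detectable. The enclosing list starts and ends outside the hunk.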


@ -210,6 +210,7 @@ WHERE (
'/dev/stderr,fifo',
'/dev/stderr,character',
'/dev/stdin,character',
'/dev/stdin,fifo',
'/dev/stdout,fifo',
'/dev/stdout,character',
'/dev/tee,character',


@ -41,11 +41,11 @@ WHERE
'Developer ID Application: Cloudflare Inc. (68WVV388M8)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
'Developer ID Application: Grammarly, Inc (W8F64X92K3)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
@ -73,6 +73,7 @@ WHERE
'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'Software Signing', -- Apple
'yabai-cert'
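Review bot: Replacing `'Developer ID Application: Google, Inc. (EQHXZ8M8AV)'` with `'Developer ID Application: Google LLC (EQHXZ8M8AV)'` keeps the team ID but changes the subject name, and binaries signed before the certificate was reissued under the new name still carry the old string, so any such binary still installed will now surface as a finding. Unless the old form is known to be gone from the fleet, keep both entries until it is. The Ubiquiti move and the EnterpriseDB addition are sort-order changes in a list whose start is outside the hunk.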


@ -5,8 +5,7 @@
--
-- tags: persistent state net low
-- platform: darwin
SELECT
lp.address,
SELECT lp.address,
lp.port,
lp.protocol,
p.uid,
@ -28,13 +27,11 @@ SELECT
',',
signature.authority
) AS exception_key
FROM
listening_ports lp
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path
WHERE
port != 0
WHERE port != 0
AND lp.address NOT IN ('224.0.0.251', '::1')
AND lp.address NOT LIKE '127.0.0.%'
AND lp.address NOT LIKE '172.1%'
@ -220,7 +217,7 @@ WHERE
AND lp.port > 5000
)
AND NOT (
exception_key LIKE '3%,6,500,java,'
exception_key LIKE '3%,6,500,java,'
AND p.cwd LIKE '/Users/%'
)
AND NOT (
@ -229,18 +226,23 @@ WHERE
and lp.protocol = 6
)
AND NOT (
p.name IN (
'caddy',
'com.docker.backend',
'controller',
'crane',
'crc',
'OrbStack Helper',
'docker-proxy',
'hugo',
'kubectl',
'node',
'webhook'
(
p.name IN (
'caddy',
'com.docker.backend',
'controller',
'crane',
'crc',
'OrbStack Helper',
'docker-proxy',
'hugo',
'kubectl',
'ssh',
'node',
'webhook'
)
OR p.name LIKE 'kubectl.%'
OR p.name LIKE '__%_go'
)
AND lp.port > 1024
and lp.protocol = 6
@ -266,5 +268,4 @@ WHERE
AND lp.protocol = 6
)
)
GROUP BY
exception_key
GROUP BY exception_key
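Review bot: `'ssh'` is added to a name-only exemption for TCP listeners above port 1024, and because loopback addresses are already excluded earlier in this WHERE (`lp.address NOT LIKE '127.0.0.%'`, `'::1'`), the only ssh listeners this exempts are ones bound to non-loopback interfaces — the case a listening-port rule most wants to see, and one where the bare name says nothing about which binary is listening. Prefer the `exception_key` form used elsewhere in this query, which ties the exemption to the signing authority. Separately, `OR p.name LIKE '__%_go'` treats each `_` as a single-character wildcard, so it matches any name of five or more characters ending in `go` (`mongo`, `django`); if literal underscores are intended, write `OR p.name LIKE '\_\_%\_go' ESCAPE '\'`. The WHERE starts outside the hunk.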


@ -88,6 +88,7 @@ WHERE
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
@ -118,6 +119,7 @@ WHERE
'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
@ -165,6 +167,7 @@ WHERE
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
'group-admin-dae,/usr/libexec/group-admin-daemon,0,system.slice,group-admin-daemon.service,0755',
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
@ -185,6 +188,7 @@ WHERE
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,0700',
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
@ -198,6 +202,8 @@ WHERE
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
'lightdm,/usr/sbin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/sbin/lightdm,0,user.slice,user-1000.slice,0755',
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
@ -322,7 +328,6 @@ WHERE
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
@ -333,6 +338,7 @@ WHERE
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
@ -350,6 +356,7 @@ WHERE
AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
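Review bot: `AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'` has five comma-separated fields where every literal key in this list has six (apparently `name,path,uid,slice,unit,mode`, e.g. `'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755'`); it still matches, but only because the `%` after `python3.` silently absorbs the `,0` uid field along with the version, so the uid constraint is lost and the path may carry arbitrary trailing text. Pin the uid like the other LIKE exceptions do: `AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,0,system.slice,tuned-ppd.service,0755'`. The `'just,...'` entry appears to be moved to its sorted position, which is fine. The enclosing WHERE starts outside the hunk.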