Monday morning tuning

This commit is contained in:
Thomas Stromberg 2022-09-12 11:17:51 -04:00
parent 78b49a38b2
commit 868f1ff13b
12 changed files with 90 additions and 81 deletions


@ -1,12 +1,28 @@
SELECT et.*, p.path, s.authority, s.identifier, h.sha256
SELECT et.*,
p.path,
s.authority,
s.identifier,
h.sha256
FROM event_taps et
JOIN processes p ON et.tapping_process = p.pid
JOIN signature s ON s.path = p.path
JOIN hash h ON h.path = p.path
JOIN processes p ON et.tapping_process = p.pid
JOIN signature s ON s.path = p.path
JOIN hash h ON h.path = p.path
WHERE event_tapped IN ('EventKeyDown', 'EventKeyUp')
AND authority != "Software Signing"
AND NOT (identifier='com.googlecode.iterm2' AND authority='Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)')
AND NOT (identifier='skhd' AND p.path LIKE '/opt/homebrew/Cellar/%/bin/skhd')
AND NOT (identifier='com.logi.ghub.agent' AND p.path = '/Applications/lghub.app/Contents/Frameworks/lghub_agent.app/Contents/MacOS/lghub_agent')
AND NOT (identifier='me.guillaumeb.MonitorControl' AND p.path = '/Applications/MonitorControl.app/Contents/MacOS/MonitorControl')
GROUP BY p.path
AND authority != "Software Signing"
AND NOT (
identifier = 'com.googlecode.iterm2'
AND authority = 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)'
)
AND NOT (
identifier = 'skhd'
AND p.path LIKE '/opt/homebrew/Cellar/%/bin/skhd'
)
AND NOT (
identifier = 'com.logi.ghub.agent'
AND p.path = '/Applications/lghub.app/Contents/Frameworks/lghub_agent.app/Contents/MacOS/lghub_agent'
)
AND NOT (
identifier = 'me.guillaumeb.MonitorControl'
AND p.path = '/Applications/MonitorControl.app/Contents/MacOS/MonitorControl'
)
GROUP BY p.path
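Review bot: The three new exclusions for `skhd`, `com.logi.ghub.agent` and `me.guillaumeb.MonitorControl` are keyed on identifier plus path only, while the iTerm2 exclusion also pins `authority`; since `s.authority` is already joined, pinning it on the others keeps each exception tied to the signer rather than to a self-declared identifier at a path that may be user-writable, e.g. `AND NOT (identifier = 'com.logi.ghub.agent' AND authority = '<signer placeholder>' AND p.path = '/Applications/lghub.app/Contents/Frameworks/lghub_agent.app/Contents/MacOS/lghub_agent')`. `authority != "Software Signing"` uses double quotes, which SQLite (the engine these osquery tables imply) resolves as an identifier first; every other literal in the query is single-quoted, so `AND authority != 'Software Signing'` is safer. `GROUP BY p.path` combined with `et.*` also collapses several taps by the same binary into one arbitrarily chosen row; if one row per tap is wanted, group on the tap columns or drop the GROUP BY.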


@ -25,9 +25,9 @@ WHERE pof.path LIKE '/dev/%'
'/dev/random',
'/dev/rfkill',
'/dev/snd/seq',
'/dev/tty',
'/dev/urandom',
'/dev/vga_arbiter',
'/dev/tty'
'/dev/vga_arbiter'
)
AND NOT pof.path LIKE '/dev/hidraw%'
AND NOT pof.path LIKE '/dev/ttys%'
@ -93,6 +93,7 @@ WHERE pof.path LIKE '/dev/%'
'systemd-logind',
'Xorg',
'gdm-wayland-session',
'gdm-wayland-ses',
'gdm-x-session',
'X'
)
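Review bot: In the first hunk, `'/dev/tty'` and `'/dev/vga_arbiter'` on consecutive lines have no separating comma, so if those two lines are the new side of the `IN (...)` list the statement either fails to parse or, in engines that fuse adjacent string literals, silently becomes the single entry `'/dev/tty/dev/vga_arbiter'` and both devices fall out of the allow-list; the fix is `'/dev/tty',` on the first of them. The same hunk appears to drop `'/dev/urandom'` from the list, which would start reporting every reader of urandom; a comment would help if that is intended. The enclosing `IN (...)` and `WHERE` begin outside the hunk.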


@ -4,9 +4,11 @@ SELECT pmm.pid,
p.path AS proc_path,
p.name AS proc_name,
p.cmdline AS proc_cmd,
pmm.path AS lib_path
pmm.path AS lib_path,
hash.sha25
FROM process_memory_map pmm
JOIN processes p ON pmm.pid = p.pid
JOIN hash h ON p.path = hash.path
WHERE pmm.path LIKE "%libpcap%"
AND euid = 0
AND proc_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
@ -14,10 +16,12 @@ WHERE pmm.path LIKE "%libpcap%"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
AND proc_path NOT LIKE "/System/Library/%"
AND proc_path NOT LIKE "/nix/store/%/bin/nix"
AND proc_path NOT IN (
'/usr/libexec/UserEventAgent',
'/usr/sbin/systemstats',
'/usr/sbin/cupsd'
'/usr/sbin/cupsd',
'/usr/bin/tcpdump'
)
AND proc_cmd NOT IN (
'/nix/var/nix/profiles/default/bin/nix-daemon',
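Review bot: The new select column `hash.sha25` and the join `JOIN hash h ON p.path = hash.path` will not resolve: the table is aliased `h`, so `hash.path` is not a valid reference once the alias is bound, and `sha25` does not match the `sha256` column every other query in this commit selects. Change them to `h.sha256` and `JOIN hash h ON p.path = h.path`. Separately, adding `'/usr/bin/tcpdump'` to the `proc_path NOT IN` list mutes exactly the case this rule looks for (a root process with libpcap mapped); now that the hash is selected, an exception keyed on the binary's `sha256` or on its parent would be narrower than a path that any root user can overwrite. The enclosing `SELECT` starts before the first hunk and the `WHERE` continues past the second.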


@ -27,6 +27,7 @@ WHERE
AND type='regular'
AND mode NOT LIKE "0%"
AND mode NOT LIKE "1%"
AND mode NOT LIKE "2%"
AND NOT (mode LIKE '4%11' AND uid=0 AND gid=0 AND
file.path IN (
'/usr/sbin/wodim',
@ -79,6 +80,8 @@ AND NOT (mode LIKE '4%11' AND uid=0 AND gid=0 AND
'/bin/icedax',
'/bin/cdrecord',
'/bin/cdda2wav',
'/usr/bin/staprun',
'/bin/staprun',
'/usr/libexec/security_authtrampoline'
)
)
@ -241,48 +244,4 @@ AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
'/usr/lib64/xtest'
)
)
AND NOT (file.path='/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
AND NOT (file.path='/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
AND NOT (file.path='/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
AND NOT (file.path='/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/bin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
AND NOT (file.path='/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
AND NOT (file.path='/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
AND NOT (file.path='/usr/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/usr/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/usr/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
AND NOT (file.path='/usr/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
AND NOT (file.path='/usr/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/write' AND mode='2555' AND uid=0 AND gid=4)
AND NOT (file.path='/usr/bin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
AND NOT (file.path='/usr/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/sbin/postdrop' AND mode='2755' AND uid=0 AND gid=28)
AND NOT (file.path='/usr/sbin/postqueue' AND mode='2755' AND uid=0 AND gid=28)
AND NOT (file.path='/usr/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
AND NOT (file.path='/usr/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/libexec/camel-lock-helper-1.2' AND mode='2755' AND uid=0 AND gid=8)
AND NOT (file.path='/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache' AND mode='2755' AND uid=173 AND gid=173)
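Review bot: The added `AND mode NOT LIKE "2%"` in the first hunk excludes every setgid-only file regardless of owner or group, which is what lets the third hunk delete the per-path `2755`/`2711` exceptions; the old list pinned `uid`/`gid` per binary, so a setgid binary turning up with an unexpected group, or a new setgid file anywhere, will no longer surface. If setgid is deliberately out of scope now, record it next to the predicate, e.g. `-- setgid-only files (2xxx) are intentionally ignored; only setuid (4xxx/6xxx) is reviewed`; otherwise keep the list and drop the blanket exclusion. The `WHERE` clause these predicates belong to begins before the first hunk.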


@ -8,6 +8,7 @@ WHERE port != 0
AND lp.address NOT LIKE "fe80::%"
AND lp.address NOT LIKE "::ffff:127.0.0.%"
AND NOT (lp.port > 1024 AND lp.protocol = 17)
AND NOT (lp.port IN (8000,8080) AND lp.protocol=6)
-- Linux --
AND NOT (p.name IN ('spotify','Spotify') AND lp.port IN (1900,5353) AND lp.protocol=17)
AND NOT (p.name IN ('spotify','Spotify') AND lp.port>32000 AND lp.protocol IN (6,17))
@ -41,7 +42,7 @@ WHERE port != 0
AND NOT (p.name='nginx' AND p.cwd='/' AND lp.port=80 AND lp.protocol=6)
AND NOT (p.name='plugin-container' AND lp.port>32000 AND lp.protocol IN (6,17))
AND NOT (p.name='node' AND lp.port>1024 AND lp.protocol = 6)
AND NOT (p.name='registry' AND lp.port>1024 AND lp.protocol = 6)
AND NOT (p.name IN ('registry', 'registry-redirect') AND lp.port>1024 AND lp.protocol = 6)
AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
AND NOT (p.name='tailscaled' AND lp.port=4161 AND lp.protocol=6)
AND NOT (p.name='tailscaled' AND lp.port>40000 AND lp.protocol IN (6,17))
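Review bot: The new `AND NOT (lp.port IN (8000,8080) AND lp.protocol=6)` excludes any process listening on TCP 8000 or 8080 on any address, unlike the neighbouring exceptions which pair a port with `p.name` or `p.cwd`; a listener on 0.0.0.0:8080 from an unknown binary is exactly what this query exists to show. Pin it to the process that motivated it, e.g. `AND NOT (p.name = '<expected process>' AND lp.port IN (8000,8080) AND lp.protocol = 6)`, or at least restrict it to loopback using the `lp.address` predicates already used above. The `WHERE` clause continues outside both hunks.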


@ -9,5 +9,6 @@ WHERE family = 17 -- PF_PACKET
AND name NOT IN (
'wpa_supplicant',
'NetworkManager',
'dhcpcd'
'dhcpcd',
'tcpdump'
)
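Review bot: Adding `'tcpdump'` to the `name NOT IN (...)` list exempts raw `PF_PACKET` sockets by process name alone, and a process name is chosen by the process itself, so anything calling itself tcpdump now passes this check. If the table exposes a path or the query can join `processes`, keying the exception on the binary path (and, as the other hunks in this commit do, its hash) is harder to satisfy by renaming. The enclosing `SELECT`/`WHERE` begins outside the hunk.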


@ -21,7 +21,10 @@ AND p.path NOT IN (
'/usr/libexec/gnome-shell-calendar-server',
'/usr/sbin/NetworkManager'
)
AND parent_path NOT IN ('/usr/bin/containerd-shim-runc-v2')
AND parent_path NOT IN (
'/usr/bin/containerd-shim-runc-v2',
'/usr/local/bin/containerd-shim-runc-v2'
)
AND p.name NOT IN (
"firewalld",
"gopls",
@ -29,5 +32,6 @@ AND p.name NOT IN (
"Slack Helper (GPU)",
"Slack Helper",
"Slack Helper (Renderer)",
"mysqld"
"mysqld",
"containerd-shim"
)
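Review bot: The new `"containerd-shim"` entry in `p.name NOT IN (...)` is a name-only exception while the `parent_path NOT IN (...)` list in the first hunk pins a full path; since the name is self-reported, pairing it with the path the shim runs from, e.g. `AND NOT (p.name = 'containerd-shim' AND p.path = '<shim path>')`, keeps the two exceptions equally strict. Stylistically the file now mixes single-quoted paths in the first list with double-quoted names in the second; SQLite reads double quotes as identifiers first, so single quotes throughout are safer. The enclosing `WHERE` starts before the first hunk.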


@ -13,6 +13,7 @@ AND NOT (p.name='tmux:server' AND filename='tmux')
AND NOT (p.name LIKE 'clangd:%' AND filename='clangd')
AND NOT (p.name='nix-daemon' AND filename='nix')
AND NOT (p.name='systemd-udevd' AND filename='udevadm')
AND NOT (p.name LIKE 'npm%' AND filename='node')
AND NOT (p.name='GUI Thread' AND filename='resolve')
AND NOT (p.name='X' AND filename='Xorg')
AND NOT p.path LIKE '/nix/store/%/bin/bash'
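Review bot: `p.name LIKE 'npm%'` is a prefix match, so any process whose name merely starts with `npm` and whose binary is `node` is exempted, which is broader than the exact names the neighbouring exceptions use (`nix-daemon`, `systemd-udevd`). If only npm itself is meant, `AND NOT (p.name = 'npm' AND filename='node')` matches the surrounding style; if several npm-launched names are expected, listing them with `IN (...)` documents which. The `WHERE` clause begins and ends outside the hunk.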


@ -1,20 +1,29 @@
-- Parent PID is not on disk
-- Reveals boopkit if a child is spawned
SELECT p.name,
p.pid,
p.path AS path,
p.cmdline AS cmdline,
p.uid,
p.gid,
SELECT p.name AS child_name,
p.pid AS child_pid,
p.path AS child_path,
p.cmdline AS child_cmd,
p.uid AS child_uid,
p.gid AS child_gid,
p.on_disk AS child_on_disk,
pp.pid AS parent_pid,
pp.name AS parent_name,
pp.path AS parent_path,
pp.cmdline AS parent_cmdline,
pp.uid,
pp.gid
pp.cmdline AS cmd,
pp.on_disk AS parent_on_disk,
pp.uid AS parent_uid,
pp.gid AS parent_gid
FROM processes p
JOIN processes pp ON pp.pid = p.parent
WHERE pp.on_disk != 1
AND p.pid > 2
AND pp.pid != 2 -- kthreadd
AND pp.path NOT IN ('/opt/google/chrome/chrome')
WHERE parent_on_disk != 1
AND child_on_disk = 1
AND NOT child_pid IN (1,2)
AND NOT parent_pid IN (1,2) -- launchd, kthreadd
AND NOT parent_path IN (
'/opt/google/chrome/chrome',
'/usr/bin/gnome-shell'
)
AND NOT parent_name IN ('lightdm')
AND parent_path NOT LIKE '/app/extra/%'
AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
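Review bot: The new `AND child_on_disk = 1` drops the case the header comment says the query exists for: a child spawned by a not-on-disk parent that is itself not on disk (before this change only the parent's `on_disk != 1` was required). If the intent is to cut noise, a comment stating that in-memory children are deliberately excluded would record it; otherwise remove the line. `pp.cmdline AS cmd` also breaks the `child_*`/`parent_*` naming the rest of the select list adopts; `pp.cmdline AS parent_cmd` keeps it consistent. Filtering on output aliases in `WHERE` (`parent_on_disk`, `child_pid`, …) is a SQLite extension, fine for osquery but not portable.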


@ -56,5 +56,7 @@ WHERE
p.cmdline LIKE "%wget %--user-agent%" OR
p.cmdline LIKE "%wget %--no-check-certificate%"
)
AND p.cmdline NOT LIKE "%If-None-Match%"
AND parent_name NOT IN ('makepkg')
AND parent_cmdline NOT LIKE "%brew.rb upgrade"
AND parent_cmdline NOT LIKE "%brew.rb upgrade"
AND parent_cmdline NOT LIKE "%brew.sh update"
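Review bot: `AND parent_cmdline NOT LIKE "%brew.rb upgrade"` appears twice in a row; if both lines are on the new side one is redundant and should go. More importantly, `AND p.cmdline NOT LIKE "%If-None-Match%"` suppresses the rule on a substring of the command line, so any wget invocation whose arguments contain that header string is exempted even when it also carries `--no-check-certificate`; pinning the exception to the parent or to the full expected command line is harder to satisfy. `parent_name NOT IN ('makepkg')` is likewise name-only, whereas the brew exceptions use the parent's command line. The `WHERE` this belongs to begins outside the hunk.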


@ -1,10 +1,14 @@
SELECT p.pid,
p.name,
p.path,
p.euid,
p.gid,
f.directory,
p.cmdline
p.cmdline,
hash.sha256
FROM processes p
JOIN file f ON p.path = f.path
JOIN hash ON hash.path = p.path
WHERE directory NOT LIKE '/Applications/%.app/%'
AND directory NOT LIKE '/home/%'
AND directory NOT LIKE '/Library/Apple/System/Library%'
@ -68,10 +72,12 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
'/usr/libexec/ApplicationFirewall',
'/usr/libexec/rosetta',
'/usr/sbin',
'/Library/PrivilegedHelperTools',
'/Library/Printers/DYMO/Utilities',
'/Library/Developer/CommandLineTools/usr/bin',
'/usr/share/code',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS'
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
'/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/Resources/Python.app/Contents/MacOS'
)
AND f.path NOT IN (
'/usr/libexec/AssetCache/AssetCache',
@ -84,7 +90,8 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
'/usr/lib/firefox/firefox',
'/usr/lib64/firefox/firefox'
)
AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
AND directory NOT LIKE '/Library/%/Resources/%/Contents/MacOS'
AND directory NOT LIKE '/Library/Application Support/Adobe/%'
AND directory NOT LIKE '/Library/Developer/CommandLineTools/Library/%'
AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
AND NOT (directory='' AND name LIKE "runc%")
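Review bot: The new `JOIN hash ON hash.path = p.path` is an inner join, so a process whose binary cannot be hashed (deleted from disk or unreadable) disappears from the result instead of being reported with a NULL `sha256`; those are the rows a query that appears to hunt processes in unexpected directories should keep, so `LEFT JOIN hash ON hash.path = p.path` is safer, and the same applies to the `hash`/`signature` joins added to the event_taps and launchd queries in this commit. In the second hunk, the new `'/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/Resources/Python.app/Contents/MacOS'` list entry is already covered by the new `directory NOT LIKE '/Library/Developer/CommandLineTools/Library/%'` in the third hunk, so one of the two can go. The `WHERE` continues between and past the hunks.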


@ -1,4 +1,8 @@
SELECT * FROM launchd WHERE run_at_load = 1
SELECT label, name, path, program, program_arguments, signature.authority, signature.identifier, hash.sha256
FROM launchd
JOIN signature ON file.path = signature.path
JOIN hash ON file.path = hash.path
WHERE run_at_load = 1
AND NOT (path LIKE "/System/Library/Launch%/com.apple.%.plist" AND (program_arguments LIKE "/System/Library/%" OR program LIKE "/System/Library/%"))
AND NOT (path LIKE "/System/Library/Launch%/com.apple.%.plist" AND (program_arguments LIKE "/usr/sbin/%" OR program LIKE "/usr/sbin/%"))
AND NOT (path LIKE "/System/Library/Launch%/com.apple.%.plist" AND (program_arguments LIKE "/sbin/%" OR program LIKE "/sbin/%"))
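Review bot: `JOIN signature ON file.path = signature.path` and `JOIN hash ON file.path = hash.path` reference a `file` table that is not in the `FROM` list, so `file.path` cannot resolve; and with `launchd`, `signature` and `hash` each exposing a `path` column, the unqualified `path` in the select list is ambiguous. Since `launchd.path` is the plist and the executable is `program`, the joins presumably want `JOIN signature ON signature.path = launchd.program` and `JOIN hash ON hash.path = launchd.program`, with the select list qualified as `launchd.path`; confirm which binary is intended. Inner joins also drop any entry whose program cannot be signature-checked or hashed, so `LEFT JOIN` keeps unsigned or missing programs visible. The `WHERE` clause continues past the hunk.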