Fewer false positives: particularly among systemctl calls

This commit is contained in:
Thomas Stromberg 2023-01-20 08:40:08 -05:00
parent 3de05139e3
commit 8e9ae0fda3
15 changed files with 54 additions and 23 deletions


@ -114,8 +114,10 @@ WHERE
'500,/home/ko,500u,500g,ko',
'500,/home/krel,500u,500g,krel',
'500,/home/mconvert,500u,500g,mconvert',
'500,/home/Melvor Idle,500u,500g,exe',
'500,/home/nerdctl,500u,500g,nerdctl',
'500,/home/promoter,500u,500g,promoter',
'500,/home/publish-release,500u,500g,publish-release',
'500,/home/python3,500u,500g,python3',
'500,/home/slirp4netns,500u,500g,slirp4netns',
'500,/home/steam,500u,100g,steam',
@ -123,6 +125,7 @@ WHERE
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
'500,/home/steamwebhelper,500u,500g,steamwebhelper',
'500,/home/terraform,500u,500g,terraform',
'500,/home/trivy,500u,500g,trivy',
'500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
'500,/ko-app/chainctl,u,g,chainctl',
'500,/ko-app/controller,u,g,controller',
@ -185,6 +188,7 @@ WHERE
'500,/usr/go,u,g,go',
'500,/usr/grype,0u,0g,grype',
'500,/usr/gsd-datetime,0u,0g,gsd-datetime',
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
'500,/usr/htop,0u,0g,htop',
'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
@ -192,14 +196,11 @@ WHERE
'500,/usr/java,u,g,java',
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
'500,/usr/keybase,0u,0g,keybase',
'500,/home/trivy,500u,500g,trivy',
'500,/usr/ko,u,g,ko',
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/lens,0u,0g,lens',
'500,/usr/melange,u,g,melange',
'500,/usr/nautilus,0u,0g,nautilus',
'500,/home/Melvor Idle,500u,500g,exe',
'500,/usr/nix,0u,0g,nix',
'500,/usr/node,0u,0g,node',
'500,/usr/node,0u,0g,.node2nix-wrapp',
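Review bot: The `'500,/home/Melvor Idle,500u,500g,exe'` entry allowlists a binary by the generic basename `exe` under a user-writable home directory, which makes it the weakest key in this list — any file an attacker drops at a matching `~/…/Melvor Idle/…/exe` location is exempted along with the intended one. If the query exposes the full path or a hash/signature column, narrow the exception there rather than by basename; at minimum add a comment such as `-- Melvor Idle: looks like a game launcher shipped as 'exe' (verify)` so the next reader does not take `exe` for a typo. The three removed lines appear to be the same entries re-inserted in sorted position, which is fine. The `IN (...)` list begins and ends outside this hunk.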


@ -5,7 +5,7 @@
--
-- tags: transient process state often
-- platform: linux
-- interval: 900
-- interval: 600
SELECT
pe.path AS child_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
@ -67,7 +67,7 @@ WHERE
'/usr/libexec/ApplicationFirewall/socketfilterfw'
)
AND uptime.total_seconds > 30
AND pe.time > (strftime('%s', 'now') -900) -- Ignore partial table joins
AND pe.time > (strftime('%s', 'now') -600) -- Ignore partial table joins
AND pe.status == 0
AND NOT (
pe.euid > 500
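Review bot: The `-600` in `pe.time > (strftime('%s', 'now') -600)` has to stay equal to the `-- interval: 600` header, but nothing on the line says so, and the systemctl query in this same commit shows how the pair drifts apart (a `-29000` window against a 900-second interval). Add `-- must match the interval in the header above` to that line, or, if a late scheduler run dropping boundary events matters more than the occasional duplicate, make the window slightly wider than the interval (e.g. `-660`) and say why. The WHERE clause starts above this hunk.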


@ -107,7 +107,7 @@ WHERE
OR dir LIKE '~/.%'
OR dir LIKE '~/code/%'
OR dir LIKE '~/%/.config/nvim'
OR dir LIKE '~/dev/%/dots/%/.config/%'
OR dir LIKE '~/dev/%/dots/%/.config%'
OR dir LIKE '~/%/.git'
OR dir LIKE '~/%/.github%'
OR dir LIKE '~/%/github.com/%'
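Review bot: Dropping the trailing slash turns `'~/dev/%/dots/%/.config%'` into a prefix match on the last path component, so it now exempts any directory whose name merely starts with `.config` (`.config-old`, `.configs`, `.config.bak`), not just `.config` and its children. If the intent was to also match the `.config` directory itself, spell that out: `OR dir LIKE '~/dev/%/dots/%/.config'` together with the original `OR dir LIKE '~/dev/%/dots/%/.config/%'`. The WHERE clause begins above this hunk.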


@ -63,6 +63,7 @@ WHERE
'name=file,file=firefox,500',
'name=firefox-wrappe,file=firefox,500',
'name=firewalld,file=python3,0',
'name=apt,file=dash,0',
'name=gimp,file=gimp-2,500',
'name=gjs,file=gjs-console,120',
'name=gjs,file=gjs-console,42',
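Review bot: `'name=apt,file=dash,0'` exempts any root process that reports its name as `apt` while executing `dash`, keyed on name and interpreter only — a root-run `#!/bin/sh` script named `apt` anywhere on disk satisfies it, not just something under `/usr/bin`. Upstream `/usr/bin/apt` is a compiled binary as far as I know, so this shape probably comes from a wrapper or hook shell; if the query has the script path available, constrain on it, and otherwise record the observed origin, e.g. `'name=apt,file=dash,0', -- apt hook/wrapper shell seen on <distro>; verify path`. The entry also breaks the alphabetical order of the list (it sits between `firewalld` and `gimp`); move it up with the other `a` entries. The list starts and ends outside this hunk.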


@ -30,7 +30,8 @@ WHERE (
ctime_age_days > 1050
OR mtime_age_days > 1050
)
AND f.mtime > 1
-- Jan 1st, 1980 (the source of many false positives)
AND f.mtime > 315561600
AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
AND f.path NOT IN (
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
@ -44,6 +45,7 @@ WHERE (
'/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
'/opt/homebrew/Cellar/bash/5.1.16/bin/bash',
'/snap/brackets/138/opt/brackets/Brackets',
'/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
'/snap/brackets/138/opt/brackets/Brackets-node',
'/Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_14',
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
@ -54,7 +56,8 @@ WHERE (
'BluejeansHelper',
'J8RPQ294UB.com.skitch.SkitchHelper',
'Pandora',
'Pandora Helper'
'Pandora Helper',
'dlv'
)
GROUP BY p.pid,
p.path
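Review bot: The constant on `AND f.mtime > 315561600` does not match its comment: 1980-01-01 00:00 UTC is 315532800, and 315561600 is eight hours later (midnight US Pacific), so the threshold is timezone-dependent in a way the comment hides. Since FAT/ZIP timestamps are stored as local time, a file stamped 1980-01-01 in a zone west of UTC-8 (mtime 315568800 for UTC-10) still slips past the filter, while the current value delivers what the comment promises in only one zone. Pushing the cut-off a full day out makes it zone-proof: `-- 1980-01-02 00:00 UTC; the FAT/ZIP epoch (1980-01-01 local time) is a common false-positive source` followed by `AND f.mtime > 315619200`. The WHERE clause begins above this hunk.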


@ -92,6 +92,7 @@ WHERE (
'/var/.Parallels_swap/',
'/var/.pwd_cache',
'/var/root/.bash_history',
'/tmp/.go_version',
'/var/root/.cache/',
'/var/root/.CFUserTextEncoding',
'/var/root/.forward',
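Review bot: `'/tmp/.go_version'` is the only entry in this part of the list that lives in a world-writable directory, so unlike its `/var/root/...` neighbours it can be created by any local user, and the exemption would hide a hidden file planted under that exact name. If it must stay, a comment naming what writes it helps the next reviewer judge the risk, e.g. `'/tmp/.go_version', -- written by <tool, verify>; /tmp is world-writable, keep this an exact match`. The `IN (...)` list begins and ends outside this hunk.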


@ -49,12 +49,15 @@ WHERE (
OR file.path LIKE '/tmp/%/git/%'
OR file.path LIKE '/tmp/%/ci/%'
OR file.path LIKE '/tmp/kots/%'
OR file.path LIKE '/tmp/bin/%'
OR file.path LIKE '/tmp/%/github/%'
OR file.path LIKE '/tmp/terraformer/%'
OR file.path LIKE '/tmp/tmp.%'
OR file.path LIKE '/tmp/%/dist/%'
OR file.path LIKE '%/bin/%-gen'
OR file.path LIKE '/tmp/%/target/debug/build/%'
OR file.path LIKE '%/ko/%'
OR file.directory LIKE '/tmp/%/out'
OR file.path LIKE '%/pdf-tools/%'
OR file.path LIKE '%/tmp/epdf%'
OR file.path LIKE "/tmp/%/gradlew"
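Review bot: `file.path LIKE '%/ko/%'` is unanchored at both ends, so it exempts any file with a `/ko/` component anywhere in its path — an attacker who picks the drop location (`/tmp/x/ko/payload`) satisfies it trivially — whereas every neighbouring pattern is anchored at `/tmp/`. Anchor it to where ko actually writes, e.g. `OR file.path LIKE '/tmp/ko/%'` or `OR file.path LIKE '/tmp/%/ko/%'`, whichever matches the observed paths. The same reasoning argues for narrowing `'/tmp/bin/%'`, since `/tmp/bin` is exactly where a dropper would stage a binary; at least add a comment naming the tool that creates it. The WHERE clause begins outside this hunk.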


@ -11,7 +11,7 @@ SELECT
pe.pid,
pe.cmdline,
REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
REGEX_MATCH (pe.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (pe.cmdline, '[ /](\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port,
REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
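Review bot: The new `ip` pattern `'[ /](\d+\.\d+\.\d+\.\d+)[:/]'` still requires a `:` or `/` immediately after the address, so a bare target such as `nc 10.0.0.5 4444` or an address at the very end of the command line is not extracted, and an address introduced by `=` or `@` (`--host=10.0.0.5`, `user@10.0.0.5`) fails the left-hand class. Assuming osquery's RE2-backed REGEX_MATCH, `'(?:^|[ /@=])(\d+\.\d+\.\d+\.\d+)(?:[:/ ]|$)'` covers those cases while keeping the capture group at position 1 and still matching the `//` form the old regex handled. The SELECT list continues outside this hunk.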


@ -47,6 +47,7 @@ WHERE
'500,bufls,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,cloud_sql_proxy,a.out,',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
@ -71,6 +72,7 @@ WHERE
'500,registry-redirect,a.out,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
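Review bot: `'500,sdaudioswitch,,'` exempts a process by name alone — both the identifier and the signing-authority fields are empty — so any unsigned binary named `sdaudioswitch` run by a uid-500 user matches, which defeats the purpose of a signature-based check; the neighbouring `'500,sdzoomplugin,,'` has the same shape. If the real helper ships unsigned, key on its identifier or path instead, or record the decision inline, e.g. `'500,sdaudioswitch,,', -- <vendor> helper ships unsigned (verify); name-only match accepted`. The `Mattermost Helper (GPU)` entry, by contrast, pins both identifier and authority and is the shape the rest of the list should follow. The `IN (...)` list begins and ends outside this hunk.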


@ -65,10 +65,14 @@ WHERE pe.path = '/usr/bin/xattr'
pe.euid > 500
AND cmd LIKE '%xattr -l %'
)
AND NOT (
pe.euid > 500
AND cmd LIKE '%xattr -p com.apple.quarantine %'
)
AND NOT (
pe.euid > 500
AND cmd = '/usr/bin/xattr -h'
AND parent_cmd LIKE '%/opt/homebrew/bin/brew%'
AND parent_cmd LIKE '%homebrew%'
)
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
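Review bot: Loosening `parent_cmd LIKE '%/opt/homebrew/bin/brew%'` to `'%homebrew%'` turns a path anchor into an unanchored substring match: any parent whose command line mentions `homebrew` anywhere (an argument, a file name) now suppresses the `xattr -h` alert, and because SQLite `LIKE` is case-insensitive for ASCII it also matches `Homebrew`. If the intent was to cover Intel installs under `/usr/local` as well, anchor on both prefixes instead: `AND (parent_cmd LIKE '/opt/homebrew/%' OR parent_cmd LIKE '/usr/local/Homebrew/%' OR parent_cmd LIKE '/usr/local/bin/brew%')`, adjusted to the parent command lines actually observed. The new `xattr -p com.apple.quarantine %` exemption is a read-only query and looks fine. The WHERE clause starts above this hunk.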


@ -122,6 +122,7 @@ WHERE
'discord.com',
'dl.discordapp.net',
'obsproject.com',
'getkap.co',
'www.messenger.com',
'brave.com',
'emacsformacosx.com',


@ -74,6 +74,7 @@ WHERE
'make',
'monorail',
'ninja',
'update-notifier',
'nix',
'nix-build',
'nix-daemon',
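Review bot: `'update-notifier'` is inserted between `ninja` and `nix`, breaking the alphabetical order the rest of this list follows; move it down after the `n` entries so duplicates stay easy to spot. The list begins and ends outside this hunk.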


@ -5,7 +5,7 @@
--
-- tags: transient process state often
-- platform: linux
-- interval: 900
-- interval: 300
SELECT
pe.path AS child_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
@ -66,11 +66,22 @@ WHERE
'/bin/systemctl',
'/sbin/systemctl'
)
AND pe.time > (strftime('%s', 'now') -29000) -- Ignore partial table joins
AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
AND NOT exception_key IN (
'systemctl,0,apt-helper,'
'systemctl,0,apt-helper,',
'systemctl,500,systemd,',
'systemctl,0,dash,logrotate',
'systemctl,0,,containerd-shim-runc-v2'
)
AND NOT child_cmd IN (
'systemctl status kubelet',
'systemctl stop kubelet',
'/sbin/runlevel'
)
-- apt-helper form
AND NOT child_cmd LIKE 'systemctl is-active -q %.service'
AND NOT child_cmd LIKE 'systemctl show --property=%'
AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
GROUP BY
pe.pid
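Review bot: `'systemctl stop kubelet'` in the new `child_cmd NOT IN (...)` exemption is matched on the command line alone, with no parent, uid or path constraint, so any process that stops the node agent this way is silenced — and that is precisely the action an intruder on a node would take to blind the cluster. Keep the read-only `systemctl status kubelet` there, but move the `stop` case into the `exception_key` list so it is tied to the expected parent (e.g. `'systemctl,0,<expected parent>,'`), or at minimum gate it on `pe.euid = 0` and record which tooling issues it. If I am reading the key format right, `'systemctl,0,,containerd-shim-runc-v2'` has a similar weakness: the empty third field exempts the shim regardless of what sits between it and systemctl. Bringing the window to `-300` in step with the new interval fixes the stale `-29000`, which is good. The WHERE clause begins above this hunk.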


@ -136,17 +136,20 @@ WHERE
)
-- Because I don't want to whitelist all of Python3
AND p.cmdline NOT IN (
'xargs logger -s',
'/usr/bin/xargs',
'/usr/bin/python3 /usr/sbin/lvmdbusd',
'/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held',
'/sbin/init splash',
'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid',
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
'/usr/bin/python /usr/bin/firewalld --nofork --nopid',
'/usr/bin/python3 /usr/libexec/blueman-mechanism',
'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
'/usr/bin/python3 /usr/lib/pop-transition/service.py',
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
'/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
'/usr/bin/python3 /usr/bin/unattended-upgrade --download-only',
'/usr/bin/python3 /usr/libexec/blueman-mechanism',
'/usr/bin/python3 /usr/lib/pop-transition/service.py',
'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
'/usr/bin/python3 /usr/sbin/lvmdbusd',
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
'/usr/bin/python /usr/bin/firewalld --nofork --nopid',
'/usr/bin/xargs',
'xargs logger -s'
)
AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
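Review bot: The comment above the list, `-- Because I don't want to whitelist all of Python3`, no longer describes it: the reordered list now also carries non-Python entries such as `'/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held'` and `'/sbin/init splash'`. Reword it to something like `-- Exact command lines exempted one by one (mostly python3 scripts, to avoid whitelisting the interpreter wholesale)`. It is also worth one line noting that these are exact-argv matches, so a process that reproduces the same command line is exempt too — inherent to the approach, but the reader should not mistake it for a path or hash check. The WHERE clause starts above this hunk.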


@ -12,4 +12,4 @@ FROM
os_version,
uptime
WHERE
uptime.days > 90;
uptime.days > 89;