Merge another day's worth of false positives

Thomas Stromberg 2022-10-27 10:23:15 -04:00
parent aa4c6ce411
commit a00af6c1fa
19 changed files with 70 additions and 20 deletions


@ -80,6 +80,7 @@ WHERE
AND exception_key NOT IN (
'coredns,0.0.0.0,53',
'nessusd,50.16.123.71,53',
'Arc Helper,1.0.0.1,53',
'syncthing,46.162.192.181,53'
)
-- Local DNS servers and custom clients go here
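Review bot: The new `'Arc Helper,1.0.0.1,53'` entry is keyed only on a process name plus destination, and the process name is chosen by whoever launches the binary, so any program calling itself `Arc Helper` that talks to 1.0.0.1:53 is now exempt from this rule. If the outer query (its SELECT is outside this hunk) has `p.path` or a signature column available, folding one of them into `exception_key` would tie the exemption to the real Arc helper rather than to its name. The trailing `-- Local DNS servers and custom clients go here` comment now sits after the closing `)` of the list it appears to describe; moving it above the `NOT IN (` line would make it read as the list's heading.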


@ -66,6 +66,7 @@ WHERE
AND NOT exception_key IN (
'0,/opt/snapd,0u,0g,snapd',
'0,/usr/bash,0u,0g,mkinitcpio',
'0,/usr/containerd,u,g,containerd',
'0,/usr/dockerd,0u,0g,dockerd',
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
'0,/usr/launcher,0u,0g,launcher',
@ -75,6 +76,7 @@ WHERE
'0,/usr/python3.10,0u,0g,dnf',
'0,/usr/tailscaled,0u,0g,tailscaled',
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,/usr/http,0u,0g,https',
'500,/app/slack,u,g,slack',
'500,/app/thunderbird,u,g,thunderbird',
'500,/app/zoom.real,u,g,zoom.real',
@ -93,6 +95,7 @@ WHERE
'500,/opt/slack,0u,0g,slack',
'500,/opt/spotify,0u,0g,spotify',
'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,/usr/cargo,0u,0g,cargo',
'500,/usr/chainctl,0u,0g,chainctl',
'500,/usr/chrome,0u,0g,chrome',
'500,/usr/code,0u,0g,code',
@ -110,10 +113,13 @@ WHERE
'500,/usr/go,500u,500g,go',
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
'500,/usr/java,0u,0g,java',
'500,/home/grype,500u,500g,grype',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/signal-desktop,0u,0g,signal-desktop',
'500,/usr/slack,0u,0g,slack',
'500,/usr/syncthing,0u,0g,syncthing',
'500,/usr/terraform,0u,0g,terraform',
'500,/usr/trivy,0u,0g,trivy',
'500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,/usr/xmobar,0u,0g,xmobar',
'500,/usr/yay,0u,0g,yay'
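Review bot: `'500,/home/grype,500u,500g,grype'` exempts a user-owned binary living somewhere under `/home` purely by its name and first path component, so any file named `grype` that a uid-500 user drops under their home directory is masked in the same way. The other entries in this list point under `/usr`, `/opt` or `/app`, which are at least not user-writable; for a binary under `/home` a narrower exception (the full path, or a hash-based allowlist if the outer query exposes one) keeps the check meaningful. The layout of `exception_key` is not visible in this hunk, so the field meanings above are inferred from the values.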


@ -86,6 +86,7 @@ WHERE
'143,6,500,/app/thunderbird,u,g,thunderbird',
'22000,6,500,/usr/syncthing,0u,0g,syncthing',
'22,6,500,/usr/ssh,0u,0g,ssh',
'3478,6,500,/opt/chrome,0u,0g,chrome',
'4070,6,500,/opt/spotify,0u,0g,spotify',
'5228,6,500,/opt/chrome,0u,0g,chrome',
'5228,6,500,/usr/chrome,0u,0g,chrome',
@ -95,9 +96,11 @@ WHERE
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
'80,6,0,/usr/packagekitd,0u,0g,packagekitd',
'80,6,0,/usr/pacman,0u,0g,pacman',
'80,6,500,/usr/pacman,0u,0g,pacman',
'80,6,0,/usr/python3.10,0u,0g,yum',
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,105,/usr/http,0u,0g,http',
'80,6,500,/app/thunderbird,u,g,thunderbird',
'80,6,500,/opt/chrome,0u,0g,chrome',
'80,6,500,/opt/firefox,0u,0g,firefox',
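Review bot: The added `'80,6,500,/usr/pacman,0u,0g,pacman'` entry sits between the uid-0 pacman line and the uid-0 python3.10 line, while the rest of this list is ordered by port, protocol, uid and then path (the `80,6,0` group, then `80,6,105`, then `80,6,500`); moving it after the `80,6,105` entry keeps the grouping scannable. It is also worth confirming what drove it: pacman presumably performs its sync and download work as root, so an unprivileged pacman opening port-80 connections is an unusual shape for a permanent exception rather than a one-off investigation.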


@ -183,6 +183,7 @@ WHERE
'443,6,500,git-remote-http,git-remote-http-555549448cff17dcad50330caee64c85205e6a99,',
'443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,',
'443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
'443,6,500,git-remote-http,git-remote-http-55554944e0748565fb2d356b9eb3edf61873140d,',
'443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,',
'443,6,500,gitsign,,',
'443,6,500,gitsign,a.out,',
@ -224,6 +225,7 @@ WHERE
'443,6,500,Slack Helper,,',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'443,6,500,step,step,',
'443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
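Review bot: The `git-remote-http-55554944…` entries are now five near-identical lines that differ only in a per-build suffix, and each new git build will add another one. Since these entries already carry an empty authority field, a single `AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%,'` clause beside the `NOT IN (...)` list would lose no signing check while stopping the list from growing. The enclosing WHERE begins outside this hunk, so that clause would have to be placed wherever the list is closed.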


@ -33,6 +33,7 @@ WHERE
AND p.path NOT IN (
'/bin/bash',
'/opt/homebrew/bin/qemu-system-aarch64',
'/usr/bin/apt',
'/usr/bin/aptd',
'/usr/bin/bash',
'/usr/bin/bwrap',
@ -41,6 +42,7 @@ WHERE
'/usr/bin/dockerd',
'/usr/bin/fish',
'/usr/bin/gnome-shell',
'/usr/bin/gnome-software',
'/usr/bin/make',
'/usr/bin/melange',
'/usr/bin/qemu-system-x86_64',
@ -96,14 +98,14 @@ WHERE
'containerd',
'esbuild',
'firefox',
'fsdaemon',
'go',
'grype',
'goland',
'java',
'launcher',
'gopls',
'grype',
'java',
'jetbrains-toolb',
'slack',
'launcher',
'slack',
'wineserver'
)


@ -79,6 +79,7 @@ WHERE
'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
'chrome,chrome,~/.config/google-chrome',
'firefox,.firefox-wrappe,~/.cache/mozilla',
'firefox,Web Content,~/.mozilla/firefox',
'firefox,.firefox-wrappe,~/.mozilla/firefox',
'firefox,file:// Content,~/.mozilla/firefox',
'firefox,firefox,~/.cache/mozilla',


@ -1,4 +1,4 @@
-- Programs running with a hidden current working directory
-- Programs running with a hidden current working directory (state-based)
--
-- false positives:
-- * Users rummaging through their configuration files
@ -68,9 +68,11 @@ WHERE
'npm install,~/.npm/_cacache',
'mysqld,~/.local/share'
)
OR exception_key LIKE '%sh,~/.Trash/%'
OR dir IN (
'~/.config',
'~/.vim',
'~/.terraform.d',
'~/.cache/yay',
'~/.local/share/chezmoi',
'~/.local/share/nvim',
@ -104,4 +106,7 @@ WHERE
OR dir LIKE '~/%/.terraform%'
OR dir LIKE '~/.vscode/extensions/%'
OR dir LIKE '~/.zsh/%'
OR dir LIKE '~/%/.git'
-- For sudo calls to other things
OR (dir LIKE '/home/.terraform.d/%' AND p.euid = 0)
)
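Review bot: `OR exception_key LIKE '%sh,~/.Trash/%'` uses a leading wildcard, so it matches any process whose name ends in `sh` (`ssh`, `mosh`, or an arbitrary binary renamed to `xsh`) with a working directory under `~/.Trash`, not only interactive shells. If the intent is bash/zsh/fish, enumerating them keeps the exception precise, e.g. `OR (p.name IN ('bash', 'zsh', 'fish') AND dir LIKE '~/.Trash/%')`, assuming `p` is the processes alias already used for `p.euid` in this clause. The `'/home/.terraform.d/%' AND p.euid = 0` branch would also benefit from a one-line comment explaining why the home path appears there without a user component.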


@ -60,6 +60,7 @@ WHERE
'cmac',
'configfs',
'coretemp',
'cpuid',
'cqhci',
'crc16',
'crc32c_generic',
@ -194,6 +195,7 @@ WHERE
'ip6table_nat',
'ip6table_raw',
'ip6_tables',
'ip6table_security',
'ip6t_REJECT',
'ip6t_rpfilter',
'ip6t_rt',


@ -14,11 +14,14 @@ SELECT
file.mtime,
file.size,
hash.sha256,
magic.data
magic.data,
signature.authority,
signature.identifier
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN signature ON file.path = signature.path
WHERE
(
-- This list is the result of multiple queries combined and can likely be minimized
@ -42,6 +45,7 @@ WHERE
AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
AND file.path NOT LIKE '/var/tmp/epdfinfo%'
AND file.path NOT LIKE '/var/folders%/T/sp_relauncher'
AND file.path NOT LIKE '/var/folders/pv/%/C/com.apple.FontRegistry/annex_aux'
AND (
file.mode LIKE '%7%'
or file.mode LIKE '%5%'
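Review bot: The new exclusion `'/var/folders/pv/%/C/com.apple.FontRegistry/annex_aux'` hard-codes `pv`, which is the per-user two-character bucket macOS puts in front of the user's temp tree, so this line only silences the finding on the one machine it was observed on. The neighbouring `'/var/folders%/T/sp_relauncher'` already wildcards that component; `AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'` would do the same here. The new `LEFT JOIN signature` runs a code-signature check for every candidate `file.path` on top of the hash and `magic` lookups, which is likely the most expensive part of this query; a short comment saying so would warn against widening the path filters below without thinking about cost.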


@ -103,7 +103,7 @@ WHERE
OR cmd LIKE '%sh -i'
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR cmd LIKE '%Socket.%'
OR (cmd LIKE '%Socket.%' AND NOT cmd LIKE '%ipc-socket%')
) -- Things that could reasonably happen at boot.
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
@ -135,3 +135,4 @@ WHERE
AND NOT cmd IN ('lsmod')
-- Seen on Ubuntu
AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg'
AND NOT cmd LIKE 'rm -f /var/tmp/mkinitramfs_%'
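Review bot: `AND NOT cmd LIKE '%ipc-socket%'` is a negative substring match on the process command line, which the process itself controls, so appending `ipc-socket` anywhere to an otherwise-flagged command (a comment, a dummy argument) now bypasses the `%Socket.%` rule entirely. Tie the carve-out to the program that produced the false positive instead, e.g. `AND NOT (p.name = '<that program>' AND cmd LIKE '%ipc-socket%')`, or match the exact benign command line the way the `rm -f /tmp/apt-key-gpghome.%` line below does. The `p` alias is in use in this hunk, but the program behind `ipc-socket` is not visible, so the name has to be filled in from the original finding.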


@ -37,6 +37,7 @@ WHERE
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
AND p.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
-- These are binaries that get installed/updated often enough that we should just mask them
AND NOT p.path IN (
'',
'/opt/google/chrome/chrome',
@ -46,6 +47,9 @@ WHERE
'/usr/bin/dockerd',
'/usr/bin/gedit',
'/usr/bin/obs',
'/usr/bin/docker-proxy',
'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/snapd/snapd',
'/usr/bin/pipewire',
'/usr/bin/tailscaled',
'/usr/bin/udevadm',
@ -68,6 +72,7 @@ WHERE
'/usr/lib/systemd/systemd-timesyncd',
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/bin/containerd-shim-runc-v2',
'/usr/sbin/chronyd',
'/usr/sbin/cupsd',
'/usr/sbin/tailscaled'
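Review bot: `AND p.start_time >= MAX(f.ctime, f.ctime)` compares against `ctime` twice while the line above it uses `MAX(f.ctime, f.btime)`; this looks like a typo that makes the lower bound ignore `btime`, so `AND p.start_time >= MAX(f.ctime, f.btime)` is presumably what was meant. It is a context line rather than part of this change, but the commit touches the same clause. Separately, `'/usr/bin/docker-proxy'` and `'/usr/bin/containerd-shim-runc-v2'` were appended out of the `/usr/bin` → `/usr/lib` → `/usr/sbin` ordering the list otherwise follows, and masking `/usr/lib/google-cloud-sdk/.../python3` masks every script that interpreter runs, which deserves a comment given the header says these are frequently updated binaries.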


@ -52,6 +52,7 @@ WHERE
'Developer ID Application: Galvanix (5BRAQAFB8B)',
'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: GitHub (VEKTX9H2N7)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
@ -83,6 +84,7 @@ WHERE
AND NOT p.path LIKE '/private/var/folders/%/T/pulumi-go.%'
AND NOT p.path LIKE '/Users/%/bin/%'
AND NOT p.path LIKE '/Users/%/code/%'
AND NOT p.path LIKE '/Users/%/src/%'
AND NOT p.path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
AND NOT p.path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
AND NOT p.path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
@ -94,6 +96,7 @@ WHERE
AND NOT p.path LIKE '/usr/local/Cellar/%'
AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND NOT p.path LIKE '%/.vscode/extensions/%'
AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
AND NOT (
p.path LIKE '/Users/%'
AND p.uid > 499
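Review bot: `AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'` exempts a binary in a user-writable cache directory by path alone, although the same commit records Snyk's signing authority (`Developer ID Application: Snyk Limited (97QYW7LHSF)`) in another file. Adding that authority to the `Developer ID Application:` list above (the column it is compared against is outside this hunk) is the narrower fix: it covers the snyk CLI wherever it runs from and does not cover an arbitrary file someone places at that path. The new `'/Users/%/src/%'` carve-out follows the existing `bin` and `code` ones but silently covers every executable under a user's source tree, so a one-line comment stating that trade-off would help the next reader.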


@ -80,6 +80,7 @@ WHERE
OR parent_cmdline LIKE '/nix/store/%-builder.sh'
OR p.cmdline LIKE 'git %'
OR p.cmdline LIKE '%LICENSES/vendor/%'
OR p.cmdline LIKE 'curl -sL wttr.in%'
OR p.cmdline LIKE '%localhost:%'
OR p.cmdline LIKE '%127.0.0.1:%'
OR p.name IN ('apko')


@ -96,6 +96,7 @@ WHERE
AND dirname NOT LIKE '/usr/libexec/%'
AND dirname NOT LIKE '/usr/local/%'
AND dirname NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
AND dirname NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
-- Unexplained data issue
AND dirname NOT LIKE '../%'
AND p.path NOT IN (
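Review bot: `'/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'` exempts an executable directory under `/private/tmp`, which is world-writable, so any local user or process can recreate that path and run from it unflagged. The installer that legitimately uses it is Google's, so if this query has a signing authority available (not visible in this hunk), pairing the path with `Developer ID Application: Google LLC (EQHXZ8M8AV)`, which the commit already lists elsewhere, keeps the exemption bound to the real installer. Otherwise a comment noting that this is a deliberately path-only exception on a world-writable directory is warranted.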


@ -48,6 +48,7 @@ WHERE
p.path = '/usr/bin/osascript'
AND p.time > (strftime('%s', 'now') -60)
AND exception_key NOT IN (
',,osascript',
'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss'
)
AND cmd NOT IN ('osascript -e user locale of (get system info)')
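Review bot: The new `',,osascript'` exception, read against the existing `'com.vng.zalo,Developer ID Application: ...,osascript -ss'` entry, appears to mean no parent identifier, no parent signing authority, and a bare `osascript` command with no arguments. Run without a script argument osascript reads the script from stdin, so this exempts exactly the `echo '<script>' | osascript` shape from an unsigned or unknown parent, which is the case this rule most wants to see. If the false positive came from a specific parent, narrow the key with that parent's name or path instead; the key layout is inferred from the values here, as its definition is outside this hunk.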


@ -39,13 +39,14 @@ WHERE
'emacs',
'firefox',
'fish',
'fleet_backend',
'fsdaemon',
'GoogleSoftwareUpdateAgent',
'gopls',
'java',
'launcher',
'LogiFacecamService',
'nautilus',
'systemd',
'nessusd',
'nix',
'osqueryd',
@ -53,18 +54,22 @@ WHERE
'qemu-system-x86',
'qemu-system-x86-64',
'slack',
'systemd',
'wineserver',
'ykman-gui',
'zsh'
)
AND NOT p.path IN (
'/usr/bin/apt',
'/usr/bin/darktable',
'/usr/bin/dockerd',
'/usr/bin/gnome-shell',
'/usr/bin/udevadm',
'/usr/libexec/aned',
'/usr/libexec/coreduetd',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/logd',
'/usr/libexec/logd_helper',
'/usr/libexec/packagekitd',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/signpost_reporter',


@ -10,6 +10,8 @@
SELECT
description AS 'desc',
fragment_path AS path,
MAX(user, "root") AS effective_user,
following,
hash.sha256,
file.ctime,
file.size,
@ -381,9 +383,10 @@ WHERE
'zpool-trim.timer,zpool-trim.timer,,0'
)
OR exception_key LIKE 'machine-qemu%,Virtual Machine qemu%,,300'
OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,200'
OR id LIKE 'blockdev@dev-mapper-luks%.target'
OR id LIKE 'blockdev@dev-mapper-nvme%.target'
OR id LIKE 'dbus-:%-org.freedesktop.problems@0.service'
OR id LIKE ''
OR id LIKE 'dev-disk-by%.swap'
OR id LIKE 'dev-mapper-%.swap'
OR id LIKE 'dev-zram%.swap'
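Review bot: `MAX(user, "root") AS effective_user` does not default a missing user to root: SQLite's scalar `MAX` compares the strings, so `MAX('nobody', 'root')` yields `'root'` (wrong) while `MAX('systemd-network', 'root')` yields `'systemd-network'`, and a NULL `user` yields NULL rather than root. `COALESCE(NULLIF(user, ''), 'root') AS effective_user` expresses the intended fallback for both empty and NULL values. Use single quotes for the literal as well: `"root"` is an identifier in SQLite and only degrades to a string because no such column exists, a fallback that is unavailable when the engine is built with `SQLITE_DQS=0`.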


@ -50,6 +50,8 @@ WHERE
'/usr/bin/containerd',
'/usr/bin/containerd-shim-runc-v2',
'/usr/bin/crond',
'/usr/bin/dbus-daemon',
'/usr/bin/dbus-launch',
'/usr/bin/dockerd',
'/usr/bin/docker-proxy',
'/usr/bin/fish',
@ -61,10 +63,6 @@ WHERE
'/usr/bin/pacman',
'/usr/bin/sshd',
'/usr/bin/tailscaled',
'/usr/libexec/xdg-permission-store',
'/usr/libexec/xdg-document-portal',
'/usr/bin/dbus-daemon',
'/usr/bin/dbus-launch',
'/usr/bin/wpa_supplicant',
'/usr/libexec/accounts-daemon',
'/usr/libexec/docker/docker-proxy',
@ -76,8 +74,11 @@ WHERE
'/usr/libexec/snapd/snapd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/libexec/udisks2/udisksd',
'/usr/libexec/xdg-document-portal',
'/usr/libexec/xdg-permission-store',
'/usr/lib/flatpak-system-helper',
'/usr/lib/gdm-session-worker',
'/usr/lib/snapd/snapd',
'/usr/lib/software-properties/software-properties-dbus',
'/usr/lib/systemd/systemd',
'/usr/lib/systemd/systemd-homed',


@ -36,20 +36,19 @@ WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid
AND p.path NOT IN (
'/bin/ps',
'/usr/bin/doas',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/login',
'/usr/bin/sudo',
'/usr/bin/doas',
'/bin/ps',
'/usr/bin/top'
'/usr/bin/top',
'/usr/lib/snapd/snap-confine',
'/usr/lib/snapd/snap-update-ns'
)
AND p.path NOT LIKE '/nix/store/%/bin/sudo'
AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
AND NOT (
p.path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
AND parent_path = '/usr/lib/systemd/systemd'
)
AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
AND NOT (
child_name = 'polkit-agent-helper-1'
AND parent_path = '/usr/bin/gnome-shell'
@ -58,3 +57,7 @@ WHERE
child_name = 'fusermount3'
AND parent_path = '/usr/lib/xdg-document-portal'
)
AND NOT (
child_name IN ('dash', 'pkexec')
AND parent_path = '/usr/bin/update-notifier'
)
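Review bot: The snap-confine exception lost its parent constraint: the old clause required `parent_path = '/usr/lib/systemd/systemd'`, while the new `AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'` (plus the two new `/usr/lib/snapd/` entries) exempts the setuid helper no matter who launched it, in a rule whose purpose is to spot a child with a lower euid than its parent. snap-confine is typically started either by systemd or by a user's `/usr/bin/snap`, so if the latter was the false positive, enumerating the parents keeps the check, e.g. `AND NOT (p.path LIKE '%/snapd/snap-confine' AND parent_path IN ('/usr/lib/systemd/systemd', '/usr/bin/snap'))`. Likewise `child_name IN ('dash', 'pkexec') AND parent_path = '/usr/bin/update-notifier'` exempts any root `dash` under update-notifier; restricting `dash` to the `pkexec`-launched case, or at least commenting why a root shell there is expected, would document the trade-off.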