RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #177 from tstromberg/wutang 

New detector: unexpected ssh-authorized-keys
This commit is contained in:
Thomas Strömberg 2023-02-14 20:36:58 -05:00 committed by GitHub
parent be02e9f785 ec675bfb8d
commit a4ae39a66c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
detection/persistence/unexpected-ssh-authorized-keys.sql Normal file
View File

@ -0,0 +1,29 @@
-- Find unexpected SSH authorized keys
--
-- references:
-- * https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/
-- * https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
-- * https://attack.mitre.org/techniques/T1098/004/
-- * https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html
--
-- tags: persistent state filesystem
-- platform: posix
SELECT file.path,
file.uid,
file.gid,
file.atime,
file.mtime,
file.ctime,
file.size,
hash.sha256,
users.username,
users.uid AS u_uid
FROM users
JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
JOIN hash ON file.path = hash.path
WHERE file.uid != u_uid
OR file.uid < 500
OR (
file.path NOT LIKE '/home/%'
AND file.path NOT LIKE '/Users/%'
)