Add detectors for the reveng_rtkit rootkit

Thomas Stromberg 2023-02-23 17:05:11 -05:00
parent 0cba2837bc
commit a7c2ef97e1
3 changed files with 291 additions and 0 deletions


@ -0,0 +1,37 @@
-- Finds processes that are apparently hidden by a rootkit
--
-- references:
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
--
-- Confirmed to catch revenge-rtkit
--
-- false positives:
-- * custom kernel modules
--
-- tags: persistent kernel state
-- platform: linux
WITH RECURSIVE cnt(x) AS (
SELECT 1
UNION ALL
SELECT x + 1
FROM cnt
LIMIT 32768
)
SELECT p.*
FROM cnt
JOIN processes p ON x = p.pid
WHERE x NOT IN (
SELECT pid
FROM processes
)
AND p.start_time < (strftime('%s', 'now') - 1) -- Improve how we filter tasks out.
-- This is not very precise. What we really want to do is verify that
-- this pid is not listed as a task of any other pid
AND (
p.pgroup = p.pid
OR (
p.pid = p.parent
AND p.threads = 1
)
)
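Review bot: The candidate range is capped by the literal `LIMIT 32768` on line 30, so a hidden process whose pid is above that is never probed; many 64-bit hosts run with `kernel.pid_max` raised well above 32768, so the bound should be read from `system_controls` rather than hard-coded, e.g. `LIMIT (SELECT CAST(current_value AS INTEGER) FROM system_controls WHERE name = 'kernel.pid_max')`, bearing in mind that each extra candidate costs one per-pid lookup. The `JOIN processes p ON x = p.pid` followed by `WHERE x NOT IN (SELECT pid FROM processes)` reads as a contradiction and deserves a comment stating the mechanism it presumably relies on: `-- A pid-constrained lookup resolves /proc/<pid> directly, while the unconstrained subquery enumerates /proc; a pid that resolves but is absent from the listing is being hidden (TODO confirm against the processes table implementation)`. The trailing `-- Improve how we filter tasks out.` on line 39 belongs on its own line above the predicate it describes.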


@ -0,0 +1,29 @@
-- Unusually tainted kernel - via a loaded kernel module
--
-- references:
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
-- * https://docs.kernel.org/admin-guide/tainted-kernels.html
--
-- Confirmed to catch revenge-rtkit
--
-- false positives:
-- * custom kernel modules
--
-- tags: persistent kernel state
-- platform: linux
--
-- 12289 is an unsigned, out of tree, proprietary driver
-- 4097 is a signed, out of tree, proprietary driver
SELECT current_value AS value,
current_value & 65536 AS is_aux,
current_value & 8192 is_unsigned,
current_value & 4096 AS out_of_tree,
current_value & 512 AS kernel_warning,
current_value & 614 AS requested_by_userspace,
current_value & 8 AS force_unloaded,
current_value & 4 AS out_of_spec,
current_value & 2 AS force_loaded,
current_value & 1 AS proprietary
FROM system_controls
WHERE name = "kernel.tainted"
AND current_value NOT IN (0, 12289, 4097)
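Review bot: The mask `614` on line 74 is not a single taint bit; per the tainted-kernels document referenced in the header, "taint requested by userspace application" is bit 6, so the column should be `current_value & 64 AS requested_by_userspace,` — as written it also lights up for the warning, bad-page, out-of-spec and force-loaded bits, which silently mislabels those conditions. Line 71 is missing `AS` before `is_unsigned`, unlike every sibling column. The filter on line 80 uses a double-quoted string literal (`"kernel.tainted"`), which SQLite only accepts as a legacy fallback when no matching identifier exists; `WHERE name = 'kernel.tainted'` is the portable form, and the same applies to the `"0"` … `"9"` arguments in the REPLACE chain of the third file.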


@ -0,0 +1,225 @@
-- Finds unexpected device names, sometimes used for communication to a rootkit
--
-- references:
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
--
-- Confirmed to catch revenge-rtkit
--
-- false positives:
-- * custom kernel modules
--
-- tags: persistent filesystem state
-- platform: linux
SELECT -- Remove numerals from device names
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
DISTINCT REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(REPLACE(path, "0", ""), "1", ""),
"2",
""
),
"3",
""
),
"4",
""
),
"5",
""
),
"6",
""
),
"7",
""
),
"8",
""
),
"9",
""
) AS path_expr,
file.*
FROM file
WHERE (
path LIKE '/dev/%'
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
'/dev/block/:',
'/dev/bsg/',
'/dev/bsg/:::',
'/dev/btrfs-control',
'/dev/bus/',
'/dev/bus/usb',
'/dev/cdrom',
'/dev/char/',
'/dev/char/:',
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
'/dev/disk/by-diskseq',
'/dev/disk/by-id',
'/dev/disk/by-label',
'/dev/disk/by-partlabel',
'/dev/disk/by-partuuid',
'/dev/disk/by-path',
'/dev/disk/by-uuid',
'/dev/dm-',
'/dev/dma_heap/',
'/dev/dma_heap/system',
'/dev/dri/',
'/dev/dri/by-path',
'/dev/dri/card',
'/dev/dri/renderD',
'/dev/drm_dp_aux',
'/dev/dvd',
'/dev/ecryptfs',
'/dev/fb',
'/dev/fd/',
'/dev/full',
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/hugepages/libvirt',
'/dev/hwrng',
'/dev/ic-',
'/dev/iio:device',
'/dev/initctl',
'/dev/input/',
'/dev/input/by-id',
'/dev/input/by-path',
'/dev/input/event',
'/dev/input/js',
'/dev/input/mice',
'/dev/input/mouse',
'/dev/kfd',
'/dev/kmsg',
'/dev/kvm',
'/dev/log',
'/dev/loop',
'/dev/loop-control',
'/dev/lp',
'/dev/mapper/',
'/dev/mapper/control',
'/dev/mcelog',
'/dev/media',
'/dev/mei',
'/dev/mem',
'/dev/mqueue/',
'/dev/mtd',
'/dev/mtdro',
'/dev/net/',
'/dev/net/tun',
'/dev/ngn',
'/dev/null',
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvme',
'/dev/nvmen',
'/dev/nvmenp',
'/dev/nvram',
'/dev/port',
'/dev/ppp',
'/dev/pps',
'/dev/psaux',
'/dev/ptmx',
'/dev/ptp',
'/dev/pts/',
'/dev/pts/ptmx',
'/dev/random',
'/dev/rfkill',
'/dev/rpool/',
'/dev/rpool/keystore',
'/dev/rtc',
'/dev/sda',
'/dev/sg',
'/dev/shm/',
'/dev/snapshot',
'/dev/snd/',
'/dev/snd/by-id',
'/dev/snd/by-path',
'/dev/snd/controlC',
'/dev/snd/hwCD',
'/dev/snd/pcmCDc',
'/dev/snd/pcmCDp',
'/dev/snd/seq',
'/dev/snd/timer',
'/dev/sr',
'/dev/stderr',
'/dev/stdin',
'/dev/stdout',
'/dev/tpm',
'/dev/tpmrm',
'/dev/tty',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/udmabuf',
'/dev/uhid',
'/dev/uinput',
'/dev/urandom',
'/dev/usb/',
'/dev/usb/hiddev',
'/dev/usbmon',
'/dev/userfaultfd',
'/dev/userio',
'/dev/vboxdrv',
'/dev/vboxdrvu',
'/dev/vboxnetctl',
'/dev/vboxusb/',
'/dev/vcs',
'/dev/vcsa',
'/dev/vcsu',
'/dev/vda',
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vgubuntu/',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/vhost-net',
'/dev/vhost-vsock',
'/dev/video',
'/dev/vl/',
'/dev/vl/by-id',
'/dev/vl/by-path',
'/dev/watchdog',
'/dev/wmi/',
'/dev/wmi/dell-smbios',
'/dev/zd',
'/dev/zero',
'/dev/zfs',
'/dev/zram',
'/dev/zvol/',
'/dev/zvol/rpool',
'/dev/vlloopback'
)
AND NOT path LIKE '/dev/mapper/%'
AND NOT path LIKE '/dev/shm/u%-Shm_%'
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
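Review bot: Stripping every digit before the `NOT IN` check means any device whose name collapses to an allow-listed entry is accepted, so the allow list is broader than it reads; that known false-negative class should be stated in the header, e.g. `-- Digits are stripped before matching, so any name that equals a listed entry once digits are removed is allowed; an exact-match pass would be stricter`. The allow list is also host-specific where it names single devices such as `'/dev/sda'` and `'/dev/vda'` but not sibling disks, which is likely to produce false positives on multi-disk hosts; if that is intended, note it under "false positives". As a point of style, the two comments on lines 98-99 split `SELECT` from `DISTINCT` and would read better above the statement, and `'/dev/vlloopback'` on line 306 breaks the otherwise sorted list.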