RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-19 19:26:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

fpr: keyd, virtlogd, dnsmasq, Orum, etc

Browse Source
This commit is contained in:
Thomas Stromberg 2024-12-10 10:11:37 -05:00
parent 9680e54c90
commit ac2a85f85c
Failed to extract signature
15 changed files with 43 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
detection/c2/unexpected-dns-traffic-events.sql
View File

@ -83,9 +83,11 @@ WHERE
'ChatGPT,8.8.8.8,53',
'com.docker.backend,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'Creative Cloud Content Manager.node,8.8.4.4,53',
'coredns,0.0.0.0,53',
'coredns,8.8.8.8,53',
'Creative Cloud Content Manager.node,8.8.4.4,53',
'Creative Cloud Content Manager.node,8.8.8.8,53',
'distnoted,8.8.4.4,53',
'distnoted,8.8.8.8,53',
'dockerd,162.159.140.238,53',
'EpicWebHelper,8.8.4.4,53',
@ -94,20 +96,20 @@ WHERE
'helm,185.199.108.133,53',
'limactl,8.8.8.8,53',
'Meeting Center,8.8.8.8,53',
'msedge,8.8.8.8,53',
'msedge,8.8.4.4,53',
'msedge,8.8.8.8,53',
'node,149.22.90.225,5353',
'nuclei,1.0.0.1,53',
'plugin-container,8.8.8.8,53',
'Pieces OS,208.67.222.222,53',
'plugin-container,8.8.8.8,53',
'ServiceExtension,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'slack,8.8.8.8,53',
'snapd,185.125.188.54,53',
'snapd,185.125.188.55,53',
'snapd,185.125.188.59,53',
'snapd,185.125.188.58,53',
'snapd,185.125.188.59,53',
'Socket Process,8.8.8.8,53',
'syncthing,46.162.192.181,53',
'Telegram,8.8.8.8,53',

10
detection/c2/unexpected-root-libcurl-proc-linux.sql
View File

@ -30,6 +30,7 @@ SELECT
',',
f.mode
) AS exception_key,
pmm.path AS library_path,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
@ -68,16 +69,20 @@ WHERE
AND pmm.path LIKE '%libcurl%'
AND NOT exception_key IN (
'0,0,/var/run/ublue-update.lock,regular,0755',
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
'dnf-automatic,/usr/bin/python__VERSION__,0,system.slice,dnf-automatic-install.service,0755',
'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'implicitclass,/usr/lib/cups/backend/implicitclass,0,system.slice,cups.service,0744',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
@ -89,7 +94,10 @@ WHERE
'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'virtlockd,/usr/sbin/virtlockd,0,system.slice,virtlockd.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'virtlogd,/usr/sbin/virtlogd,0,system.slice,virtlogd.service,0755',
'virtqemud,/usr/sbin/virtqemud,0,system.slice,virtqemud.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',

2
detection/c2/unexpected-talkers-linux.sql
View File

@ -222,6 +222,8 @@ WHERE
'993,6,500,evolution,0u,0g,evolution',
'993,6,500,thunderbird,0u,0g,thunderbird',
'993,6,500,thunderbird,u,g,thunderbird',
'80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
'8883,6,500,WebKitWebProcess,u,g,WebKitWebProces',
'9999,6,500,firefox,0u,0g,firefox'
)
AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'

1
detection/evasion/hidden-cwd.sql
View File

@ -166,6 +166,7 @@ WHERE
OR dir LIKE '~/%enterprise-packages/.chainguard'
OR dir LIKE '%/.git'
OR dir LIKE '%/.git/%'
OR dir LIKE '/run/.ro%'
OR dir LIKE '%/.github'
OR dir LIKE '%/.github/%'
OR dir LIKE '~/%/github.com/%'

5
detection/evasion/hidden-executable.sql
View File

@ -68,9 +68,9 @@ WHERE
OR f.directory LIKE '%/.%'
)
AND NOT homedir LIKE '~/.%/bin'
AND NOT homedir LIKE '~/%/node_modules/.bin'
AND NOT homedir LIKE '~/%/node_modules/.bin%'
AND NOT homedir LIKE '~/.%/%x64/%'
AND NOT homedir LIKE '%/node_modulues/.%'
AND NOT homedir LIKE '%/node_modules/.%'
AND NOT homepath LIKE '~/%arm64%'
AND NOT homepath LIKE '~/%x86_64%'
AND NOT top3_dir LIKE '~/.%/extensions'
@ -113,6 +113,7 @@ WHERE
'/home/linuxbrew/.linuxbrew',
'~/.linuxbrew/Cellar',
'~/node_modules/.bin',
'~/Documents/GitHub',
'~/.nvm/versions',
'~/.pyenv/versions',
'~/.steampipe/db',

1
detection/evasion/old-binaries-running.sql
View File

@ -75,6 +75,7 @@ WHERE
'buildkitd',
'Flycut',
'kail',
'SetupWizard',
'Vimari Extension',
'Android File Transfer Agent',
'BluejeansHelper',

2
detection/evasion/unexpected-hidden-system-paths.sql
View File

@ -152,6 +152,8 @@ WHERE
'/var/.ntw_cache',
'/var/.Parallels_swap/',
'/var/.pwd_cache',
'/var/discourse/.git/',
'/var/discourse/.github/',
'/var/root/.bash_history',
'/var/root/.bash_profile',
'/var/root/.cache/',

2
detection/evasion/unexpected-var-run-linux.sql
View File

@ -34,8 +34,10 @@ WHERE
'apcupsd.pid',
'apport.lock',
'atd.pid',
'bootupd-lock',
'atopacctd.pid',
'auditd.pid',
'bluetooth.blocked',
'com.rapid7.cnchub.pid',
'com.rapid7.component_insight_agent.pid',
'com.rapid7.ir_agent.pid',

1
detection/execution/unexpected-execdir-linux.sql
View File

@ -67,6 +67,7 @@ WHERE
AND INSTR(path, "/var/kolide-k2/") != 1
AND INSTR(path, "/usr/share/spotify") != 1
AND INSTR(path, "/usr/share/code/") != 1
AND INSTR(path, "/usr/share/codium/") != 1
AND INSTR(path, "/usr/share/smartgit/") != 1
AND INSTR(path, "/var/home/") != 1
AND INSTR(path, "/usr/local/") != 1

4
detection/execution/unexpected-long-running-security-framework-macos.sql
View File

@ -93,10 +93,12 @@ WHERE -- Focus on longer-running programs
'500,cloud_sql_proxy,a.out,',
'500,docker,docker,',
'500,gopls,a.out,',
'500,python3,python.exe,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdmicmute,sdmicmute,',
'500,sdzoomplugin,,'
'500,sdzoomplugin,,',
'500,serial-discovery,a.out,'
)
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
AND NOT exception_key LIKE '500,___Test%.test,a.out'

3
detection/persistence/unexpected-chrome-extensions.sql
View File

@ -275,6 +275,9 @@ WHERE state = 1
'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp',
'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh',
'true,,ProctorU,goobgennebinldhonaajgafidboenlkl',
'true,,Orum,mgldaplfkpdgnojhbmllomokgeabokdd',
'true,,PSI Bridge Online Proctoring Extension,aeindiojndlokkemcgakgpgbcmgonifn',
'true,,Strict Workflow,cgmnfnmlficgeijcalkgnnkigkefkbhd',
'true,Pushbullet,Pushbullet,chlffgpmiacpedhhbkiomidkjlcfhogd',
'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp',
'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp',

1
detection/persistence/unexpected-device-linux.sql
View File

@ -264,6 +264,7 @@ WHERE (
'/dev/watchdog,character',
'/dev/wwanat,character',
'/dev/wwanmbim,character',
'/dev/wwanqcdm,character',
'/dev/zd,block',
'/dev/zero,character',
'/dev/zfs,character',

3
detection/persistence/unexpected-global-lock.sql
View File

@ -49,7 +49,8 @@ WHERE
'500,1000,/tmp/golangci-lint.lock,regular,0600',
'500,1001,/tmp/nwg-dock.lock,regular,0600',
'74,0,/tmp/mysql.sock.lock,regular,0600',
'74,0,/tmp/mysqlx.sock.lock,regular,0600'
'74,0,/tmp/mysqlx.sock.lock,regular,0600',
'0,1001,/var/run/keyd.socket.lock,regular,0600'
)
AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'
AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0664'

3
detection/persistence/unexpected-listening-port-linux.sql
View File

@ -137,6 +137,9 @@ WHERE
'53,6,130,dnsmasq',
'53,6,500,coredns',
'53,6,500,dnsmasq',
'53,17,123,dnsmasq',
'53,6,123,dnsmasq',
'67,17,123,dnsmasq',
'5432,6,70,postgres',
'546,17,500,dhcpcd',
'547,17,500,dnsmasq',

3
detection/persistence/unexpected-uid0-daemon-linux.sql
View File

@ -177,6 +177,8 @@ WHERE
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'virtlockd,/usr/sbin/virtlockd,0,system.slice,virtlockd.service,0755',
'virtlogd,/usr/sbin/virtlogd,0,system.slice,virtlogd.service,0755',
'geoclue.service,Location Lookup Service,geoclue,500',
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
@ -205,6 +207,7 @@ WHERE
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
'keyd,/usr/local/bin/keyd,0,system.slice,keyd.service,0755',
'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',