Merge pull request #393 from tstromberg/oct16

net traffic & security framework: Broaden exceptions to reduce false positives
Thomas Strömberg 2024-10-16 10:14:59 -04:00 committed by GitHub
commit b0549b56e2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 36 additions and 13 deletions


@ -62,6 +62,7 @@ WHERE
)
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
AND s.remote_address NOT IN (
'1.1.1.1', -- Cloudflare
'100.100.100.100', -- Tailscale Magic DNS
'208.67.220.123', -- OpenDNS FamilyShield
'75.75.75.75', -- Comcast
@ -90,6 +91,7 @@ WHERE
'limactl,8.8.8.8,53',
'msedge,8.8.8.8,53',
'adguard_dns,1.0.0.1,53',
'helm,185.199.108.133,53',
'coredns,8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'slack,8.8.8.8,53',
@ -121,6 +123,7 @@ WHERE
'limactl',
'mDNSResponder',
'melange',
'syncthing',
'nessusd',
'nuclei',
'systemd-resolved',
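Review bot: The `'helm,185.199.108.133,53'` entry that appears new in the second hunk carries no rationale, while the address list in the first hunk annotates every entry (`-- Cloudflare`, `-- Tailscale Magic DNS`); a port-53 exception for helm to a single address that does not look like a public resolver (185.199.108.133 is, as far as I know, in a GitHub Pages range) deserves the same treatment, e.g. `'helm,185.199.108.133,53', -- TODO: document why helm sends port-53 traffic here`. The `'syncthing'` addition in the third hunk appears to join a name-only list; a process name is not a strong identity for an allowlist, so if that list is applied without a path or resolver constraint (its definition is outside the hunk) a short comment on why the broad match is acceptable would help the next reader. The enclosing WHERE clause starts before the first hunk.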


@ -56,6 +56,10 @@ WHERE
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND p.path NOT LIKE '/app/bin/%'
AND p.path NOT LIKE '/usr/bin/%'
AND p.path NOT LIKE '/usr/local/bin/%'
AND p.path NOT LIKE '/opt/%'
AND NOT exception_key IN (
'0,agentbeat,0u,0g,agentbeat',
'0,apk,u,g,apk',
@ -65,6 +69,7 @@ WHERE
'0,bash,0u,0g,sh',
'0,canonical-livepatchd,0u,0g,canonical-livep',
'0,chainctl,0u,0g,chainctl',
'0,chainctl,500u,500g,chainctl',
'0,cmake,u,g,cmake',
'0,containerd,u,g,containerd',
'0,dirmngr,0u,0g,dirmngr',
@ -192,6 +197,7 @@ WHERE
'500,gh,0u,0g,gh',
'500,gh-dash,500u,500g,gh-dash',
'500,git,0u,0g,git',
'500,github-desktop,0u,0g,github-desktop',
'500,git-remote-http,0u,0g,git-remote-http',
'500,git-remote-http,u,g,git-remote-http',
'500,gitsign,0u,0g,gitsign',
@ -229,6 +235,7 @@ WHERE
'500,k6,500u,500g,k6',
'500,k9s,0u,0g,k9s',
'500,kbfsfuse,0u,0g,kbfsfuse',
'500,keepassxc,u,g,keepassxc',
'500,keybase,0u,0g,keybase',
'500,Keybase,0u,0g,Keybase',
'500,kioslave5,0u,0g,kioslave5',
@ -330,8 +337,6 @@ WHERE
'500,terraform,500u,500g,terraform',
'500,terraform-ls,500u,500g,terraform-ls',
'500,thunderbird,0u,0g,thunderbird',
'500,wolfi-package-status,500u,500g,wolfi-package-s',
'500,github-desktop,0u,0g,github-desktop',
'500,thunderbird-bin,u,g,thunderbird-bin',
'500,thunderbird,u,g,thunderbird',
'500,tidal-hifi,u,g,tidal-hifi',
@ -340,13 +345,13 @@ WHERE
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'0,chainctl,500u,500g,chainctl',
'500,ubuntu-report,0u,0g,ubuntu-report',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,DaveTheDiver.ex',
'500,wine64-preloader,500u,500g,Root.exe',
'500,wolfictl,500u,500g,wolfictl',
'500,wolfi-package-status,500u,500g,wolfi-package-s',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,writerside,500u,500g,writerside',
'500,xmobar,0u,0g,xmobar',
@ -357,6 +362,7 @@ WHERE
) -- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
AND NOT exception_key LIKE '0,python3.%,500u,500g,dnf-automatic'
AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'
AND NOT exception_key LIKE '500,python3.%,0u,0g,update-manager'
AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
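Review bot: The four path exclusions that appear new in the first hunk, `AND p.path NOT LIKE '/app/bin/%'`, `'/usr/bin/%'`, `'/usr/local/bin/%'` and `'/opt/%'`, exempt every executable under those directories from this check regardless of name, owner or signature; `/usr/local/bin` and `/opt` are ordinary destinations for locally installed, unmanaged software, so the per-process `exception_key` list below now only governs binaries outside the common install prefixes. If that narrowing of scope is intended, record it above the block, e.g. `-- Trust whole install prefixes; the exception_key list only covers binaries elsewhere`; otherwise keep the per-process entries for those prefixes rather than the blanket prefix match. The same move from a homebrew-specific prefix to a bare `'/opt/%'` pattern appears in three of the macOS sections later in this commit (`p0.path NOT LIKE '/opt/%'` and `NOT path LIKE '/opt/%'`), where the replaced `/opt/homebrew/Cellar/%/bin/%` and `/opt/homebrew/%` patterns were considerably tighter. The enclosing WHERE starts before the first hunk and the exception list continues past it.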


@ -96,7 +96,7 @@ WHERE
AND p0.path NOT LIKE '/Users/%/bin/%'
AND p0.path NOT LIKE '/System/%'
AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'
AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
AND p0.path NOT LIKE '/opt/%'
AND p0.path NOT LIKE '/usr/libexec/%'
AND p0.path NOT LIKE '/usr/sbin/%'
AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
@ -110,6 +110,7 @@ WHERE
'0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
'500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
'500,bash,bash,,bash',
'500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@ -141,6 +142,7 @@ WHERE
'500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,Signal Helper (Renderer),Signal Helper (Renderer),500u,20g',
'500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
'500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
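Review bot: The `'500,Signal Helper (Renderer),Signal Helper (Renderer),500u,20g'` entry in the last hunk has `500u,20g` in the positions where the neighbouring entries carry the signing authority and bundle identifier (`Developer ID Application: …`, `com.…`, or an empty authority as in `'500,bash,bash,,bash'`); if `exception_key` is built the way those neighbours suggest (its definition is outside the hunk), this entry can never match and the false positive it targets will persist. Please confirm the key shape against the query head and, if this value was copied from a differently keyed query, replace the last two fields with the helper's signature fields. The `'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g'` line in the next section has the same shape and sits directly beside a correctly keyed adguard entry, so it likely needs the same check.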


@ -152,9 +152,11 @@ WHERE
'500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
'500,6,3389,Windows App,Windows App,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
'500,6,5228,Fellow,Fellow,Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
'500,6,5228,Superhuman,Superhuman,Developer ID Application: SUPERHUMAN LABS INC. (6XHFYUTQGX),com.superhuman.electron',
'500,6,7881,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',


@ -36,3 +36,8 @@ WHERE
file.filename = '.DS_Store'
AND hash.sha256 = 'd65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3'
)
-- Kandji temp file
AND NOT (
file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
AND size = 242
)
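Review bot: The new Kandji exception matches on a path prefix plus `size = 242` only, whereas the `.DS_Store` exception just above pins a `hash.sha256`; file size is a weak discriminator for a hidden file under `/Library/LaunchAgents/`, a directory whose contents are persistence-relevant. If the temp file's content is stable, prefer the hash as the sibling entry does; if it varies, a comment such as `-- Kandji temp file; content varies between runs, so match on size` records why the weaker key was chosen. As a point of style, `size` is unqualified next to `file.path`; `file.size` keeps the clause consistent with the rest of the block. The enclosing WHERE begins before the hunk.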


@ -72,7 +72,7 @@ WHERE
AND NOT path LIKE '/Applications/%'
AND NOT path LIKE '/Library/Apple/%'
AND NOT path LIKE '/nix/store/%'
AND NOT path LIKE '/opt/homebrew/%'
AND NOT path LIKE '/opt/%'
AND NOT path LIKE '%/bin/cargo'
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/local/kolide-k2/bin/%'


@ -56,31 +56,32 @@ WHERE
FROM
processes
WHERE
start_time < (strftime('%s', 'now') - 7200)
start_time < (strftime('%s', 'now') - 25200)
AND parent != 0
-- Assume STP
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/libexec/%'
AND NOT path LIKE '/usr/sbin/%'
-- Regular apps
AND NOT path LIKE '/Applications/%.app/%'
-- Other oddball binary paths
AND NOT path LIKE '/opt/homebrew/Cellar/%'
AND NOT path LIKE '/opt/%'
AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
AND NOT path LIKE '/Users/%/go/src/%/%.test'
AND NOT (
path LIKE '/Users/%/homebrew/Cellar/%'
AND name IN ('limactl', 'Python', 'bash')
)
AND NOT path LIKE '/Users/%/go/%'
AND NOT path LIKE '/Users/%/dev/%'
AND NOT path LIKE '/Users/%/src/%'
AND NOT path LIKE '/Users/%/homebrew/Cellar/%'
AND NOT (
path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
AND name = 'cpu'
)
AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet')
)
AND pmm.path LIKE '%Security.framework%'
AND exception_key NOT IN (
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,nix,nix,',
'500,dirmngr,dirmngr,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
@ -154,6 +155,7 @@ WHERE
'500,keyboxd,,',
'500,keyboxd,keyboxd,',
'500,ko,,',
'500,dirmngr,,',
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
@ -241,6 +243,8 @@ WHERE
AND p0.path LIKE '/Users/%/go/bin/%'
)
AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
AND NOT exception_key LIKE '500,___%,a.out,'
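Review bot: In the first hunk the start_time constant changes from `7200` to `25200` with no comment, and the three exclusions that appear new, `NOT path LIKE '/Users/%/go/%'`, `'/Users/%/dev/%'` and `'/Users/%/src/%'`, exempt anything a user builds or downloads under those home-directory trees from a query that otherwise scrutinises unsigned loaders closely (the old `/Users/%/homebrew/Cellar/%` exception was limited to three named processes, and that constraint also appears to be dropped). Both deserve a line of rationale, e.g. `start_time < (strftime('%s', 'now') - 25200) -- older than 7 hours` and `-- Developer checkouts: too varied to enumerate here`. The `'500,dirmngr,dirmngr,'` entry is inserted among the uid-0 keys while the rest of the list is ordered by uid and then name; placing it beside the `'500,dirmngr,,'` entry added in the later hunk keeps the list scannable. The enclosing subquery and WHERE begin before the first hunk.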


@ -210,6 +210,7 @@ WHERE
'/Library/Developer/CommandLineTools/usr/bin/git',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS/kandji-library-manager',
'/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Library Manager.app/Contents/MacOS/kandji-library-manager',
'/opt/X11/libexec/launchd_startx',
'/Applications/DDPM/DDPM.app/Contents/MacOS/DDPM',
'/sbin/launchd',