mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-25 15:22:05 +00:00
Run 'make reformat'
This commit is contained in:
parent
e13773d9b7
commit
e6824d87e9
@ -210,7 +210,8 @@ WHERE
|
||||
AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
|
||||
)
|
||||
AND NOT (
|
||||
s.remote_port = 80 AND (
|
||||
s.remote_port = 80
|
||||
AND (
|
||||
p.cgroup_path LIKE '/system.slice/docker-%'
|
||||
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
|
||||
)
|
||||
|
@ -210,4 +210,3 @@ WHERE
|
||||
)
|
||||
GROUP BY
|
||||
pof.pid
|
||||
|
||||
|
@ -48,7 +48,8 @@ SELECT
|
||||
)
|
||||
) AS exception_key
|
||||
FROM
|
||||
process_events pe, uptime
|
||||
process_events pe,
|
||||
uptime
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN hash phash ON pp.path = phash.path
|
||||
|
@ -48,7 +48,8 @@ SELECT
|
||||
)
|
||||
) AS exception_key
|
||||
FROM
|
||||
process_events pe, uptime
|
||||
process_events pe,
|
||||
uptime
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN hash phash ON pp.path = phash.path
|
||||
@ -81,9 +82,7 @@ WHERE
|
||||
'zsh'
|
||||
)
|
||||
)
|
||||
AND exception_key NOT IN (
|
||||
'netstat,0,sh,sudo'
|
||||
)
|
||||
AND exception_key NOT IN ('netstat,0,sh,sudo')
|
||||
AND parent_cmd NOT IN ('/bin/sh /etc/periodic/daily/420.status-network')
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
@ -7,7 +7,8 @@
|
||||
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
|
||||
--
|
||||
-- tags: transient process state
|
||||
SELECT p.path,
|
||||
SELECT
|
||||
p.path,
|
||||
p.cmdline,
|
||||
p.cwd,
|
||||
p.pid,
|
||||
@ -22,11 +23,13 @@ SELECT p.path,
|
||||
f.uid,
|
||||
m.path,
|
||||
f.gid
|
||||
FROM processes p
|
||||
FROM
|
||||
processes p
|
||||
LEFT JOIN file f ON p.path = f.path
|
||||
LEFT JOIN hash h ON p.path = h.path
|
||||
LEFT JOIN magic m ON p.path = m.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
ctime_age_days > 1050
|
||||
OR mtime_age_days > 1050
|
||||
)
|
||||
@ -59,5 +62,6 @@ WHERE (
|
||||
'Pandora Helper',
|
||||
'dlv'
|
||||
)
|
||||
GROUP BY p.pid,
|
||||
p.path
|
||||
GROUP BY
|
||||
p.pid,
|
||||
p.path
|
||||
|
@ -35,7 +35,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
|
||||
-- Unfortunately, there is no column for when an exception was granted, so
|
||||
-- we're currently unable to filter out old entries.
|
||||
exception_key NOT IN (
|
||||
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
|
||||
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
|
||||
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
|
||||
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
|
||||
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
|
||||
|
@ -4,7 +4,8 @@
|
||||
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
|
||||
--
|
||||
-- tags: persistent state filesystem
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
file.directory,
|
||||
uid,
|
||||
gid,
|
||||
@ -13,10 +14,12 @@ SELECT file.path,
|
||||
file.size,
|
||||
hash.sha256,
|
||||
magic.data
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash on file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
-- This list is the result of multiple queries combined and can likely be minimized
|
||||
file.path LIKE '/dev/%%'
|
||||
OR file.path LIKE '/dev/%%/%%'
|
||||
@ -68,4 +71,4 @@ WHERE (
|
||||
AND file.mode = '0755'
|
||||
AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
|
||||
AND file.size > 1000000
|
||||
)
|
||||
)
|
||||
|
@ -8,7 +8,8 @@
|
||||
--
|
||||
-- platform: posix
|
||||
-- tags: persistent filesystem state
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
file.directory,
|
||||
uid,
|
||||
gid,
|
||||
@ -20,10 +21,12 @@ SELECT file.path,
|
||||
size,
|
||||
hash.sha256,
|
||||
magic.data
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash ON file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
file.path LIKE '/lib/.%'
|
||||
OR file.path LIKE '/.%'
|
||||
OR file.path LIKE '/bin/%/.%'
|
||||
@ -155,4 +158,4 @@ WHERE (
|
||||
AND NOT (
|
||||
file.path = '/var/root/.oracle_jre_usage/'
|
||||
AND file.size = 96
|
||||
)
|
||||
)
|
||||
|
@ -5,7 +5,8 @@
|
||||
--
|
||||
-- tags: persistent
|
||||
-- platform: posix
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
uid,
|
||||
gid,
|
||||
mode,
|
||||
@ -16,10 +17,12 @@ SELECT file.path,
|
||||
file.size,
|
||||
hash.sha256,
|
||||
magic.data
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash on file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
-- Recursive queries don't seem to work well with hidden directories :(
|
||||
file.path LIKE '/tmp/%%'
|
||||
OR file.path LIKE '/tmp/.%/%%'
|
||||
@ -126,7 +129,7 @@ WHERE (
|
||||
file.type = 'regular'
|
||||
AND size < 10
|
||||
)
|
||||
-- Binaries we might actually see legitimately
|
||||
-- Binaries we might actually see legitimately
|
||||
AND NOT (
|
||||
file.path LIKE '/tmp/%'
|
||||
AND file.uid > 500
|
||||
@ -136,7 +139,6 @@ WHERE (
|
||||
OR file.filename LIKE "%-cli"
|
||||
)
|
||||
)
|
||||
|
||||
-- All checks with magic.data must first check for a lack of NULL value,
|
||||
-- otherwise you filter out platforms without magic.data.
|
||||
AND NOT (
|
||||
|
@ -5,7 +5,8 @@
|
||||
--
|
||||
-- tags: persistent
|
||||
-- platform: macos
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
uid,
|
||||
gid,
|
||||
mode,
|
||||
@ -18,11 +19,13 @@ SELECT file.path,
|
||||
magic.data,
|
||||
signature.identifier,
|
||||
signature.authority
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash on file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
LEFT JOIN signature ON file.path = signature.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
-- Recursive queries don't seem to work well with hidden directories :(
|
||||
file.path LIKE '/tmp/%%'
|
||||
OR file.path LIKE '/tmp/.%/%%'
|
||||
@ -130,7 +133,7 @@ WHERE (
|
||||
AND NOT (
|
||||
magic.data IS NOT NULL
|
||||
AND (
|
||||
magic.data = 'JSON data'
|
||||
OR magic.data LIKE 'ELF %-bit %SB executable%'
|
||||
magic.data = 'JSON data'
|
||||
OR magic.data LIKE 'ELF %-bit %SB executable%'
|
||||
)
|
||||
)
|
||||
)
|
||||
|
@ -118,4 +118,4 @@ WHERE
|
||||
file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'
|
||||
AND file.size < 40000
|
||||
AND file.uid = 501
|
||||
)
|
||||
)
|
||||
|
@ -9,7 +9,8 @@
|
||||
-- tags: transient process events
|
||||
-- platform: linux
|
||||
-- interval: 30
|
||||
SELECT pe.path AS path,
|
||||
SELECT
|
||||
pe.path AS path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
|
||||
TRIM(pe.cmdline) AS cmd,
|
||||
pe.pid AS pid,
|
||||
@ -31,7 +32,9 @@ SELECT pe.path AS path,
|
||||
1
|
||||
) AS gparent_name,
|
||||
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
|
||||
FROM process_events pe, uptime
|
||||
FROM
|
||||
process_events pe,
|
||||
uptime
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
|
||||
|
@ -9,7 +9,8 @@
|
||||
-- tags: transient process events
|
||||
-- platform: darwin
|
||||
-- interval: 45
|
||||
SELECT pe.path AS path,
|
||||
SELECT
|
||||
pe.path AS path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
|
||||
TRIM(pe.cmdline) AS cmd,
|
||||
pe.pid AS pid,
|
||||
@ -41,7 +42,8 @@ SELECT pe.path AS path,
|
||||
signature.authority,
|
||||
esignature.authority
|
||||
) AS parent_authority
|
||||
FROM process_events pe
|
||||
FROM
|
||||
process_events pe
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
|
||||
@ -159,4 +161,4 @@ WHERE
|
||||
AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
|
||||
AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
|
||||
AND NOT cmd LIKE '%history'
|
||||
AND NOT name IN ('cc1', 'compile')
|
||||
AND NOT name IN ('cc1', 'compile')
|
||||
|
@ -134,11 +134,14 @@ WHERE
|
||||
AND NOT (
|
||||
addr IS NOT NULL
|
||||
AND (
|
||||
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
|
||||
addr IN (
|
||||
'releases.hashicorp.com',
|
||||
'github.com',
|
||||
'dl.enforce.dev'
|
||||
)
|
||||
-- Ignore local addresses (Docker development)
|
||||
OR addr NOT LIKE '%.%'
|
||||
OR ip LIKE '172.2%'
|
||||
OR ip LIKE '192.168.%'
|
||||
)
|
||||
)
|
||||
|
||||
|
@ -129,11 +129,14 @@ WHERE
|
||||
AND NOT (
|
||||
addr IS NOT NULL
|
||||
AND (
|
||||
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
|
||||
addr IN (
|
||||
'releases.hashicorp.com',
|
||||
'github.com',
|
||||
'dl.enforce.dev'
|
||||
)
|
||||
-- Ignore local addresses (Docker development)
|
||||
OR addr NOT LIKE '%.%'
|
||||
OR ip LIKE '172.21.%'
|
||||
OR ip LIKE '192.168.%'
|
||||
)
|
||||
)
|
||||
|
||||
|
@ -142,7 +142,7 @@ WHERE
|
||||
'~/google-cloud-sdk/',
|
||||
'~/homebrew/',
|
||||
'~/.kuberlr/',
|
||||
-- '~/Library/',
|
||||
-- '~/Library/',
|
||||
'~/.gradle/',
|
||||
'~/.local/',
|
||||
'~/Parallels/',
|
||||
@ -193,7 +193,6 @@ WHERE
|
||||
AND homedir NOT LIKE '~/%sigstore%'
|
||||
AND homedir NOT LIKE '~/%/bin'
|
||||
AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
|
||||
|
||||
-- These signers can run from wherever the hell they want.
|
||||
AND signature.authority NOT IN (
|
||||
'Apple iPhone OS Application Signing',
|
||||
|
@ -6,7 +6,8 @@
|
||||
-- interval: 600
|
||||
-- platform: posix
|
||||
-- tags: process events
|
||||
SELECT pe.path AS path,
|
||||
SELECT
|
||||
pe.path AS path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
|
||||
TRIM(pe.cmdline) AS cmd,
|
||||
pe.pid AS pid,
|
||||
@ -29,8 +30,9 @@ SELECT pe.path AS path,
|
||||
1
|
||||
) AS gparent_name,
|
||||
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
|
||||
REGEX_MATCH(TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
|
||||
FROM process_events pe
|
||||
REGEX_MATCH (TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
|
||||
FROM
|
||||
process_events pe
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
|
||||
@ -39,17 +41,19 @@ FROM process_events pe
|
||||
LEFT JOIN hash ON pp.path = hash.path
|
||||
LEFT JOIN hash thash ON target_path = thash.path
|
||||
LEFT JOIN hash ehash ON ppe.path = ehash.path
|
||||
WHERE pe.time > (strftime('%s', 'now') -600)
|
||||
AND pe.path LIKE '%/chmod'
|
||||
AND (
|
||||
cmd LIKE '%chmod 7%'
|
||||
OR cmd LIKE '%chmod 5%'
|
||||
OR cmd LIKE '%chmod 1%'
|
||||
OR cmd LIKE '%chmod +%x'
|
||||
)
|
||||
AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
|
||||
AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
|
||||
AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
|
||||
AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
|
||||
AND NOT parent_cgroup LIKE '/system.slice/docker-%'
|
||||
GROUP BY pe.pid
|
||||
WHERE
|
||||
pe.time > (strftime('%s', 'now') -600)
|
||||
AND pe.path LIKE '%/chmod'
|
||||
AND (
|
||||
cmd LIKE '%chmod 7%'
|
||||
OR cmd LIKE '%chmod 5%'
|
||||
OR cmd LIKE '%chmod 1%'
|
||||
OR cmd LIKE '%chmod +%x'
|
||||
)
|
||||
AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
|
||||
AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
|
||||
AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
|
||||
AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
|
||||
AND NOT parent_cgroup LIKE '/system.slice/docker-%'
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
@ -87,4 +87,5 @@ WHERE
|
||||
-- The following apply to all uids
|
||||
AND NOT cmd = 'osascript -e user locale of (get system info)'
|
||||
GROUP BY
|
||||
pe.pid, pe.cmd
|
||||
pe.pid,
|
||||
pe.cmd
|
||||
|
@ -74,4 +74,3 @@ WHERE
|
||||
AND p.name = "node"
|
||||
AND parent_name IN ("vim", "nvim")
|
||||
)
|
||||
|
||||
|
@ -106,4 +106,4 @@ WHERE
|
||||
)
|
||||
AND NOT p.path IN ('/opt/socket_vmnet/bin/socket_vmnet')
|
||||
GROUP BY
|
||||
pmm.pid
|
||||
pmm.pid
|
||||
|
@ -6,7 +6,8 @@
|
||||
-- interval: 60
|
||||
-- platform: darwin
|
||||
-- tags: process events
|
||||
SELECT pe.path AS path,
|
||||
SELECT
|
||||
pe.path AS path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
|
||||
TRIM(pe.cmdline) AS cmd,
|
||||
pe.pid AS pid,
|
||||
@ -38,7 +39,8 @@ SELECT pe.path AS path,
|
||||
signature.authority,
|
||||
esignature.authority
|
||||
) AS parent_authority
|
||||
FROM process_events pe
|
||||
FROM
|
||||
process_events pe
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
|
||||
@ -48,7 +50,8 @@ FROM process_events pe
|
||||
LEFT JOIN hash ehash ON ppe.path = ehash.path
|
||||
LEFT JOIN signature ON pp.path = signature.path
|
||||
LEFT JOIN signature esignature ON ppe.path = esignature.path
|
||||
WHERE pe.path = '/usr/bin/xattr'
|
||||
WHERE
|
||||
pe.path = '/usr/bin/xattr'
|
||||
AND pe.status = 0
|
||||
AND pe.time > (strftime('%s', 'now') -60)
|
||||
AND cmd NOT IN (
|
||||
@ -81,4 +84,6 @@ WHERE pe.path = '/usr/bin/xattr'
|
||||
)
|
||||
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
|
||||
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
|
||||
GROUP BY pe.pid, cmd
|
||||
GROUP BY
|
||||
pe.pid,
|
||||
cmd
|
||||
|
@ -150,4 +150,5 @@ WHERE
|
||||
)
|
||||
AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
|
||||
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
|
||||
GROUP BY p.pid
|
||||
GROUP BY
|
||||
p.pid
|
||||
|
@ -66,4 +66,4 @@ WHERE
|
||||
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
|
||||
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
|
||||
AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'
|
||||
AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'
|
||||
AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'
|
||||
|
@ -15,7 +15,7 @@ SELECT
|
||||
p.path,
|
||||
p.cmdline,
|
||||
p.cgroup_path,
|
||||
datetime(file.mtime,'unixepoch') AS mtime,
|
||||
datetime(file.mtime, 'unixepoch') AS mtime,
|
||||
p.cwd,
|
||||
hash.sha256,
|
||||
CONCAT (
|
||||
|
@ -48,7 +48,8 @@ SELECT
|
||||
)
|
||||
) AS exception_key
|
||||
FROM
|
||||
process_events pe, uptime
|
||||
process_events pe,
|
||||
uptime
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
LEFT JOIN processes pp ON pe.parent = pp.pid
|
||||
LEFT JOIN hash phash ON pp.path = phash.path
|
||||
@ -87,6 +88,5 @@ WHERE
|
||||
AND NOT child_cmd LIKE 'systemctl show --property=%'
|
||||
AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
|
||||
AND NOT child_cmd LIKE '/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%/bus'
|
||||
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
@ -23,4 +23,4 @@ FROM
|
||||
WHERE
|
||||
p.time > (strftime('%s', 'now') -60)
|
||||
AND file.mode NOT LIKE '0%'
|
||||
AND p.cmdline_size > 2048
|
||||
AND p.cmdline_size > 2048
|
||||
|
@ -37,6 +37,9 @@ WHERE
|
||||
AND filename LIKE "%-%-%.json"
|
||||
AND size BETWEEN 2311 AND 2385
|
||||
-- Don't alert on tokens that begin with the username-, as they may be personal
|
||||
AND NOT INSTR(filename, CONCAT(u.username, "-")) == 1
|
||||
AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
|
||||
-- Don't alert on tokens that begin with the users full name and a dash
|
||||
AND NOT INSTR(filename, REPLACE(LOWER(TRIM(description))," ", "-")) == 1
|
||||
AND NOT INSTR(
|
||||
filename,
|
||||
REPLACE(LOWER(TRIM(description)), " ", "-")
|
||||
) == 1
|
||||
|
Loading…
Reference in New Issue
Block a user