Address merge conflict

Thomas Stromberg 2022-10-24 10:04:26 -04:00
commit e9ad2660a2
12 changed files with 48 additions and 40 deletions


@ -70,12 +70,13 @@ WHERE
'0,/usr/nix,0u,0g,nix',
'0,/usr/packagekitd,0u,0g,packagekitd',
'0,/usr/pacman,0u,0g,pacman',
'0,/usr/python3.10,0u,0g,dnf',
'0,/usr/tailscaled,0u,0g,tailscaled',
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'500,/app/slack,u,g,slack',
'500,/app/thunderbird,u,g,thunderbird',
'500,/app/zoom.real,u,g,zoom.real',
'0,/usr/python3.10,0u,0g,dnf',
'500,/home/chainctl,500u,100g,chainctl',
'500,/home/chainctl,500u,500g,chainctl',
'500,/home/gitsign,500u,500g,gitsign',
'500,/home/go,500u,500g,go',
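Review bot: The entry `'0,/usr/python3.10,0u,0g,dnf'` appears twice in this hunk, once after `/usr/pacman` and again after `/app/zoom.real`; with the +/- markers lost it is not visible whether one copy is the removed side of a move, so please confirm the merged list carries it only once. The two `chainctl` entries differ only in group (`500u,100g` versus `500u,500g`) and look like both sides of the conflict; if both are meant to stay, a trailing comment stating why two gids are allowed would keep the next merge from collapsing them. The enclosing `WHERE ... NOT IN (` list starts and ends outside this hunk.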


@ -101,6 +101,7 @@ WHERE
'80,6,500,/usr/chrome,0u,0g,chrome',
'80,6,500,/usr/curl,0u,0g,curl',
'80,6,500,/usr/firefox,0u,0g,firefox',
'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
'8080,6,500,/opt/chrome,0u,0g,chrome',
'8080,6,500,/usr/firefox,0u,0g,firefox',
'8443,6,500,/opt/chrome,0u,0g,chrome',
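Review bot: The exception `'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe'`, which looks like the one line this hunk adds, keys on a process name cut off at 15 characters, as does `.tailscaled-wra` in the earlier hunk; nothing in the file says this is deliberate, so a later cleanup could "correct" the spelling and silently disable the exception. This is presumably the kernel's 15-character `comm` limit surfacing in the `name` column; a comment on the line such as `-- name is truncated to 15 chars (kernel comm); not a typo` would document it. The enclosing list starts and ends outside this hunk.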


@ -4,8 +4,9 @@
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- platform: macos
SELECT protocol,
-- platform: darwin
SELECT
protocol,
s.local_port,
s.remote_port,
s.remote_address,
@ -31,12 +32,14 @@ SELECT protocol,
',',
signature.authority
) AS exception_key
FROM process_open_sockets s
FROM
process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON pp.pid = p.parent
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path
WHERE protocol > 0
WHERE
protocol > 0
AND s.remote_port > 0
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
AND s.remote_address NOT LIKE 'fe80:%'
@ -239,7 +242,6 @@ WHERE protocol > 0
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'80,6,500,webhook.test,a.out,'
) -- nix-shell infects children with open connections
AND NOT (
parent_cmd LIKE '%/tmp/nix-shell%'
@ -332,4 +334,5 @@ WHERE protocol > 0
remote_port IN (53, 443)
AND p.path LIKE '/private/var/folders/%/T/GoLand/%'
)
GROUP BY s.pid
GROUP BY
s.pid
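Review bot: The reformatted `SELECT` and `WHERE` leave `protocol` as the only unqualified column (`protocol,` and `protocol > 0`) while its siblings are written `s.local_port`, `s.remote_port`, `s.remote_address`; with `processes`, `hash` and `signature` also joined, an unqualified name resolves against whichever table happens to carry it, so `s.protocol,` and `s.protocol > 0` would make the reference explicit and consistent. The `platform:` tag also changes from `macos` to `darwin` here and in the later `-- platform: darwin` hunk; whatever selects queries by that tag presumably has to accept the new value, which cannot be confirmed from the diff. The statement continues outside the visible hunks.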


@ -35,7 +35,7 @@ FROM
process_events p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash AS phash ON pp.path = hash.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.time > (strftime('%s', 'now') -60)
AND (


@ -51,21 +51,17 @@ WHERE
'rshell',
'rsh',
'incbit',
'osascript',
'kmod',
'lushput',
'mkfifo',
'msfvenom',
'nc',
'socat'
)
-- Chrome Stealer
) -- Chrome Stealer
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%-load-extension%'
-- Known attack scripts
OR cmd LIKE '%chrome%-load-extension%' -- Known attack scripts
OR basename LIKE '%pwn%'
OR basename LIKE '%attack%'
-- Unusual behaviors
OR basename LIKE '%attack%' -- Unusual behaviors
OR cmd LIKE '%chattr -ia%'
OR cmd LIKE '%chmod 777 %'
OR cmd LIKE '%touch%acmr%'
@ -83,17 +79,25 @@ WHERE
OR cmd LIKE '%nohup /bin/bash%'
OR cmd LIKE '%echo%|%base64 --decode %|%'
OR cmd LIKE '%launchctl list%'
OR (cmd LIKE '%UserKnownHostsFile=/dev/null%' AND NOT parent_name='limactl')
-- Random keywords
OR cmd LIKE '%ransom%'
-- Reverse shells
OR (
cmd LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT parent_name = 'limactl'
) -- Random keywords
OR cmd LIKE '%ransom%' -- Reverse shells
OR cmd LIKE '%fsockopen%'
OR cmd LIKE '%openssl%quiet%'
OR cmd LIKE '%pty.spawn%'
OR (cmd LIKE '%sh -i' AND NOT parent_name='sh')
OR (
cmd LIKE '%sh -i'
AND NOT parent_name = 'sh'
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR (cmd LIKE '%Socket.%' AND NOT basename='compile')
OR (
cmd LIKE '%Socket.%'
AND NOT basename IN ('compile', 'sed', 'mv')
AND NOT cmd LIKE "%sys/socket.h%"
)
) -- Things that could reasonably happen at boot.
AND NOT (
p.path = '/usr/bin/mkfifo'
@ -102,8 +106,7 @@ WHERE
AND NOT (
cmd LIKE '%csrutil status'
AND parent_name IN ('Dropbox')
)
-- The source of these commands is still a mystery to me.
) -- The source of these commands is still a mystery to me.
AND NOT (
cmd IN (
'/usr/bin/csrutil status',
@ -111,9 +114,4 @@ WHERE
)
AND p.parent = -1
)
AND NOT cmd LIKE 'osascript -e set zoomStatus%'
AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
AND NOT cmd IN (
'osascript -e user locale of (get system info)',
'osascript'
)


@ -48,7 +48,10 @@ WHERE
OR cmd LIKE '%nohup%tmp%'
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%--load-extension%'
OR (cmd LIKE '%UserKnownHostsFile=/dev/null%' AND NOT parent_name='limactl')
OR (
cmd LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT parent_name = 'limactl'
)
-- Crypto miners
OR cmd LIKE '%c3pool%'
OR cmd LIKE '%cryptonight%'
@ -70,7 +73,10 @@ WHERE
OR cmd LIKE '%fsockopen%'
OR cmd LIKE '%openssl%quiet%'
OR cmd LIKE '%pty.spawn%'
OR (cmd LIKE '%sh -i' AND NOT parent_name='sh')
OR (
cmd LIKE '%sh -i'
AND NOT parent_name = 'sh'
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR cmd LIKE '%Socket.fork%'


@ -6,7 +6,7 @@
-- false positives:
-- * developers downloading binaries from Github
--
-- platform: macos
-- platform: darwin
-- tags: persistent filesystem state gatekeeper
SELECT
gap.ctime,


@ -27,7 +27,7 @@ FROM
uptime,
process_events p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN signature ON pp.path = signature.path
WHERE
p.path = '/usr/bin/osascript'
@ -36,4 +36,4 @@ WHERE
AND cmd != 'osascript -e user locale of (get system info)'
AND NOT (
exception_key='org.python.python,,osascript' AND parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
)
)


@ -22,4 +22,4 @@ FROM
docker_container_mounts AS dcm
LEFT JOIN docker_containers dc ON dcm.id = dc.id
WHERE
dcm.source="/"
dcm.source = "/"


@ -30,8 +30,8 @@ FROM
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = file.path
LEFT JOIN hash AS phash ON pp.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid


@ -30,8 +30,8 @@ FROM
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = file.path
LEFT JOIN hash AS phash ON pp.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.euid < pp.euid
AND p.path NOT IN (


@ -27,5 +27,4 @@ WHERE
AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
AND image NOT LIKE 'docker.io/rancher/k3s:%'
-- this one makes me sad. It's due to limitations running bubblewrap in a container
AND image NOT IN ('cgr.dev/chainguard/melange', 'wolfi:test')
;
AND image NOT IN ('cgr.dev/chainguard/melange', 'wolfi:test');