RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Run reformat

This commit is contained in:
Thomas Stromberg 2024-02-16 17:21:00 -05:00
parent b1e05d6612
commit f72e6424c0
29 changed files with 233 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
detection/collection/excess-google-drive-downloads-macos.sql
View File

@ -23,6 +23,8 @@ WHERE
AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400)
-- Common, low-risk for exfil
AND file.filename NOT LIKE '%.csv'
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
GROUP BY ea.key
HAVING num_downloads > 8
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
GROUP BY
ea.key
HAVING
num_downloads > 8

2
detection/collection/high-disk-bytes-written.sql
View File

@ -52,7 +52,6 @@ WHERE
AND p0.pid > 2
AND p0.parent != 2
AND p0.path NOT IN (
'/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
'/bin-busybox',
'/bin/bash',
@ -202,4 +201,3 @@ WHERE
AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
AND NOT p0.cmdline LIKE '%brew.rb upgrade'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'

12
detection/discovery/unexpected-pcap-user-macos.sql
View File

@ -40,7 +40,11 @@ FROM
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.pid IN (
SELECT pid FROM processes WHERE
SELECT
pid
FROM
processes
WHERE
euid = 0
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Apple/%'
@ -56,9 +60,11 @@ WHERE
AND path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
AND path NOT LIKE '/usr/local/Cellar/htop/%/bin/htop'
AND path NOT LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
AND path NOT IN ('/opt/socket_vmnet/bin/socket_vmnet', '/usr/local/sbin/velociraptor')
AND path NOT IN (
'/opt/socket_vmnet/bin/socket_vmnet',
'/usr/local/sbin/velociraptor'
)
)
AND pmm.path LIKE '%libpcap%'
-- These are all protected directories
AND NOT s.authority IN (

6
detection/evasion/missing-from-disk-linux.sql
View File

@ -49,4 +49,8 @@ WHERE
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper', '/opt/Synergy/resources/synergy-tray')
AND p.path NOT IN (
'/usr/bin/python3.10',
'/opt/google/chrome/nacl_helper',
'/opt/Synergy/resources/synergy-tray'
)

6
detection/evasion/parent-missing-from-disk-linux.sql
View File

@ -35,13 +35,15 @@ SELECT -- Child
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
FROM
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE p1.on_disk != 1
WHERE
p1.on_disk != 1
AND p0.on_disk = 1
AND NOT p0.pid IN (1, 2)
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd

15
detection/evasion/parent-pid-missing-from-procfs.sql
View File

@ -10,18 +10,23 @@
-- * Can by racy if child and parent exit at the right time
--
-- tags: persistent daemon
SELECT p.*,
SELECT
p.*,
hash.sha256,
GROUP_CONCAT(DISTINCT pof.path) AS open_files
FROM processes p
FROM
processes p
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN process_open_files pof ON p.pid = pof.pid
WHERE -- Prevent false positives by avoiding short-lived commands
p.start_time < (strftime('%s', 'now') -1)
AND p.parent NOT IN (
SELECT pid
FROM processes
SELECT
pid
FROM
processes
)
AND p.parent != 0
AND p.parent IS NOT NULL
GROUP BY p.pid
GROUP BY
p.pid

9
detection/evasion/unexpected-alf-exceptions-macos.sql
View File

@ -5,7 +5,8 @@
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT ae.path,
SELECT
ae.path,
ae.state,
file.mtime,
file.ctime,
@ -25,7 +26,8 @@ SELECT ae.path,
',',
MIN(file.uid, 501)
) AS exception_key
FROM alf_exceptions ae
FROM
alf_exceptions ae
LEFT JOIN file ON ae.path = file.path
LEFT JOIN hash ON ae.path = hash.path
LEFT JOIN signature ON ae.path = signature.path
@ -170,4 +172,5 @@ WHERE -- Filter out stock exceptions to decrease overhead
OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
)
)
GROUP BY exception_key
GROUP BY
exception_key

1
detection/evasion/unexpected-hidden-system-paths.sql
View File

@ -225,5 +225,4 @@ WHERE
file.path LIKE '/tmp/.ssh-%'
AND file.type = "socket"
AND file.mode = '0600'
)

5
detection/execution/tiny-executable.sql
View File

@ -32,7 +32,4 @@ WHERE
AND NOT file.path LIKE '/home/%/.zsh/completion'
AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
AND NOT file.path IN (
'/',
'/usr/bin/ruby'
)
AND NOT file.path IN ('/', '/usr/bin/ruby')

4
detection/initial_access/sketchy-mounted-diskimage.sql
View File

@ -35,8 +35,8 @@ FROM
LEFT JOIN signature ON file.path = signature.path
WHERE
file.path IN (
SELECT
DISTINCT file.path
SELECT DISTINCT
file.path
FROM
block_devices
JOIN mounts ON mounts.device = block_devices.name

15
detection/persistence/low-fd-socket.sql
View File

@ -8,7 +8,8 @@
--
-- tags: process state
-- platform: posix
SELECT pos.protocol,
SELECT
pos.protocol,
pos.pid,
pos.remote_address,
pos.local_address,
@ -40,13 +41,19 @@ SELECT pos.protocol,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM process_open_sockets pos
FROM
process_open_sockets pos
JOIN processes p0 ON pos.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE pos.fd < 3
WHERE
pos.fd < 3
AND pos.family != 1
AND p0.path NOT IN ('/usr/libexec/bootpd', '/usr/local/bin/velociraptor', '/Applications/NetSpot.app/Contents/MacOS/NetSpot')
AND p0.path NOT IN (
'/usr/libexec/bootpd',
'/usr/local/bin/velociraptor',
'/Applications/NetSpot.app/Contents/MacOS/NetSpot'
)

22
detection/persistence/minimal-socket-client-linux.sql
View File

@ -8,7 +8,8 @@
--
-- tags: persistent process state seldom
-- platform: linux
SELECT pos.protocol,
SELECT
pos.protocol,
pos.pid,
pos.remote_address,
pos.local_address,
@ -27,11 +28,13 @@ SELECT pos.protocol,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256
FROM processes p0
FROM
processes p0
JOIN process_open_sockets pos ON p0.pid = pos.pid
JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
WHERE p0.path != '' -- optimization: focus on longer running processes
WHERE
p0.path != '' -- optimization: focus on longer running processes
AND p0.start_time < (strftime('%s', 'now') - 900)
AND p0.path NOT IN (
'/usr/bin/containerd',
@ -46,11 +49,18 @@ WHERE p0.path != '' -- optimization: focus on longer running processes
'/usr/lib/electron/chrome-sandbox',
'/usr/bin/i3blocks'
)
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
AND p0.name NOT IN (
'chrome_crashpad',
'dhcpcd',
'stern',
'Brackets-node'
) -- optimization: minimalistic daemons typically only run 1 pid per path
AND p0.path NOT LIKE '/home/%/go/bin/%'
AND pos.family != 1
AND pos.pid > 0
AND pos.state != 'LISTEN'
AND pmm.path LIKE "%.so.%"
GROUP BY pos.pid -- libc.so, ld-linux
HAVING lib_count IN (1, 2)
GROUP BY
pos.pid -- libc.so, ld-linux
HAVING
lib_count IN (1, 2)

10
detection/persistence/unexpected-chrome-extensions.sql
View File

@ -74,7 +74,6 @@ WHERE
)
)
AND NOT exception_key IN (
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
@ -144,12 +143,9 @@ WHERE
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
<<<<<<< HEAD
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
=======
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
>>>>>>> main
'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
<< << << < HEAD 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
== == == = 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
>> >> >> > main 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',

9
incident_response/file_events.sql
View File

@ -3,6 +3,9 @@
-- tags: postmortem
-- platform: posix
-- interval: 900
SELECT *
FROM file_events
WHERE time > (strftime('%s', 'now') -900)
SELECT
*
FROM
file_events
WHERE
time > (strftime('%s', 'now') -900)

12
incident_response/files-recently-written.sql
View File

@ -3,9 +3,12 @@
-- tags: postmortem
-- platform: posix
-- interval: 3600
SELECT *
FROM file
WHERE (
SELECT
*
FROM
file
WHERE
(
path LIKE "/var/tmp/%"
OR path LIKE "/var/tmp/%/%"
OR path LIKE "/Applications/%"
@ -45,4 +48,5 @@ WHERE (
OR btime > (strftime('%s', 'now') -3600)
)
AND NOT path LIKE "%/../%"
GROUP BY inode;
GROUP BY
inode;

3
incident_response/socket_events.sql
View File

@ -7,4 +7,5 @@ SELECT
*
FROM
socket_events
WHERE time > (strftime('%s', 'now') -600)
WHERE
time > (strftime('%s', 'now') -600)

4
policy/unexpected-rsa-keys.sql
View File

@ -47,4 +47,6 @@ WHERE
AND NOT INSTR(file.filename, 'melange.rsa') > 0
AND NOT INSTR(file.filename, 'local-melange-enterprise.rsa') > 0
-- Demo keys
AND NOT sha256 IN ('a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de')
AND NOT sha256 IN (
'a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de'
)