RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-09 14:59:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
120 Commits 1 Branch 31 Tags 6.1 MiB
Makefile 100%
f13a61c5ad
Go to file
Thomas Stromberg f13a61c5ad
Add query to find hidden LaunchAgent/LaunchDaemon files
2022-10-10 10:42:06 -04:00
antivirus Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 11:12:23 -04:00
browser Overdue false positive removal 2022-09-29 15:42:27 -04:00
docker Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 11:12:23 -04:00
exfil New exfil detector, exception improvements 2022-09-30 12:10:18 -04:00
fd Fix broken queries 2022-10-10 08:01:30 -04:00
firewall Remove more false positives, add more detail to sensitive file access 2022-10-05 16:15:40 -04:00
fs Add query to find hidden LaunchAgent/LaunchDaemon files 2022-10-10 10:42:06 -04:00
kernel Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 11:12:23 -04:00
net Optimize queries for lower false positives 2022-10-07 16:19:18 -04:00
process Optimize queries for lower false positives 2022-10-07 16:19:18 -04:00
process_events Fix broken queries 2022-10-10 08:01:30 -04:00
startup Optimize queries for lower false positives 2022-10-07 16:19:18 -04:00
.gitignore Initial commit 2022-08-31 14:33:47 -04:00
README.md More clarity 2022-10-07 12:46:55 -04:00

README.md

osquery-packs

osquery packs, mostly geared toward threat hunting.

Linux Case Study: Shikitega (September 2022)

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

Here is a partial list of what stages would have been detected by particular queries:

  • Initial Dropper Execution, detected by:
    • process_events/tiny-executable-events.sql
    • process/tiny-executable.sql
  • Next Stage Dropper Execution, detected by:
    • process_events/tiny-executable-events.sql
    • process/tiny-executable.sql
    • process/unexpected-shell-parents.sql
  • Escalation Prep, detected by:
    • process/sketchy-fetchers.sql
    • process-events/sketchy-fetcher-events.sql
    • net/unexpected-talkers-linux.sql
    • net/exotic-command-events.sql
    • net/exotic-cmdline.sql
  • Escalation Tool Execution detected by:
    • process/unexpected-executable-permissions.sql
    • process/unexpected-executable-directory-linux.sql
    • process/unexpected-tmp-executables.sql
    • net/exotic-command-events.sql
    • net/exotic-cmdline.sql
    • process/unexpected-shell-parents.sql
    • process/missing-from-disk-linux.sql
  • Privilege Escalation detected by:
    • process/unexpected-setxid-process.sql
    • process/unexpected-privilege-escalation.sql
    • process/events/unexpected-privilege-escalation-events.sql
    • process/name_path_mismatch.sql
  • Persistence detected by:
    • startup/unexpected-cron-entries.sql
    • process/unexpected-executable-directory-linux.sql

macOS Case Study: CloudMensis (April 2022)

https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/

Here is a partial list of what stages would have been detected by particular queries:

  • Initial Dropper Execution, detected by:

    • net/unexpected-talkers-macos.sql

  • Second Stage Execution, detected by:

    • process/unexpected-executable-directory-macos.sql
    • startup/unexpected-launch-daemon-macos.sql
    • mounts/unexpected-mounts.sql

  • TCC Bypass, detected by:

    • env/unexpected-env-values.sql

  • Spy Agent Execution, detected by:

    • net/unexpected-talkers-macos.sql
    • process_events/exotic-command-events.sql
    • process/unexpected-executable-directory-macos.sql