Address Kibana false positives (chainguard-dev#391)
Signed-off-by: egibs <[email protected]>
egibs authored Jul 30, 2024
1 parent 4b9283f commit 44b5a48
Showing 8 changed files with 12,998 additions and 9 deletions.
1 change: 1 addition & 0 deletions pkg/compile/compile.go
Expand Up @@ -29,6 +29,7 @@ var badRules = map[string]bool{
"DELIVRTO_SUSP_HTML_WASM_Smuggling": true,
"SIGNATURE_BASE_FVEY_Shadowbroker_Auct_Dez16_Strings": true,
"ELASTIC_Macos_Creddump_Keychainaccess_535C1511": true,
"SIGNATURE_BASE_Reconcommands_In_File": true,
// ThreatHunting Keywords (some duplicates)
"Adobe_XMP_Identifier": true,
"Antivirus_Signature_signature_keyword": true,
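Review bot: The entry added to `badRules` in this hunk carries no comment saying which false positive it suppresses, unlike the `// ThreatHunting Keywords (some duplicates)` group right below it, so the reason a whole rule is disabled lives only in the commit title. The rendering drops the `+` marker, so which of the seven shown lines is new is not visible; from the commit's subject it is presumably `ELASTIC_Macos_Creddump_Keychainaccess_535C1511`, but the suggestion applies whichever it is. A trailing comment such as `"ELASTIC_Macos_Creddump_Keychainaccess_535C1511": true, // false positive on Elastic rule JSON, see chainguard-dev#391` keeps the justification next to the exclusion. The `badRules` map starts before the hunk.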
7 changes: 6 additions & 1 deletion rules/combo/backdoor/php.yara
Expand Up @@ -116,8 +116,13 @@ rule php_eval_gzinflate_base64_backdoor : critical {
$f_gzinflate = "gzinflate("
$f_base64_decode = "base64_decode"
$not_php = "PHP_FLOAT_DIG" fullword
$not_js = " ?? "
$not_js2 = " === "
$not_js3 = "const"
$not_js4 = "this."
$not_js5 = "throw"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
$not_php = "PHP_FLOAT_DIG" fullword
$not_workaround = "/* workaround for chrome bug "
condition:
all of ($f*) and none of ($not*)
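Review bot: The new `$not_js3 = "const"`, `$not_js4 = "this."` and `$not_js5 = "throw"` strings are short, unanchored substrings that also occur in ordinary PHP (`const` and `throw` are PHP keywords), and because the condition is `none of ($not*)`, a single occurrence of any of them anywhere in a file now silences this `critical` rule, so a PHP backdoor that embeds a small script or one `throw` statement is no longer reported. Consider marking the JavaScript negatives `fullword` and requiring more than one of them, e.g. `all of ($f*) and not (2 of ($not_js*)) and none of ($not_php, $not_mongosh_php, $not_workaround)`, so the exclusion needs several JavaScript signals rather than one common token. The rendering drops the `+`/`-` markers, so I am inferring that `$not_php` was only moved for ordering; `php_eval_gzinflate_base64_backdoor` starts before the hunk.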
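--- a/rules/secrets/keychain-dump.yara
+++ b/rules/secrets/keychain-dump.yara
@@ -4,7 +4,9 @@ rule security_dump_keychain : critical {
 hash_2011_bin_kd = "8eb5ab5d71c84c9927b420948abedcf510369c8d566ee94c0cb5bc276d0d0a72"
 strings:
 $dump = "dump-keychain"
-$ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+$not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+$not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+$not_elastic_license = "\"license\": \"Elastic License v2\""
 condition:
-$dump and not $ctkcard
+$dump and none of ($not*)
 }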
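Review bot: `$not_elastic_author` is a hex string that encodes one exact pretty-print layout of `"author": [ "Elastic" ]` (newline, four spaces, newline, two spaces), so the exclusion only holds for files indented exactly like the bundled sample and silently stops working on a different indent or CRLF line endings, while `$not_elastic_license` is a plain string any file can carry; both now suppress a `critical` rule on the strength of metadata text rather than file structure. A whitespace-tolerant pattern such as `$not_elastic_author = /"author":\s*\[\s*"Elastic"\s*\]/` would be more robust, and a comment above the pair stating that it excludes Elastic detection-rule JSON (chainguard-dev#391) would explain the otherwise opaque byte sequence. The same two strings are pasted into four rules in rules/secrets/keychain.yara in this commit; the comment belongs with each copy, or the pair could be factored into one private rule that the conditions reference.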
20 changes: 14 additions & 6 deletions rules/secrets/keychain.yara
Expand Up @@ -8,8 +8,10 @@ rule keychain : medium macos {
strings:
$ref = "Keychain"
$ref2 = "keychain"
$not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
$not_elastic_license = "\"license\": \"Elastic License v2\""
condition:
any of them
any of ($ref*) and none of ($not*)
}

rule macos_library_keychains : medium {
Expand All @@ -20,26 +22,32 @@ rule macos_library_keychains : medium {
hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
strings:
$ref = "/Library/Keychains"
$not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
$not_elastic_license = "\"license\": \"Elastic License v2\""
condition:
any of them
$ref and none of ($not*)
}

rule find_generic_password : high {
meta:
description = "Looks up a password from the Keychain"
strings:
$ref = /find-generic-passsword[ \-\w\']{0,32}/
$ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
$not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
$not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
$not_elastic_license = "\"license\": \"Elastic License v2\""
condition:
$ref and not $ctkcard
$ref and none of ($not*)
}

rule find_internet_password : high {
meta:
description = "Looks up an internet password from the Keychain"
strings:
$ref = /find-internet-passsword[ \-\w\']{0,32}/
$ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
$not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
$not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
$not_elastic_license = "\"license\": \"Elastic License v2\""
condition:
$ref and not $ctkcard
$ref and none of ($not*)
}
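Review bot: The `$ref` string that the new condition `$ref and none of ($not*)` in `find_generic_password` tests still reads `/find-generic-passsword[ \-\w\']{0,32}/` with a triple `s`, so the rule cannot match the real `security find-generic-password` subcommand it describes, and `find_internet_password` has the same `passsword` typo in its regex; the commit tightens both conditions without touching the pattern they depend on. Suggest `$ref = /find-generic-password[ \-\w\']{0,32}/` and `$ref = /find-internet-password[ \-\w\']{0,32}/`, ideally with a sample that exercises each rule so the regression is caught. The `keychain` rule at the top of this section begins before its hunk (its meta lines are not shown), and the rendering drops the `+`/`-` markers, so the old/new pairing of the condition lines is inferred from the `$ctkcard` to `$not_ctkcard` rename.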
12,856 changes: 12,856 additions & 0 deletions samples/Javascript/clean/php.js


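--- /dev/null
+++ b/samples/Javascript/clean/php.js.simple
@@ -0,0 +1,59 @@
+# Javascript/clean/php.js
+combo/net/tunnel_proxy
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/hostname/resolve
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+techniques/code_eval
+tty/pathname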
@@ -0,0 +1,55 @@
{
"author": [
"Elastic"
],
"description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Dumping of Keychain Content via Security Command",
"query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
"references": [
"https://ss64.com/osx/security.html"
],
"risk_score": 73,
"rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
"severity": "high",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1555",
"name": "Credentials from Password Stores",
"reference": "https://attack.mitre.org/techniques/T1555/",
"subtechnique": [
{
"id": "T1555.001",
"name": "Keychain",
"reference": "https://attack.mitre.org/techniques/T1555/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}
@@ -0,0 +1,3 @@
# Linux/clean/credential_access_dumping_keychain_security.json
ref/site/url
ref/words/password
