Querypack equivalent of ossec rootkit db (#3377)
This commit is contained in:
parent
80aaed8b05
commit
ebae5785a7
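--- a/packs/ossec-rootkit.conf
+++ b/packs/ossec-rootkit.conf
@@ -0,0 +1,412 @@
+{
+"platform": "linux",
+"version": "1.4.5",
+"queries": {
+"bash_door": {
+"query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');",
+"interval": "3600",
+"description": "bash_door",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"slapper_installed": {
+"query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');",
+"interval": "3600",
+"description": "slapper_installed",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"mithra`s_rootkit": {
+"query": "select * from file where path in ('/usr/lib/locale/uboot');",
+"interval": "3600",
+"description": "mithra`s_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"omega_worm": {
+"query": "select * from file where path in ('/dev/chr');",
+"interval": "3600",
+"description": "omega_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"kenga3_rootkit": {
+"query": "select * from file where path in ('/usr/include/. .');",
+"interval": "3600",
+"description": "kenga3_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"sadmind/iis_worm": {
+"query": "select * from file where path in ('/dev/cuc');",
+"interval": "3600",
+"description": "sadmind/iis_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"rsha": {
+"query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');",
+"interval": "3600",
+"description": "rsha",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"old_rootkits": {
+"query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');",
+"interval": "3600",
+"description": "old_rootkits",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"telekit_trojan": {
+"query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');",
+"interval": "3600",
+"description": "telekit_trojan",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"tc2_worm": {
+"query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');",
+"interval": "3600",
+"description": "tc2_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"shitc": {
+"query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');",
+"interval": "3600",
+"description": "shitc",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"rh_sharpe": {
+"query": "select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');",
+"interval": "3600",
+"description": "rh_sharpe",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"showtee_/_romanian_rootkit": {
+"query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');",
+"interval": "3600",
+"description": "showtee_/_romanian_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"lrk_rootkit": {
+"query": "select * from file where path in ('/dev/ida/.inet');",
+"interval": "3600",
+"description": "lrk_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"zk_rootkit": {
+"query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');",
+"interval": "3600",
+"description": "zk_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"ramen_worm": {
+"query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');",
+"interval": "3600",
+"description": "ramen_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"maniac_rk": {
+"query": "select * from file where path in ('/usr/bin/mailrc');",
+"interval": "3600",
+"description": "maniac_rk",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"bmbl_rootkit": {
+"query": "select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');",
+"interval": "3600",
+"description": "bmbl_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"suckit_rootkit": {
+"query": "select * from file where path in ('/lib/.x', '/lib/sk');",
+"interval": "3600",
+"description": "suckit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"adore_rootkit": {
+"query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');",
+"interval": "3600",
+"description": "adore_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"ldp_worm": {
+"query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');",
+"interval": "3600",
+"description": "ldp_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"romanian_rootkit": {
+"query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');",
+"interval": "3600",
+"description": "romanian_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"illogic_rootkit": {
+"query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', '/etc/ld.so.hash');",
+"interval": "3600",
+"description": "illogic_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"bobkit_rootkit": {
+"query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');",
+"interval": "3600",
+"description": "bobkit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"monkit": {
+"query": "select * from file where path in ('/lib/defs');",
+"interval": "3600",
+"description": "monkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"override_rootkit": {
+"query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');",
+"interval": "3600",
+"description": "override_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"madalin_rootkit": {
+"query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');",
+"interval": "3600",
+"description": "madalin_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"solaris_worm": {
+"query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');",
+"interval": "3600",
+"description": "solaris_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"phalanx_rootkit": {
+"query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');",
+"interval": "3600",
+"description": "phalanx_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"ark_rootkit": {
+"query": "select * from file where path in ('/dev/ptyxx');",
+"interval": "3600",
+"description": "ark_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"tribe_bot": {
+"query": "select * from file where path in ('/dev/wd4');",
+"interval": "3600",
+"description": "tribe_bot",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"cback_worm": {
+"query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');",
+"interval": "3600",
+"description": "cback_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"optickit": {
+"query": "select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');",
+"interval": "3600",
+"description": "optickit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"anonoiyng_rootkit": {
+"query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');",
+"interval": "3600",
+"description": "anonoiyng_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"loc_rookit": {
+"query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');",
+"interval": "3600",
+"description": "loc_rookit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"showtee": {
+"query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');",
+"interval": "3600",
+"description": "showtee",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"zarwt_rootkit": {
+"query": "select * from file where path in ('/bin/imin', '/bin/imout');",
+"interval": "3600",
+"description": "zarwt_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"lion_worm": {
+"query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');",
+"interval": "3600",
+"description": "lion_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"suspicious_file": {
+"query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', '/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');",
+"interval": "3600",
+"description": "suspicious_file",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"apa_kit": {
+"query": "select * from file where path in ('/usr/share/.aPa');",
+"interval": "3600",
+"description": "apa_kit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"enye_sec_rootkit": {
+"query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');",
+"interval": "3600",
+"description": "enye_sec_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"rk17": {
+"query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');",
+"interval": "3600",
+"description": "rk17",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"trk_rootkit": {
+"query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');",
+"interval": "3600",
+"description": "trk_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"scalper_installed": {
+"query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');",
+"interval": "3600",
+"description": "scalper_installed",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"hidr00tkit": {
+"query": "select * from file where path in ('/var/lib/games/.k');",
+"interval": "3600",
+"description": "hidr00tkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"beastkit_rootkit": {
+"query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');",
+"interval": "3600",
+"description": "beastkit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"shv5_rootkit": {
+"query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');",
+"interval": "3600",
+"description": "shv5_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"esrk_rootkit": {
+"query": "select * from file where path in ('/usr/lib/tcl5.3');",
+"interval": "3600",
+"description": "esrk_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"shkit_rootkit": {
+"query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');",
+"interval": "3600",
+"description": "shkit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"knark_installed": {
+"query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');",
+"interval": "3600",
+"description": "knark_installed",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"volc_rootkit": {
+"query": "select * from file where path in ('/usr/lib/volc', '/usr/bin/volc');",
+"interval": "3600",
+"description": "volc_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"fu_rootkit": {
+"query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');",
+"interval": "3600",
+"description": "fu_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"ajakit_rootkit": {
+"query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');",
+"interval": "3600",
+"description": "ajakit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"monkit_found": {
+"query": "select * from file where path in ('/usr/lib/libpikapp.a');",
+"interval": "3600",
+"description": "monkit_found",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"t0rn_rootkit": {
+"query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');",
+"interval": "3600",
+"description": "t0rn_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"adore_worm": {
+"query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');",
+"interval": "3600",
+"description": "adore_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"55808.a_worm": {
+"query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');",
+"interval": "3600",
+"description": "55808.a_worm",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+},
+"tuxkit_rootkit": {
+"query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');",
+"interval": "3600",
+"description": "tuxkit_rootkit",
+"value": "Artifacts used by this malware",
+"platform": "linux"
+}
+}
+}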
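Review bot: The phalanx_rootkit query can never fire, because `path in (...)` on osquery's `file` table is an exact-path lookup and the `*` in `'/usr/share/.home*'` and `'/usr/share/.home*/tty'` is matched literally, so that detection is silently lost. Replace those two entries with the wildcard form the table does support, e.g. `select * from file where path like '/usr/share/.home%' or path like '/usr/share/.home%/tty' or path in ('/etc/host.ph1', '/bin/host.ph1');`. The same exact-match semantics make the trailing-dash names in bobkit_rootkit (`/usr/lib/.bkit-`) and override_rootkit (`/dev/grid-hide-pid-` and friends) look like prefixes carried over from the OSSEC list rather than literal file names — presumably worth checking against upstream rootkit_files.txt and switching to `like '...%'` if so. Minor cleanups: optickit lists `/usr/bin/xsf` and `/usr/bin/xchk` twice, knark_installed lists `/dev/.pula` twice, and `'/tmp./update'` in slapper_installed reads like a mis-typed `/tmp/.update` — verify before changing, since a wrong path is a silent miss rather than an error.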
@ -74,6 +74,7 @@
// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
// "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
// "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
}
}