diff --git a/packs/ossec-rootkit.conf b/packs/ossec-rootkit.conf
new file mode 100644
index 00000000..4b168442
--- /dev/null
+++ b/packs/ossec-rootkit.conf
@@ -0,0 +1,412 @@
+{
+ "platform": "linux",
+ "version": "1.4.5",
+ "queries": {
+ "bash_door": {
+ "query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');",
+ "interval": "3600",
+ "description": "bash_door",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "slapper_installed": {
+ "query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');",
+ "interval": "3600",
+ "description": "slapper_installed",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "mithra`s_rootkit": {
+ "query": "select * from file where path in ('/usr/lib/locale/uboot');",
+ "interval": "3600",
+ "description": "mithra`s_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "omega_worm": {
+ "query": "select * from file where path in ('/dev/chr');",
+ "interval": "3600",
+ "description": "omega_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "kenga3_rootkit": {
+ "query": "select * from file where path in ('/usr/include/. .');",
+ "interval": "3600",
+ "description": "kenga3_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "sadmind/iis_worm": {
+ "query": "select * from file where path in ('/dev/cuc');",
+ "interval": "3600",
+ "description": "sadmind/iis_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "rsha": {
+ "query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');",
+ "interval": "3600",
+ "description": "rsha",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "old_rootkits": {
+ "query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');",
+ "interval": "3600",
+ "description": "old_rootkits",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "telekit_trojan": {
+ "query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');",
+ "interval": "3600",
+ "description": "telekit_trojan",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "tc2_worm": {
+ "query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');",
+ "interval": "3600",
+ "description": "tc2_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "shitc": {
+ "query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');",
+ "interval": "3600",
+ "description": "shitc",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "rh_sharpe": {
+ "query": "select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');",
+ "interval": "3600",
+ "description": "rh_sharpe",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "showtee_/_romanian_rootkit": {
+ "query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');",
+ "interval": "3600",
+ "description": "showtee_/_romanian_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "lrk_rootkit": {
+ "query": "select * from file where path in ('/dev/ida/.inet');",
+ "interval": "3600",
+ "description": "lrk_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "zk_rootkit": {
+ "query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');",
+ "interval": "3600",
+ "description": "zk_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "ramen_worm": {
+ "query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');",
+ "interval": "3600",
+ "description": "ramen_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "maniac_rk": {
+ "query": "select * from file where path in ('/usr/bin/mailrc');",
+ "interval": "3600",
+ "description": "maniac_rk",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "bmbl_rootkit": {
+ "query": "select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');",
+ "interval": "3600",
+ "description": "bmbl_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "suckit_rootkit": {
+ "query": "select * from file where path in ('/lib/.x', '/lib/sk');",
+ "interval": "3600",
+ "description": "suckit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "adore_rootkit": {
+ "query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');",
+ "interval": "3600",
+ "description": "adore_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "ldp_worm": {
+ "query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');",
+ "interval": "3600",
+ "description": "ldp_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "romanian_rootkit": {
+ "query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');",
+ "interval": "3600",
+ "description": "romanian_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "illogic_rootkit": {
+ "query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', '/etc/ld.so.hash');",
+ "interval": "3600",
+ "description": "illogic_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "bobkit_rootkit": {
+ "query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');",
+ "interval": "3600",
+ "description": "bobkit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "monkit": {
+ "query": "select * from file where path in ('/lib/defs');",
+ "interval": "3600",
+ "description": "monkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "override_rootkit": {
+ "query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');",
+ "interval": "3600",
+ "description": "override_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "madalin_rootkit": {
+ "query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');",
+ "interval": "3600",
+ "description": "madalin_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "solaris_worm": {
+ "query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');",
+ "interval": "3600",
+ "description": "solaris_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "phalanx_rootkit": {
+ "query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');",
+ "interval": "3600",
+ "description": "phalanx_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "ark_rootkit": {
+ "query": "select * from file where path in ('/dev/ptyxx');",
+ "interval": "3600",
+ "description": "ark_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "tribe_bot": {
+ "query": "select * from file where path in ('/dev/wd4');",
+ "interval": "3600",
+ "description": "tribe_bot",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "cback_worm": {
+ "query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');",
+ "interval": "3600",
+ "description": "cback_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "optickit": {
+ "query": "select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');",
+ "interval": "3600",
+ "description": "optickit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "anonoiyng_rootkit": {
+ "query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');",
+ "interval": "3600",
+ "description": "anonoiyng_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "loc_rookit": {
+ "query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');",
+ "interval": "3600",
+ "description": "loc_rookit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "showtee": {
+ "query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');",
+ "interval": "3600",
+ "description": "showtee",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "zarwt_rootkit": {
+ "query": "select * from file where path in ('/bin/imin', '/bin/imout');",
+ "interval": "3600",
+ "description": "zarwt_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "lion_worm": {
+ "query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');",
+ "interval": "3600",
+ "description": "lion_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "suspicious_file": {
+ "query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', '/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');",
+ "interval": "3600",
+ "description": "suspicious_file",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "apa_kit": {
+ "query": "select * from file where path in ('/usr/share/.aPa');",
+ "interval": "3600",
+ "description": "apa_kit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "enye_sec_rootkit": {
+ "query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');",
+ "interval": "3600",
+ "description": "enye_sec_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "rk17": {
+ "query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');",
+ "interval": "3600",
+ "description": "rk17",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "trk_rootkit": {
+ "query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');",
+ "interval": "3600",
+ "description": "trk_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "scalper_installed": {
+ "query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');",
+ "interval": "3600",
+ "description": "scalper_installed",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "hidr00tkit": {
+ "query": "select * from file where path in ('/var/lib/games/.k');",
+ "interval": "3600",
+ "description": "hidr00tkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "beastkit_rootkit": {
+ "query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');",
+ "interval": "3600",
+ "description": "beastkit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "shv5_rootkit": {
+ "query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');",
+ "interval": "3600",
+ "description": "shv5_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "esrk_rootkit": {
+ "query": "select * from file where path in ('/usr/lib/tcl5.3');",
+ "interval": "3600",
+ "description": "esrk_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "shkit_rootkit": {
+ "query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');",
+ "interval": "3600",
+ "description": "shkit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "knark_installed": {
+ "query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');",
+ "interval": "3600",
+ "description": "knark_installed",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "volc_rootkit": {
+ "query": "select * from file where path in ('/usr/lib/volc', '/usr/bin/volc');",
+ "interval": "3600",
+ "description": "volc_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "fu_rootkit": {
+ "query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');",
+ "interval": "3600",
+ "description": "fu_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "ajakit_rootkit": {
+ "query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');",
+ "interval": "3600",
+ "description": "ajakit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "monkit_found": {
+ "query": "select * from file where path in ('/usr/lib/libpikapp.a');",
+ "interval": "3600",
+ "description": "monkit_found",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "t0rn_rootkit": {
+ "query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');",
+ "interval": "3600",
+ "description": "t0rn_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "adore_worm": {
+ "query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');",
+ "interval": "3600",
+ "description": "adore_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "55808.a_worm": {
+ "query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');",
+ "interval": "3600",
+ "description": "55808.a_worm",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ },
+ "tuxkit_rootkit": {
+ "query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');",
+ "interval": "3600",
+ "description": "tuxkit_rootkit",
+ "value": "Artifacts used by this malware",
+ "platform": "linux"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tools/deployment/osquery.example.conf b/tools/deployment/osquery.example.conf
index 78aa6829..7d38ddff 100644
--- a/tools/deployment/osquery.example.conf
+++ b/tools/deployment/osquery.example.conf
@@ -74,6 +74,7 @@
 // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
 // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
 // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
- // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
+ // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
+ // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
 }
 }
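Review bot: The `phalanx_rootkit` query lists `'/usr/share/.home*'` and `'/usr/share/.home*/tty'` inside `path in (...)`, but `in` compares the path literally, so the `*` is never expanded and those two artifacts are effectively unmonitored; the file table supports `like` for wildcards, so `select * from file where path like '/usr/share/.home%' or path like '/usr/share/.home%/tty' or path in ('/etc/host.ph1', '/bin/host.ph1');` keeps the intent. `optickit` lists `/usr/bin/xsf` and `/usr/bin/xchk` twice and `knark_installed` lists `/dev/.pula` twice, which is harmless but looks like a copy error, and `'/tmp./update'` in `slapper_installed` looks like a typo for `/tmp/.update` — worth checking against the OSSEC source list before merging. Every `description` merely repeats the query name; a short phrase naming the family (for example `"description": "Phalanx rootkit file artifacts"`) would make the alert readable without the pack open. The file also ends without a trailing newline.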