08e8d462fe
RED PILL 🔴 💊
241 lines
8.7 KiB
Text
241 lines
8.7 KiB
Text
|
|
/*
|
|
Rules which detect vulnerabilities in configuration files.
|
|
External variables are used so they only work with YARA scanners, that pass them on (e.g. Thor, Loki and Spyre)
|
|
*/
|
|
|
|
|
|
rule VULN_Linux_Sudoers_Commands {
|
|
meta:
|
|
description = "Detects sudoers config with commands which might allow privilege escalation to root"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Arnim Rupp"
|
|
reference = "https://gtfobins.github.io/"
|
|
date = "2022-11-22"
|
|
modified = "2024-04-15"
|
|
score = 50
|
|
id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
|
|
strings:
|
|
$command1 = "/sh " ascii
|
|
$command2 = "/bash " ascii
|
|
$command3 = "/ksh " ascii
|
|
$command4 = "/csh " ascii
|
|
$command5 = "/tcpdump " ascii
|
|
//$command6 = "/cat " ascii
|
|
//$command7 = "/head " ascii
|
|
$command8 = "/nano " ascii
|
|
$command9 = "/pico " ascii
|
|
$command10 = "/rview " ascii
|
|
$command11 = "/vi " ascii
|
|
$command12 = "/vim " ascii
|
|
$command13 = "/rvi " ascii
|
|
$command14 = "/rvim " ascii
|
|
//$command15 = "/more " ascii
|
|
$command16 = "/less " ascii
|
|
$command17 = "/dd " ascii
|
|
/* $command18 = "/mount " ascii prone to FPs */
|
|
|
|
condition:
|
|
( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and
|
|
any of ($command*)
|
|
}
|
|
|
|
rule VULN_Linux_NFS_Exports {
|
|
meta:
|
|
description = "Detects insecure /etc/exports NFS config which might allow privilege escalation to root or other users. The parameter insecure allows any non-root user to mount NFS shares via e.g. an SSH-tunnel. With no_root_squash SUID root binaries are allowed."
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
reference = "https://www.errno.fr/nfs_privesc.html"
|
|
author = "Arnim Rupp"
|
|
date = "2022-11-22"
|
|
score = 50
|
|
id = "4b7d81d8-1ae1-5fcf-a91c-271477a839db"
|
|
strings:
|
|
// line has to start with / to avoid triggering on #-comment lines
|
|
$conf1 = /\n\/.{2,200}?\binsecure\b/ ascii
|
|
$conf2 = /\n\/.{2,200}?\bno_root_squash\b/ ascii
|
|
|
|
condition:
|
|
filename == "exports" and
|
|
filepath contains "/etc" and
|
|
any of ($conf*)
|
|
}
|
|
|
|
rule SUSP_AES_Key_in_MySql_History {
|
|
meta:
|
|
description = "Detects AES key outside of key management in .mysql_history"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Arnim Rupp"
|
|
date = "2022-11-22"
|
|
score = 50
|
|
id = "28acef39-8606-5d3d-b395-0d8db13f6c9c"
|
|
strings:
|
|
$c1 = /\bAES_(DE|EN)CRYPT\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
|
|
$c2 = /\baes_(de|en)crypt\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
|
|
|
|
condition:
|
|
filename == ".mysql_history" and
|
|
any of ($c*)
|
|
}
|
|
|
|
rule VULN_Slapd_Conf_with_Default_Password {
|
|
meta:
|
|
description = "Detects an openldap slapd.conf with the default password test123"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Arnim Rupp"
|
|
date = "2022-11-22"
|
|
reference = "https://www.openldap.org/doc/admin21/slapdconfig.html"
|
|
score = 70
|
|
id = "1d1319da-125b-5373-88f1-27a23c85729e"
|
|
strings:
|
|
/* \nrootpw \{SSHA\}fsAEyxlFOtvZBwPLAF68zpUhth8lERoR */
|
|
$c1 = { 0A 72 6f 6f 74 70 77 20 7b 53 53 48 41 7d 66 73 41 45 79 78 6c 46 4f 74 76 5a 42 77 50 4c 41 46 36 38 7a 70 55 68 74 68 38 6c 45 52 6f 52 }
|
|
|
|
condition:
|
|
filename == "slapd.conf" and
|
|
any of ($c*)
|
|
}
|
|
|
|
rule VULN_Unencrypted_SSH_Private_Key : T1552_004 {
|
|
meta:
|
|
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Arnim Rupp"
|
|
date = "2023-01-06"
|
|
reference = "https://attack.mitre.org/techniques/T1552/004/"
|
|
score = 50
|
|
id = "84b279fc-99c8-5101-b2d8-5c7adbaf753f"
|
|
strings:
|
|
/*
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MII
|
|
*/
|
|
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
|
|
|
|
/*
|
|
-----BEGIN DSA PRIVATE KEY-----
|
|
MIIBvAIBAAKBgQ
|
|
*/
|
|
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
|
|
|
|
/*
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
M
|
|
*/
|
|
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
|
|
|
|
/*
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
|
|
|
|
base64 contains: openssh-key-v1.....none
|
|
*/
|
|
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
|
|
|
|
$putty_start = "PuTTY-User-Key-File" ascii
|
|
$putty_noenc = "Encryption: none" ascii
|
|
|
|
condition:
|
|
/*
|
|
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
|
|
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
|
|
movement => bad signal noise ratio
|
|
*/
|
|
(
|
|
filepath contains "ssh" or
|
|
filepath contains "SSH" or
|
|
filepath contains "utty" or
|
|
filename contains "ssh" or
|
|
filename contains "SSH" or
|
|
filename contains "id_" or
|
|
filename contains "id2_" or
|
|
filename contains ".ppk" or
|
|
filename contains ".PPK" or
|
|
filename contains "utty"
|
|
)
|
|
and
|
|
(
|
|
$openssh_dsa at 0 or
|
|
$openssh_rsa at 0 or
|
|
$openssh_ecdsa at 0 or
|
|
$openssh_ed25519 at 0 or
|
|
(
|
|
$putty_start at 0 and
|
|
$putty_noenc
|
|
)
|
|
)
|
|
and not filepath contains "/root/"
|
|
and not filename contains "ssh_host_"
|
|
}
|
|
|
|
|
|
rule VULN_Unencrypted_SSH_Private_Key_Root_Folder : T1552_004 {
|
|
meta:
|
|
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Arnim Rupp"
|
|
date = "2023-01-06"
|
|
reference = "https://attack.mitre.org/techniques/T1552/004/"
|
|
score = 65
|
|
id = "9e6a03a1-d95f-5de7-a6c0-a2e77486007c"
|
|
strings:
|
|
/*
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MII
|
|
*/
|
|
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
|
|
|
|
/*
|
|
-----BEGIN DSA PRIVATE KEY-----
|
|
MIIBvAIBAAKBgQ
|
|
*/
|
|
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
|
|
|
|
/*
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
M
|
|
*/
|
|
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
|
|
|
|
/*
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
|
|
|
|
base64 contains: openssh-key-v1.....none
|
|
*/
|
|
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
|
|
|
|
$putty_start = "PuTTY-User-Key-File" ascii
|
|
$putty_noenc = "Encryption: none" ascii
|
|
|
|
condition:
|
|
/*
|
|
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
|
|
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
|
|
movement => bad signal noise ratio
|
|
*/
|
|
(
|
|
filepath contains "ssh" or
|
|
filepath contains "SSH" or
|
|
filepath contains "utty" or
|
|
filename contains "ssh" or
|
|
filename contains "SSH" or
|
|
filename contains "id_" or
|
|
filename contains "id2_" or
|
|
filename contains ".ppk" or
|
|
filename contains ".PPK" or
|
|
filename contains "utty"
|
|
)
|
|
and
|
|
(
|
|
$openssh_dsa at 0 or
|
|
$openssh_rsa at 0 or
|
|
$openssh_ecdsa at 0 or
|
|
$openssh_ed25519 at 0 or
|
|
(
|
|
$putty_start at 0 and
|
|
$putty_noenc
|
|
)
|
|
)
|
|
and filepath contains "/root/"
|
|
and not filename contains "ssh_host_"
|
|
}
|