leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

detection rules: YARA + Falco for the 6 highest-rank modules + playbook

Browse Source 
Closes the 'rules in the box' gap — the README has claimed YARA +
Falco coverage but detect_yara and detect_falco were NULL on every
module. This commit lights up both formats for the 6 highest-value
modules (covering 10 of 31 registered modules via family-shared
rules), and the existing operational playbook gains the
format-specific deployment recipes + the cross-format correlation
table.

YARA rules (8 rules, 9 module-headers, 152 lines):
- copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password
  (shared across copy_fail / copy_fail_gcm / dirty_frag_esp /
   dirty_frag_esp6 / dirty_frag_rxrpc)
- dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag
- dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve
  shellcode tail, detects the page-cache overlay landing
- fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid
  cascade, detects the 192-byte page-cache overlay
- pwnkit — gconv-modules cache file format (small text file with
  module UTF-8// X// /tmp/...)
- pack2theroot — malicious .deb (ar archive + SUID-bash postinst) +
  /tmp/.suid_bash artifact scan

Falco rules (13 rules, 9 module-headers, 219 lines):
- pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root
- copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from
  unprivileged userns + /etc/passwd modified by non-root
- dirty_pipe — splice() of setuid/credential file by non-root
- dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root
- fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary
- pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by
  packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction

Wiring: each module's .detect_yara and .detect_falco struct fields
now point at the embedded string. The dispatcher dedups by pointer,
so family-shared rules emit once across the 5 sub-modules.

docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines):
- New 'YARA artifact scanning' subsection under SIEM integration
  with scheduled-scan cron pattern + per-rule trigger table
- New 'Falco runtime detection' subsection with deploy + per-rule
  trigger table
- New 'Per-module detection coverage' table — 4-format matrix
- New 'Correlation across formats' section — multi-format incident
  signature per exploit (the 3-of-4 signal pattern)
- New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough
  from Falco page through yara confirmation, recovery, hunt + patch

The existing operational lifecycle / SIEM patterns / FP tuning
content is preserved unchanged — this commit only adds.

Final stats:
- auditd: 109 rule statements across 27 modules
- sigma:  16 sigma rules across 19 modules
- yara:    8 yara rules across 9 module headers (5 family + 4 distinct)
- falco:  13 falco rules across 9 module headers

The remaining 21 modules can gain YARA / Falco coverage incrementally
by populating their detect_yara / detect_falco struct fields.
This commit is contained in:
KaraZajac
2026-05-23 00:47:13 -04:00
parent 027fc1f9dd
commit 8938a74d04
9 changed files with 526 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c
+35 -2
View File
@@ -460,6 +460,39 @@ static const char dirty_pipe_auditd[] =
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n"
"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n";
static const char dirty_pipe_yara[] =
"rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2022-0847\"\n"
" description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
" condition:\n"
" $uid_flip\n"
"}\n";
static const char dirty_pipe_falco[] =
"- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n"
" desc: |\n"
" A non-root process calls splice() with a fd pointing at a\n"
" setuid-root binary or a credential file. The Dirty Pipe\n"
" primitive (CVE-2022-0847) splices 1 byte from the target to\n"
" a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n"
" then writes attacker bytes that land in the file's page cache.\n"
" condition: >\n"
" evt.type = splice and not user.uid = 0 and\n"
" (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n"
" or fd.name startswith /usr/bin/su\n"
" or fd.name startswith /usr/bin/passwd\n"
" or fd.name startswith /bin/su)\n"
" output: >\n"
" Dirty Pipe-style splice from sensitive file by non-root\n"
" (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n"
" priority: CRITICAL\n"
" tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n";
static const char dirty_pipe_sigma[] =
"title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
"id: f6b13c08-skeletonkey-dirty-pipe\n"
@@ -487,8 +520,8 @@ const struct skeletonkey_module dirty_pipe_module = {
.cleanup = dirty_pipe_cleanup,
.detect_auditd = dirty_pipe_auditd,
.detect_sigma = dirty_pipe_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
.detect_yara = dirty_pipe_yara,
.detect_falco = dirty_pipe_falco,
};
void skeletonkey_register_dirty_pipe(void)