leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

detection rules: YARA + Falco for the 6 highest-rank modules + playbook

Browse Source 
Closes the 'rules in the box' gap — the README has claimed YARA +
Falco coverage but detect_yara and detect_falco were NULL on every
module. This commit lights up both formats for the 6 highest-value
modules (covering 10 of 31 registered modules via family-shared
rules), and the existing operational playbook gains the
format-specific deployment recipes + the cross-format correlation
table.

YARA rules (8 rules, 9 module-headers, 152 lines):
- copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password
  (shared across copy_fail / copy_fail_gcm / dirty_frag_esp /
   dirty_frag_esp6 / dirty_frag_rxrpc)
- dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag
- dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve
  shellcode tail, detects the page-cache overlay landing
- fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid
  cascade, detects the 192-byte page-cache overlay
- pwnkit — gconv-modules cache file format (small text file with
  module UTF-8// X// /tmp/...)
- pack2theroot — malicious .deb (ar archive + SUID-bash postinst) +
  /tmp/.suid_bash artifact scan

Falco rules (13 rules, 9 module-headers, 219 lines):
- pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root
- copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from
  unprivileged userns + /etc/passwd modified by non-root
- dirty_pipe — splice() of setuid/credential file by non-root
- dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root
- fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary
- pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by
  packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction

Wiring: each module's .detect_yara and .detect_falco struct fields
now point at the embedded string. The dispatcher dedups by pointer,
so family-shared rules emit once across the 5 sub-modules.

docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines):
- New 'YARA artifact scanning' subsection under SIEM integration
  with scheduled-scan cron pattern + per-rule trigger table
- New 'Falco runtime detection' subsection with deploy + per-rule
  trigger table
- New 'Per-module detection coverage' table — 4-format matrix
- New 'Correlation across formats' section — multi-format incident
  signature per exploit (the 3-of-4 signal pattern)
- New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough
  from Falco page through yara confirmation, recovery, hunt + patch

The existing operational lifecycle / SIEM patterns / FP tuning
content is preserved unchanged — this commit only adds.

Final stats:
- auditd: 109 rule statements across 27 modules
- sigma:  16 sigma rules across 19 modules
- yara:    8 yara rules across 9 module headers (5 family + 4 distinct)
- falco:  13 falco rules across 9 module headers

The remaining 21 modules can gain YARA / Falco coverage incrementally
by populating their detect_yara / detect_falco struct fields.
This commit is contained in:
KaraZajac
2026-05-23 00:47:13 -04:00
parent 027fc1f9dd
commit 8938a74d04
9 changed files with 526 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/fragnesia_cve_2026_46300/skeletonkey_modules.c
+54 -2
View File
@@ -1124,6 +1124,58 @@ static const char fg_auditd[] =
"# splice() drives page-cache pages into the ESP-in-TCP stream\n"
"-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice\n";
static const char fg_yara[] =
"rule fragnesia_payload_overlay : cve_2026_46300 page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-46300\"\n"
" description = \"Fragnesia payload: the 192-byte ET_EXEC x86_64 ELF the public V12 PoC overlays onto the first bytes of /usr/bin/su (or sibling setuid binary). Detects post-fire page-cache contents via direct scan.\"\n"
" author = \"SKELETONKEY\"\n"
" reference = \"https://github.com/v12-security/pocs/tree/main/fragnesia\"\n"
" strings:\n"
" // First 28 bytes of the embedded shell_elf[] payload.\n"
" $payload_head = { 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3E 00 01 00 00 00 78 00 40 00 }\n"
" // The setuid+setgid+seteuid(0) prelude\n"
" $shellcode_drop = { 31 FF 31 F6 31 C0 B0 6A 0F 05 B0 69 0F 05 B0 74 0F 05 }\n"
" $sh = \"/bin/sh\"\n"
" $term = \"TERM=xterm\"\n"
" condition:\n"
" $payload_head at 0 and $shellcode_drop and $sh and $term and filesize > 4096\n"
"}\n";
static const char fg_falco[] =
"- rule: TCP_ULP=espintcp set by non-root (Fragnesia trigger)\n"
" desc: |\n"
" A non-root process flips a TCP socket into the espintcp ULP\n"
" inside an unprivileged userns. Core of the Fragnesia\n"
" (CVE-2026-46300) trigger — also the Dirty Frag ESP-in-TCP\n"
" setup. Legitimate use of TCP_ULP=espintcp from non-root is\n"
" essentially never seen in production.\n"
" condition: >\n"
" evt.type = setsockopt and evt.arg.optname = TCP_ULP and\n"
" not user.uid = 0\n"
" output: >\n"
" Fragnesia-style TCP_ULP=espintcp by non-root\n"
" (user=%user.name proc=%proc.name pid=%proc.pid)\n"
" priority: CRITICAL\n"
" tags: [network, mitre_privilege_escalation, T1068, cve.2026.46300]\n"
"\n"
"- rule: ESP-in-TCP splice to crafted TCP connection (Fragnesia paged-frag write)\n"
" desc: |\n"
" splice() of a setuid binary's pages into a TCP socket whose\n"
" peer is configured for espintcp. Fragnesia's sender path\n"
" splices the carrier file (/usr/bin/su) into the loopback TCP\n"
" flow to land the in-place decrypt on the carrier's page cache.\n"
" condition: >\n"
" evt.type = splice and not user.uid = 0 and\n"
" (fd.name startswith /usr/bin/su or fd.name startswith /bin/su\n"
" or fd.name startswith /usr/bin/passwd)\n"
" output: >\n"
" splice() of setuid binary by non-root (user=%user.name\n"
" proc=%proc.name fd=%fd.name)\n"
" priority: WARNING\n"
" tags: [filesystem, cve.2026.46300]\n";
static const char fg_sigma[] =
"title: Possible Fragnesia exploitation (CVE-2026-46300)\n"
"id: 9b3d2e71-skeletonkey-fragnesia\n"
@@ -1156,8 +1208,8 @@ const struct skeletonkey_module fragnesia_module = {
.cleanup = fg_cleanup,
.detect_auditd = fg_auditd,
.detect_sigma = fg_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
.detect_yara = fg_yara,
.detect_falco = fg_falco,
};
void skeletonkey_register_fragnesia(void)