leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

detection rules: YARA + Falco for the 6 highest-rank modules + playbook

Browse Source 
Closes the 'rules in the box' gap — the README has claimed YARA +
Falco coverage but detect_yara and detect_falco were NULL on every
module. This commit lights up both formats for the 6 highest-value
modules (covering 10 of 31 registered modules via family-shared
rules), and the existing operational playbook gains the
format-specific deployment recipes + the cross-format correlation
table.

YARA rules (8 rules, 9 module-headers, 152 lines):
- copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password
  (shared across copy_fail / copy_fail_gcm / dirty_frag_esp /
   dirty_frag_esp6 / dirty_frag_rxrpc)
- dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag
- dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve
  shellcode tail, detects the page-cache overlay landing
- fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid
  cascade, detects the 192-byte page-cache overlay
- pwnkit — gconv-modules cache file format (small text file with
  module UTF-8// X// /tmp/...)
- pack2theroot — malicious .deb (ar archive + SUID-bash postinst) +
  /tmp/.suid_bash artifact scan

Falco rules (13 rules, 9 module-headers, 219 lines):
- pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root
- copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from
  unprivileged userns + /etc/passwd modified by non-root
- dirty_pipe — splice() of setuid/credential file by non-root
- dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root
- fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary
- pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by
  packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction

Wiring: each module's .detect_yara and .detect_falco struct fields
now point at the embedded string. The dispatcher dedups by pointer,
so family-shared rules emit once across the 5 sub-modules.

docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines):
- New 'YARA artifact scanning' subsection under SIEM integration
  with scheduled-scan cron pattern + per-rule trigger table
- New 'Falco runtime detection' subsection with deploy + per-rule
  trigger table
- New 'Per-module detection coverage' table — 4-format matrix
- New 'Correlation across formats' section — multi-format incident
  signature per exploit (the 3-of-4 signal pattern)
- New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough
  from Falco page through yara confirmation, recovery, hunt + patch

The existing operational lifecycle / SIEM patterns / FP tuning
content is preserved unchanged — this commit only adds.

Final stats:
- auditd: 109 rule statements across 27 modules
- sigma:  16 sigma rules across 19 modules
- yara:    8 yara rules across 9 module headers (5 family + 4 distinct)
- falco:  13 falco rules across 9 module headers

The remaining 21 modules can gain YARA / Falco coverage incrementally
by populating their detect_yara / detect_falco struct fields.
This commit is contained in:
KaraZajac
2026-05-23 00:47:13 -04:00
parent 027fc1f9dd
commit 8938a74d04
9 changed files with 526 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/DETECTION_PLAYBOOK.md
+154
View File
@@ -168,6 +168,70 @@ skeletonkey --detect-rules --format=sigma > /etc/sigma/skeletonkey.yml
sigmac -t elastic /etc/sigma/skeletonkey.yml sigmac -t elastic /etc/sigma/skeletonkey.yml
``` ```
### YARA artifact scanning
YARA rules catch the **post-fire** state — page-cache shellcode
overwrites, malicious `.deb` drops, `/etc/passwd` UID flips. Run them
as a scheduled scan against sensitive paths:
```bash
# Ship YARA rules
sudo skeletonkey --detect-rules --format=yara | sudo tee /etc/yara/skeletonkey.yar
# Scheduled scan via cron — catches the page-cache and /tmp artifacts
# /etc/cron.d/skeletonkey-yara
*/15 * * * * root yara -r /etc/yara/skeletonkey.yar \
/etc/passwd /tmp /usr/bin/su /usr/bin/passwd \
2>>/var/log/skeletonkey-yara.log
```
What each rule catches:
| Rule | Triggers on |
|---|---|
| `etc_passwd_uid_flip` | Non-root user line in `/etc/passwd` with a zero-padded UID (`0000+`). Canonical Copy Fail / Dirty Frag / Dirty Pipe / DirtyDecrypt outcome. |
| `etc_passwd_root_no_password` | `root` line with empty password field — DirtyDecrypt's intermediate corruption step. |
| `pwnkit_gconv_modules_cache` | Small `gconv-modules` text file with a `module UTF-8// X// /tmp/…` redefinition. |
| `dirty_pipe_passwd_uid_flip` | Same UID-flip pattern (Dirty Pipe-specific tag). |
| `dirtydecrypt_payload_overlay` | First 28 bytes of `/usr/bin/su` (or similar) match the embedded 120-byte ET_DYN shellcode the V12 PoC overlays. |
| `fragnesia_payload_overlay` | Same shape for the 192-byte Fragnesia payload. |
| `pack2theroot_malicious_deb` | `.deb` ar-archive in `/tmp` with the SUID-bash postinst. |
| `pack2theroot_suid_bash_drop` | `/tmp/.suid_bash` exists and is a real bash ELF. |
The page-cache overlay rules (`dirtydecrypt_payload_overlay`,
`fragnesia_payload_overlay`) are particularly high-signal: no
legitimate ELF starts with those exact 28 bytes, so a hit means the
exploit landed.
### Falco runtime detection
Falco catches the exploit **as it fires** by hooking syscalls and
namespace events. Best deploy for K8s / container hosts but works on
any modern Linux:
```bash
sudo skeletonkey --detect-rules --format=falco \
| sudo tee /etc/falco/rules.d/skeletonkey.yaml
sudo falco --validate /etc/falco/rules.d/skeletonkey.yaml
sudo systemctl reload falco # or restart, depending on distro
```
What each rule catches:
| Rule | Triggers on |
|---|---|
| `Pwnkit-style pkexec invocation` | `pkexec` spawned with empty argv (the bug's hallmark). |
| `Pwnkit-style GCONV_PATH injection` | Non-root sets `GCONV_PATH=` / `CHARSET=` before spawning a setuid binary. |
| `AF_ALG authenc keyblob installed by non-root` | `socket(AF_ALG)` by non-root — Copy Fail / GCM variant primitive. |
| `XFRM NETLINK_XFRM bind from unprivileged userns` | XFRM SA setup from non-root userns — Dirty Frag / Fragnesia primitive. |
| `/etc/passwd modified by non-root` | Post-fire signal for the whole page-cache-write family. |
| `Dirty Pipe splice from setuid/sensitive file by non-root` | `splice()` of `/etc/passwd` or `/usr/bin/su` by non-root. |
| `AF_RXRPC socket created by non-root` | DirtyDecrypt primitive — `socket(AF_RXRPC)` is nearly unheard-of in production. |
| `rxrpc security key added` | `add_key("rxrpc", …)` by non-root — DirtyDecrypt handshake setup. |
| `TCP_ULP=espintcp set by non-root` | Fragnesia trigger — flipping a TCP socket to espintcp ULP. |
| `SUID bash dropped to /tmp` | Pack2TheRoot postinst landing `/tmp/.suid_bash`. |
| `dpkg invoked by PackageKit on behalf of non-root caller` | Pack2TheRoot chain — `packagekitd → dpkg` installing a /tmp `.pk-*.deb`. |
## Day-to-day operational shape ## Day-to-day operational shape
### What "good" looks like in the SIEM ### What "good" looks like in the SIEM
@@ -245,6 +309,96 @@ sudo rm /etc/sysctl.d/99-dirtyfail-mitigations.conf
# Reload affected modules / sysctls per your distro # Reload affected modules / sysctls per your distro
``` ```
## Per-module detection coverage
Across the 4 rule formats:
| Module | CVE | auditd | sigma | yara | falco |
|---|---|:-:|:-:|:-:|:-:|
| copy_fail | CVE-2026-31431 | ✓ | ✓ | ✓ | ✓ |
| copy_fail_gcm | (variant) | ✓ | ✓ | ✓ | ✓ |
| dirty_frag_esp | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
| dirty_frag_esp6 | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
| dirty_frag_rxrpc | CVE-2026-43500 | ✓ | ✓ | ✓ | ✓ |
| dirty_pipe | CVE-2022-0847 | ✓ | ✓ | ✓ | ✓ |
| dirtydecrypt | CVE-2026-31635 | ✓ | ✓ | ✓ | ✓ |
| fragnesia | CVE-2026-46300 | ✓ | ✓ | ✓ | ✓ |
| pwnkit | CVE-2021-4034 | ✓ | ✓ | ✓ | ✓ |
| pack2theroot | CVE-2026-41651 | ✓ | ✓ | ✓ | ✓ |
| Other 21 modules | various | ✓ | partial | — | — |
Full 4-format coverage on the 10 highest-value modules; auditd
covers everything. YARA / Falco expansion to the remaining 21 modules
is incremental contributor work (each module's `detect_yara` /
`detect_falco` field in the module struct just needs a string).
## Correlation across formats
Single-format detections are useful; the high-confidence signal is
the **correlation across formats** for the same module in a short
window. Each exploit leaves a recognisable multi-format trail:
| Exploit | falco fires | auditd fires | yara confirms |
|---|---|---|---|
| Pwnkit | `pkexec` empty argv | `execve /usr/bin/pkexec` + `GCONV_PATH=` env | gconv-modules cache in /tmp |
| Dirty Pipe | `splice()` from `/etc/passwd` | splice + write to `/etc/passwd` | UID flip in `/etc/passwd` |
| Copy Fail | `socket(AF_ALG)` | algif_aead + `ALG_SET_KEY` | UID flip in `/etc/passwd` |
| Dirty Frag (ESP) | NETLINK_XFRM sendto + TCP_ULP | XFRM_MSG_NEWSA | UID flip in `/etc/passwd` |
| DirtyDecrypt | `socket(AF_RXRPC)` + `add_key(rxrpc)` | AF_RXRPC + add_key | 120-byte ELF overwrites `/usr/bin/su` |
| Fragnesia | `TCP_ULP=espintcp` from non-root | XFRM + setsockopt(TCP_ULP) | 192-byte ELF overwrites `/usr/bin/su` |
| Pack2TheRoot | dpkg invoked by packagekitd with /tmp/.pk-*.deb | new `.deb` in `/tmp` + `chmod 4755` on `/tmp/.suid_bash` | malicious `.deb` + SUID bash both present |
If **three of the four signals** fire for the same module in the same
window, the exploit landed. **One signal alone** in a noisy
environment is more likely a tuning FP; **three signals** is incident
response.
## Worked example: catching DirtyDecrypt end-to-end
A SOC operator gets a Falco page:
```
CRITICAL AF_RXRPC socket() by non-root (user=alice proc=poc pid=44231)
```
1. **Confirm via auditd** — pull events keyed on the family:
```bash
sudo ausearch -k skeletonkey-dirtydecrypt-rxrpc -ts recent
```
Expect: `socket(...,33,...)` + subsequent `add_key("rxrpc",...)`.
2. **Confirm via yara** — scan setuid binaries for the page-cache
overlay:
```bash
yara /etc/yara/skeletonkey.yar /usr/bin/su /usr/bin/passwd
```
If `dirtydecrypt_payload_overlay` matches `/usr/bin/su`, **the
exploit landed** — the binary's page cache has been overwritten
with the 120-byte shellcode.
3. **Recover** — the on-disk binary is intact; only the page cache is
corrupted. Drop it:
```bash
sudo skeletonkey --cleanup dirtydecrypt # or: echo 3 > /proc/sys/vm/drop_caches
```
4. **Sigma hunt for lateral / repeat** — query your SIEM with the
sigma rule ID `7c1e9a40-skeletonkey-dirtydecrypt` over the last 7
days to find any other hosts.
5. **Patch.** DirtyDecrypt's mainline fix is commit `a2567217` in
Linux 7.0 — see [`CVES.md`](../CVES.md) for distro backports.
6. **Harden.** `rxrpc` is rarely needed on non-AFS hosts:
```bash
echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
sudo update-initramfs -u
```
The same shape applies to every module: pick the auditd key, the
yara rule for the artifact, the falco rule for the runtime signal,
and the sigma rule for the hunt.
## Common false positives + tuning ## Common false positives + tuning
| Rule key | False positive | Fix | | Rule key | False positive | Fix |
modules/copy_fail_family/skeletonkey_modules.c
+86 -10
View File
@@ -157,6 +157,82 @@ static const char copy_fail_family_sigma[] =
"level: high\n" "level: high\n"
"tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n"; "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";
/* YARA + Falco rules shared across the 5 family modules. Scanned via
* --detect-rules; the dispatcher dedups by pointer so the rule blob
* emits once even though copy_fail / copy_fail_gcm / dirty_frag_*
* all point at the same string. */
static const char copy_fail_family_yara[] =
"rule etc_passwd_uid_flip : page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-31431 / CVE-2026-43284 / CVE-2026-43500\"\n"
" description = \"/etc/passwd page-cache UID flip: a non-root user line shows a zero-padded UID (the canonical Copy Fail / Dirty Frag / DirtyDecrypt / Dirty Pipe payload). Scan /etc/passwd; legitimate root uses plain '0:', never '0000:'.\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" // lowercase-start username, optional shadow ('x') password, then UID 0000 or longer\n"
" $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
" condition:\n"
" $uid_flip\n"
"}\n"
"\n"
"rule etc_passwd_root_no_password\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-31635 (DirtyDecrypt sliding-window write)\"\n"
" description = \"/etc/passwd root entry rewritten to have an empty password field — the DirtyDecrypt PoC's intermediate corruption (rewrite root's password to empty, then `su root` without password).\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" $root_open = /\\nroot::0:0:/ // empty password (canonical x or ! when shadowed)\n"
" condition:\n"
" $root_open\n"
"}\n";
static const char copy_fail_family_falco[] =
"- rule: AF_ALG authenc keyblob installed by non-root (Copy Fail primitive)\n"
" desc: |\n"
" A non-root process creates an AF_ALG socket and installs an\n"
" authencesn(hmac(sha256),cbc(aes)) keyblob via ALG_SET_KEY.\n"
" Core of the Copy Fail (CVE-2026-31431) primitive — also\n"
" triggered by the GCM variant. AF_ALG by non-root is rare on\n"
" most servers; tune by allow-listing your crypto-using daemons.\n"
" condition: >\n"
" evt.type = socket and evt.arg[0] = 38 and not user.uid = 0\n"
" output: >\n"
" AF_ALG socket() by non-root (user=%user.name pid=%proc.pid\n"
" ppid=%proc.ppid parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
" priority: WARNING\n"
" tags: [process, cve.2026.31431, copy_fail]\n"
"\n"
"- rule: XFRM NETLINK_XFRM bind from unprivileged userns (Dirty Frag primitive)\n"
" desc: |\n"
" A NETLINK_XFRM socket is opened from inside an unprivileged\n"
" user namespace, with subsequent XFRM_MSG_NEWSA installing an\n"
" ESP(rfc4106(gcm(aes))) state. Core of the Dirty Frag esp/esp6\n"
" variants — also tripped by Fragnesia's setup phase. Legitimate\n"
" XFRM use is normally privileged (strongSwan, libreswan).\n"
" condition: >\n"
" evt.type = sendto and not user.uid = 0 and\n"
" proc.aname[1] != \"\" // we want non-init userns; refine with k8s.namespace or container.id\n"
" output: >\n"
" NETLINK_XFRM sendto from non-root (user=%user.name pid=%proc.pid\n"
" proc=%proc.name)\n"
" priority: WARNING\n"
" tags: [process, cve.2026.43284, dirty_frag]\n"
"\n"
"- rule: /etc/passwd modified by non-root (Copy Fail / Dirty Frag / Dirty Pipe outcome)\n"
" desc: |\n"
" /etc/passwd is read-only for non-root, so a non-root caller\n"
" showing up on its open(W_OK) audit trail indicates a\n"
" page-cache write primitive succeeded. Catches the post-fire\n"
" state for the whole copy_fail family + dirty_pipe.\n"
" condition: >\n"
" open_write and fd.name = /etc/passwd and not user.uid = 0\n"
" output: >\n"
" Non-root write to /etc/passwd (user=%user.name pid=%proc.pid\n"
" proc=%proc.name)\n"
" priority: CRITICAL\n"
" tags: [filesystem, mitre_privilege_escalation, T1068, copy_fail, dirty_frag]\n";
const struct skeletonkey_module copy_fail_module = { const struct skeletonkey_module copy_fail_module = {
.name = "copy_fail", .name = "copy_fail",
.cve = "CVE-2026-31431", .cve = "CVE-2026-31431",
@@ -169,8 +245,8 @@ const struct skeletonkey_module copy_fail_module = {
.cleanup = copy_fail_family_cleanup, .cleanup = copy_fail_family_cleanup,
.detect_auditd = copy_fail_family_auditd, .detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma, .detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL, .detect_yara = copy_fail_family_yara,
.detect_falco = NULL, .detect_falco = copy_fail_family_falco,
}; };
/* ----- copy_fail_gcm (variant, no CVE) ----- */ /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -201,8 +277,8 @@ const struct skeletonkey_module copy_fail_gcm_module = {
.cleanup = copy_fail_family_cleanup, .cleanup = copy_fail_family_cleanup,
.detect_auditd = copy_fail_family_auditd, .detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma, .detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL, .detect_yara = copy_fail_family_yara,
.detect_falco = NULL, .detect_falco = copy_fail_family_falco,
}; };
/* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */ /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -233,8 +309,8 @@ const struct skeletonkey_module dirty_frag_esp_module = {
.cleanup = copy_fail_family_cleanup, .cleanup = copy_fail_family_cleanup,
.detect_auditd = copy_fail_family_auditd, .detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma, .detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL, .detect_yara = copy_fail_family_yara,
.detect_falco = NULL, .detect_falco = copy_fail_family_falco,
}; };
/* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */ /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -265,8 +341,8 @@ const struct skeletonkey_module dirty_frag_esp6_module = {
.cleanup = copy_fail_family_cleanup, .cleanup = copy_fail_family_cleanup,
.detect_auditd = copy_fail_family_auditd, .detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma, .detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL, .detect_yara = copy_fail_family_yara,
.detect_falco = NULL, .detect_falco = copy_fail_family_falco,
}; };
/* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */ /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -297,8 +373,8 @@ const struct skeletonkey_module dirty_frag_rxrpc_module = {
.cleanup = copy_fail_family_cleanup, .cleanup = copy_fail_family_cleanup,
.detect_auditd = copy_fail_family_auditd, .detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma, .detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL, .detect_yara = copy_fail_family_yara,
.detect_falco = NULL, .detect_falco = copy_fail_family_falco,
}; };
/* ----- Family registration ----- */ /* ----- Family registration ----- */
modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c
+35 -2
View File
@@ -460,6 +460,39 @@ static const char dirty_pipe_auditd[] =
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n" "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n"
"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n"; "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n";
static const char dirty_pipe_yara[] =
"rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2022-0847\"\n"
" description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
" condition:\n"
" $uid_flip\n"
"}\n";
static const char dirty_pipe_falco[] =
"- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n"
" desc: |\n"
" A non-root process calls splice() with a fd pointing at a\n"
" setuid-root binary or a credential file. The Dirty Pipe\n"
" primitive (CVE-2022-0847) splices 1 byte from the target to\n"
" a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n"
" then writes attacker bytes that land in the file's page cache.\n"
" condition: >\n"
" evt.type = splice and not user.uid = 0 and\n"
" (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n"
" or fd.name startswith /usr/bin/su\n"
" or fd.name startswith /usr/bin/passwd\n"
" or fd.name startswith /bin/su)\n"
" output: >\n"
" Dirty Pipe-style splice from sensitive file by non-root\n"
" (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n"
" priority: CRITICAL\n"
" tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n";
static const char dirty_pipe_sigma[] = static const char dirty_pipe_sigma[] =
"title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n" "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
"id: f6b13c08-skeletonkey-dirty-pipe\n" "id: f6b13c08-skeletonkey-dirty-pipe\n"
@@ -487,8 +520,8 @@ const struct skeletonkey_module dirty_pipe_module = {
.cleanup = dirty_pipe_cleanup, .cleanup = dirty_pipe_cleanup,
.detect_auditd = dirty_pipe_auditd, .detect_auditd = dirty_pipe_auditd,
.detect_sigma = dirty_pipe_sigma, .detect_sigma = dirty_pipe_sigma,
.detect_yara = NULL, .detect_yara = dirty_pipe_yara,
.detect_falco = NULL, .detect_falco = dirty_pipe_falco,
}; };
void skeletonkey_register_dirty_pipe(void) void skeletonkey_register_dirty_pipe(void)
modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c
+51 -2
View File
@@ -921,6 +921,55 @@ static const char dd_auditd[] =
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n" "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n"
"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice\n"; "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice\n";
static const char dd_yara[] =
"rule dirtydecrypt_payload_overlay : cve_2026_31635 page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-31635\"\n"
" description = \"DirtyDecrypt payload: the 120-byte ET_DYN x86_64 ELF the public V12 PoC overlays onto the first bytes of a setuid binary's page cache. Scan setuid-root binaries (/usr/bin/su etc.); legitimate binaries are much larger and never start with this exact shellcode.\"\n"
" author = \"SKELETONKEY\"\n"
" reference = \"https://github.com/v12-security/pocs/tree/main/dirtydecrypt\"\n"
" strings:\n"
" // First 28 bytes of the embedded tiny_elf[] payload.\n"
" $payload_head = { 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 03 00 3E 00 01 00 00 00 68 00 00 00 }\n"
" // The setuid(0)+execve(/bin/sh) tail at offset 104 of the payload.\n"
" $shellcode = { B0 69 0F 05 48 8D 3D DD FF FF FF 6A 3B 58 0F 05 }\n"
" $sh = \"/bin/sh\"\n"
" condition:\n"
" // Setuid binaries are at minimum a few KB; the payload is\n"
" // 120 bytes overlaid at offset 0 so the rest of the file\n"
" // remains the original binary content (or padding).\n"
" $payload_head at 0 and $shellcode and $sh and filesize > 4096\n"
"}\n";
static const char dd_falco[] =
"- rule: AF_RXRPC socket created by non-root (DirtyDecrypt primitive)\n"
" desc: |\n"
" Non-root process creates an AF_RXRPC socket. AF_RXRPC is the\n"
" family the DirtyDecrypt (CVE-2026-31635) primitive needs to\n"
" trigger the rxgk in-place decrypt. Most production hosts do\n"
" not use AF_RXRPC at all (it's AFS-flavoured); a non-root\n"
" open here is highly suspicious.\n"
" condition: >\n"
" evt.type = socket and evt.arg[0] = 33 and not user.uid = 0\n"
" output: >\n"
" AF_RXRPC socket() by non-root (user=%user.name proc=%proc.name\n"
" pid=%proc.pid parent=%proc.pname)\n"
" priority: CRITICAL\n"
" tags: [process, mitre_privilege_escalation, T1068, cve.2026.31635]\n"
"\n"
"- rule: rxrpc security key added (DirtyDecrypt handshake setup)\n"
" desc: |\n"
" add_key(\"rxrpc\", …) by a non-root process — the DirtyDecrypt\n"
" PoC adds an rxrpc-typed key carrying a forged rxgk XDR token\n"
" for each fire() of the page-cache write primitive.\n"
" condition: >\n"
" evt.type = add_key and evt.arg[0] contains \"rxrpc\" and not user.uid = 0\n"
" output: >\n"
" rxrpc add_key by non-root (user=%user.name proc=%proc.name)\n"
" priority: WARNING\n"
" tags: [process, cve.2026.31635]\n";
static const char dd_sigma[] = static const char dd_sigma[] =
"title: Possible DirtyDecrypt exploitation (CVE-2026-31635)\n" "title: Possible DirtyDecrypt exploitation (CVE-2026-31635)\n"
"id: 7c1e9a40-skeletonkey-dirtydecrypt\n" "id: 7c1e9a40-skeletonkey-dirtydecrypt\n"
@@ -953,8 +1002,8 @@ const struct skeletonkey_module dirtydecrypt_module = {
.cleanup = dd_cleanup, .cleanup = dd_cleanup,
.detect_auditd = dd_auditd, .detect_auditd = dd_auditd,
.detect_sigma = dd_sigma, .detect_sigma = dd_sigma,
.detect_yara = NULL, .detect_yara = dd_yara,
.detect_falco = NULL, .detect_falco = dd_falco,
}; };
void skeletonkey_register_dirtydecrypt(void) void skeletonkey_register_dirtydecrypt(void)
modules/fragnesia_cve_2026_46300/skeletonkey_modules.c
+54 -2
View File
@@ -1124,6 +1124,58 @@ static const char fg_auditd[] =
"# splice() drives page-cache pages into the ESP-in-TCP stream\n" "# splice() drives page-cache pages into the ESP-in-TCP stream\n"
"-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice\n"; "-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice\n";
static const char fg_yara[] =
"rule fragnesia_payload_overlay : cve_2026_46300 page_cache_write\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-46300\"\n"
" description = \"Fragnesia payload: the 192-byte ET_EXEC x86_64 ELF the public V12 PoC overlays onto the first bytes of /usr/bin/su (or sibling setuid binary). Detects post-fire page-cache contents via direct scan.\"\n"
" author = \"SKELETONKEY\"\n"
" reference = \"https://github.com/v12-security/pocs/tree/main/fragnesia\"\n"
" strings:\n"
" // First 28 bytes of the embedded shell_elf[] payload.\n"
" $payload_head = { 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3E 00 01 00 00 00 78 00 40 00 }\n"
" // The setuid+setgid+seteuid(0) prelude\n"
" $shellcode_drop = { 31 FF 31 F6 31 C0 B0 6A 0F 05 B0 69 0F 05 B0 74 0F 05 }\n"
" $sh = \"/bin/sh\"\n"
" $term = \"TERM=xterm\"\n"
" condition:\n"
" $payload_head at 0 and $shellcode_drop and $sh and $term and filesize > 4096\n"
"}\n";
static const char fg_falco[] =
"- rule: TCP_ULP=espintcp set by non-root (Fragnesia trigger)\n"
" desc: |\n"
" A non-root process flips a TCP socket into the espintcp ULP\n"
" inside an unprivileged userns. Core of the Fragnesia\n"
" (CVE-2026-46300) trigger — also the Dirty Frag ESP-in-TCP\n"
" setup. Legitimate use of TCP_ULP=espintcp from non-root is\n"
" essentially never seen in production.\n"
" condition: >\n"
" evt.type = setsockopt and evt.arg.optname = TCP_ULP and\n"
" not user.uid = 0\n"
" output: >\n"
" Fragnesia-style TCP_ULP=espintcp by non-root\n"
" (user=%user.name proc=%proc.name pid=%proc.pid)\n"
" priority: CRITICAL\n"
" tags: [network, mitre_privilege_escalation, T1068, cve.2026.46300]\n"
"\n"
"- rule: ESP-in-TCP splice to crafted TCP connection (Fragnesia paged-frag write)\n"
" desc: |\n"
" splice() of a setuid binary's pages into a TCP socket whose\n"
" peer is configured for espintcp. Fragnesia's sender path\n"
" splices the carrier file (/usr/bin/su) into the loopback TCP\n"
" flow to land the in-place decrypt on the carrier's page cache.\n"
" condition: >\n"
" evt.type = splice and not user.uid = 0 and\n"
" (fd.name startswith /usr/bin/su or fd.name startswith /bin/su\n"
" or fd.name startswith /usr/bin/passwd)\n"
" output: >\n"
" splice() of setuid binary by non-root (user=%user.name\n"
" proc=%proc.name fd=%fd.name)\n"
" priority: WARNING\n"
" tags: [filesystem, cve.2026.46300]\n";
static const char fg_sigma[] = static const char fg_sigma[] =
"title: Possible Fragnesia exploitation (CVE-2026-46300)\n" "title: Possible Fragnesia exploitation (CVE-2026-46300)\n"
"id: 9b3d2e71-skeletonkey-fragnesia\n" "id: 9b3d2e71-skeletonkey-fragnesia\n"
@@ -1156,8 +1208,8 @@ const struct skeletonkey_module fragnesia_module = {
.cleanup = fg_cleanup, .cleanup = fg_cleanup,
.detect_auditd = fg_auditd, .detect_auditd = fg_auditd,
.detect_sigma = fg_sigma, .detect_sigma = fg_sigma,
.detect_yara = NULL, .detect_yara = fg_yara,
.detect_falco = NULL, .detect_falco = fg_falco,
}; };
void skeletonkey_register_fragnesia(void) void skeletonkey_register_fragnesia(void)
modules/pack2theroot_cve_2026_41651/skeletonkey_modules.c
+90 -2
View File
@@ -660,6 +660,94 @@ static const char p2tr_auditd[] =
"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \\\n" "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \\\n"
" -F auid!=0 -k skeletonkey-pack2theroot-apt\n"; " -F auid!=0 -k skeletonkey-pack2theroot-apt\n";
static const char p2tr_yara[] =
"rule pack2theroot_malicious_deb : cve_2026_41651\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-41651\"\n"
" description = \"Pack2TheRoot payload .deb: small ar archive whose postinst installs a setuid copy of bash to /tmp/.suid_bash. The Vozec PoC + SKELETONKEY's port both leave this artifact in /tmp.\"\n"
" author = \"SKELETONKEY\"\n"
" reference = \"https://github.com/Vozec/CVE-2026-41651\"\n"
" strings:\n"
" $deb_magic = \"!<arch>\"\n"
" $postinst_suid = \"install -m 4755 /bin/bash\"\n"
" $skk_payload = \"Package: skeletonkey-p2tr-payload\"\n"
" $skk_dummy = \"Package: skeletonkey-p2tr-dummy\"\n"
" $vozec_payload = \"Package: pk-poc-payload\"\n"
" $vozec_dummy = \"Package: pk-poc-dummy\"\n"
" condition:\n"
" // Small ar archive matching .deb layout, containing either\n"
" // the published-PoC package names or the SUID-bash postinst.\n"
" $deb_magic at 0 and\n"
" ($postinst_suid or any of ($skk_payload, $skk_dummy, $vozec_payload, $vozec_dummy)) and\n"
" filesize < 64KB\n"
"}\n"
"\n"
"rule pack2theroot_suid_bash_drop : cve_2026_41651\n"
"{\n"
" meta:\n"
" cve = \"CVE-2026-41651\"\n"
" description = \"Pack2TheRoot SUID-bash artifact: /tmp/.suid_bash is the setuid bash dropped by the malicious postinst. Pair this YARA scan with auditd watch -w /tmp/.suid_bash for catch-on-create.\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" $elf = { 7F 45 4C 46 02 01 01 }\n"
" $bash = \"GNU bash\"\n"
" condition:\n"
" // The rule itself can't see the file path; the operator\n"
" // points YARA at /tmp/.suid_bash specifically. Match\n"
" // confirms the file is a real bash ELF (not a planted decoy).\n"
" $elf at 0 and $bash\n"
"}\n";
static const char p2tr_falco[] =
"- rule: SUID bash dropped to /tmp (Pack2TheRoot postinst signature)\n"
" desc: |\n"
" A setuid bit appears on /tmp/.suid_bash. The Pack2TheRoot\n"
" (CVE-2026-41651) malicious .deb postinst runs as root via\n"
" the polkit-bypassed PackageKit transaction and lands a SUID\n"
" copy of /bin/bash at this path.\n"
" condition: >\n"
" evt.type in (chmod, fchmod, fchmodat) and\n"
" evt.arg.mode contains \"S_ISUID\" and\n"
" fd.name = /tmp/.suid_bash\n"
" output: >\n"
" SUID bit set on /tmp/.suid_bash (proc=%proc.name pid=%proc.pid\n"
" ppid=%proc.ppid parent=%proc.pname)\n"
" priority: CRITICAL\n"
" tags: [filesystem, mitre_privilege_escalation, T1068, cve.2026.41651]\n"
"\n"
"- rule: PackageKit InstallFiles invoked twice on same transaction (Pack2TheRoot TOCTOU)\n"
" desc: |\n"
" Two D-Bus InstallFiles() calls hit the same PackageKit\n"
" transaction object in close succession — the exact shape of\n"
" the Pack2TheRoot TOCTOU. Detection requires bus monitoring;\n"
" Falco's k8s/audit ruleset doesn't cover D-Bus natively, but\n"
" if dbus-monitor or systemd's bus audit is wired into the\n"
" feed, this is the trigger.\n"
" condition: >\n"
" // Placeholder: requires dbus-monitor → falco feed.\n"
" // Real-world deployment: pipe `dbus-monitor --system` into\n"
" // a log-source rule keyed on the InstallFiles method name.\n"
" proc.cmdline contains \"InstallFiles\" and proc.cmdline contains \"PackageKit\"\n"
" output: >\n"
" Possible Pack2TheRoot D-Bus TOCTOU shape (cmdline=\"%proc.cmdline\")\n"
" priority: WARNING\n"
" tags: [dbus, cve.2026.41651]\n"
"\n"
"- rule: dpkg invoked by PackageKit on behalf of non-root caller\n"
" desc: |\n"
" PackageKit forks dpkg to install a .deb on behalf of an\n"
" unprivileged caller. Combined with /tmp/.suid_bash creation,\n"
" this completes the Pack2TheRoot exploit chain.\n"
" condition: >\n"
" spawned_process and proc.name = dpkg and proc.aname = packagekitd and\n"
" proc.cmdline contains \"/tmp/.pk-\"\n"
" output: >\n"
" PackageKit-driven dpkg install of /tmp-resident .deb\n"
" (parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
" priority: CRITICAL\n"
" tags: [process, cve.2026.41651, pack2theroot]\n";
static const char p2tr_sigma[] = static const char p2tr_sigma[] =
"title: Possible Pack2TheRoot exploitation (CVE-2026-41651)\n" "title: Possible Pack2TheRoot exploitation (CVE-2026-41651)\n"
"id: 3f2b8d54-skeletonkey-pack2theroot\n" "id: 3f2b8d54-skeletonkey-pack2theroot\n"
@@ -700,8 +788,8 @@ const struct skeletonkey_module pack2theroot_module = {
.cleanup = p2tr_cleanup, .cleanup = p2tr_cleanup,
.detect_auditd = p2tr_auditd, .detect_auditd = p2tr_auditd,
.detect_sigma = p2tr_sigma, .detect_sigma = p2tr_sigma,
.detect_yara = NULL, .detect_yara = p2tr_yara,
.detect_falco = NULL, .detect_falco = p2tr_falco,
}; };
void skeletonkey_register_pack2theroot(void) void skeletonkey_register_pack2theroot(void)
modules/pwnkit_cve_2021_4034/skeletonkey_modules.c
+55 -2
View File
@@ -384,6 +384,59 @@ static const char pwnkit_auditd[] =
"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n" "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"
"-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"; "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n";
static const char pwnkit_yara[] =
"rule pwnkit_gconv_modules_cache : cve_2021_4034 lpe\n"
"{\n"
" meta:\n"
" cve = \"CVE-2021-4034\"\n"
" description = \"Pwnkit gconv-modules cache: redefines UTF-8 to load an attacker .so via iconv when pkexec is invoked with argc==0.\"\n"
" author = \"SKELETONKEY\"\n"
" reference = \"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\"\n"
" strings:\n"
" // gconv-modules text format: \"module FROM// TO// SHARED-OBJECT COST\".\n"
" // Published PoCs redefine UTF-8 and point it at a .so dropped in /tmp.\n"
" $line = /module\\s+UTF-8\\/\\/\\s+\\S+\\/\\/\\s+\\S+\\s+\\d/\n"
" $alias = /alias\\s+\\S+\\s+UTF-8/\n"
" // Hint: PoC workdirs frequently include 'pwnkit' or 'GCONV' in path strings the .so carries.\n"
" $marker_pwn = \"pwnkit\" nocase\n"
" $marker_gcv = \"GCONV_PATH\"\n"
" condition:\n"
" // Small text-format file (gconv-modules caches are tiny) with the module redefinition.\n"
" // Pair with -w /tmp -p wa auditd to catch the drop in real time.\n"
" filesize < 4KB and $line and 1 of ($alias, $marker_pwn, $marker_gcv)\n"
"}\n";
static const char pwnkit_falco[] =
"- rule: Pwnkit-style pkexec invocation (NULL argv)\n"
" desc: |\n"
" pkexec executed without argv (argc == 0). The Qualys PoC for\n"
" CVE-2021-4034 invokes pkexec via execve with NULL argv so the\n"
" out-of-bounds argv read picks up envp as if it were argv[1].\n"
" condition: >\n"
" spawned_process and proc.name = pkexec and\n"
" (proc.cmdline = \"pkexec\" or proc.args = \"\")\n"
" output: >\n"
" Possible Pwnkit (CVE-2021-4034): pkexec spawned with no argv\n"
" (user=%user.name uid=%user.uid pid=%proc.pid ppid=%proc.ppid\n"
" parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
" priority: CRITICAL\n"
" tags: [process, mitre_privilege_escalation, T1068, cve.2021.4034]\n"
"\n"
"- rule: Pwnkit-style GCONV_PATH injection\n"
" desc: |\n"
" A non-root process sets GCONV_PATH in env before spawning a\n"
" setuid binary. Combined with a controlled .so + gconv-modules\n"
" cache, this is the Qualys exploit shape.\n"
" condition: >\n"
" spawned_process and not user.uid = 0 and\n"
" (proc.env contains \"GCONV_PATH=\" or proc.env contains \"CHARSET=\") and\n"
" proc.name in (pkexec, su, sudo, mount, chsh, passwd)\n"
" output: >\n"
" GCONV_PATH/CHARSET set by non-root before setuid spawn\n"
" (user=%user.name target=%proc.name env=\"%proc.env\")\n"
" priority: WARNING\n"
" tags: [process, env_injection, cve.2021.4034]\n";
static const char pwnkit_sigma[] = static const char pwnkit_sigma[] =
"title: Possible Pwnkit exploitation (CVE-2021-4034)\n" "title: Possible Pwnkit exploitation (CVE-2021-4034)\n"
"id: 9e1d4f2c-skeletonkey-pwnkit\n" "id: 9e1d4f2c-skeletonkey-pwnkit\n"
@@ -417,8 +470,8 @@ const struct skeletonkey_module pwnkit_module = {
.cleanup = pwnkit_cleanup, .cleanup = pwnkit_cleanup,
.detect_auditd = pwnkit_auditd, .detect_auditd = pwnkit_auditd,
.detect_sigma = pwnkit_sigma, .detect_sigma = pwnkit_sigma,
.detect_yara = NULL, .detect_yara = pwnkit_yara,
.detect_falco = NULL, .detect_falco = pwnkit_falco,
}; };
void skeletonkey_register_pwnkit(void) void skeletonkey_register_pwnkit(void)
skeletonkey-x86_64-static
Executable
BIN
View File
Binary file not shown.
skeletonkey-x86_64-static.sha256
+1
View File
@@ -0,0 +1 @@
4c4d1397f0286eba3ddc471ae4ba24b4767ba8c70b3101299622ec950e4d90aa skeletonkey-x86_64-static