osquery-defense-kit/detection/privesc/unexpected-privilege-escala...

-- Find processes that run with a lower effective UID than their parent (state-based)
--
-- references:
--   * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- related:
--   * unexpected-privilege-escalation-events.sql
--
-- tags: transient state process escalation
-- platform: linux
SELECT
  p0.uid AS p0_uid,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.cgroup_path AS p0_cgroup,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1_f.mode AS p1_mode,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  processes p0
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN file p1_f ON p1.path = p1_f.path
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
  p0.pid IN (
    SELECT
      pid
    FROM
      processes
    WHERE
      euid < uid
      AND NOT path IN (
        '/bin/ps',
        '/opt/1Password/1password',
        '/usr/bin/doas',
        '/usr/bin/fusermount',
        '/usr/bin/fusermount3',
        '/usr/bin/newgrp',
        '/usr/bin/login',
        '/usr/bin/su',
        '/usr/bin/sudo',
        '/usr/bin/top',
        '/usr/libexec/Xorg',
        '/usr/lib/xorg/Xorg'
      ) -- doas may be in the process of being upgraded
      AND NOT path LIKE '/nix/store/%/bin/sudo'
      AND NOT path LIKE '/nix/store/%/bin/dhcpcd'
      AND NOT path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
      AND NOT name IN ('doas', 'sudo')
  )
  AND NOT (
    p0.cmdline LIKE '%pacman%'
    AND p1.cmdline LIKE 'yay%'
  )
  AND NOT (
    p0.name = 'polkit-agent-he'
    AND p1.path = '/usr/bin/gnome-shell'
  )
  AND NOT (
    p0.name = 'fusermount3'
    AND p1.path = '/usr/lib/xdg-document-portal'
  )
  AND NOT (
    p0.path = '/usr/bin/pkexec'
    AND p1.path = '/usr/bin/update-notifier'
  )
  AND NOT (
    p0.path = '/usr/libexec/xdg-permission-store'
    AND p1.path = '/usr/lib/systemd/systemd'
  )
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- Find processes that run with a lower effective UID than their parent (state-based)`
More clarity 2022-10-07 16:46:55 +00:00			`--`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)`
			`-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux`
			`--`
			`-- related:`
More clarity 2022-10-07 16:46:55 +00:00			`-- * unexpected-privilege-escalation-events.sql`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`--`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`-- tags: transient state process escalation`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`-- platform: linux`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`p0.uid AS p0_uid,`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`-- Child`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`p0.pid AS p0_pid,`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`p0.path AS p0_path,`
			`p0.name AS p0_name,`
			`p0.cmdline AS p0_cmd,`
			`p0.cwd AS p0_cwd,`
			`p0.cgroup_path AS p0_cgroup,`
			`p0.euid AS p0_euid,`
			`p0_hash.sha256 AS p0_sha256,`
			`-- Parent`
			`p0.parent AS p1_pid,`
			`p1.path AS p1_path,`
			`p1.name AS p1_name,`
			`p1_f.mode AS p1_mode,`
			`p1.euid AS p1_euid,`
			`p1.cmdline AS p1_cmd,`
			`p1_hash.sha256 AS p1_sha256,`
			`-- Grandparent`
			`p1.parent AS p2_pid,`
			`p2.name AS p2_name,`
			`p2.path AS p2_path,`
			`p2.cmdline AS p2_cmd,`
			`p2_hash.sha256 AS p2_sha256`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`FROM`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`processes p0`
			`LEFT JOIN hash p0_hash ON p0.path = p0_hash.path`
			`LEFT JOIN processes p1 ON p0.parent = p1.pid`
			`LEFT JOIN file p1_f ON p1.path = p1_f.path`
			`LEFT JOIN hash p1_hash ON p1.path = p1_hash.path`
			`LEFT JOIN processes p2 ON p1.parent = p2.pid`
			`LEFT JOIN hash p2_hash ON p2.path = p2_hash.path`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`WHERE`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`p0.pid IN (`
			`SELECT`
			`pid`
			`FROM`
			`processes`
			`WHERE`
			`euid < uid`
			`AND NOT path IN (`
			`'/bin/ps',`
fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage 2023-03-28 20:25:26 +00:00			`'/opt/1Password/1password',`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`'/usr/bin/doas',`
			`'/usr/bin/fusermount',`
			`'/usr/bin/fusermount3',`
fpr: Docker Desktop, code-oss, incus, etc 2024-02-26 22:26:56 +00:00			`'/usr/bin/newgrp',`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`'/usr/bin/login',`
			`'/usr/bin/su',`
			`'/usr/bin/sudo',`
fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage 2023-03-28 20:25:26 +00:00			`'/usr/bin/top',`
			`'/usr/libexec/Xorg',`
			`'/usr/lib/xorg/Xorg'`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`) -- doas may be in the process of being upgraded`
			`AND NOT path LIKE '/nix/store/%/bin/sudo'`
			`AND NOT path LIKE '/nix/store/%/bin/dhcpcd'`
			`AND NOT path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'`
			`AND NOT name IN ('doas', 'sudo')`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
Monday morning false-positive purge 2023-02-08 19:37:09 +00:00			`AND NOT (`
Query performance improvements, add pids, decrease frequency 2023-02-09 22:01:29 +00:00			`p0.cmdline LIKE '%pacman%'`
			`AND p1.cmdline LIKE 'yay%'`
Monday morning false-positive purge 2023-02-08 19:37:09 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT (`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`p0.name = 'polkit-agent-he'`
			`AND p1.path = '/usr/bin/gnome-shell'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
			`AND NOT (`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`p0.name = 'fusermount3'`
			`AND p1.path = '/usr/lib/xdg-document-portal'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
Add update-notifier -> pkexec exception 2022-10-25 13:20:18 +00:00			`AND NOT (`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`p0.path = '/usr/bin/pkexec'`
			`AND p1.path = '/usr/bin/update-notifier'`
Add update-notifier -> pkexec exception 2022-10-25 13:20:18 +00:00			`)`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`AND NOT (`
Include more process information across queries 2023-02-01 18:55:55 +00:00			`p0.path = '/usr/libexec/xdg-permission-store'`
			`AND p1.path = '/usr/lib/systemd/systemd'`
make reformat 2023-05-08 17:20:47 +00:00			`)`