osquery-defense-kit/detection/execution/exotic-command-events-macos...

-- Ported from exotic-commands
-- Designed for execution every 15 seconds (where the parent may still be around)

-- interval: 15
SELECT
  p.pid,
  p.path,
  REPLACE(
    p.path,
    RTRIM(p.path, REPLACE(p.path, '/', '')),
    ''
  ) AS basename,
  -- On macOS there is often a trailing space
  TRIM(p.cmdline) AS cmd,
  p.mode,
  p.cwd,
  p.euid,
  p.parent,
  p.syscall,
  hash.sha256,
  pp.path AS parent_path,
  pp.name AS parent_name,
  TRIM(p.cmdline) AS parent_cmd,
  pp.euid AS parent_euid,
  phash.sha256 AS parent_sha256
FROM
  uptime,
  process_events p
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN hash AS phash ON pp.path = hash.path
WHERE
  p.time > (strftime('%s', 'now') -15)
  AND (
    basename IN (
      'bitspin',
      'bpftool',
      'csrutil',
      'heyoka',
      'nstx',
      'dnscat2',
      'tuns',
      'iodine',
      'rshell',
      'rsh',
      'incbit',
      'osascript',
      'kmod',
      'lushput',
      'mkfifo',
      'msfvenom',
      'nc',
      'socat'
    )
    -- Chrome Stealer
    OR cmd LIKE '%set visible of front window to false%'
    OR cmd LIKE '%chrome%-load-extension%'
    -- Known attack scripts
    OR basename LIKE '%pwn%'
    OR basename LIKE '%attack%'
    -- Unusual behaviors
    OR cmd LIKE '%chattr -ia%'
    OR cmd LIKE '%chmod 777 %'
    OR cmd LIKE '%touch%acmr%'
    OR cmd LIKE '%ld.so.preload%'
    OR cmd LIKE '%urllib.urlopen%'
    OR cmd LIKE '%nohup%tmp%'
    OR cmd LIKE '%killall Terminal%'
    OR cmd LIKE '%iptables stop'
    OR cmd LIKE '%pkill -f%'
    OR cmd LIKE '%rm -f /var/tmp%'
    OR cmd LIKE '%rm -rf /boot%'
    OR cmd LIKE '%rm -f /tmp%'
    OR cmd LIKE '%xargs kill -9%'
    OR cmd LIKE '%nohup /bin/bash%'
    OR cmd LIKE '%echo%|%base64 --decode %|%'
    OR cmd LIKE '%launchctl list%'
    -- Crypto miners
    OR cmd LIKE '%c3pool%'
    OR cmd LIKE '%cryptonight%'
    OR cmd LIKE '%f2pool%'
    OR cmd LIKE '%hashrate%'
    OR cmd LIKE '%hashvault%'
    OR cmd LIKE '%minerd%'
    OR cmd LIKE '%monero%'
    OR cmd LIKE '%nanopool%'
    OR cmd LIKE '%nicehash%'
    OR cmd LIKE '%stratum%'
    OR basename LIKE '%xig%'
    OR basename LIKE '%xmr%'
    -- Random keywords
    OR cmd LIKE '%ransom%'
    -- Reverse shells
    OR cmd LIKE '%fsockopen%'
    OR cmd LIKE '%openssl%quiet%'
    OR cmd LIKE '%pty.spawn%'
    OR cmd LIKE '%sh -i'
    OR cmd LIKE '%socat%'
    OR cmd LIKE '%SOCK_STREAM%'
    OR cmd LIKE '%Socket.%'
  ) -- Things that could reasonably happen at boot.
  AND NOT (
    p.path = '/usr/bin/mkfifo'
    AND cmd LIKE '%/org.gpgtools.log.%/fifo'
  )
  AND NOT (
    cmd LIKE '%csrutil status'
    AND parent_name IN ('Dropbox')
  )
  -- The source of these commands is still a mystery to me.
  AND NOT (
    cmd IN (
      '/usr/bin/csrutil status',
      '/usr/bin/csrutil report'
    )
    AND p.parent = -1
  )
More tuning 2022-09-15 13:34:45 +00:00			`-- Ported from exotic-commands`
Fix many broken queries 2022-09-21 14:30:17 +00:00			`-- Designed for execution every 15 seconds (where the parent may still be around)`
Decrease exotic-events complexity by splitting & simplifying 2022-10-13 22:31:59 +00:00
			`-- interval: 15`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`p.pid,`
			`p.path,`
			`REPLACE(`
More tuning 2022-09-15 13:34:45 +00:00			`p.path,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`RTRIM(p.path, REPLACE(p.path, '/', '')),`
			`''`
			`) AS basename,`
			`-- On macOS there is often a trailing space`
			`TRIM(p.cmdline) AS cmd,`
			`p.mode,`
			`p.cwd,`
			`p.euid,`
			`p.parent,`
			`p.syscall,`
			`hash.sha256,`
			`pp.path AS parent_path,`
			`pp.name AS parent_name,`
			`TRIM(p.cmdline) AS parent_cmd,`
			`pp.euid AS parent_euid,`
			`phash.sha256 AS parent_sha256`
			`FROM`
			`uptime,`
			`process_events p`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON p.path = hash.path`
			`LEFT JOIN hash AS phash ON pp.path = hash.path`
			`WHERE`
			`p.time > (strftime('%s', 'now') -15)`
			`AND (`
			`basename IN (`
			`'bitspin',`
			`'bpftool',`
			`'csrutil',`
			`'heyoka',`
			`'nstx',`
			`'dnscat2',`
			`'tuns',`
			`'iodine',`
			`'rshell',`
			`'rsh',`
			`'incbit',`
Remove more false positives, add more detail to sensitive file access 2022-10-05 20:15:40 +00:00			`'osascript',`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`'kmod',`
			`'lushput',`
			`'mkfifo',`
			`'msfvenom',`
			`'nc',`
			`'socat'`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`-- Chrome Stealer`
			`OR cmd LIKE '%set visible of front window to false%'`
			`OR cmd LIKE '%chrome%-load-extension%'`
			`-- Known attack scripts`
			`OR basename LIKE '%pwn%'`
			`OR basename LIKE '%attack%'`
			`-- Unusual behaviors`
			`OR cmd LIKE '%chattr -ia%'`
More clarity 2022-10-07 16:46:55 +00:00			`OR cmd LIKE '%chmod 777 %'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`OR cmd LIKE '%touch%acmr%'`
			`OR cmd LIKE '%ld.so.preload%'`
			`OR cmd LIKE '%urllib.urlopen%'`
			`OR cmd LIKE '%nohup%tmp%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR cmd LIKE '%killall Terminal%'`
			`OR cmd LIKE '%iptables stop'`
			`OR cmd LIKE '%pkill -f%'`
			`OR cmd LIKE '%rm -f /var/tmp%'`
			`OR cmd LIKE '%rm -rf /boot%'`
			`OR cmd LIKE '%rm -f /tmp%'`
			`OR cmd LIKE '%xargs kill -9%'`
			`OR cmd LIKE '%nohup /bin/bash%'`
Decrease exotic-events complexity by splitting & simplifying 2022-10-13 22:31:59 +00:00			`OR cmd LIKE '%echo%\|%base64 --decode %\|%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR cmd LIKE '%launchctl list%'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`-- Crypto miners`
			`OR cmd LIKE '%c3pool%'`
			`OR cmd LIKE '%cryptonight%'`
			`OR cmd LIKE '%f2pool%'`
			`OR cmd LIKE '%hashrate%'`
			`OR cmd LIKE '%hashvault%'`
			`OR cmd LIKE '%minerd%'`
			`OR cmd LIKE '%monero%'`
			`OR cmd LIKE '%nanopool%'`
			`OR cmd LIKE '%nicehash%'`
			`OR cmd LIKE '%stratum%'`
			`OR basename LIKE '%xig%'`
			`OR basename LIKE '%xmr%'`
			`-- Random keywords`
			`OR cmd LIKE '%ransom%'`
			`-- Reverse shells`
			`OR cmd LIKE '%fsockopen%'`
			`OR cmd LIKE '%openssl%quiet%'`
			`OR cmd LIKE '%pty.spawn%'`
			`OR cmd LIKE '%sh -i'`
			`OR cmd LIKE '%socat%'`
			`OR cmd LIKE '%SOCK_STREAM%'`
Decrease exotic-events complexity by splitting & simplifying 2022-10-13 22:31:59 +00:00			`OR cmd LIKE '%Socket.%'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`) -- Things that could reasonably happen at boot.`
			`AND NOT (`
			`p.path = '/usr/bin/mkfifo'`
			`AND cmd LIKE '%/org.gpgtools.log.%/fifo'`
			`)`
			`AND NOT (`
			`cmd LIKE '%csrutil status'`
			`AND parent_name IN ('Dropbox')`
			`)`
			`-- The source of these commands is still a mystery to me.`
			`AND NOT (`
			`cmd IN (`
			`'/usr/bin/csrutil status',`
			`'/usr/bin/csrutil report'`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND p.parent = -1`
			`)`