osquery-defense-kit/detection/initial_access/unexpected-shell-parent-eve...

-- Unexpected process that spawns shell processes (event-based)
--
-- false positives:
--   * IDE's
--
-- references:
--   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
--   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
--
-- tags: process events
-- interval: 300
-- platform: posix
SELECT
  pe.path AS child_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
  TRIM(pe.cmdline) AS child_cmd,
  pe.pid AS child_pid,
  pe.euid AS child_euid,
  p.cgroup_path AS child_cgroup,
  pe.parent AS parent_pid,
  TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
  TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
  IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
  REGEX_MATCH (
    IIF(pp.path != NULL, pp.path, ppe.path),
    '.*/(.*)',
    1
  ) AS parent_name,
  TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
  TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
  IIF(gp.path != NULL, gphash.sha256, gpehash.path) AS gparent_hash,
  REGEX_MATCH (
    IIF(gp.path != NULL, gp.path, gpe.path),
    '.*/(.*)',
    1
  ) AS gparent_name,
  IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
FROM
  process_events pe
  LEFT JOIN processes p ON pe.pid = p.pid
  LEFT JOIN processes pp ON pe.parent = pp.pid
  LEFT JOIN hash phash ON pp.path = phash.path
  LEFT JOIN process_events ppe ON pe.parent = ppe.pid
  LEFT JOIN hash pehash ON ppe.path = pehash.path
  LEFT JOIN processes gp ON gp.pid = pp.parent
  LEFT JOIN hash gphash ON gp.path = gphash.path
  LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
  LEFT JOIN hash gpehash ON gpe.path = gpehash.path
WHERE
  child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
  AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
  AND NOT (
    parent_name IN (
      'abrt-handle-eve',
      'alacritty',
      'bash',
      'build-script-build',
      'chezmoi',
      'gke-gcloud-auth-plugin',
      'clang-11',
      'gdm-session-worker',
      'code',
      'Code Helper (Renderer)',
      'Code - Insiders Helper (Renderer)',
      'collect2',
      'conmon',
      'containerd-shim',
      'dash',
      'demoit',
      'direnv',
      'doas',
      'docker-credential-desktop',
      'env',
      'erl_child_setup',
      'chainctl',
      'find',
      'docker-credential-gcr',
      'FinderSyncExtension',
      'fish',
      'git',
      'go',
      'ShellLauncher',
      'goland',
      'helm',
      'i3bar',
      'i3blocks',
      'java',
      'kitty',
      'local-path-provisioner',
      'ko',
      'kubectl',
      'lightdm',
      'login',
      'make',
      'monorail',
      'ninja',
      'nix',
      'nix-build',
      'nix-daemon',
      'node',
      'nvim',
      'package_script_service',
      'perl',
      -- 'python' - do not include this, or you won't detect supply-chain attacks.
      'PK-Backend',
      'roxterm',
      'sdk',
      'sdzoomplugin',
      'sh',
      'skhd',
      'snyk',
      'sshd',
      'sudo',
      'swift',
      'systemd',
      'systemd-sleep',
      'terminator',
      'test2json',
      'tmux',
      'tmux:server',
      'vi',
      'vim',
      'watch',
      'wezterm-gui',
      'xargs',
      'xcrun',
      'xfce4-terminal',
      'yum',
      'zellij',
      'zsh'
    )
    OR parent_name LIKE 'terraform-provider-%'
    -- Do not add shells to this list if you want your query to detect
    -- bad programs that were started from a shell.
    OR gparent_name IN ('env', 'git')
    -- Homebrew, except we don't want to allow all of ruby
    OR child_cmd IN (
      'sh -c /bin/stty size 2>/dev/null',
      'sh -c python3.7 --version 2>&1',
      'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
    )
    OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
    OR child_cmd LIKE '/bin/sh -c pkg-config %'
    OR child_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
    OR child_cmd LIKE '%/bash -e%/bin/as -arch%'
    OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
    OR gparent_cmd LIKE '/usr/bin/python3 -m py_compile %'
  )
GROUP BY
  pe.pid
detection/initial_access/unexpected-shell-parent-events.sql new detector: unexpected shell parent events 2023-01-04 16:43:26 +00:00			`-- Unexpected process that spawns shell processes (event-based)`
			`--`
			`-- false positives:`
			`-- * IDE's`
			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)`
			`-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)`
			`--`
			`-- tags: process events`
			`-- interval: 300`
			`-- platform: posix`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`SELECT`
			`pe.path AS child_path,`
			`REGEX_MATCH (pe.path, './(.)', 1) AS child_name,`
			`TRIM(pe.cmdline) AS child_cmd,`
			`pe.pid AS child_pid,`
Rewrite unexpected-osascript-calls for simplicity 2023-01-06 20:31:08 +00:00			`pe.euid AS child_euid,`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`p.cgroup_path AS child_cgroup,`
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 15:46:30 +00:00			`pe.parent AS parent_pid,`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,`
			`TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`REGEX_MATCH (`
			`IIF(pp.path != NULL, pp.path, ppe.path),`
			`'./(.)',`
			`1`
			`) AS parent_name,`
			`TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,`
			`TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`IIF(gp.path != NULL, gphash.sha256, gpehash.path) AS gparent_hash,`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`REGEX_MATCH (`
			`IIF(gp.path != NULL, gp.path, gpe.path),`
			`'./(.)',`
			`1`
			`) AS gparent_name,`
			`IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid`
			`FROM`
			`process_events pe`
			`LEFT JOIN processes p ON pe.pid = p.pid`
			`LEFT JOIN processes pp ON pe.parent = pp.pid`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`LEFT JOIN hash phash ON pp.path = phash.path`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`LEFT JOIN process_events ppe ON pe.parent = ppe.pid`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`LEFT JOIN hash pehash ON ppe.path = pehash.path`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`LEFT JOIN processes gp ON gp.pid = pp.parent`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`LEFT JOIN hash gphash ON gp.path = gphash.path`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`LEFT JOIN process_events gpe ON ppe.parent = gpe.pid`
Add some hash fields, fix some false positives 2023-01-09 14:04:38 +00:00			`LEFT JOIN hash gpehash ON gpe.path = gpehash.path`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`WHERE`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins`
			`AND NOT (`
			`parent_name IN (`
			`'abrt-handle-eve',`
			`'alacritty',`
			`'bash',`
			`'build-script-build',`
			`'chezmoi',`
More false positive removal 2023-01-06 21:01:35 +00:00			`'gke-gcloud-auth-plugin',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'clang-11',`
false positives: dots, ipn, apport-gtk, homebrew, hyperkey, contexts 2023-01-09 14:34:20 +00:00			`'gdm-session-worker',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'code',`
			`'Code Helper (Renderer)',`
			`'Code - Insiders Helper (Renderer)',`
			`'collect2',`
			`'conmon',`
			`'containerd-shim',`
			`'dash',`
			`'demoit',`
			`'direnv',`
			`'doas',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'docker-credential-desktop',`
			`'env',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'erl_child_setup',`
Catch up to some older false positives we ran into 2023-01-06 22:11:24 +00:00			`'chainctl',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'find',`
Catch up to some older false positives we ran into 2023-01-06 22:11:24 +00:00			`'docker-credential-gcr',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'FinderSyncExtension',`
			`'fish',`
			`'git',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'go',`
Friday False Positive Flush 2023-01-13 19:10:43 +00:00			`'ShellLauncher',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'goland',`
			`'helm',`
			`'i3bar',`
			`'i3blocks',`
			`'java',`
			`'kitty',`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`'local-path-provisioner',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'ko',`
			`'kubectl',`
			`'lightdm',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'login',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'make',`
			`'monorail',`
			`'ninja',`
			`'nix',`
			`'nix-build',`
			`'nix-daemon',`
			`'node',`
			`'nvim',`
			`'package_script_service',`
			`'perl',`
Remove Python whitelist, see pymafka 2023-01-13 18:47:19 +00:00			`-- 'python' - do not include this, or you won't detect supply-chain attacks.`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'PK-Backend',`
			`'roxterm',`
			`'sdk',`
			`'sdzoomplugin',`
			`'sh',`
			`'skhd',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'snyk',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'sshd',`
			`'sudo',`
			`'swift',`
			`'systemd',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'systemd-sleep',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'terminator',`
			`'test2json',`
			`'tmux',`
			`'tmux:server',`
			`'vi',`
			`'vim',`
			`'watch',`
			`'wezterm-gui',`
			`'xargs',`
			`'xcrun',`
			`'xfce4-terminal',`
			`'yum',`
			`'zellij',`
			`'zsh'`
Add enough exceptions to make this useful 2023-01-04 16:58:54 +00:00			`)`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`OR parent_name LIKE 'terraform-provider-%'`
			`-- Do not add shells to this list if you want your query to detect`
			`-- bad programs that were started from a shell.`
			`OR gparent_name IN ('env', 'git')`
			`-- Homebrew, except we don't want to allow all of ruby`
			`OR child_cmd IN (`
			`'sh -c /bin/stty size 2>/dev/null',`
			`'sh -c python3.7 --version 2>&1',`
			`'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'`
			`)`
			`OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'`
Filter out new false positives 2023-01-13 20:24:18 +00:00			`OR child_cmd LIKE '/bin/sh -c pkg-config %'`
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 17:56:39 +00:00			`OR child_cmd LIKE '/bin/sh %/docker-credential-gcloud get'`
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 15:46:30 +00:00			`OR child_cmd LIKE '%/bash -e%/bin/as -arch%'`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'`
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 15:46:30 +00:00			`OR gparent_cmd LIKE '/usr/bin/python3 -m py_compile %'`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`)`
			`GROUP BY`
			`pe.pid`