2022-10-19 20:56:32 +00:00
|
|
|
-- Find processes that run with a lower effective UID than their parent (state-based)
|
2022-10-07 16:46:55 +00:00
|
|
|
--
|
2022-10-19 20:56:32 +00:00
|
|
|
-- references:
|
|
|
|
-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
|
|
|
|
-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
|
|
|
|
--
|
|
|
|
-- related:
|
2022-10-07 16:46:55 +00:00
|
|
|
-- * unexpected-privilege-escalation-events.sql
|
2022-10-13 18:59:32 +00:00
|
|
|
--
|
2023-02-09 22:01:29 +00:00
|
|
|
-- tags: transient state process escalation
|
2022-11-08 01:36:37 +00:00
|
|
|
-- platform: linux
|
2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
2023-02-09 22:01:29 +00:00
|
|
|
p0.uid AS p0_uid,
|
2023-02-01 18:55:55 +00:00
|
|
|
-- Child
|
2023-02-09 22:01:29 +00:00
|
|
|
p0.pid AS p0_pid,
|
2023-02-01 18:55:55 +00:00
|
|
|
p0.path AS p0_path,
|
|
|
|
p0.name AS p0_name,
|
|
|
|
p0.cmdline AS p0_cmd,
|
|
|
|
p0.cwd AS p0_cwd,
|
|
|
|
p0.cgroup_path AS p0_cgroup,
|
|
|
|
p0.euid AS p0_euid,
|
|
|
|
p0_hash.sha256 AS p0_sha256,
|
|
|
|
-- Parent
|
|
|
|
p0.parent AS p1_pid,
|
|
|
|
p1.path AS p1_path,
|
|
|
|
p1.name AS p1_name,
|
|
|
|
p1_f.mode AS p1_mode,
|
|
|
|
p1.euid AS p1_euid,
|
|
|
|
p1.cmdline AS p1_cmd,
|
|
|
|
p1_hash.sha256 AS p1_sha256,
|
|
|
|
-- Grandparent
|
|
|
|
p1.parent AS p2_pid,
|
|
|
|
p2.name AS p2_name,
|
|
|
|
p2.path AS p2_path,
|
|
|
|
p2.cmdline AS p2_cmd,
|
|
|
|
p2_hash.sha256 AS p2_sha256
|
2022-09-24 15:12:23 +00:00
|
|
|
FROM
|
2023-02-01 18:55:55 +00:00
|
|
|
processes p0
|
|
|
|
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
|
|
|
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
|
|
|
LEFT JOIN file p1_f ON p1.path = p1_f.path
|
|
|
|
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
|
|
|
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
|
|
|
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
2022-09-24 15:12:23 +00:00
|
|
|
WHERE
|
2023-02-09 22:01:29 +00:00
|
|
|
p0.pid IN (
|
|
|
|
SELECT
|
|
|
|
pid
|
|
|
|
FROM
|
|
|
|
processes
|
|
|
|
WHERE
|
|
|
|
euid < uid
|
|
|
|
AND NOT path IN (
|
|
|
|
'/bin/ps',
|
2023-03-28 20:25:26 +00:00
|
|
|
'/opt/1Password/1password',
|
2023-02-09 22:01:29 +00:00
|
|
|
'/usr/bin/doas',
|
|
|
|
'/usr/bin/fusermount',
|
|
|
|
'/usr/bin/fusermount3',
|
|
|
|
'/usr/bin/login',
|
|
|
|
'/usr/bin/su',
|
|
|
|
'/usr/bin/sudo',
|
2023-03-28 20:25:26 +00:00
|
|
|
'/usr/bin/top',
|
|
|
|
'/usr/libexec/Xorg',
|
|
|
|
'/usr/lib/xorg/Xorg'
|
2023-02-09 22:01:29 +00:00
|
|
|
) -- doas may be in the process of being upgraded
|
|
|
|
AND NOT path LIKE '/nix/store/%/bin/sudo'
|
|
|
|
AND NOT path LIKE '/nix/store/%/bin/dhcpcd'
|
|
|
|
AND NOT path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
|
|
|
|
AND NOT name IN ('doas', 'sudo')
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
2023-02-08 19:37:09 +00:00
|
|
|
AND NOT (
|
2023-02-09 22:01:29 +00:00
|
|
|
p0.cmdline LIKE '%pacman%'
|
|
|
|
AND p1.cmdline LIKE 'yay%'
|
2023-02-08 19:37:09 +00:00
|
|
|
)
|
2022-09-24 15:12:23 +00:00
|
|
|
AND NOT (
|
2023-02-01 18:55:55 +00:00
|
|
|
p0.name = 'polkit-agent-he'
|
|
|
|
AND p1.path = '/usr/bin/gnome-shell'
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
AND NOT (
|
2023-02-01 18:55:55 +00:00
|
|
|
p0.name = 'fusermount3'
|
|
|
|
AND p1.path = '/usr/lib/xdg-document-portal'
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
2022-10-25 13:20:18 +00:00
|
|
|
AND NOT (
|
2023-02-01 18:55:55 +00:00
|
|
|
p0.path = '/usr/bin/pkexec'
|
|
|
|
AND p1.path = '/usr/bin/update-notifier'
|
2022-10-25 13:20:18 +00:00
|
|
|
)
|
2022-10-25 15:39:51 +00:00
|
|
|
AND NOT (
|
2023-02-01 18:55:55 +00:00
|
|
|
p0.path = '/usr/libexec/xdg-permission-store'
|
|
|
|
AND p1.path = '/usr/lib/systemd/systemd'
|
2023-05-08 17:20:47 +00:00
|
|
|
)
|