2023-01-04 16:43:26 +00:00
|
|
|
-- Unexpected process that spawns shell processes (event-based)
|
|
|
|
--
|
|
|
|
-- false positives:
|
|
|
|
-- * IDE's
|
|
|
|
--
|
|
|
|
-- references:
|
|
|
|
-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
|
|
|
|
-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
|
|
|
|
--
|
|
|
|
-- tags: process events
|
|
|
|
-- interval: 300
|
|
|
|
-- platform: posix
|
2023-01-06 15:18:19 +00:00
|
|
|
SELECT
|
|
|
|
pe.path AS child_path,
|
|
|
|
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
|
|
|
|
TRIM(pe.cmdline) AS child_cmd,
|
|
|
|
pe.pid AS child_pid,
|
2023-01-06 20:31:08 +00:00
|
|
|
pe.euid AS child_euid,
|
2023-01-06 15:18:19 +00:00
|
|
|
p.cgroup_path AS child_cgroup,
|
|
|
|
p.parent AS parent_pid,
|
|
|
|
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
|
|
|
|
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
|
|
|
|
REGEX_MATCH (
|
|
|
|
IIF(pp.path != NULL, pp.path, ppe.path),
|
|
|
|
'.*/(.*)',
|
|
|
|
1
|
|
|
|
) AS parent_name,
|
|
|
|
TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
|
|
|
|
TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
|
|
|
|
REGEX_MATCH (
|
|
|
|
IIF(gp.path != NULL, gp.path, gpe.path),
|
|
|
|
'.*/(.*)',
|
|
|
|
1
|
|
|
|
) AS gparent_name,
|
|
|
|
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
|
|
|
|
FROM
|
|
|
|
process_events pe
|
|
|
|
LEFT JOIN processes p ON pe.pid = p.pid
|
|
|
|
LEFT JOIN processes pp ON pe.parent = pp.pid
|
|
|
|
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
|
|
|
|
LEFT JOIN processes gp ON gp.pid = pp.parent
|
|
|
|
LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
|
|
|
|
WHERE
|
2023-01-06 15:36:48 +00:00
|
|
|
child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
|
2023-01-06 15:18:19 +00:00
|
|
|
AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
|
|
|
|
AND NOT (
|
|
|
|
parent_name IN (
|
|
|
|
'abrt-handle-eve',
|
|
|
|
'alacritty',
|
|
|
|
'bash',
|
|
|
|
'build-script-build',
|
|
|
|
'chezmoi',
|
2023-01-06 21:01:35 +00:00
|
|
|
'gke-gcloud-auth-plugin',
|
2023-01-06 15:18:19 +00:00
|
|
|
'clang-11',
|
|
|
|
'code',
|
|
|
|
'Code Helper (Renderer)',
|
|
|
|
'Code - Insiders Helper (Renderer)',
|
|
|
|
'collect2',
|
|
|
|
'conmon',
|
|
|
|
'containerd-shim',
|
|
|
|
'dash',
|
|
|
|
'demoit',
|
|
|
|
'direnv',
|
|
|
|
'doas',
|
2023-01-06 15:36:48 +00:00
|
|
|
'docker-credential-desktop',
|
|
|
|
'env',
|
2023-01-06 15:18:19 +00:00
|
|
|
'erl_child_setup',
|
2023-01-06 22:11:24 +00:00
|
|
|
'chainctl',
|
2023-01-06 15:18:19 +00:00
|
|
|
'find',
|
2023-01-06 22:11:24 +00:00
|
|
|
'docker-credential-gcr',
|
2023-01-06 15:18:19 +00:00
|
|
|
'FinderSyncExtension',
|
|
|
|
'fish',
|
|
|
|
'git',
|
2023-01-06 15:36:48 +00:00
|
|
|
'go',
|
2023-01-06 15:18:19 +00:00
|
|
|
'goland',
|
|
|
|
'helm',
|
|
|
|
'i3bar',
|
|
|
|
'i3blocks',
|
|
|
|
'java',
|
|
|
|
'kitty',
|
|
|
|
'ko',
|
|
|
|
'kubectl',
|
|
|
|
'lightdm',
|
2023-01-06 15:36:48 +00:00
|
|
|
'login',
|
2023-01-06 15:18:19 +00:00
|
|
|
'make',
|
|
|
|
'monorail',
|
|
|
|
'ninja',
|
|
|
|
'nix',
|
|
|
|
'nix-build',
|
|
|
|
'nix-daemon',
|
|
|
|
'node',
|
|
|
|
'nvim',
|
|
|
|
'package_script_service',
|
|
|
|
'perl',
|
|
|
|
'PK-Backend',
|
|
|
|
'python',
|
|
|
|
'roxterm',
|
|
|
|
'sdk',
|
|
|
|
'sdzoomplugin',
|
|
|
|
'sh',
|
|
|
|
'skhd',
|
2023-01-06 15:36:48 +00:00
|
|
|
'snyk',
|
2023-01-06 15:18:19 +00:00
|
|
|
'sshd',
|
|
|
|
'sudo',
|
|
|
|
'swift',
|
|
|
|
'systemd',
|
2023-01-06 15:36:48 +00:00
|
|
|
'systemd-sleep',
|
2023-01-06 15:18:19 +00:00
|
|
|
'terminator',
|
|
|
|
'test2json',
|
|
|
|
'tmux',
|
|
|
|
'tmux:server',
|
|
|
|
'vi',
|
|
|
|
'vim',
|
|
|
|
'watch',
|
|
|
|
'wezterm-gui',
|
|
|
|
'xargs',
|
|
|
|
'xcrun',
|
|
|
|
'xfce4-terminal',
|
|
|
|
'yum',
|
|
|
|
'zellij',
|
|
|
|
'zsh'
|
2023-01-06 15:36:48 +00:00
|
|
|
|
2023-01-04 16:58:54 +00:00
|
|
|
)
|
2023-01-06 15:18:19 +00:00
|
|
|
OR parent_name LIKE 'terraform-provider-%'
|
|
|
|
-- Do not add shells to this list if you want your query to detect
|
|
|
|
-- bad programs that were started from a shell.
|
|
|
|
OR gparent_name IN ('env', 'git')
|
|
|
|
-- Homebrew, except we don't want to allow all of ruby
|
|
|
|
OR child_cmd IN (
|
|
|
|
'sh -c /bin/stty size 2>/dev/null',
|
|
|
|
'sh -c python3.7 --version 2>&1',
|
|
|
|
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
|
|
|
|
)
|
|
|
|
OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
|
2023-01-06 22:11:24 +00:00
|
|
|
OR child_cmd LIKE '/bin/sh %google-cloud-sdk/bin/docker-credential-gcloud get'
|
2023-01-06 15:18:19 +00:00
|
|
|
OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
|
|
|
|
)
|
|
|
|
GROUP BY
|
|
|
|
pe.pid
|