2022-09-15 13:34:45 +00:00
|
|
|
-- Ported from exotic-commands
|
2022-09-21 14:30:17 +00:00
|
|
|
-- Designed for execution every 15 seconds (where the parent may still be around)
|
2022-09-15 13:34:45 +00:00
|
|
|
SELECT p.pid,
|
|
|
|
|
p.path,
|
2022-09-22 09:18:03 +00:00
|
|
|
REPLACE(
|
|
|
|
|
p.path,
|
|
|
|
|
RTRIM(p.path, REPLACE(p.path, '/', '')),
|
|
|
|
|
''
|
|
|
|
|
) AS basename,
|
2022-09-20 21:46:47 +00:00
|
|
|
-- On macOS there is often a trailing space
|
2022-09-21 14:30:17 +00:00
|
|
|
TRIM(p.cmdline) AS cmd,
|
2022-09-15 13:34:45 +00:00
|
|
|
p.mode,
|
|
|
|
|
p.cwd,
|
|
|
|
|
p.euid,
|
|
|
|
|
p.parent,
|
|
|
|
|
p.syscall,
|
2022-09-22 17:18:16 +00:00
|
|
|
hash.sha256,
|
2022-09-15 13:34:45 +00:00
|
|
|
pp.path AS parent_path,
|
|
|
|
|
pp.name AS parent_name,
|
2022-09-21 17:34:10 +00:00
|
|
|
TRIM(p.cmdline) AS parent_cmd,
|
2022-09-15 13:34:45 +00:00
|
|
|
pp.euid AS parent_euid,
|
2022-09-22 17:18:16 +00:00
|
|
|
phash.sha256 AS parent_sha256
|
2022-09-22 09:18:03 +00:00
|
|
|
FROM uptime,
|
|
|
|
|
process_events p
|
2022-09-15 13:34:45 +00:00
|
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
2022-09-22 17:18:16 +00:00
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
|
|
|
LEFT JOIN hash AS phash ON pp.path = hash.path
|
2022-09-21 14:30:17 +00:00
|
|
|
WHERE p.time > (strftime('%s', 'now') -15)
|
2022-09-22 09:18:03 +00:00
|
|
|
AND (
|
2022-09-20 21:46:47 +00:00
|
|
|
basename IN (
|
|
|
|
|
'bitspin',
|
|
|
|
|
'bpftool',
|
|
|
|
|
'csrutil',
|
2022-09-22 17:18:16 +00:00
|
|
|
'heyoka',
|
|
|
|
|
'nstx',
|
|
|
|
|
'dnscat2',
|
|
|
|
|
'tuns',
|
|
|
|
|
'iodine',
|
|
|
|
|
'rshell',
|
|
|
|
|
'rsh',
|
2022-09-20 21:46:47 +00:00
|
|
|
'incbit',
|
|
|
|
|
'insmod',
|
|
|
|
|
'kmod',
|
|
|
|
|
'lushput',
|
|
|
|
|
'mkfifo',
|
|
|
|
|
'msfvenom',
|
|
|
|
|
'nc',
|
|
|
|
|
'socat'
|
|
|
|
|
)
|
2022-09-22 09:18:03 +00:00
|
|
|
-- Chrome Stealer
|
2022-09-20 21:46:47 +00:00
|
|
|
OR cmd LIKE '%set visible of front window to false%'
|
2022-09-22 17:18:16 +00:00
|
|
|
OR cmd LIKE '%chrome%-load-extension%'
|
2022-09-20 21:46:47 +00:00
|
|
|
-- Known attack scripts
|
|
|
|
|
OR basename LIKE '%pwn%'
|
2022-09-21 17:34:10 +00:00
|
|
|
OR basename LIKE '%attack%'
|
2022-09-20 21:46:47 +00:00
|
|
|
-- Unusual behaviors
|
|
|
|
|
OR cmd LIKE '%ufw disable%'
|
|
|
|
|
OR cmd LIKE '%iptables -P % ACCEPT%'
|
|
|
|
|
OR cmd LIKE '%iptables -F%'
|
|
|
|
|
OR cmd LIKE '%chattr -ia%'
|
|
|
|
|
OR cmd LIKE '%touch%acmr%'
|
|
|
|
|
OR cmd LIKE '%ld.so.preload%'
|
|
|
|
|
OR cmd LIKE '%urllib.urlopen%'
|
|
|
|
|
OR cmd LIKE '%nohup%tmp%'
|
2022-09-22 17:18:16 +00:00
|
|
|
OR cmd LIKE "%killall Terminal%"
|
|
|
|
|
OR cmd LIKE "%nohup /bin/bash%"
|
|
|
|
|
OR cmd LIKE "%echo%|%base64 --decode %|%sh%"
|
|
|
|
|
OR cmd LIKE "%echo%|%base64 --decode %|%python%"
|
|
|
|
|
OR cmd LIKE "%launchctl list%"
|
2022-09-20 21:46:47 +00:00
|
|
|
-- Crypto miners
|
|
|
|
|
OR cmd LIKE '%c3pool%'
|
|
|
|
|
OR cmd LIKE '%cryptonight%'
|
|
|
|
|
OR cmd LIKE '%f2pool%'
|
|
|
|
|
OR cmd LIKE '%hashrate%'
|
|
|
|
|
OR cmd LIKE '%hashvault%'
|
|
|
|
|
OR cmd LIKE '%minerd%'
|
|
|
|
|
OR cmd LIKE '%monero%'
|
|
|
|
|
OR cmd LIKE '%nanopool%'
|
|
|
|
|
OR cmd LIKE '%nicehash%'
|
|
|
|
|
OR cmd LIKE '%stratum%'
|
|
|
|
|
OR basename LIKE '%xig%'
|
|
|
|
|
OR basename LIKE '%xmr%'
|
|
|
|
|
-- Random keywords
|
|
|
|
|
OR cmd LIKE '%ransom%'
|
|
|
|
|
-- Reverse shells
|
|
|
|
|
OR cmd LIKE '%/dev/tcp/%'
|
|
|
|
|
OR cmd LIKE '%/dev/udp/%'
|
|
|
|
|
OR cmd LIKE '%fsockopen%'
|
|
|
|
|
OR cmd LIKE '%openssl%quiet%'
|
|
|
|
|
OR cmd LIKE '%pty.spawn%'
|
|
|
|
|
OR cmd LIKE '%sh -i'
|
|
|
|
|
OR cmd LIKE '%socat%'
|
|
|
|
|
OR cmd LIKE '%SOCK_STREAM%'
|
|
|
|
|
OR cmd LIKE '%Socket.fork%'
|
|
|
|
|
OR cmd LIKE '%Socket.new%'
|
|
|
|
|
OR cmd LIKE '%socket.socket%'
|
2022-09-22 09:18:03 +00:00
|
|
|
) -- Things that could reasonably happen at boot.
|
2022-09-20 21:46:47 +00:00
|
|
|
AND NOT (
|
|
|
|
|
p.path IN ('/usr/bin/kmod', '/bin/kmod')
|
2022-09-22 09:18:03 +00:00
|
|
|
AND parent_path = '/usr/lib/systemd/systemd'
|
|
|
|
|
AND parent_cmd = '/sbin/init'
|
2022-09-20 21:46:47 +00:00
|
|
|
)
|
2022-09-15 13:34:45 +00:00
|
|
|
AND NOT (
|
2022-09-20 21:46:47 +00:00
|
|
|
p.path IN ('/usr/bin/kmod', '/bin/kmod')
|
2022-09-22 17:18:16 +00:00
|
|
|
AND parent_name IN ('firewalld', 'mkinitramfs', 'systemd')
|
2022-09-20 21:46:47 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
p.path IN ('/usr/bin/kmod', '/bin/kmod')
|
2022-09-15 13:34:45 +00:00
|
|
|
AND uptime.total_seconds < 15
|
2022-09-15 15:28:50 +00:00
|
|
|
)
|
2022-09-22 09:18:03 +00:00
|
|
|
AND NOT (
|
|
|
|
|
p.path = '/usr/bin/mkfifo'
|
|
|
|
|
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
cmd LIKE '%csrutil status'
|
|
|
|
|
AND parent_name IN ('Dropbox')
|
|
|
|
|
)
|
|
|
|
|
-- The source of these commands is still a mystery to me.
|
|
|
|
|
AND NOT (
|
|
|
|
|
cmd IN (
|
|
|
|
|
'/usr/bin/csrutil status',
|
|
|
|
|
'/usr/bin/csrutil report'
|
|
|
|
|
)
|
|
|
|
|
AND p.parent = -1
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
p.path IN ('/usr/bin/kmod', '/bin/kmod')
|
|
|
|
|
AND parent_name IN ('dockerd', 'kube-proxy')
|
|
|
|
|
)
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT cmd LIKE '%modprobe -va%'
|
2022-09-20 21:46:47 +00:00
|
|
|
AND NOT cmd LIKE 'modprobe -ab%'
|
|
|
|
|
AND NOT cmd LIKE '%modprobe overlay'
|
|
|
|
|
AND NOT cmd LIKE '%modprobe aufs'
|
2022-09-21 17:34:10 +00:00
|
|
|
AND NOT cmd IN ('lsmod')
|
