osquery-defense-kit/detection/persistence/yara-suspicious-strings-pro...

-- Currently running program with Linux red flags
--
-- reference:
--   * https://github.com/timb-machine/linux-malware/blob/725aad34e216cc024c93b04964b289f10f819e6e/defensive/yara/personal-malware-bazaar/unixredflags3.yara
--
-- tags: persistent extra
-- interval: 7200
-- platform: linux
SELECT
  yara.strings,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
  p0.start_time AS p0_start,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.cgroup_path AS p0_cgroup,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1.start_time AS p1_start,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.start_time AS p2_start,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  processes p0
  JOIN yara ON p0.path = yara.path
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
  p0.pid IN (
    SELECT
      pid
    FROM
      processes
    WHERE
      start_time > (strftime('%s', 'now') - 7200)
      AND path != ""
    GROUP BY
      path
  )
  AND yara.sigrule = '
    rule redflags {
    strings:
        $bash_history = ".bash_history"
        $google_chrome = "google-chrome"
        $cron = "cron"
        $dev_shm = "/dev/shm"
        $dev_tcp = "/dev/tcp"
        $dev_udp = "/dev/udp"
        $iptables = "iptables"
        $ld_so = "ld.so.conf"
        $proc = "/proc"
        $sudo = "sudo"
        $systemctl = "systemctl"
        $useradd = "useradd"
        $var_tmp = "/var/tmp"
        $var_run = "/var/run"
        $dev_mqueue = "/dev/mqueue"
        $bin_sh = "/bin/sh"
        $pickup = "pickup -l"
        $avahi = "avahi-daemon:"
        $redhat4 = "Red Hat 4"
    condition:
        filesize < 25MB and 5 of them
}'
  AND yara.count > 0
  AND p0.name NOT IN (
    'chrome_crashpad',
    'X',
    'emacs',
    'git',
    'systemd',
    'NetworkManager',
    'systemd-journal',
    'Xorg',
    'slirp4netns',
    'nacl_helper'
  )
  AND p0.path NOT LIKE '%/google/chrome/%'
  AND p0.path NOT LIKE '%/chrome_crashpad_handler'
  AND p0.path NOT LIKE '/nix/store/%/bin/%'
  AND p0.path NOT LIKE '/nix/store/%/libexec/%'
  AND p0.path NOT LIKE '/usr/local/aws-cli/%/aws'
  AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
  AND p0.path NOT IN (
    '/bin/bash',
    '/bin/containerd-shim-runc-v2',
    '/bin/fish',
    '/bin/dash',
    '/bin/sh',
    '/usr/lib/systemd/systemd-executor',
    '/usr/bin/bash',
    '/usr/lib/snapd/snapd',
    '/usr/bin/snap',
    '/usr/bin/containerd-shim-runc-v2',
    '/usr/bin/docker-proxy',
    '/usr/bin/fish',
    '/usr/bin/docker',
    '/usr/bin/gnome-software',
    '/usr/bin/gpg-agent',
    '/usr/bin/ibus-daemon',
    '/usr/bin/make',
    '/usr/bin/NetworkManager',
    '/usr/bin/nvidia-persistenced',
    '/usr/bin/nvim',
    '/opt/Elastic/Endpoint/elastic-endpoint',
    '/usr/bin/pulseaudio',
    '/usr/bin/sshd',
    '/usr/bin/sudo',
    '/usr/bin/udevadm',
    '/usr/bin/update-notifier',
    '/usr/bin/Xwayland',
    '/usr/lib/bluetooth/bluetoothd',
    '/usr/lib/bluetooth/obexd',
    '/usr/libexec/accounts-daemon',
    '/usr/libexec/bluetooth/bluetoothd',
    '/usr/libexec/bluetooth/obexd',
    '/usr/libexec/flatpak-system-helper',
    '/usr/libexec/sssd/sssd_kcm',
    '/usr/libexec/xdg-desktop-portal',
    '/usr/lib/systemd/systemd',
    '/usr/lib/systemd/systemd-journald',
    '/usr/lib/systemd/systemd-machined',
    '/usr/local/bin/rootlesskit',
    '/usr/local/kolide-k2/bin/launcher',
    '/usr/sbin/acpid',
    '/usr/sbin/auditd',
    '/usr/sbin/cron',
    '/usr/sbin/crond',
    '/usr/sbin/gdm',
    '/usr/sbin/gssproxy',
    '/usr/sbin/mcelog',
    '/usr/sbin/NetworkManager',
    '/usr/sbin/rsyslogd',
    '/usr/sbin/smartd'
  )
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`-- Currently running program with Linux red flags`
fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc 2024-11-18 21:16:52 +00:00			`--`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`-- reference:`
			`-- * https://github.com/timb-machine/linux-malware/blob/725aad34e216cc024c93b04964b289f10f819e6e/defensive/yara/personal-malware-bazaar/unixredflags3.yara`
			`--`
Overdue False Positive Reduction 2024-03-29 14:12:36 +00:00			`-- tags: persistent extra`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`-- interval: 7200`
			`-- platform: linux`
			`SELECT`
			`yara.strings,`
			`-- Child`
			`p0.pid AS p0_pid,`
			`p0.path AS p0_path,`
			`p0.name AS p0_name,`
			`p0.start_time AS p0_start,`
			`p0.cmdline AS p0_cmd,`
			`p0.cwd AS p0_cwd,`
			`p0.cgroup_path AS p0_cgroup,`
			`p0.euid AS p0_euid,`
			`p0_hash.sha256 AS p0_sha256,`
			`-- Parent`
			`p0.parent AS p1_pid,`
			`p1.path AS p1_path,`
			`p1.name AS p1_name,`
			`p1.start_time AS p1_start,`
			`p1.euid AS p1_euid,`
			`p1.cmdline AS p1_cmd,`
			`p1_hash.sha256 AS p1_sha256,`
			`-- Grandparent`
			`p1.parent AS p2_pid,`
			`p2.name AS p2_name,`
			`p2.start_time AS p2_start,`
			`p2.path AS p2_path,`
			`p2.cmdline AS p2_cmd,`
			`p2_hash.sha256 AS p2_sha256`
			`FROM`
			`processes p0`
			`JOIN yara ON p0.path = yara.path`
			`LEFT JOIN hash p0_hash ON p0.path = p0_hash.path`
			`LEFT JOIN processes p1 ON p0.parent = p1.pid`
			`LEFT JOIN hash p1_hash ON p1.path = p1_hash.path`
			`LEFT JOIN processes p2 ON p1.parent = p2.pid`
			`LEFT JOIN hash p2_hash ON p2.path = p2_hash.path`
			`WHERE`
Optimize YARA process queries by deduping paths 2023-11-02 13:53:26 +00:00			`p0.pid IN (`
			`SELECT`
			`pid`
			`FROM`
			`processes`
			`WHERE`
			`start_time > (strftime('%s', 'now') - 7200)`
			`AND path != ""`
			`GROUP BY`
			`path`
			`)`
fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc 2024-11-18 21:16:52 +00:00			`AND yara.sigrule = '`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`rule redflags {`
			`strings:`
			`$bash_history = ".bash_history"`
			`$google_chrome = "google-chrome"`
			`$cron = "cron"`
			`$dev_shm = "/dev/shm"`
			`$dev_tcp = "/dev/tcp"`
			`$dev_udp = "/dev/udp"`
			`$iptables = "iptables"`
			`$ld_so = "ld.so.conf"`
			`$proc = "/proc"`
			`$sudo = "sudo"`
			`$systemctl = "systemctl"`
			`$useradd = "useradd"`
			`$var_tmp = "/var/tmp"`
			`$var_run = "/var/run"`
			`$dev_mqueue = "/dev/mqueue"`
			`$bin_sh = "/bin/sh"`
			`$pickup = "pickup -l"`
			`$avahi = "avahi-daemon:"`
			`$redhat4 = "Red Hat 4"`
			`condition:`
Overdue False Positive Reduction 2024-03-29 14:12:36 +00:00			`filesize < 25MB and 5 of them`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`}'`
			`AND yara.count > 0`
			`AND p0.name NOT IN (`
			`'chrome_crashpad',`
			`'X',`
Overdue False Positive Reduction 2024-03-29 14:12:36 +00:00			`'emacs',`
fpr: Elastic, IR, Velociraptor, BitDefender, incus, Adguard 2024-02-16 22:14:11 +00:00			`'git',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'systemd',`
			`'NetworkManager',`
			`'systemd-journal',`
			`'Xorg',`
			`'slirp4netns',`
			`'nacl_helper'`
			`)`
			`AND p0.path NOT LIKE '%/google/chrome/%'`
			`AND p0.path NOT LIKE '%/chrome_crashpad_handler'`
			`AND p0.path NOT LIKE '/nix/store/%/bin/%'`
			`AND p0.path NOT LIKE '/nix/store/%/libexec/%'`
fpr: aws, java, arch, cody, google, wireshark, etc 2023-10-31 15:40:10 +00:00			`AND p0.path NOT LIKE '/usr/local/aws-cli/%/aws'`
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 15:45:27 +00:00			`AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`AND p0.path NOT IN (`
fpr: Kolide, qemu, bash, monday, macOS 2023-10-24 22:01:36 +00:00			`'/bin/bash',`
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 17:42:22 +00:00			`'/bin/containerd-shim-runc-v2',`
			`'/bin/fish',`
Overdue False Positive Reduction 2024-03-29 14:12:36 +00:00			`'/bin/dash',`
			`'/bin/sh',`
fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc 2024-11-18 21:16:52 +00:00			`'/usr/lib/systemd/systemd-executor',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/bin/bash',`
fpr: snap, mutedeck, idea, Chrome exts 2024-01-18 22:15:37 +00:00			`'/usr/lib/snapd/snapd',`
			`'/usr/bin/snap',`
fpr: Monday, Splunk, Gnome, Git, Grammarly, etc 2023-10-02 15:35:11 +00:00			`'/usr/bin/containerd-shim-runc-v2',`
			`'/usr/bin/docker-proxy',`
			`'/usr/bin/fish',`
Overdue False Positive Reduction 2024-03-29 14:12:36 +00:00			`'/usr/bin/docker',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/bin/gnome-software',`
			`'/usr/bin/gpg-agent',`
			`'/usr/bin/ibus-daemon',`
Reduce false positives on Ubuntu + Lima 2023-09-26 17:09:22 +00:00			`'/usr/bin/make',`
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 15:45:27 +00:00			`'/usr/bin/NetworkManager',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/bin/nvidia-persistenced',`
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 17:42:22 +00:00			`'/usr/bin/nvim',`
Add exceptions for Elastic Defend 2024-01-08 22:18:25 +00:00			`'/opt/Elastic/Endpoint/elastic-endpoint',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/bin/pulseaudio',`
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 17:42:22 +00:00			`'/usr/bin/sshd',`
			`'/usr/bin/sudo',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/bin/udevadm',`
			`'/usr/bin/update-notifier',`
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 15:45:27 +00:00			`'/usr/bin/Xwayland',`
fpr: containerd, hyper, Docker, Chromium, spotify, busycal 2023-10-02 20:11:44 +00:00			`'/usr/lib/bluetooth/bluetoothd',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/lib/bluetooth/obexd',`
			`'/usr/libexec/accounts-daemon',`
			`'/usr/libexec/bluetooth/bluetoothd',`
			`'/usr/libexec/bluetooth/obexd',`
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 17:42:22 +00:00			`'/usr/libexec/flatpak-system-helper',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/libexec/sssd/sssd_kcm',`
			`'/usr/libexec/xdg-desktop-portal',`
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 15:45:27 +00:00			`'/usr/lib/systemd/systemd',`
			`'/usr/lib/systemd/systemd-journald',`
			`'/usr/lib/systemd/systemd-machined',`
fpr: rootlesskit, sshd, Fedora, Oracle Linux 2023-10-25 17:42:22 +00:00			`'/usr/local/bin/rootlesskit',`
fpr: Monday, Splunk, Gnome, Git, Grammarly, etc 2023-10-02 15:35:11 +00:00			`'/usr/local/kolide-k2/bin/launcher',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/sbin/acpid',`
			`'/usr/sbin/auditd',`
			`'/usr/sbin/cron',`
fpr: Monday, Splunk, Gnome, Git, Grammarly, etc 2023-10-02 15:35:11 +00:00			`'/usr/sbin/crond',`
			`'/usr/sbin/gdm',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/sbin/gssproxy',`
			`'/usr/sbin/mcelog',`
Fix vpl, kolide exceptions, increase timeouts for yara 2023-10-02 15:45:27 +00:00			`'/usr/sbin/NetworkManager',`
YARA rules everywhere! 2023-09-20 21:03:21 +00:00			`'/usr/sbin/rsyslogd',`
			`'/usr/sbin/smartd'`
fpr: containerd, hyper, Docker, Chromium, spotify, busycal 2023-10-02 20:11:44 +00:00			`)`