osquery-defense-kit/detection/credentials/yara-mounted-stealer.sql

83 lines
2.8 KiB
MySQL
Raw Normal View History

2023-09-20 21:03:21 +00:00
-- Look for sketchy mounted disk images, inspired by Shlayer
--
-- references:
-- * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment)
-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
-- * https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
--
-- tags: volume filesystem
-- platform: darwin
SELECT
RTRIM(file.path, '/') AS f,
file.bsd_flags AS f_flags,
file.gid AS f_gid,
file.mode AS f_mode,
file.size AS f_size,
file.type AS f_type,
REGEX_MATCH (file.filename, '.*\.(.*?)$', 1) AS f_ext,
file.uid AS f_uid,
hash.sha256 AS f_sha256,
magic.data AS f_data,
mdfind.path AS probable_source,
mdhash.sha256 AS probable_source_sha256,
ea.value AS probable_url,
REGEX_MATCH (file.path, '/Volumes/(.*?)/', 1) AS vol_name,
signature.authority AS s_auth,
signature.identifier AS s_id,
yara.*
FROM
file
JOIN yara ON file.path = yara.path
LEFT JOIN mdfind ON mdfind.query = "kMDItemFSName == '*" || REGEX_MATCH (file.path, '/Volumes/(\w+)', 1) || "*.dmg'"
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
AND ea.key = 'where_from'
LEFT JOIN hash on file.path = hash.path
LEFT JOIN hash mdhash ON mdfind.path = mdhash.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN signature ON file.path = signature.path
WHERE
file.path IN (
SELECT
file.path
FROM
block_devices
JOIN mounts ON mounts.device = block_devices.name
JOIN file ON file.directory = mounts.path
OR file.directory LIKE mounts.path || "/%.app/Contents/MacOS/"
OR file.directory LIKE mounts.path || "/%.app/Contents/Resources/"
OR file.directory LIKE mounts.path || "/%/%.app/Contents/MacOS/"
OR file.directory LIKE mounts.path || "/%/%.app/Contents/Library/LaunchServices"
OR file.directory LIKE mounts.path || "/%/%.app/Contents/Resources/"
WHERE
model = 'Disk Image'
AND parent != ""
AND mounts.path LIKE "/Volumes/%"
-- osquery will traverse symlinks, this prevents following symlinks to /Applications (poorly)
AND file.path NOT LIKE "/Volumes/%/Applications/%"
AND (
file.mode LIKE "%7%"
OR file.mode LIKE "%5%"
OR file.mode LIKE "%1%"
)
AND file.type = "regular"
)
AND magic.data LIKE "%Executable%"
AND yara.sigrule = '
rule stealer {
strings:
$data_stealers = "data_stealers" ascii
$library_keychains = "/Library/Keychains" ascii
$cookies_sqlite = "cookies.sqlite" ascii
$moz_cookies = "moz_cookies" ascii
$operagx = "OperaGX" ascii
$brave_software = "BraveSoftware" ascii
$osascript = "osascript" ascii
$find_generic_password = "find-generic-password" ascii
2023-09-20 21:03:21 +00:00
condition:
2 of them
}'
AND yara.count > 0
GROUP BY
file.path