osquery-defense-kit/detection/execution/unexpected-chmod-exec-event.sql

79 lines
2.7 KiB
MySQL
Raw Normal View History

-- Things that call chmod to set executable permissions
--
-- references:
-- * https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
--
-- false positives:
-- * loads of them
--
-- tags: transient process events
-- platform: linux
-- interval: 300
SELECT
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
pe.cwd AS p0_cwd,
pe.pid AS p0_pid,
p.cgroup_path AS p0_cgroup,
-- Parent
pe.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.path, pe1.path) AS p1_path,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
-- Grandparent
COALESCE(p1.parent, pe1.parent) AS p2_pid,
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
TRIM(
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
) AS p2_cmd,
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(
p1_p2_hash.path,
pe1_p2_hash.path,
pe1_pe2_hash.path
) AS p2_hash,
REGEX_MATCH (
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
'.*/(.*)',
1
) AS p2_name,
-- Exception key
REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
'.*/(.*)',
1
) AS exception_key
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
AND pe1.cmdline != ''
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
-- Grandparents (via 3 paths)
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE
pe.time > (strftime('%s', 'now') -300)
AND (
pe.cmdline LIKE '%chmod%777%'
OR pe.cmdline LIKE '%chmod%700%'
OR pe.cmdline LIKE '%chmod%755%'
OR pe.cmdline LIKE '%chmod +rwx%'
OR pe.cmdline LIKE '%chmod +x%'
OR pe.cmdline LIKE '%chmod u+x%'
)
AND p0_cmd NOT LIKE 'chmod 777 /app/%'
AND p0_cmd != 'chmod 0777 /Users/Shared/logitune'
GROUP BY p0_pid