osquery-defense-kit/detection/execution/unexpected-env-values-macos.sql

-- Applications setting environment variables to bypass security protections
--
-- Inpsired by BPFdoor and other intrusions
-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
--
-- WARNING: This query is known to require a higher than average wall time.
--
-- tags: transient state rapid
-- platform: macos
SELECT
  key,
  value,
  p.pid,
  p.path,
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
FROM
  process_envs pe
  LEFT JOIN processes p ON pe.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE
  (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/Users/%/.%_history'
  )
  OR (
    key = 'LD_PRELOAD'
    AND NOT p.path LIKE '%/firefox'
    AND NOT pe.value = 'libfakeroot.so'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
  )
  OR (
    key = 'DYLD_INSERT_LIBRARIES' -- actively exploited on programs which disable library security
  )
  OR (
    key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers
  )
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Applications setting environment variables to bypass security protections`
			`--`
Just about done 2022-09-08 21:58:56 +00:00			`-- Inpsired by BPFdoor and other intrusions`
			`-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- WARNING: This query is known to require a higher than average wall time.`
			`--`
Use 'rapid' instead of 'continous' for tagging 2022-10-17 12:43:29 +00:00			`-- tags: transient state rapid`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- platform: macos`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`key,`
			`value,`
			`p.pid,`
			`p.path,`
			`p.cmdline,`
			`p.parent AS parent_pid,`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`pp.cmdline AS parent_cmd`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`FROM`
			`process_envs pe`
			`LEFT JOIN processes p ON pe.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`WHERE`
			`(`
			`key = 'HISTFILE'`
			`AND NOT VALUE LIKE '/Users/%/.%_history'`
			`)`
			`OR (`
			`key = 'LD_PRELOAD'`
			`AND NOT p.path LIKE '%/firefox'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND NOT pe.value = 'libfakeroot.so'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT pe.value LIKE 'libmozsandbox.so%'`
			`)`
			`OR (`
Remove more false positives, add more detail to sensitive file access 2022-10-05 20:15:40 +00:00			`key = 'DYLD_INSERT_LIBRARIES' -- actively exploited on programs which disable library security`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
			`OR (`
			`key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers`
			`)`