osquery-defense-kit/detection/privesc/unexpected-privilege-escala...

-- Find processes that run with a lower effective UID than their parent (state-based)
--
-- references:
--   * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- related:
--   * unexpected-privilege-escalation-events.sql
--
-- tags: transient rapid state process escalation
-- platform: darwin
SELECT
  p.pid AS child_pid,
  p.path AS child_path,
  p.name AS child_name,
  p.cmdline AS child_cmdline,
  p.euid AS child_euid,
  p.state AS child_state,
  file.mode AS child_mode,
  hash.sha256 AS child_hash,
  p.parent AS parent_pid,
  pp.path AS parent_path,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmdline,
  pp.euid AS parent_euid,
  pfile.mode AS parent_mode,
  phash.sha256 AS parent_hash
FROM
  processes p
  JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file ON p.path = file.path
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN file AS pfile ON pp.path = pfile.path
  LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
  p.euid < p.uid
  AND p.path NOT IN (
    '/bin/ps',
    '/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
    '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
    '/usr/bin/login',
    '/usr/bin/su',
    '/usr/bin/sudo',
    '/usr/bin/top',
    '/usr/local/bin/doas'
  )
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- Find processes that run with a lower effective UID than their parent (state-based)`
More clarity 2022-10-07 16:46:55 +00:00			`--`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)`
			`-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux`
			`--`
			`-- related:`
More clarity 2022-10-07 16:46:55 +00:00			`-- * unexpected-privilege-escalation-events.sql`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`--`
Use 'rapid' instead of 'continous' for tagging 2022-10-17 12:43:29 +00:00			`-- tags: transient rapid state process escalation`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`-- platform: darwin`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`p.pid AS child_pid,`
			`p.path AS child_path,`
			`p.name AS child_name,`
			`p.cmdline AS child_cmdline,`
			`p.euid AS child_euid,`
			`p.state AS child_state,`
			`file.mode AS child_mode,`
			`hash.sha256 AS child_hash,`
			`p.parent AS parent_pid,`
			`pp.path AS parent_path,`
			`pp.name AS parent_name,`
			`pp.cmdline AS parent_cmdline,`
			`pp.euid AS parent_euid,`
			`pfile.mode AS parent_mode,`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`phash.sha256 AS parent_hash`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`FROM`
			`processes p`
			`JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN file ON p.path = file.path`
			`LEFT JOIN hash ON p.path = hash.path`
Fix table joins: hash->phash 2022-10-21 21:38:29 +00:00			`LEFT JOIN file AS pfile ON pp.path = pfile.path`
			`LEFT JOIN hash AS phash ON pp.path = phash.path`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`WHERE`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`p.euid < p.uid`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND p.path NOT IN (`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`'/bin/ps',`
			`'/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`'/usr/bin/login',`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`'/usr/bin/su',`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`'/usr/bin/sudo',`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`'/usr/bin/top',`
			`'/usr/local/bin/doas'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`