osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-linu...

-- Unexpected long-running processes running as root
--
-- false positives:
--   * new software requiring escalated privileges
--
-- references:
--   * https://attack.mitre.org/techniques/T1543/
--
-- tags: persistent process state
-- platform: linux
SELECT
  p.pid,
  p.name,
  p.path,
  p.euid,
  p.gid,
  p.cgroup_path,
  f.ctime,
  f.directory AS dirname,
  p.cmdline,
  p.cgroup_path,
  mnt_namespace,
  hash.sha256,
  pp.path AS parent_path,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmdline
FROM
  processes p
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE
  p.uid = 0
  AND (strftime('%s', 'now') - p.start_time) > 15 -- use osquery as the reference mount namespace
  AND mnt_namespace IN (
    SELECT DISTINCT
      (mnt_namespace)
    FROM
      process_namespaces
      JOIN processes ON processes.pid = process_namespaces.pid
    WHERE
      processes.name IN ('osqueryi', 'osqueryd')
  )
  AND p.path NOT IN (
    '',
    '/sbin/apcupsd',
    '/sbin/mount.ntfs',
    '/usr/bin/abrt-dump-journal-core',
    '/usr/bin/abrt-dump-journal-oops',
    '/usr/bin/abrt-dump-journal-xorg',
    '/usr/bin/anacron',
    '/usr/bin/apcupsd',
    '/usr/bin/bash',
    '/usr/bin/clamscan',
    '/usr/bin/containerd',
    '/usr/bin/containerd-shim-runc-v2',
    '/usr/bin/crond',
    '/usr/bin/dbus-broker',
    '/usr/bin/dbus-broker-launch',
    '/usr/bin/dbus-daemon',
    '/usr/bin/dbus-launch',
    '/usr/bin/dnsmasq',
    '/usr/bin/dockerd',
    '/usr/bin/docker-proxy',
    '/usr/bin/fish',
    '/usr/bin/gdm',
    '/usr/bin/gpg-agent',
    '/usr/bin/journalctl',
    '/usr/bin/lightdm',
    '/usr/bin/osqueryd',
    '/usr/bin/pacman',
    '/usr/bin/sshd',
    '/usr/bin/system76-power',
    '/usr/bin/system76-scheduler',
    '/usr/bin/tailscaled',
    '/usr/bin/touchegg',
    '/usr/bin/vim',
    '/usr/bin/virtlogd',
    '/usr/bin/wpa_supplicant',
    '/usr/bin/xargs',
    '/usr/lib/accountsservice/accounts-daemon',
    '/usr/libexec/accounts-daemon',
    '/usr/libexec/at-spi-bus-launcher',
    '/usr/libexec/dconf-service',
    '/usr/libexec/docker/docker-proxy',
    '/usr/libexec/flatpak-system-helper',
    '/usr/libexec/gdm-session-worker',
    '/usr/libexec/packagekitd',
    '/usr/libexec/polkitd',
    '/usr/libexec/scdaemon',
    '/usr/libexec/snapd/snapd',
    '/usr/libexec/sssd/sssd_kcm',
    '/usr/libexec/udisks2/udisksd',
    '/usr/libexec/xdg-document-portal',
    '/usr/libexec/xdg-permission-store',
    '/usr/lib/flatpak-system-helper',
    '/usr/lib/gdm-session-worker',
    '/usr/lib/snapd/snapd',
    '/usr/lib/software-properties/software-properties-dbus',
    '/usr/lib/systemd/systemd',
    '/usr/lib/systemd/systemd-fsckd',
    '/usr/lib/systemd/systemd-homed',
    '/usr/lib/systemd/systemd-journald',
    '/usr/lib/systemd/systemd-machined',
    '/usr/lib/udisks2/udisksd',
    '/usr/lib/Xorg',
    '/usr/local/kolide-k2/bin/launcher',
    '/usr/local/kolide-k2/bin/osqueryd',
    '/usr/sbin/abrtd',
    '/usr/sbin/abrt-dbus',
    '/usr/sbin/acpid',
    '/usr/sbin/agetty',
    '/usr/sbin/alsactl',
    '/usr/sbin/anacron',
    '/usr/sbin/atd',
    '/usr/sbin/cron',
    '/usr/sbin/crond',
    '/usr/sbin/cups-browsed',
    '/usr/sbin/cupsd',
    '/usr/sbin/dnsmasq',
    '/usr/sbin/gdm',
    '/usr/sbin/gdm3',
    '/usr/sbin/gssproxy',
    '/usr/sbin/mcelog',
    '/usr/sbin/pcscd',
    '/usr/sbin/pwrstatd',
    '/usr/sbin/rsyslogd',
    '/usr/sbin/smartd',
    '/usr/sbin/sshd',
    '/usr/sbin/tailscaled',
    '/usr/sbin/thermald',
    '/usr/sbin/wpa_supplicant',
    '/usr/sbin/zed'
  )
  -- Because I don't want to whitelist all of Python3
  AND p.cmdline NOT IN (
    'xargs logger -s',
    '/usr/bin/xargs',
    '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
    '/usr/bin/python /usr/bin/firewalld --nofork --nopid',
    '/usr/bin/python3 /usr/libexec/blueman-mechanism',
    '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
    '/usr/bin/python3 /usr/lib/pop-transition/service.py',
    '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
    '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
    '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
  )
  AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
  AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
  AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'
  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
  AND p.path NOT LIKE '/nix/store/%/bin/%'
  AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
  AND p.path NOT LIKE '/nix/store/%/libexec/%'
  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
  -- Exclude processes running inside of Docker containers
  AND NOT p.cgroup_path LIKE '/system.slice/docker-%';
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Unexpected long-running processes running as root`
			`--`
			`-- false positives:`
			`-- * new software requiring escalated privileges`
			`--`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1543/`
			`--`
Update interval tags, mostly for persistence 2022-10-14 18:26:49 +00:00			`-- tags: persistent process state`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- platform: linux`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`p.pid,`
			`p.name,`
			`p.path,`
			`p.euid,`
			`p.gid,`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`p.cgroup_path,`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`f.ctime,`
			`f.directory AS dirname,`
			`p.cmdline,`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`p.cgroup_path,`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`mnt_namespace,`
			`hash.sha256,`
Add systemd-fsckd, blueman-mechanism 2022-11-16 15:37:38 +00:00			`pp.path AS parent_path,`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`pp.name AS parent_name,`
			`pp.cmdline AS parent_cmdline`
			`FROM`
			`processes p`
			`LEFT JOIN file f ON p.path = f.path`
			`LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid`
			`LEFT JOIN hash ON p.path = hash.path`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`WHERE`
			`p.uid = 0`
			`AND (strftime('%s', 'now') - p.start_time) > 15 -- use osquery as the reference mount namespace`
			`AND mnt_namespace IN (`
			`SELECT DISTINCT`
			`(mnt_namespace)`
			`FROM`
			`process_namespaces`
			`JOIN processes ON processes.pid = process_namespaces.pid`
			`WHERE`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`processes.name IN ('osqueryi', 'osqueryd')`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`)`
			`AND p.path NOT IN (`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'',`
			`'/sbin/apcupsd',`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`'/sbin/mount.ntfs',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/abrt-dump-journal-core',`
			`'/usr/bin/abrt-dump-journal-oops',`
			`'/usr/bin/abrt-dump-journal-xorg',`
			`'/usr/bin/anacron',`
			`'/usr/bin/apcupsd',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/bin/bash',`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`'/usr/bin/clamscan',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/containerd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/bin/containerd-shim-runc-v2',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/crond',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/bin/dbus-broker',`
			`'/usr/bin/dbus-broker-launch',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'/usr/bin/dbus-daemon',`
			`'/usr/bin/dbus-launch',`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`'/usr/bin/dnsmasq',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/dockerd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/bin/docker-proxy',`
			`'/usr/bin/fish',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/gdm',`
			`'/usr/bin/gpg-agent',`
			`'/usr/bin/journalctl',`
			`'/usr/bin/lightdm',`
			`'/usr/bin/osqueryd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/bin/pacman',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/sshd',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/bin/system76-power',`
			`'/usr/bin/system76-scheduler',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/tailscaled',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/bin/touchegg',`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`'/usr/bin/vim',`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`'/usr/bin/virtlogd',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/wpa_supplicant',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/bin/xargs',`
			`'/usr/lib/accountsservice/accounts-daemon',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/libexec/accounts-daemon',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/libexec/at-spi-bus-launcher',`
			`'/usr/libexec/dconf-service',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/libexec/docker/docker-proxy',`
			`'/usr/libexec/flatpak-system-helper',`
			`'/usr/libexec/gdm-session-worker',`
			`'/usr/libexec/packagekitd',`
			`'/usr/libexec/polkitd',`
			`'/usr/libexec/scdaemon',`
			`'/usr/libexec/snapd/snapd',`
			`'/usr/libexec/sssd/sssd_kcm',`
			`'/usr/libexec/udisks2/udisksd',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'/usr/libexec/xdg-document-portal',`
			`'/usr/libexec/xdg-permission-store',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/lib/flatpak-system-helper',`
			`'/usr/lib/gdm-session-worker',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'/usr/lib/snapd/snapd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/lib/software-properties/software-properties-dbus',`
			`'/usr/lib/systemd/systemd',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/lib/systemd/systemd-fsckd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/lib/systemd/systemd-homed',`
			`'/usr/lib/systemd/systemd-journald',`
			`'/usr/lib/systemd/systemd-machined',`
			`'/usr/lib/udisks2/udisksd',`
			`'/usr/lib/Xorg',`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`'/usr/local/kolide-k2/bin/launcher',`
			`'/usr/local/kolide-k2/bin/osqueryd',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/abrtd',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/sbin/abrt-dbus',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/acpid',`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`'/usr/sbin/agetty',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/alsactl',`
			`'/usr/sbin/anacron',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/sbin/atd',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/cron',`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`'/usr/sbin/crond',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/cups-browsed',`
			`'/usr/sbin/cupsd',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/sbin/dnsmasq',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/gdm',`
			`'/usr/sbin/gdm3',`
			`'/usr/sbin/gssproxy',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/sbin/mcelog',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/pcscd',`
New Years cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 13:50:19 +00:00			`'/usr/sbin/pwrstatd',`
More false positive removal 2023-01-06 21:01:35 +00:00			`'/usr/sbin/rsyslogd',`
			`'/usr/sbin/smartd',`
Post-Thanksgiving false positive flush 2022-11-28 21:06:07 +00:00			`'/usr/sbin/sshd',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/tailscaled',`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`'/usr/sbin/thermald',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/sbin/wpa_supplicant',`
			`'/usr/sbin/zed'`
Janitorial maintenance 2022-10-14 14:18:01 +00:00			`)`
			`-- Because I don't want to whitelist all of Python3`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`AND p.cmdline NOT IN (`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`'xargs logger -s',`
			`'/usr/bin/xargs',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',`
			`'/usr/bin/python /usr/bin/firewalld --nofork --nopid',`
Add systemd-fsckd, blueman-mechanism 2022-11-16 15:37:38 +00:00			`'/usr/bin/python3 /usr/libexec/blueman-mechanism',`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',`
			`'/usr/bin/python3 /usr/lib/pop-transition/service.py',`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',`
New Years cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 13:50:19 +00:00			`'/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',`
			`'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`)`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'`
Add dnf 2022-10-19 18:51:33 +00:00			`AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'`
Simplify macos-execdir, reduce false positives 2022-11-07 15:03:43 +00:00			`AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'`
			`AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'`
			`AND p.path NOT LIKE '/nix/store/%/bin/%'`
			`AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'`
			`AND p.path NOT LIKE '/nix/store/%/libexec/%'`
			`AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`-- Exclude processes running inside of Docker containers`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`AND NOT p.cgroup_path LIKE '/system.slice/docker-%';`