131 lines
3.6 KiB
MySQL
131 lines
3.6 KiB
MySQL
|
-- Pick out exotic processes based on their command-line (state-based)
|
||
|
--
|
||
|
-- false positives:
|
||
|
-- * possible, but none known
|
||
|
--
|
||
|
-- tags: transient process state
|
||
|
-- platform: darwin
|
||
|
SELECT
|
||
|
s.authority AS p0_auth,
|
||
|
s.identifier AS p0_id,
|
||
|
DATETIME(f.ctime, 'unixepoch') AS p0_changed,
|
||
|
DATETIME(f.mtime, 'unixepoch') AS p0_modified,
|
||
|
(strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
|
||
|
-- Child
|
||
|
p0.path AS p0_path,
|
||
|
p0.name AS p0_name,
|
||
|
p0.cmdline AS p0_cmd,
|
||
|
p0.cwd AS p0_cwd,
|
||
|
p0.cgroup_path AS p0_cgroup,
|
||
|
p0.euid AS p0_euid,
|
||
|
p0_hash.sha256 AS p0_sha256,
|
||
|
-- Parent
|
||
|
p0.parent AS p1_pid,
|
||
|
p1.path AS p1_path,
|
||
|
p1.name AS p1_name,
|
||
|
p1_f.mode AS p1_mode,
|
||
|
p1.euid AS p1_euid,
|
||
|
p1.cmdline AS p1_cmd,
|
||
|
p1_hash.sha256 AS p1_sha256,
|
||
|
-- Grandparent
|
||
|
p1.parent AS p2_pid,
|
||
|
p2.name AS p2_name,
|
||
|
p2.path AS p2_path,
|
||
|
p2.cmdline AS p2_cmd,
|
||
|
p2_hash.sha256 AS p2_sha256
|
||
|
FROM
|
||
|
processes p0
|
||
|
LEFT JOIN file f ON p0.path = f.path
|
||
|
LEFT JOIN signature s ON p0.path = s.path
|
||
|
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||
|
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||
|
LEFT JOIN file p1_f ON p1.path = p1_f.path
|
||
|
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||
|
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||
|
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||
|
WHERE
|
||
|
-- Known attack scripts
|
||
|
p0.name IN (
|
||
|
'bitspin',
|
||
|
'bpftool',
|
||
|
'heyoka',
|
||
|
'nstx',
|
||
|
'dnscat2',
|
||
|
'tuns',
|
||
|
'iodine',
|
||
|
'esxcli',
|
||
|
'vim-cmd',
|
||
|
'minerd',
|
||
|
'cpuminer-multi',
|
||
|
'cpuminer',
|
||
|
'httpdns',
|
||
|
'rshell',
|
||
|
'rsh',
|
||
|
'xmrig',
|
||
|
'incbit',
|
||
|
'insmod',
|
||
|
'kmod',
|
||
|
'lushput',
|
||
|
'mkfifo',
|
||
|
'msfvenom',
|
||
|
'nc',
|
||
|
'socat'
|
||
|
)
|
||
|
OR p0.name LIKE '%pwn%'
|
||
|
OR p0.name LIKE '%xig%'
|
||
|
OR p0.name LIKE '%xmr%'
|
||
|
OR p0.cmdline LIKE '%bitspin%'
|
||
|
OR p0.cmdline LIKE '%lushput%'
|
||
|
OR p0.cmdline LIKE '%incbit%'
|
||
|
OR p0.cmdline LIKE '%traitor%'
|
||
|
OR p0.cmdline LIKE '%msfvenom%'
|
||
|
-- Unusual behaviors
|
||
|
OR p0.cmdline LIKE '%chattr -ia%'
|
||
|
OR p0.cmdline LIKE '%chflags uchg%'
|
||
|
OR p0.cmdline LIKE '%chmod 777 %'
|
||
|
OR p0.cmdline LIKE '%touch%acmr%'
|
||
|
OR p0.cmdline LIKE '%urllib.urlopen%'
|
||
|
OR p0.cmdline LIKE '%launchctl load%'
|
||
|
OR p0.cmdline LIKE '%launchctl bootout%'
|
||
|
OR p0.cmdline LIKE '%nohup%tmp%'
|
||
|
OR p0.cmdline LIKE '%set visible of front window to false%'
|
||
|
OR p0.cmdline LIKE '%chrome%--load-extension%'
|
||
|
OR (
|
||
|
p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
|
||
|
AND NOT p1.name = 'limactl'
|
||
|
)
|
||
|
-- Crypto miners
|
||
|
OR p0.cmdline LIKE '%c3pool%'
|
||
|
OR p0.cmdline LIKE '%cryptonight%'
|
||
|
OR p0.cmdline LIKE '%f2pool%'
|
||
|
OR p0.cmdline LIKE '%hashrate%'
|
||
|
OR p0.cmdline LIKE '%hashvault%'
|
||
|
OR p0.cmdline LIKE '%minerd%'
|
||
|
OR p0.cmdline LIKE '%monero%'
|
||
|
OR p0.cmdline LIKE '%nanopool%'
|
||
|
OR p0.cmdline LIKE '%nicehash%'
|
||
|
OR p0.cmdline LIKE '%stratum%'
|
||
|
-- Random keywords
|
||
|
OR p0.cmdline LIKE '%ransom%'
|
||
|
OR p0.cmdline LIKE '%malware%'
|
||
|
OR p0.cmdline LIKE '%plant%'
|
||
|
-- Reverse shells
|
||
|
OR p0.cmdline LIKE '%fsockopen%'
|
||
|
OR p0.cmdline LIKE '%openssl%quiet%'
|
||
|
OR p0.cmdline LIKE '%pty.spawn%'
|
||
|
OR (
|
||
|
p0.cmdline LIKE '%sh -i'
|
||
|
AND NOT p0.path = '/usr/bin/docker'
|
||
|
AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
|
||
|
AND NOT p1.cmdline LIKE '%pipenv shell'
|
||
|
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
||
|
)
|
||
|
OR p0.cmdline LIKE '%socat%'
|
||
|
OR p0.cmdline LIKE '%SOCK_STREAM%'
|
||
|
OR INSTR(p0.cmdline, '%Socket.%') > 0
|
||
|
-- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
|
||
|
OR (
|
||
|
p0.cmdline LIKE '%tail -f /dev/null%'
|
||
|
AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
|
||
|
)
|
||
|
AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
|