Merge pull request #122 from tstromberg/bugfixesJan13

Various query bugfixes from the 2022 macOS malware audit

detection/evasion/hidden-executable.sql

@@ -29,6 +29,7 @@ WHERE
   (
     p.name LIKE '.%'
     OR f.filename LIKE '.%'
+    OR f.directory LIKE '.%'
   )
   AND NOT f.path LIKE '/nix/store/%/%-wrapped'
   AND NOT (

detection/execution/exotic-command-events-linux.sql

@@ -77,7 +77,7 @@ WHERE
     OR cmd LIKE '%iptables -P % ACCEPT%'
     OR cmd LIKE '%iptables -F%'
     OR cmd LIKE '%chattr -ia%'
-    OR cmd LIKE '%chmod 777 %'
+    OR cmd LIKE '%chmod %777 %'
     OR (
       INSTR(cmd, 'history') > 0
       AND cmd LIKE '%history'

detection/execution/exotic-command-events-macos.sql

@@ -69,7 +69,7 @@ WHERE
     OR basename LIKE '%pwn%'
     OR basename LIKE '%attack%' -- Unusual behaviors
     OR cmd LIKE '%chattr -ia%'
-    OR cmd LIKE '%chmod 777 %'
+    OR cmd LIKE '%chmod%777 %'
     OR cmd LIKE '%touch%acmr%'
     OR cmd LIKE '%touch -r%'
     OR cmd LIKE '%ld.so.preload%'
@@ -93,6 +93,8 @@ WHERE
     )
     OR cmd LIKE '%echo%|%base64 --decode %|%'
     OR cmd LIKE '%launchctl list%'
+    OR cmd LIKE '%launchctl load%'
+    OR cmd LIKE '%chflags uchg%'
     OR (
       cmd LIKE '%UserKnownHostsFile=/dev/null%'
       AND NOT parent_name = 'limactl'

detection/execution/exotic-commands.sql

@@ -66,11 +66,14 @@ WHERE
   OR cmd LIKE '%iptables -P % ACCEPT%'
   OR cmd LIKE '%iptables -F%'
   OR cmd LIKE '%chattr -ia%'
+  OR cmd LIKE '%chflags uchg%'
   OR cmd LIKE '%chmod 777 %'
   OR cmd LIKE '%bpftool%'
   OR cmd LIKE '%touch%acmr%'
   OR cmd LIKE '%ld.so.preload%'
   OR cmd LIKE '%urllib.urlopen%'
+  OR cmd LIKE '%launchctl list%'
+  OR cmd LIKE '%launchctl load%'
   OR cmd LIKE '%nohup%tmp%'
   OR cmd LIKE '%set visible of front window to false%'
   OR cmd LIKE '%chrome%--load-extension%'
@@ -108,3 +111,5 @@ WHERE
   OR cmd LIKE '%socat%'
   OR cmd LIKE '%SOCK_STREAM%'
   OR INSTR(cmd, '%Socket.%') > 0
+  -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
+  OR cmd LIKE '%tail -f /dev/null%'

detection/execution/sketchy-fetcher-events.sql

@@ -10,10 +10,11 @@
 SELECT
   pe.pid,
   pe.cmdline,
-  REGEX_MATCH (pe.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_ip,
-  REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS remote_port,
-  REGEX_MATCH (pe.cmdline, '/(\w+[\.-]\w+)[:/]', 1) AS remote_addr,
-  REGEX_MATCH (pe.cmdline, '\.(\w+)[:/]', 1) AS remote_tld,
+  REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
+  REGEX_MATCH (pe.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
+  REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port,
+  REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
+  REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
   pe.cwd,
   pe.euid,
   pe.parent,
@@ -36,14 +37,14 @@ WHERE
   pe.time > (strftime('%s', 'now') -60)
   -- NOTE: Sync remaining portion with sketchy-fetchers
   AND (
-    INSTR(p.cmdline, 'wget ') > 0
-    OR INSTR(p.cmdline, 'curl ') > 0
+    INSTR(pe.cmdline, 'wget ') > 0
+    OR INSTR(pe.cmdline, 'curl ') > 0
   )
   AND (
     -- If it's an IP or port, it's suspicious
-    remote_ip NOT IN ('', '127.0.0.1', '::1')
-    OR remote_port != ''
-    OR remote_tld NOT IN (
+    ip NOT IN ('', '127.0.0.1', '::1')
+    OR port != ''
+    OR tld NOT IN (
       '',
       'app',
       'ca',
@@ -73,6 +74,7 @@ WHERE
     OR pe.cmdline LIKE '%curl %--user-agent%'
     OR pe.cmdline LIKE '%curl -k%'
     OR pe.cmdline LIKE '%curl -sL %'
+    OR pe.cmdline LIKE '%curl%-o-%'
     OR pe.cmdline LIKE '%curl%--connect-timeout%'
     OR pe.cmdline LIKE '%curl%--output /dev/null%'
     OR pe.cmdline LIKE '%curl%--O /dev/null%'
@@ -80,6 +82,7 @@ WHERE
     OR pe.cmdline LIKE '%wget %--user-agent%'
     OR pe.cmdline LIKE '%wget %--no-check-certificate%'
     OR pe.cmdline LIKE '%wget -nc%'
+    OR pe.cmdline LIKE '%wget -q%'
     OR pe.cmdline LIKE '%wget -t%'
     -- Or anything launched by a system user
     OR (
@@ -124,4 +127,10 @@ WHERE
     )
   )
   -- These are typically curl -k calls
-  AND remote_addr NOT IN ('releases.hashicorp.com', 'github.com')
+  -- We need the addr "IS NOT NULL" to avoid filtering out
+  -- NULL entries
+  AND NOT (
+    addr IS NOT NULL
+    AND addr IN ('releases.hashicorp.com', 'github.com')
+  )
+

detection/execution/sketchy-fetcher.sql

@@ -11,10 +11,11 @@ SELECT
   p.path,
   p.name,
   p.cmdline,
-  REGEX_MATCH (p.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_ip,
-  REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS remote_port,
-  REGEX_MATCH (p.cmdline, '/(\w+[\.-]\w+)[:/]', 1) AS remote_addr,
-  REGEX_MATCH (p.cmdline, '\.(\w+)[:/]', 1) AS remote_tld,
+  REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
+  REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
+  REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port,
+  REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
+  REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
   p.cwd,
   p.euid,
   p.parent,
@@ -39,9 +40,9 @@ WHERE
     OR INSTR(p.cmdline, 'curl ') > 0
   )
   AND (
-    remote_ip NOT IN ('', '127.0.0.1', '::1')
-    OR remote_port != ''
-    OR remote_tld NOT IN (
+    ip NOT IN ('', '127.0.0.1', '::1')
+    OR port != ''
+    OR tld NOT IN (
       '',
       'app',
       'ca',
@@ -69,12 +70,14 @@ WHERE
     OR p.cmdline LIKE '%curl %--user-agent%'
     OR p.cmdline LIKE '%curl -k%'
     OR p.cmdline LIKE '%curl -sL %'
+    OR p.cmdline LIKE '%curl%-o-%'
     OR p.cmdline LIKE '%curl%--insecure%'
     OR p.cmdline LIKE '%wget %--user-agent%'
     OR p.cmdline LIKE '%wget %--no-check-certificate%'
     OR p.cmdline LIKE '%curl%--connect-timeout%'
     OR p.cmdline LIKE '%wget -nc%'
     OR p.cmdline LIKE '%wget -t%'
+    OR p.cmdline LIKE '%wget -q%'
     OR (
       p.cmdline LIKE '%wget %'
       AND p.euid < 500
@@ -121,4 +124,9 @@ WHERE
     )
   )
   -- These are typically curl -k calls
-  AND remote_addr NOT IN ('releases.hashicorp.com', 'github.com')
+  -- We need the addr "IS NOT NULL" to avoid filtering out
+  -- NULL entries
+  AND NOT (
+    addr IS NOT NULL
+    AND addr IN ('releases.hashicorp.com', 'github.com')
+  )

detection/execution/unexpected-execdir-events-macos.sql

@@ -130,7 +130,7 @@ WHERE
     '~/google-cloud-sdk/',
     '~/homebrew/',
     '~/.kuberlr/',
-    '~/Library/',
+   --  '~/Library/',
     '~/.gradle/',
     '~/.local/',
     '~/Parallels/',
@@ -145,7 +145,6 @@ WHERE
     '~/.vscode/',
     '~/.vs-kubernetes/'
   )
-  AND top_dir NOT LIKE '~/%packages/'
   -- Locally built executables
   AND NOT (
     signature.identifier = 'a.out'
@@ -177,6 +176,7 @@ WHERE
   AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
   AND homedir NOT LIKE '~/%/node_modules/.pnpm/%'
   AND homedir NOT LIKE '~/%repo%'
+  AND homedir NOT LIKE '~/.local/%/packages/%'
   AND homedir NOT LIKE '~/%sigstore%'
   AND homedir NOT LIKE '~/%/bin'
   AND signature.authority NOT IN (

detection/execution/unexpected-execdir-macos.sql

@@ -119,8 +119,10 @@ WHERE
     '~/google-cloud-sdk/',
     '~/homebrew/',
     '~/.kuberlr/',
-    '~/Library/',
-    '~/.local/',
+    -- Abused by KeySteal
+    -- '~/Library/',
+    -- Abused by DazzleSpy, use a more specific place
+    -- '~/.local/',
     '~/Parallels/',
     '~/proj/',
     '~/projects/',
@@ -156,6 +158,8 @@ WHERE
   AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
   AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
   AND homedir NOT LIKE '~/%/node_modules/.pnpm/%'
+  AND homedir NOT LIKE '~/.local/%/packages/%'
+
   -- Allow these anywhere (put last because it's slow to query signatures)
   AND signature.authority NOT IN (
     'Apple iPhone OS Application Signing',

detection/execution/unexpected-gatekeeper-approvals-macos.sql

@@ -31,6 +31,8 @@ WHERE
   AND gap.path NOT LIKE '/usr/local/bin/%'
   AND gap.path NOT LIKE '/Users/%/%-darwin-amd64'
   AND gap.path NOT LIKE '/Users/%/%-darwin-arm64'
+  AND gap.path NOT LIKE '/Users/%/%_darwin_amd64'
+  AND gap.path NOT LIKE '/Users/%/%_darwin_arm64'
   AND gap.path NOT LIKE '/Users/%/configure'
   AND gap.path NOT LIKE '/Users/%/trivy'
 GROUP BY

detection/execution/unexpected-osascript-calls.sql

@@ -60,7 +60,7 @@ WHERE
   pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile')
   AND pe.time > (strftime('%s', 'now') -900)
   AND NOT (
-    p.euid > 500
+    pe.euid > 500
     AND (
       cmd IN ('osascript -e user locale of (get system info)')
       OR cmd LIKE '%"CFBundleName" of property list file (app_path & ":Contents:Info.plist")'

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -27,6 +27,7 @@ WHERE
   (
     mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
     OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
+    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
   )
   AND ea.key = 'where_from'
   AND file.btime > (strftime('%s', 'now') -86400)

detection/initial_access/unexpected-shell-parent-events.sql

@@ -99,8 +99,8 @@ WHERE
       'nvim',
       'package_script_service',
       'perl',
+      -- 'python' - do not include this, or you won't detect supply-chain attacks.
       'PK-Backend',
-      'python',
       'roxterm',
       'sdk',
       'sdzoomplugin',

policy/unusually-long-uptime-likely-missing-patches.sql

@@ -1,4 +1,7 @@
 -- Indicative of a machine that probably needs a reboot for operating-system patches
+--
+-- tags: persistent state
+-- platform: posix
 SELECT
   os_version.name AS os_name,
   os_version.version AS os_version,