Add new spotlight queries to surface unexpected dmg/iso downloads

2022-10-18 08:52:05 -04:00 · 2022-10-18 08:52:05 -04:00 · 0160d05ed3
parent 346309f3d2
commit 0160d05ed3
2 changed files with 196 additions and 0 deletions
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -0,0 +1,136 @@
+-- Surface ISO/DMG disk images that were downloaded from unexpected places
+--
+-- references:
+--   * https://unit42.paloaltonetworks.com/chromeloader-malware/
+--
+-- false positives:
+--   * disk images downloaded from a location not in the exception list
+--
+-- platform: darwin
+-- tags: persistent filesystem spotlight
+SELECT file.path,
+    file.size,
+    datetime(file.btime, 'unixepoch') AS file_created,
+    magic.data,
+    ea.value AS url,
+    REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
+    REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
+FROM mdfind
+    LEFT JOIN file ON mdfind.path = file.path
+    LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+    LEFT JOIN magic ON file.path = magic.path
+WHERE (
+        mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
+        OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
+    )
+    AND ea.key = 'where_from'
+    AND file.btime > (strftime('%s', 'now') -86400)
+    AND domain NOT IN (
+        'adobe.com',
+        'alfredapp.com',
+        'android.com',
+        'apple.com',
+        'download.prss.microsoft.com',
+        'arc.net',
+        'balsamiq.com',
+        'brave.com',
+        'digidesign.com',
+        'digidesign.com',
+        'gaomon.net',
+        'epson.com',
+        'fcix.net',
+        'xtom.com',
+        'gaomon.net',
+        'oracle.com',
+        'akmedia.digidesign.com',
+        'canon.co.uk',
+        'cdn.mozilla.net',
+        'charlesproxy.com',
+        'csclub.uwaterloo.ca',
+        'docker.com',
+        'duckduckgo.com',
+        'eclipse.org',
+        'gimp.org',
+        'github.io',
+        'githubusercontent.com',
+        'grammarly.com',
+        'integodownload.com',
+        'jetbrains.com',
+        'libreoffice.org',
+        'loom.com',
+        'microsoft.com',
+        'minecraft.net',
+        'mirrorservice.org',
+        'mojang.com',
+        'mozilla.org',
+        'mysql.com',
+        'ocf.berkeley.edu',
+        'oobesaas.adobe.com',
+        'osuosl.org',
+        'pqrs.org',
+        'steampowered.com',
+        'c-wss.com',
+        'irccloud.com',
+        'discordapp.net',
+        'getutm.app',
+        'dogado.de',
+        'vc.logitech.com',
+        'steampowered.com',
+        'discord.com',
+        'logitech.com',
+        'skype.com',
+        'remarkable.com',
+        'balena.io',
+        'signal.org',
+        'prusa3d.com',
+        'google.ca',
+        'zsa.io',
+        'slack-edge.com',
+        'tableplus.com',
+        'ubuntu.com',
+        'umd.edu',
+        'virtualbox.org',
+        'warp.dev',
+        'webex.com'
+    )
+    AND host NOT IN (
+        'dl.google.com',
+        'www.google.com',
+        'warp-releases.storage.googleapis.com',
+        'mail.google.com',
+        'github.com',
+        'ubuntu.com',
+        'balsamiq.com',
+        'tableplus.com',
+        'discord.com',
+        'dl.discordapp.net',
+        'obsproject.com',
+        'www.messenger.com',
+        'brave.com',
+        'emacsformacosx.com',
+        'store.steampowered.com',
+        'wavebox.io',
+        'manual.canon',
+        'dygma.com',
+        'duckduckgo.com',
+        'obsidian.md'
+    )
+    -- Yes, these are meant to be fairly broad.
+    AND host NOT LIKE 'download%'
+    AND host NOT LIKE 'cdn%'
+    AND host NOT LIKE '%.edu'
+    AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
+    AND host NOT LIKE '%.org'
+    AND host NOT LIKE 'dl.%'
+    AND host NOT LIKE 'dl-%'
+    AND host NOT LIKE 'mirror%'
+    AND host NOT LIKE 'driver.%'
+    AND host NOT LIKE 'support%'
+    AND host NOT LIKE 'software%'
+    AND host NOT LIKE 'www.google.%'
+    AND host NOT LIKE '%release%.storage.googleapis.com'
+    AND NOT (
+        host LIKE '%.fbcdn.net'
+        AND file.filename LIKE 'Messenger.%.dmg'
+    )
+GROUP BY ea.value
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@ -0,0 +1,60 @@
+-- Surface webmail downloads of an unexpected sort
+--
+-- false positives:
+--   * Files without an extension or extensions not explicitly added to the allow list
+--
+-- platform: darwin
+-- tags: persistent filesystem spotlight
+SELECT file.path,
+    file.size,
+    datetime(file.btime, 'unixepoch') AS file_created,
+    magic.data,
+    hash.sha256,
+    LOWER(
+        REGEX_MATCH(RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
+    ) AS extension
+FROM mdfind
+    LEFT JOIN file ON mdfind.path = file.path
+    LEFT JOIN magic ON file.path = magic.path
+    LEFT JOIN hash ON file.path = hash.path
+WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
+    AND file.btime > (strftime('%s', 'now') -86400)
+    -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
+    AND extension NOT IN (
+        'bz2',
+        'cer',
+        'csv',
+        'doc',
+        'docx',
+        'eml',
+        'gif',
+        'gz',
+        'htm',
+        'html',
+        'icloud',
+        'jpeg',
+        'jpg',
+        'mp3',
+        'mp4',
+        'mpeg',
+        'mpg',
+        'ods',
+        'odt',
+        'pdf',
+        'pem',
+        'pgp',
+        'png',
+        'ppt',
+        'pptx',
+        'pub',
+        'tar',
+        'tif',
+        'tiff',
+        'txt',
+        'wav',
+        'xls',
+        'xlsm',
+        'xlsx',
+        'zip',
+        'zstd'
+    )