diff --git a/detection/persistence/suspicious-udev-runner-linux.sql b/detection/persistence/suspicious-udev-runner-linux.sql
new file mode 100644
index 0000000..b6ee5e9
--- /dev/null
+++ b/detection/persistence/suspicious-udev-runner-linux.sql
@@ -0,0 +1,76 @@
+-- Look for sketchy udev entries, inspired by sedexp
+--
+-- references:
+-- * https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+-- * https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+--
+-- tags: volume filesystem
+-- platform: linux
+-- tags: volume filesystem
+SELECT file.path,
+ file.size,
+ file.btime,
+ file.ctime,
+ file.mtime,
+ hash.sha256,
+ yara.*
+FROM file
+ JOIN yara ON file.path = yara.path
+ LEFT JOIN hash ON file.path = hash.path
+WHERE file.path IN (
+ SELECT file.path
+ FROM file
+ WHERE file.path LIKE '/etc/udev/rules.d/%'
+ OR file.path LIKE '/usr/lib/udev/rules.d/%'
+ OR file.path LIKE '/lib/udev/rules.d/%'
+ OR file.path LIKE '/usr/local/lib/udev/rules.d/%'
+ GROUP BY file.inode
+ )
+ AND yara.sigrule = '
+rule udev_memory_device_runner : critical {
+ meta:
+ description = "runs program once built-in memory device is created"
+ strings:
+ $action_add = "ACTION==\"add\""
+ $major = "ENV{MAJOR}==\"1\""
+ $run = "RUN+="
+ condition:
+ all of them
+}
+
+rule udev_at_runner : critical {
+ meta:
+ description = "runs program via at"
+ reference = "https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/"
+ strings:
+ $add = "ACTION==\"add\""
+ $run_at = "RUN+=\"/usr/bin/at "
+ $run_at2 = "RUN+=\"at "
+ condition:
+ $add and any of ($run*)
+}
+
+rule udev_unusual_small_runner : high {
+ meta:
+ description = "small udev entry that runs program based on unusual parameters"
+ strings:
+ $action_run = "RUN+="
+ $not_attrs = "ATTRS{"
+ $not_kernel = "KERNEL=="
+ $not_block = "SUBSYSTEM==\"block\""
+ $not_bridge = "RUN+=\"bridge-network-interface\""
+ condition:
+ filesize < 96 and all of ($action*) and none of ($not*)
+}
+
+rule udev_major_runner : high {
+ meta:
+ description = "runs program once major device number is created, may have false-positives"
+ strings:
+ $action_add = "ACTION==\"add\""
+ $major = "ENV{MAJOR}=="
+ $run = "RUN+="
+ condition:
+ all of them
+}'
+ AND yara.count > 0
\ No newline at end of file
diff --git a/detection/persistence/unexpected-small-udev-entry-linux.sql b/detection/persistence/unexpected-small-udev-entry-linux.sql
deleted file mode 100644
index da702de..0000000
--- a/detection/persistence/unexpected-small-udev-entry-linux.sql
+++ /dev/null
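Review bot: The header repeats `-- tags: volume filesystem` (once before and once after `-- platform: linux`); drop the duplicate, and since `udev_major_runner` is annotated "may have false-positives", carry over a `-- false positives:` section like the one the removed `unexpected-small-udev-entry-linux.sql` had (e.g. `-- * vendor rules that key on ENV{MAJOR}`). The path subquery covers `/etc`, `/usr/lib`, `/lib` and `/usr/local/lib` but not `/run/udev/rules.d/`, which udev(7) lists as a rules directory as well, so a rule file there is never scanned; `OR file.path LIKE '/run/udev/rules.d/%'` closes that gap. The `JOIN yara` on the FROM line is the only bare JOIN in the file and sits next to an explicit `LEFT JOIN hash`; write it as `INNER JOIN yara ON file.path = yara.path` for consistency.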
@@ -1,89 +0,0 @@
--- Unexpected small udev rule entries
---
--- Typically vendor-provided udev rules are more verbose.
---
--- references:
--- * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
--- * https://attack.mitre.org/techniques/T1547/ (Boot or Logon Autostart Execution)
---
--- false positives:
--- * rules installed by 3rd party software
---
--- tags: persistent filesystem state
--- platform: linux
-SELECT
- file.path,
- uid,
- gid,
- mode,
- mtime,
- ctime,
- type,
- size,
- hash.sha256,
- magic.data
-FROM
- file
- LEFT JOIN hash ON file.path = hash.path
- LEFT JOIN magic ON file.path = magic.path
-WHERE
- file.path LIKE '/usr/lib/udev/rules.d/%'
- AND file.size < 180
- AND file.path NOT IN (
- '/usr/lib/udev/rules.d/10-switch.rules',
- '/usr/lib/udev/rules.d/20-crystalhd.rules',
- '/usr/lib/udev/rules.d/30-linksys-ae1200.rules',
- '/usr/lib/udev/rules.d/40-redhat-disable-dell-ir-camera.rules',
- '/usr/lib/udev/rules.d/45-i2c-tools.rules',
- '/usr/lib/udev/rules.d/50-apport.rules',
- '/usr/lib/udev/rules.d/60-bridge-network-interface.rules',
- '/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
- '/usr/lib/udev/rules.d/60-ddcutil.rules',
- '/usr/lib/udev/rules.d/60-drm.rules',
- '/usr/lib/udev/rules.d/60-incus-agent.rules',
- '/usr/lib/udev/rules.d/60-net.rules',
- '/usr/lib/udev/rules.d/60-rfkill.rules',
- '/usr/lib/udev/rules.d/60-sunshine-ublue.rules',
- '/usr/lib/udev/rules.d/61-accelerometer.rules',
- '/usr/lib/udev/rules.d/61-mutter.rules',
- '/usr/lib/udev/rules.d/65-persistent-net-nbft.rules',
- '/usr/lib/udev/rules.d/66-saned.rules',
- '/usr/lib/udev/rules.d/70-hypervfcopy.rules',
- '/usr/lib/udev/rules.d/70-hypervkvp.rules',
- '/usr/lib/udev/rules.d/70-hypervvss.rules',
- '/usr/lib/udev/rules.d/70-rpiboot.rules',
- '/usr/lib/udev/rules.d/70-spice-vdagentd.rules',
- '/usr/lib/udev/rules.d/70-spice-webdavd.rules',
- '/usr/lib/udev/rules.d/70-titan-key.rules',
- '/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules',
- '/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules',
- '/usr/lib/udev/rules.d/71-betop-controllers.rules',
- '/usr/lib/udev/rules.d/71-nacon-controllers.rules',
- '/usr/lib/udev/rules.d/71-pid_codes-controllers.rules',
- '/usr/lib/udev/rules.d/71-sony-vr.rules',
- '/usr/lib/udev/rules.d/72-intel-mipi-ipu6-camera.rules',
- '/usr/lib/udev/rules.d/75-davincipanel.rules',
- '/usr/lib/udev/rules.d/75-probe_mtd.rules',
- '/usr/lib/udev/rules.d/75-sdx.rules',
- '/usr/lib/udev/rules.d/51-ocfs2.rules',
- '/usr/lib/udev/rules.d/81-kvm-rhel.rules',
- '/usr/lib/udev/rules.d/85-hdparm.rules',
- '/usr/lib/udev/rules.d/85-regulatory.rules',
- '/usr/lib/udev/rules.d/88-neutron_hifi_dac.rules',
- '/usr/lib/udev/rules.d/90-daxctl-device.rules',
- '/usr/lib/udev/rules.d/90-rdma-umad.rules',
- '/usr/lib/udev/rules.d/90-usb-microbit.rules',
- '/usr/lib/udev/rules.d/90-wireshark-usbmon.rules',
- '/usr/lib/udev/rules.d/91-drm-modeset.rules',
- '/usr/lib/udev/rules.d/92-viia.rules',
- '/usr/lib/udev/rules.d/95-udev-late.rules',
- '/usr/lib/udev/rules.d/96-e2scrub.rules',
- '/usr/lib/udev/rules.d/99-BlackmagicDevices.rules',
- '/usr/lib/udev/rules.d/99-DavinciPanel.rules',
- '/usr/lib/udev/rules.d/99-fuse3.rules',
- '/usr/lib/udev/rules.d/99-fuse.rules',
- '/usr/lib/udev/rules.d/99-libsane1.rules',
- '/usr/lib/udev/rules.d/99-lxd-agent.rules',
- '/usr/lib/udev/rules.d/99-nfs.rules',
- '/usr/lib/udev/rules.d/99-qemu-guest-agent.rules'
- )