From 10a7091e62333ca572fca396ac6a30111dd8ce71 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 13 Oct 2022 18:31:59 -0400
Subject: [PATCH] Decrease exotic-events complexity by splitting & simplifying
---
 ...ts.sql => exotic-command-events-linux.sql} | 36 +-----
 .../execution/exotic-command-events-macos.sql | 117 ++++++++++++++++++
 2 files changed, 123 insertions(+), 30 deletions(-)
 rename detection/execution/{exotic-command-events.sql => exotic-command-events-linux.sql} (77%)
 create mode 100644 detection/execution/exotic-command-events-macos.sql
diff --git a/detection/execution/exotic-command-events.sql b/detection/execution/exotic-command-events-linux.sql
similarity index 77%
rename from detection/execution/exotic-command-events.sql
rename to detection/execution/exotic-command-events-linux.sql
index 2a023b2..48261ee 100644
--- a/detection/execution/exotic-command-events.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -1,5 +1,6 @@
 -- Ported from exotic-commands
 -- Designed for execution every 15 seconds (where the parent may still be around)
+-- interval: 15
 SELECT
 p.pid,
 p.path,
@@ -33,7 +34,6 @@ WHERE
 'bitspin',
 'bpftool',
- 'csrutil',
 'heyoka',
 'nstx',
 'dnscat2',
@@ -43,7 +43,6 @@ WHERE
 'rsh',
 'incbit',
 'insmod',
- 'osascript',
 'kmod',
 'lushput',
 'mkfifo',
@@ -52,7 +51,6 @@ WHERE
 'socat'
 )
 -- Chrome Stealer
- OR cmd LIKE '%set visible of front window to false%'
 OR cmd LIKE '%chrome%-load-extension%'
 -- Known attack scripts
 OR basename LIKE '%pwn%'
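Review bot: After the rename, the header of exotic-command-events-linux.sql still reads only `-- Ported from exotic-commands`; nothing in the file records that it is now the Linux-only variant or that the terms dropped in the following hunks (`csrutil`, `osascript`, `launchctl list`, `killall Terminal`, the `front window` pattern) moved to exotic-command-events-macos.sql, so a maintainer is likely to re-add them here. A line next to the new `-- interval: 15`, such as `-- Linux variant; macOS-only terms live in exotic-command-events-macos.sql`, would prevent that. The SELECT list this hunk opens continues outside the hunk.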
@@ -67,19 +65,15 @@ WHERE
 OR cmd LIKE '%ld.so.preload%'
 OR cmd LIKE '%urllib.urlopen%'
 OR cmd LIKE '%nohup%tmp%'
- OR cmd LIKE '%killall Terminal%'
 OR cmd LIKE '%iptables stop'
 OR cmd LIKE '%systemctl stop firewalld%'
 OR cmd LIKE '%systemctl disable firewalld%'
 OR cmd LIKE '%pkill -f%'
- OR cmd LIKE '%rm -f /var/tmp%'
+ OR cmd LIKE '%rm -f%/tmp%'
 OR cmd LIKE '%rm -rf /boot%'
- OR cmd LIKE '%rm -f /tmp%'
 OR cmd LIKE '%xargs kill -9%'
 OR cmd LIKE '%nohup /bin/bash%'
- OR cmd LIKE '%echo%|%base64 --decode %|%sh%'
- OR cmd LIKE '%echo%|%base64 --decode %|%python%'
- OR cmd LIKE '%launchctl list%'
+ OR cmd LIKE '%echo%|%base64 --decode %|%'
 -- Crypto miners
 OR cmd LIKE '%c3pool%'
 OR cmd LIKE '%cryptonight%'
@@ -104,9 +98,7 @@ WHERE
 OR cmd LIKE '%sh -i'
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
- OR cmd LIKE '%Socket.fork%'
- OR cmd LIKE '%Socket.new%'
- OR cmd LIKE '%socket.socket%'
+ OR cmd LIKE '%Socket.%'
 ) -- Things that could reasonably happen at boot.
 AND NOT (
 p.path IN ('/usr/bin/kmod', '/bin/kmod')
@@ -115,7 +107,7 @@ WHERE
 )
 AND NOT (
 p.path IN ('/usr/bin/kmod', '/bin/kmod')
- AND parent_name IN ('firewalld', 'mkinitramfs', 'systemd')
+ AND parent_name IN ('firewalld', 'mkinitramfs', 'systemd', 'dockerd', 'kube-proxy')
 )
 AND NOT (
 p.path IN ('/usr/bin/kmod', '/bin/kmod')
@@ -125,24 +117,8 @@ WHERE
 p.path = '/usr/bin/mkfifo'
 AND cmd LIKE '%/org.gpgtools.log.%/fifo'
 )
- AND NOT (
- cmd LIKE '%csrutil status'
- AND parent_name IN ('Dropbox')
- )
- -- The source of these commands is still a mystery to me.
- AND NOT (
- cmd IN (
- '/usr/bin/csrutil status',
- '/usr/bin/csrutil report'
- )
- AND p.parent = -1
- )
- AND NOT (
- p.path IN ('/usr/bin/kmod', '/bin/kmod')
- AND parent_name IN ('dockerd', 'kube-proxy')
- )
 AND NOT cmd LIKE '%modprobe -va%'
 AND NOT cmd LIKE 'modprobe -ab%'
 AND NOT cmd LIKE '%modprobe overlay'
 AND NOT cmd LIKE '%modprobe aufs'
- AND NOT cmd IN ('lsmod')
+ AND NOT cmd IN ('lsmod')
\ No newline at end of file
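Review bot: The merged pattern `OR cmd LIKE '%rm -f%/tmp%'` in the first hunk of this line no longer anchors the path to the `rm -f` argument: the inner `%` lets `/tmp` appear anywhere later in the command line, and `/tmp` is also a substring of paths such as `/home/user/tmp/…`, so `rm -f build.log && cd /tmp` or `rm -f ~/tmp/cache` now fire where the two replaced patterns did not. If one pattern is wanted, requiring a space before the path keeps most of the intent with a smaller false-positive surface: `OR cmd LIKE '%rm -f% /tmp/%'` and `OR cmd LIKE '%rm -f% /var/tmp/%'`. The broadened `'%echo%|%base64 --decode %|%'` has the same character but is presumably deliberate, since any pipe target after a decode is the behaviour of interest; the WHERE clause it belongs to starts outside the hunk.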
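Review bot: In the `@@ -104,9 +98,7 @@` hunk, `OR cmd LIKE '%Socket.%'` is much wider than the three patterns it replaces, because SQLite's LIKE is case-insensitive for ASCII by default (which osquery inherits unless case_sensitive_like is set), so it matches `socket.` inside any argument — `websocket.js`, `socket.io`, `socket.py` — rather than the Ruby `Socket.new`/`Socket.fork` and Python `socket.socket` calls. If a single pattern is preferred, tying it to a call keeps it closer to the original intent, e.g. `OR cmd LIKE '%socket.%(%'`; otherwise the three narrower patterns are the safer choice in a rule that is meant to page on hits.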
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
new file mode 100644
index 0000000..0f0b6c4
--- /dev/null
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -0,0 +1,117 @@
+-- Ported from exotic-commands
+-- Designed for execution every 15 seconds (where the parent may still be around)
+
+-- interval: 15
+SELECT
+ p.pid,
+ p.path,
+ REPLACE(
+ p.path,
+ RTRIM(p.path, REPLACE(p.path, '/', '')),
+ ''
+ ) AS basename,
+ -- On macOS there is often a trailing space
+ TRIM(p.cmdline) AS cmd,
+ p.mode,
+ p.cwd,
+ p.euid,
+ p.parent,
+ p.syscall,
+ hash.sha256,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ TRIM(p.cmdline) AS parent_cmd,
+ pp.euid AS parent_euid,
+ phash.sha256 AS parent_sha256
+FROM
+ uptime,
+ process_events p
+ LEFT JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN hash ON p.path = hash.path
+ LEFT JOIN hash AS phash ON pp.path = hash.path
+WHERE
+ p.time > (strftime('%s', 'now') -15)
+ AND (
+ basename IN (
+ 'bitspin',
+ 'bpftool',
+ 'csrutil',
+ 'heyoka',
+ 'nstx',
+ 'dnscat2',
+ 'tuns',
+ 'iodine',
+ 'rshell',
+ 'rsh',
+ 'incbit',
+ 'osascript',
+ 'kmod',
+ 'lushput',
+ 'mkfifo',
+ 'msfvenom',
+ 'nc',
+ 'socat'
+ )
+ -- Chrome Stealer
+ OR cmd LIKE '%set visible of front window to false%'
+ OR cmd LIKE '%chrome%-load-extension%'
+ -- Known attack scripts
+ OR basename LIKE '%pwn%'
+ OR basename LIKE '%attack%'
+ -- Unusual behaviors
+ OR cmd LIKE '%chattr -ia%'
+ OR cmd LIKE '%chmod 777 %'
+ OR cmd LIKE '%touch%acmr%'
+ OR cmd LIKE '%ld.so.preload%'
+ OR cmd LIKE '%urllib.urlopen%'
+ OR cmd LIKE '%nohup%tmp%'
+ OR cmd LIKE '%killall Terminal%'
+ OR cmd LIKE '%iptables stop'
+ OR cmd LIKE '%pkill -f%'
+ OR cmd LIKE '%rm -f /var/tmp%'
+ OR cmd LIKE '%rm -rf /boot%'
+ OR cmd LIKE '%rm -f /tmp%'
+ OR cmd LIKE '%xargs kill -9%'
+ OR cmd LIKE '%nohup /bin/bash%'
+ OR cmd LIKE '%echo%|%base64 --decode %|%'
+ OR cmd LIKE '%launchctl list%'
+ -- Crypto miners
+ OR cmd LIKE '%c3pool%'
+ OR cmd LIKE '%cryptonight%'
+ OR cmd LIKE '%f2pool%'
+ OR cmd LIKE '%hashrate%'
+ OR cmd LIKE '%hashvault%'
+ OR cmd LIKE '%minerd%'
+ OR cmd LIKE '%monero%'
+ OR cmd LIKE '%nanopool%'
+ OR cmd LIKE '%nicehash%'
+ OR cmd LIKE '%stratum%'
+ OR basename LIKE '%xig%'
+ OR basename LIKE '%xmr%'
+ -- Random keywords
+ OR cmd LIKE '%ransom%'
+ -- Reverse shells
+ OR cmd LIKE '%fsockopen%'
+ OR cmd LIKE '%openssl%quiet%'
+ OR cmd LIKE '%pty.spawn%'
+ OR cmd LIKE '%sh -i'
+ OR cmd LIKE '%socat%'
+ OR cmd LIKE '%SOCK_STREAM%'
+ OR cmd LIKE '%Socket.%'
+ ) -- Things that could reasonably happen at boot.
+ AND NOT (
+ p.path = '/usr/bin/mkfifo'
+ AND cmd LIKE '%/org.gpgtools.log.%/fifo'
+ )
+ AND NOT (
+ cmd LIKE '%csrutil status'
+ AND parent_name IN ('Dropbox')
+ )
+ -- The source of these commands is still a mystery to me.
+ AND NOT (
+ cmd IN (
+ '/usr/bin/csrutil status',
+ '/usr/bin/csrutil report'
+ )
+ AND p.parent = -1
+ )
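Review bot: Two columns in the new file's SELECT list do not describe the parent they are named for. `LEFT JOIN hash AS phash ON pp.path = hash.path` joins the aliased table with a condition that never mentions `phash`, so `parent_sha256` is not constrained to the parent's path (and `hash` is a path-constrained osquery table, so the unconstrained alias is unlikely to yield rows at all); it should read `LEFT JOIN hash AS phash ON pp.path = phash.path`. Likewise `TRIM(p.cmdline) AS parent_cmd` reads the child's command line and should be `TRIM(pp.cmdline) AS parent_cmd`. Both lines were presumably carried over from exotic-command-events.sql, whose SELECT list is outside the Linux hunks shown, so the same two fixes may be needed there. The `uptime` entry in the FROM list is never referenced in the query; if it is not a deliberate idiom, dropping it removes a cross join.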