Decrease exotic-events complexity by splitting & simplifying

This commit is contained in:
Thomas Stromberg 2022-10-13 18:31:59 -04:00
parent 1fb2b694bb
commit 10a7091e62
Failed to extract signature
2 changed files with 123 additions and 30 deletions

View File

@ -1,5 +1,6 @@
-- Ported from exotic-commands
-- Designed for execution every 15 seconds (where the parent may still be around)
-- interval: 15
SELECT
p.pid,
p.path,
@ -33,7 +34,6 @@ WHERE
basename IN (
'bitspin',
'bpftool',
'csrutil',
'heyoka',
'nstx',
'dnscat2',
@ -43,7 +43,6 @@ WHERE
'rsh',
'incbit',
'insmod',
'osascript',
'kmod',
'lushput',
'mkfifo',
@ -52,7 +51,6 @@ WHERE
'socat'
)
-- Chrome Stealer
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%-load-extension%'
-- Known attack scripts
OR basename LIKE '%pwn%'
@ -67,19 +65,15 @@ WHERE
OR cmd LIKE '%ld.so.preload%'
OR cmd LIKE '%urllib.urlopen%'
OR cmd LIKE '%nohup%tmp%'
OR cmd LIKE '%killall Terminal%'
OR cmd LIKE '%iptables stop'
OR cmd LIKE '%systemctl stop firewalld%'
OR cmd LIKE '%systemctl disable firewalld%'
OR cmd LIKE '%pkill -f%'
OR cmd LIKE '%rm -f /var/tmp%'
OR cmd LIKE '%rm -f%/tmp%'
OR cmd LIKE '%rm -rf /boot%'
OR cmd LIKE '%rm -f /tmp%'
OR cmd LIKE '%xargs kill -9%'
OR cmd LIKE '%nohup /bin/bash%'
OR cmd LIKE '%echo%|%base64 --decode %|%sh%'
OR cmd LIKE '%echo%|%base64 --decode %|%python%'
OR cmd LIKE '%launchctl list%'
OR cmd LIKE '%echo%|%base64 --decode %|%'
-- Crypto miners
OR cmd LIKE '%c3pool%'
OR cmd LIKE '%cryptonight%'
@ -104,9 +98,7 @@ WHERE
OR cmd LIKE '%sh -i'
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR cmd LIKE '%Socket.fork%'
OR cmd LIKE '%Socket.new%'
OR cmd LIKE '%socket.socket%'
OR cmd LIKE '%Socket.%'
) -- Things that could reasonably happen at boot.
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
@ -115,7 +107,7 @@ WHERE
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_name IN ('firewalld', 'mkinitramfs', 'systemd')
AND parent_name IN ('firewalld', 'mkinitramfs', 'systemd', 'dockerd', 'kube-proxy')
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
@ -125,22 +117,6 @@ WHERE
p.path = '/usr/bin/mkfifo'
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
)
AND NOT (
cmd LIKE '%csrutil status'
AND parent_name IN ('Dropbox')
)
-- The source of these commands is still a mystery to me.
AND NOT (
cmd IN (
'/usr/bin/csrutil status',
'/usr/bin/csrutil report'
)
AND p.parent = -1
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_name IN ('dockerd', 'kube-proxy')
)
AND NOT cmd LIKE '%modprobe -va%'
AND NOT cmd LIKE 'modprobe -ab%'
AND NOT cmd LIKE '%modprobe overlay'

View File

@ -0,0 +1,117 @@
-- Ported from exotic-commands
-- Designed for execution every 15 seconds (where the parent may still be around)
-- interval: 15
SELECT
p.pid,
p.path,
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
) AS basename,
-- On macOS there is often a trailing space
TRIM(p.cmdline) AS cmd,
p.mode,
p.cwd,
p.euid,
p.parent,
p.syscall,
hash.sha256,
pp.path AS parent_path,
pp.name AS parent_name,
TRIM(p.cmdline) AS parent_cmd,
pp.euid AS parent_euid,
phash.sha256 AS parent_sha256
FROM
uptime,
process_events p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash AS phash ON pp.path = hash.path
WHERE
p.time > (strftime('%s', 'now') -15)
AND (
basename IN (
'bitspin',
'bpftool',
'csrutil',
'heyoka',
'nstx',
'dnscat2',
'tuns',
'iodine',
'rshell',
'rsh',
'incbit',
'osascript',
'kmod',
'lushput',
'mkfifo',
'msfvenom',
'nc',
'socat'
)
-- Chrome Stealer
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%-load-extension%'
-- Known attack scripts
OR basename LIKE '%pwn%'
OR basename LIKE '%attack%'
-- Unusual behaviors
OR cmd LIKE '%chattr -ia%'
OR cmd LIKE '%chmod 777 %'
OR cmd LIKE '%touch%acmr%'
OR cmd LIKE '%ld.so.preload%'
OR cmd LIKE '%urllib.urlopen%'
OR cmd LIKE '%nohup%tmp%'
OR cmd LIKE '%killall Terminal%'
OR cmd LIKE '%iptables stop'
OR cmd LIKE '%pkill -f%'
OR cmd LIKE '%rm -f /var/tmp%'
OR cmd LIKE '%rm -rf /boot%'
OR cmd LIKE '%rm -f /tmp%'
OR cmd LIKE '%xargs kill -9%'
OR cmd LIKE '%nohup /bin/bash%'
OR cmd LIKE '%echo%|%base64 --decode %|%'
OR cmd LIKE '%launchctl list%'
-- Crypto miners
OR cmd LIKE '%c3pool%'
OR cmd LIKE '%cryptonight%'
OR cmd LIKE '%f2pool%'
OR cmd LIKE '%hashrate%'
OR cmd LIKE '%hashvault%'
OR cmd LIKE '%minerd%'
OR cmd LIKE '%monero%'
OR cmd LIKE '%nanopool%'
OR cmd LIKE '%nicehash%'
OR cmd LIKE '%stratum%'
OR basename LIKE '%xig%'
OR basename LIKE '%xmr%'
-- Random keywords
OR cmd LIKE '%ransom%'
-- Reverse shells
OR cmd LIKE '%fsockopen%'
OR cmd LIKE '%openssl%quiet%'
OR cmd LIKE '%pty.spawn%'
OR cmd LIKE '%sh -i'
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR cmd LIKE '%Socket.%'
) -- Things that could reasonably happen at boot.
AND NOT (
p.path = '/usr/bin/mkfifo'
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
)
AND NOT (
cmd LIKE '%csrutil status'
AND parent_name IN ('Dropbox')
)
-- The source of these commands is still a mystery to me.
AND NOT (
cmd IN (
'/usr/bin/csrutil status',
'/usr/bin/csrutil report'
)
AND p.parent = -1
)