new detector: unexpected file made executable

2025-01-10 15:49:31 +00:00 · 2023-01-13 12:10:43 -05:00 · 2023-01-13 12:10:43 -05:00 · 36cac9722b
commit 36cac9722b
parent 1bd030a2f2
1 changed files with 49 additions and 0 deletions
--- a/detection/execution/unexpected-file-made-executable.sql
+++ b/detection/execution/unexpected-file-made-executable.sql
@ -0,0 +1,49 @@
+-- Detect commands used to bless a file as executable
+--
+-- false positives:
+--   * none observed, but they are expected
+--
+-- interval: 600
+-- platform: posix
+-- tags: process events
+SELECT pe.path AS path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
+  TRIM(pe.cmdline) AS cmd,
+  pe.pid AS pid,
+  pe.euid AS euid,
+  pe.parent AS parent_pid,
+  TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
+  TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
+  REGEX_MATCH (
+    IIF(pp.path != NULL, pp.path, ppe.path),
+    '.*/(.*)',
+    1
+  ) AS parent_name,
+  TRIM(IIF(pp.path != NULL, hash.sha256, ehash.sha256)) AS parent_hash,
+  TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
+  TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
+  REGEX_MATCH (
+    IIF(gp.path != NULL, gp.path, gpe.path),
+    '.*/(.*)',
+    1
+  ) AS gparent_name,
+  IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
+  REGEX_MATCH(TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
+FROM process_events pe
+  LEFT JOIN processes p ON pe.pid = p.pid
+  LEFT JOIN processes pp ON pe.parent = pp.pid
+  LEFT JOIN process_events ppe ON pe.parent = ppe.pid
+  LEFT JOIN processes gp ON gp.pid = pp.parent
+  LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
+  LEFT JOIN hash ON pp.path = hash.path
+  LEFT JOIN hash thash ON target_path = thash.path
+  LEFT JOIN hash ehash ON ppe.path = ehash.path
+WHERE pe.time > (strftime('%s', 'now') -600)
+AND pe.path LIKE '%/chmod'
+AND (
+  cmd LIKE '%chmod 7%'
+  OR cmd LIKE '%chmod 5%'
+  OR cmd LIKE '%chmod 1%'
+  OR cmd LIKE '%chmod +%x'
+)
+GROUP BY pe.pid