From c58cac1a1f17467209881323bf38489ed873fcb5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 11 May 2023 10:32:17 -0400
Subject: [PATCH 1/2] New detector: unexpected /var/run files
---
 .../evasion/unexpected-var-run-linux.sql | 63 +++++++++++++++++++
 .../evasion/unexpected-var-run-macos.sql | 55 ++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 detection/evasion/unexpected-var-run-linux.sql
 create mode 100644 detection/evasion/unexpected-var-run-macos.sql
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
new file mode 100644
index 0000000..1011efa
--- /dev/null
+++ b/detection/evasion/unexpected-var-run-linux.sql
@@ -0,0 +1,63 @@
+-- Find unexpected regular files in /var/run
+--
+-- false positives:
+-- * none known
+--
+-- references:
+-- * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent seldom
+-- platform: linux
+SELECT file.filename,
+ uid,
+ gid,
+ mode,
+ file.ctime,
+ file.atime,
+ file.mtime,
+ file.size,
+ hash.sha256,
+ magic.data
+FROM file
+ LEFT JOIN hash on file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE file.directory = "/var/run"
+ AND file.type = "regular"
+ AND file.filename NOT IN (
+ 'acpid.pid',
+ 'agetty.reload',
+ 'alsactl.pid',
+ 'apport.lock',
+ 'atd.pid',
+ "auditd.pid",
+ "crond.pid",
+ 'crond.reboot',
+ "cron.reboot",
+ "docker.pid",
+ 'firefox-restart-required',
+ 'gdm3.pid',
+ 'gssproxy.pid',
+ 'haproxy.pid',
+ "lightdm.pid",
+ 'mcelog.pid',
+ 'motd',
+ 'nvidia_runtimepm_enabled',
+ 'nvidia_runtimepm_supported',
+ 'reboot-required',
+ 'reboot-required.pkgs',
+ 'rsyslogd.pid',
+ 'sm-notify.pid',
+ 'sshd.pid',
+ 'u-d-c-nvidia-drm-was-loaded',
+ 'u-d-c-nvidia-was-loaded',
+ 'unattended-upgrades.lock',
+ 'unattended-upgrades.progress',
+ "utmp",
+ "xtables.lock",
+ 'zed.pid',
+ 'zed.state',
+ 'zfs_fs_name',
+ 'zfs_unlock_complete'
+ )
+AND NOT file.filename LIKE 'u-d-c-gpu-0%'
+GROUP BY file.path;
\ No newline at end of file
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql
new file mode 100644
index 0000000..ca941a6
--- /dev/null
+++ b/detection/evasion/unexpected-var-run-macos.sql
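Review bot: The WHERE clause mixes double- and single-quoted string literals — `file.directory = "/var/run"`, `file.type = "regular"` and seven allowlist entries (`"auditd.pid"`, `"crond.pid"`, `"cron.reboot"`, `"docker.pid"`, `"lightdm.pid"`, `"utmp"`, `"xtables.lock"`) are double-quoted while the rest use single quotes. This looks like an osquery query, which is evaluated by SQLite, where a double-quoted token is resolved as an identifier first and only falls back to a string literal when no such column exists, a legacy behaviour that builds can disable (`SQLITE_DQS=0`); writing `WHERE file.directory = '/var/run'`, `AND file.type = 'regular'` and single-quoting the seven entries removes that dependence and the ambiguity for readers. The same double-quoted literals appear in the macOS file's hunk below and are carried unchanged through both reformat hunks of the second patch. Since `file.directory` matches direct children only, the header would also benefit from a scope line such as `-- scope: regular files directly under /var/run; subdirectories are not inspected`.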
@@ -0,0 +1,55 @@
+-- Find unexpected regular files in /var/run
+--
+-- false positives:
+-- * none known
+--
+-- references:
+-- * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent seldom
+-- platform: darwin
+SELECT file.filename,
+ uid,
+ gid,
+ mode,
+ file.ctime,
+ file.atime,
+ file.mtime,
+ file.size,
+ hash.sha256,
+ magic.data
+FROM file
+ LEFT JOIN hash on file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE file.directory = "/var/run"
+ AND file.type = "regular"
+ AND file.filename NOT IN (
+ 'appfwd.pid',
+ 'auditd.pid',
+ '.autoBackup',
+ 'automount.initialized',
+ 'com.apple.DumpPanic.finishedPMUFaultHandling',
+ 'com.apple.DumpPanic.finishedThisBoot',
+ 'com.apple.logind.didRunThisBoot',
+ 'com.apple.loginwindow.didRunThisBoot',
+ 'com.apple.mdmclient.daemon.didRunThisBoot',
+ 'com.apple.mobileassetd-MobileAssetBrain',
+ 'com.apple.parentalcontrols.webfilterctl.mutex',
+ 'com.apple.softwareupdate.availableupdatesupdated',
+ 'com.apple.WindowServer.didRunThisBoot',
+ 'diskarbitrationd.pid',
+ 'FirstBootAfterUpdate',
+ 'FirstBootCleanupHandled',
+ 'hdiejectd.pid',
+ 'prl_disp_service.pid',
+ 'prl_naptd.pid',
+ 'prl_watchdog-ebdba5702a20.pid',
+ 'resolv.conf',
+ 'rtadvd.pid',
+ 'socketfilterfw.launchd',
+ 'syslog.pid',
+ 'systemkeychaincheck.done',
+ 'utmpx',
+ 'wifi'
+ )
+GROUP BY file.path;
\ No newline at end of file
From 099d6664fe21e582424078d5afde09da0a843ad2 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 11 May 2023 10:33:51 -0400
Subject: [PATCH 2/2] Remove seldom modifier, reformat
---
 .../evasion/unexpected-var-run-linux.sql | 112 +++++++++---------
 .../evasion/unexpected-var-run-macos.sql | 96 ++++++++-------
 2 files changed, 108 insertions(+), 100 deletions(-)
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index 1011efa..932f1d4 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
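Review bot: The allowlist entry `'prl_watchdog-ebdba5702a20.pid'` appears to embed an instance-specific hex suffix rather than a fixed filename, so the exemption would only hold on the host it was captured from and the same file on any other machine would be reported. If the suffix varies per install, `AND NOT file.filename LIKE 'prl_watchdog-%.pid'` placed after the NOT IN list (mirroring the `u-d-c-gpu-0%` pattern in the Linux file) exempts it generally; if it is in fact constant, a short comment saying so would save the next reader the question. The same entry is carried unchanged through the reformat hunk of the second patch.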
+++ b/detection/evasion/unexpected-var-run-linux.sql 
@@ -6,58 +6,62 @@
 -- references:
 -- * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 --
--- tags: persistent seldom
+-- tags: persistent
 -- platform: linux
-SELECT file.filename,
- uid,
- gid,
- mode,
- file.ctime,
- file.atime,
- file.mtime,
- file.size,
- hash.sha256,
- magic.data
-FROM file
- LEFT JOIN hash on file.path = hash.path
- LEFT JOIN magic ON file.path = magic.path
-WHERE file.directory = "/var/run"
- AND file.type = "regular"
- AND file.filename NOT IN (
- 'acpid.pid',
- 'agetty.reload',
- 'alsactl.pid',
- 'apport.lock',
- 'atd.pid',
- "auditd.pid",
- "crond.pid",
- 'crond.reboot',
- "cron.reboot",
- "docker.pid",
- 'firefox-restart-required',
- 'gdm3.pid',
- 'gssproxy.pid',
- 'haproxy.pid',
- "lightdm.pid",
- 'mcelog.pid',
- 'motd',
- 'nvidia_runtimepm_enabled',
- 'nvidia_runtimepm_supported',
- 'reboot-required',
- 'reboot-required.pkgs',
- 'rsyslogd.pid',
- 'sm-notify.pid',
- 'sshd.pid',
- 'u-d-c-nvidia-drm-was-loaded',
- 'u-d-c-nvidia-was-loaded',
- 'unattended-upgrades.lock',
- 'unattended-upgrades.progress',
- "utmp",
- "xtables.lock",
- 'zed.pid',
- 'zed.state',
- 'zfs_fs_name',
- 'zfs_unlock_complete'
- )
-AND NOT file.filename LIKE 'u-d-c-gpu-0%'
-GROUP BY file.path;
\ No newline at end of file
+SELECT
+ file.filename,
+ uid,
+ gid,
+ mode,
+ file.ctime,
+ file.atime,
+ file.mtime,
+ file.size,
+ hash.sha256,
+ magic.data
+FROM
+ file
+ LEFT JOIN hash on file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE
+ file.directory = "/var/run"
+ AND file.type = "regular"
+ AND file.filename NOT IN (
+ 'acpid.pid',
+ 'agetty.reload',
+ 'alsactl.pid',
+ 'apport.lock',
+ 'atd.pid',
+ "auditd.pid",
+ "crond.pid",
+ 'crond.reboot',
+ "cron.reboot",
+ "docker.pid",
+ 'firefox-restart-required',
+ 'gdm3.pid',
+ 'gssproxy.pid',
+ 'haproxy.pid',
+ "lightdm.pid",
+ 'mcelog.pid',
+ 'motd',
+ 'nvidia_runtimepm_enabled',
+ 'nvidia_runtimepm_supported',
+ 'reboot-required',
+ 'reboot-required.pkgs',
+ 'rsyslogd.pid',
+ 'sm-notify.pid',
+ 'sshd.pid',
+ 'u-d-c-nvidia-drm-was-loaded',
+ 'u-d-c-nvidia-was-loaded',
+ 'unattended-upgrades.lock',
+ 'unattended-upgrades.progress',
+ "utmp",
+ "xtables.lock",
+ 'zed.pid',
+ 'zed.state',
+ 'zfs_fs_name',
+ 'zfs_unlock_complete'
+ )
+ AND NOT file.filename LIKE 'u-d-c-gpu-0%'
+GROUP BY
+ file.path;
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql
index ca941a6..4d186a3 100644
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
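Review bot: The reformat leaves the join keyword case inconsistent on the new side: `LEFT JOIN hash on file.path = hash.path` keeps a lowercase `on` while the next line uses `ON`, and every other keyword in the file is uppercase. Since this commit is the formatting pass, `LEFT JOIN hash ON file.path = hash.path` would make the file uniform; the macOS hunk below carries the same line.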
@@ -6,50 +6,54 @@
 -- references:
 -- * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 --
--- tags: persistent seldom
+-- tags: persistent
 -- platform: darwin
-SELECT file.filename,
- uid,
- gid,
- mode,
- file.ctime,
- file.atime,
- file.mtime,
- file.size,
- hash.sha256,
- magic.data
-FROM file
- LEFT JOIN hash on file.path = hash.path
- LEFT JOIN magic ON file.path = magic.path
-WHERE file.directory = "/var/run"
- AND file.type = "regular"
- AND file.filename NOT IN (
- 'appfwd.pid',
- 'auditd.pid',
- '.autoBackup',
- 'automount.initialized',
- 'com.apple.DumpPanic.finishedPMUFaultHandling',
- 'com.apple.DumpPanic.finishedThisBoot',
- 'com.apple.logind.didRunThisBoot',
- 'com.apple.loginwindow.didRunThisBoot',
- 'com.apple.mdmclient.daemon.didRunThisBoot',
- 'com.apple.mobileassetd-MobileAssetBrain',
- 'com.apple.parentalcontrols.webfilterctl.mutex',
- 'com.apple.softwareupdate.availableupdatesupdated',
- 'com.apple.WindowServer.didRunThisBoot',
- 'diskarbitrationd.pid',
- 'FirstBootAfterUpdate',
- 'FirstBootCleanupHandled',
- 'hdiejectd.pid',
- 'prl_disp_service.pid',
- 'prl_naptd.pid',
- 'prl_watchdog-ebdba5702a20.pid',
- 'resolv.conf',
- 'rtadvd.pid',
- 'socketfilterfw.launchd',
- 'syslog.pid',
- 'systemkeychaincheck.done',
- 'utmpx',
- 'wifi'
- )
-GROUP BY file.path;
\ No newline at end of file
+SELECT
+ file.filename,
+ uid,
+ gid,
+ mode,
+ file.ctime,
+ file.atime,
+ file.mtime,
+ file.size,
+ hash.sha256,
+ magic.data
+FROM
+ file
+ LEFT JOIN hash on file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE
+ file.directory = "/var/run"
+ AND file.type = "regular"
+ AND file.filename NOT IN (
+ 'appfwd.pid',
+ 'auditd.pid',
+ '.autoBackup',
+ 'automount.initialized',
+ 'com.apple.DumpPanic.finishedPMUFaultHandling',
+ 'com.apple.DumpPanic.finishedThisBoot',
+ 'com.apple.logind.didRunThisBoot',
+ 'com.apple.loginwindow.didRunThisBoot',
+ 'com.apple.mdmclient.daemon.didRunThisBoot',
+ 'com.apple.mobileassetd-MobileAssetBrain',
+ 'com.apple.parentalcontrols.webfilterctl.mutex',
+ 'com.apple.softwareupdate.availableupdatesupdated',
+ 'com.apple.WindowServer.didRunThisBoot',
+ 'diskarbitrationd.pid',
+ 'FirstBootAfterUpdate',
+ 'FirstBootCleanupHandled',
+ 'hdiejectd.pid',
+ 'prl_disp_service.pid',
+ 'prl_naptd.pid',
+ 'prl_watchdog-ebdba5702a20.pid',
+ 'resolv.conf',
+ 'rtadvd.pid',
+ 'socketfilterfw.launchd',
+ 'syslog.pid',
+ 'systemkeychaincheck.done',
+ 'utmpx',
+ 'wifi'
+ )
+GROUP BY
+ file.path;