From 5839a20fb3ec52235b20f98a78f1d154cc471e55 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 18 Oct 2022 10:08:34 -0400
Subject: [PATCH] Detect more

---
 .../unexpected-hidden-system-folders.sql | 7 +++-
 .../execution/exotic-command-events-linux.sql | 4 +++
 .../execution/exotic-command-events-macos.sql | 4 +++
 detection/impact/evenly-timestomped.sql | 34 +++++++++++++++++++
 4 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 detection/impact/evenly-timestomped.sql

diff --git a/detection/evasion/unexpected-hidden-system-folders.sql b/detection/evasion/unexpected-hidden-system-folders.sql
index 9572f37..6df5613 100644
--- a/detection/evasion/unexpected-hidden-system-folders.sql
+++ b/detection/evasion/unexpected-hidden-system-folders.sql
@@ -1,9 +1,12 @@
 -- Find unexpected hidden directories in operating-system folders
 --
+-- references:
+-- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 -- * unusual installers
 --
--- platform: linux
+-- platform: posix
 -- tags: persistent filesystem state
 SELECT file.path,
@@ -29,6 +32,8 @@ WHERE
 OR file.path LIKE '/libexec/.%'
 OR file.path LIKE '/Library/.%'
 OR file.path LIKE '/sbin/.%'
+ OR file.path LIKE '/etc/.%'
+ OR file.path LIKE '/etc/%/.%'
 OR file.path LIKE '/sbin/%/.%'
 OR file.path LIKE '/tmp/.%'
 OR file.path LIKE '/usr/bin/.%'
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index e2599f9..2a8df63 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -1,5 +1,8 @@
 -- Pick out exotic processes based on their command-line (events-based)
 --
+-- references:
+-- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 -- * possible, but none known
 --
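Review bot: The new `OR file.path LIKE '/etc/%/.%'` line in the second hunk of unexpected-hidden-system-folders.sql reaches into `/etc/skel`, whose `.bashrc`/`.profile` skeleton dotfiles are shipped by the distribution, and the companion `'/etc/.%'` line will pick up `/etc/.git` on hosts managed with etckeeper and `/etc/.java` where Java system preferences exist; whether the skel files survive depends on whether the part of the WHERE outside this hunk restricts results to directories. These are benign enough that they belong under the `-- false positives:` list the first hunk edits and, if not already excluded further down the query, as `AND file.path NOT LIKE '/etc/skel/.%'` and `AND file.path NOT IN ('/etc/.git', '/etc/.java')`. The enclosing WHERE starts before this hunk and continues after it.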
@@ -79,6 +82,7 @@ WHERE
 OR cmd LIKE '%xargs kill -9%'
 OR cmd LIKE '%nohup /bin/bash%'
 OR cmd LIKE '%echo%|%base64 --decode %|%'
+ OR cmd LIKE '%UserKnownHostsFile=/dev/null%'
 -- Crypto miners
 OR cmd LIKE '%c3pool%'
 OR cmd LIKE '%cryptonight%'
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 745ecaa..3bf34c0 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -1,5 +1,8 @@
 -- Pick out exotic processes based on their command-line (events-based)
 --
+-- references:
+-- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 -- * possible, but none known
 --
@@ -79,6 +82,7 @@ WHERE
 OR cmd LIKE '%nohup /bin/bash%'
 OR cmd LIKE '%echo%|%base64 --decode %|%'
 OR cmd LIKE '%launchctl list%'
+ OR cmd LIKE '%UserKnownHostsFile=/dev/null%'
 -- Crypto miners
 OR cmd LIKE '%c3pool%'
 OR cmd LIKE '%cryptonight%'
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
new file mode 100644
index 0000000..37d09ac
--- /dev/null
+++ b/detection/impact/evenly-timestomped.sql
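Review bot: `OR cmd LIKE '%UserKnownHostsFile=/dev/null%'` in the exotic-command-events-linux.sql hunk (and the identical line in the exotic-command-events-macos.sql hunk later on this line) will also fire on routine provisioning: `vagrant ssh` passes `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` on every invocation, and CI and test-harness scripts that ssh into throwaway VMs commonly do the same. The `-- false positives:` / `-- * possible, but none known` header that the first hunk of each file touches is therefore no longer accurate; I'd replace that bullet with `-- * vagrant ssh and other provisioning tools that ssh into throwaway hosts`. The enclosing WHERE starts before the hunk, so any parent-process or user based carve-out would land outside this diff.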
@@ -0,0 +1,34 @@
+-- Files where the timestamp falls along 12-hour boundaries - probably caused by 'touch 0000'
+--
+-- false positives:
+-- * 1 in 43200 chance per binary
+--
+-- tags: persistent seldom filesystem
+-- platform: linux
+SELECT file.path,
+ DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
+ DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
+ file.inode,
+ hash.sha256,
+ magic.data
+FROM file
+ LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE (
+ file.path LIKE "/bin/%%"
+ OR file.path LIKE "/etc/%%"
+ OR file.path LIKE "/sbin/%%"
+ OR file.path LIKE "/lib/%%"
+ OR file.path LIKE "/usr/%%"
+ )
+ -- This timestamp is in UTC
+ AND file.mtime%3600 = 0
+ -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
+ AND (
+ mod_time LIKE "% 12:00:00"
+ OR mod_time LIKE "% 00:00:00"
+ )
+ -- false positives
+ AND file.path NOT IN ('/etc/master.passwd')
+ AND file.path NOT LIKE '%/lynis%'
+ AND file.path NOT LIKE '%/yelp-xsl%'
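Review bot: The path and time literals (`"/bin/%%"` through `"% 00:00:00"`) are double-quoted, which SQLite parses as identifiers and only falls back to treating as strings when no such column resolves; the `'/etc/master.passwd'` literal three lines below and the sibling detections in this patch use single quotes, so I'd switch all seven to single quotes. The `AND file.mtime%3600 = 0` pre-filter assumes the host's UTC offset is a whole hour: in a zone such as +05:30 local midnight never satisfies it and the `mod_time LIKE` test that follows is never reached, which deserves a comment such as `-- assumes a whole-hour UTC offset; half-hour zones never match`. The false-positive note `1 in 43200 chance per binary` applies to every file under the listed trees rather than just binaries, since nothing in the query filters on file type.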