Merge pull request #304 from tstromberg/infostealerz
Add primitive name-based detection for possible InfoStealers
This commit is contained in:
commit
6adfb1d109
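--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,74 @@
+-- Look for sketchy download files based on keywords
+--
+-- references:
+-- - https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
+--
+-- tags: persistent filesystem
+-- platform: darwin
+SELECT
+file.filename,
+REGEX_MATCH (file.filename, '.*\.(.*?)$', 1) AS extension,
+magic.data,
+hash.sha256,
+ea.value AS download_url,
+signature.authority AS s_auth,
+signature.identifier AS s_id
+FROM
+file
+LEFT JOIN magic ON file.path = magic.path
+LEFT JOIN hash ON file.path = hash.path
+LEFT JOIN extended_attributes ea ON file.path = ea.path AND ea.key = "where_from"
+LEFT JOIN signature ON file.path = signature.path
+WHERE
+file.path LIKE "/Users/%/Downloads/%"
+
+-- Frequently targetted extension for InfoStealer attacks
+AND extension IN (
+'dmg',
+'exe',
+'rar',
+'pkg'
+)
+AND (
+file.filename LIKE "%Adobe Photoshop%"
+OR file.filename LIKE "%.app%"
+OR file.filename LIKE "%Advertising%"
+OR file.filename LIKE "%agreement%"
+OR file.filename LIKE "%animated%"
+OR file.filename LIKE "%Brief%"
+OR file.filename LIKE "%confidentiality%"
+OR file.filename LIKE "%conract%"
+OR file.filename LIKE "%contract%"
+OR file.filename LIKE "%cover%"
+OR file.filename LIKE "%crack%"
+OR file.filename LIKE "%description%"
+OR file.filename LIKE "%Flash%"
+OR file.filename LIKE "%resume%"
+OR file.filename LIKE "cv%"
+OR file.filename LIKE "%cv"
+OR file.filename LIKE "%curriculum%"
+OR file.filename LIKE "%freyavr%"
+OR file.filename LIKE "%game%"
+OR file.filename LIKE "%immediate%"
+OR file.filename LIKE "%logos%"
+OR file.filename LIKE "%official%"
+OR file.filename LIKE "%pdf%"
+OR file.filename LIKE "%Player%"
+OR file.filename LIKE "%poster%"
+OR file.filename LIKE "%presentation%"
+OR file.filename LIKE "%receipt%"
+OR file.filename LIKE "%reference%"
+OR file.filename LIKE "%terms%"
+OR file.filename LIKE "%secret%"
+OR file.filename LIKE "%confidential%"
+OR file.filename LIKE "%trading%"
+OR file.filename LIKE "%Update%"
+OR file.filename LIKE "%weed%"
+)
+-- False positives
+AND NOT (
+file.filename LIKE "LogiPresentation%.dmg"
+OR file.filename LIKE "pdftk_server-%-win-setup.exe"
+OR file.filename LIKE "PioneerDriveUpdaterBDR%.dmg"
+OR file.filename LIKE "%MacVim%.dmg"
+)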
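Review bot: The extension filter in the new file's WHERE clause is case-sensitive, so a download named `Installer.DMG` or `setup.EXE` never reaches the keyword checks: `IN` against the `extension` alias compares with SQLite's default binary collation, while the `LIKE` keyword tests below it are case-insensitive for ASCII. Lower-casing the capture, `LOWER(REGEX_MATCH(file.filename, '.*\.(.*?)$', 1)) AS extension,`, makes the two filters agree. As far as the visible filter goes, `file.filename LIKE "%cv"` can never match once the extension is restricted to dmg/exe/rar/pkg (the name must end in one of those), so that predicate is dead and `cv%` alone carries the lure. String literals are double-quoted here (`"where_from"`, `"/Users/%/Downloads/%"`) while the extension list uses single quotes; SQLite resolves double quotes as identifiers first and only falls back to a string literal, so single quotes throughout would be both safer and consistent. The comment `-- Frequently targetted extension` should read `targeted`.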
@ -96,9 +96,41 @@ WHERE
|
|||
OR (
|
||||
(
|
||||
vol_name LIKE "Install%"
|
||||
OR vol_name LIKE "%Player"
|
||||
|
||||
-- The rest are synced with sketchy-download-names
|
||||
OR vol_name LIKE "%.app%"
|
||||
OR vol_name LIKE "%Advertising%"
|
||||
OR vol_name LIKE "%agreement%"
|
||||
OR vol_name LIKE "%animated%"
|
||||
OR vol_name LIKE "%Brief%"
|
||||
OR vol_name LIKE "%confidentiality%"
|
||||
OR vol_name LIKE "%conract%"
|
||||
OR vol_name LIKE "%contract%"
|
||||
OR vol_name LIKE "%cover%"
|
||||
OR vol_name LIKE "%crack%"
|
||||
OR vol_name LIKE "%description%"
|
||||
OR vol_name LIKE "%Flash%"
|
||||
OR vol_name LIKE "%Update"
|
||||
OR vol_name LIKE "%resume%"
|
||||
OR vol_name LIKE "cv%"
|
||||
OR vol_name LIKE "%cv"
|
||||
OR vol_name LIKE "%curriculum%"
|
||||
OR vol_name LIKE "%freyavr%"
|
||||
OR vol_name LIKE "%game%"
|
||||
OR vol_name LIKE "%immediate%"
|
||||
OR vol_name LIKE "%logos%"
|
||||
OR vol_name LIKE "%official%"
|
||||
OR vol_name LIKE "%pdf%"
|
||||
OR vol_name LIKE "%Player%"
|
||||
OR vol_name LIKE "%poster%"
|
||||
OR vol_name LIKE "%presentation%"
|
||||
OR vol_name LIKE "%receipt%"
|
||||
OR vol_name LIKE "%secret%"
|
||||
OR vol_name LIKE "%confidential%"
|
||||
OR vol_name LIKE "%reference%"
|
||||
OR vol_name LIKE "%terms%"
|
||||
OR vol_name LIKE "%trading%"
|
||||
OR vol_name LIKE "%Update%"
|
||||
OR vol_name LIKE "%weed%"
|
||||
)
|
||||
AND file.directory LIKE "/Volumes/%/Contents/MacOS"
|
||||
AND signature.authority NOT IN (
|
||||
|
|