From e2d6fa58a747251d6b6735368d1b2a1cdd52dcc1 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 12 Sep 2023 10:19:22 -0400
Subject: [PATCH] Add primitive name-based detection for possible InfoStealers
---
 .../initial_access/sketchy-download-name.sql | 74 +++++++++++++++++++
 .../sketchy-mounted-diskimage.sql | 36 ++++++++++++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 detection/initial_access/sketchy-download-name.sql
diff --git a/detection/initial_access/sketchy-download-name.sql b/detection/initial_access/sketchy-download-name.sql
new file mode 100644
index 0000000..b6116e7
--- /dev/null
+++ b/detection/initial_access/sketchy-download-name.sql
@@ -0,0 +1,74 @@
+-- Look for sketchy download files based on keywords
+--
+-- references:
+-- - https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
+--
+-- tags: persistent filesystem
+-- platform: darwin
+SELECT
+ file.filename,
+ REGEX_MATCH (file.filename, '.*\.(.*?)$', 1) AS extension,
+ magic.data,
+ hash.sha256,
+ ea.value AS download_url,
+ signature.authority AS s_auth,
+ signature.identifier AS s_id
+FROM
+ file
+ LEFT JOIN magic ON file.path = magic.path
+ LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN extended_attributes ea ON file.path = ea.path AND ea.key = "where_from"
+ LEFT JOIN signature ON file.path = signature.path
+WHERE
+ file.path LIKE "/Users/%/Downloads/%"
+
+ -- Frequently targetted extension for InfoStealer attacks
+ AND extension IN (
+ 'dmg',
+ 'exe',
+ 'rar',
+ 'pkg'
+ )
+ AND (
+ file.filename LIKE "%Adobe Photoshop%"
+ OR file.filename LIKE "%.app%"
+ OR file.filename LIKE "%Advertising%"
+ OR file.filename LIKE "%agreement%"
+ OR file.filename LIKE "%animated%"
+ OR file.filename LIKE "%Brief%"
+ OR file.filename LIKE "%confidentiality%"
+ OR file.filename LIKE "%conract%"
+ OR file.filename LIKE "%contract%"
+ OR file.filename LIKE "%cover%"
+ OR file.filename LIKE "%crack%"
+ OR file.filename LIKE "%description%"
+ OR file.filename LIKE "%Flash%"
+ OR file.filename LIKE "%resume%"
+ OR file.filename LIKE "cv%"
+ OR file.filename LIKE "%cv"
+ OR file.filename LIKE "%curriculum%"
+ OR file.filename LIKE "%freyavr%"
+ OR file.filename LIKE "%game%"
+ OR file.filename LIKE "%immediate%"
+ OR file.filename LIKE "%logos%"
+ OR file.filename LIKE "%official%"
+ OR file.filename LIKE "%pdf%"
+ OR file.filename LIKE "%Player%"
+ OR file.filename LIKE "%poster%"
+ OR file.filename LIKE "%presentation%"
+ OR file.filename LIKE "%receipt%"
+ OR file.filename LIKE "%reference%"
+ OR file.filename LIKE "%terms%"
+ OR file.filename LIKE "%secret%"
+ OR file.filename LIKE "%confidential%"
+ OR file.filename LIKE "%trading%"
+ OR file.filename LIKE "%Update%"
+ OR file.filename LIKE "%weed%"
+ )
+ -- False positives
+ AND NOT (
+ file.filename LIKE "LogiPresentation%.dmg"
+ OR file.filename LIKE "pdftk_server-%-win-setup.exe"
+ OR file.filename LIKE "PioneerDriveUpdaterBDR%.dmg"
+ OR file.filename LIKE "%MacVim%.dmg"
+ )
\ No newline at end of file
diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index cb0c2e3..3757661 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -95,9 +95,41 @@ WHERE
 OR (
 (
 vol_name LIKE "Install%"
- OR vol_name LIKE "%Player"
+
+ -- The rest are synced with sketchy-download-names
+ OR vol_name LIKE "%.app%"
+ OR vol_name LIKE "%Advertising%"
+ OR vol_name LIKE "%agreement%"
+ OR vol_name LIKE "%animated%"
+ OR vol_name LIKE "%Brief%"
+ OR vol_name LIKE "%confidentiality%"
+ OR vol_name LIKE "%conract%"
+ OR vol_name LIKE "%contract%"
+ OR vol_name LIKE "%cover%"
+ OR vol_name LIKE "%crack%"
+ OR vol_name LIKE "%description%"
 OR vol_name LIKE "%Flash%"
- OR vol_name LIKE "%Update"
+ OR vol_name LIKE "%resume%"
+ OR vol_name LIKE "cv%"
+ OR vol_name LIKE "%cv"
+ OR vol_name LIKE "%curriculum%"
+ OR vol_name LIKE "%freyavr%"
+ OR vol_name LIKE "%game%"
+ OR vol_name LIKE "%immediate%"
+ OR vol_name LIKE "%logos%"
+ OR vol_name LIKE "%official%"
+ OR vol_name LIKE "%pdf%"
+ OR vol_name LIKE "%Player%"
+ OR vol_name LIKE "%poster%"
+ OR vol_name LIKE "%presentation%"
+ OR vol_name LIKE "%receipt%"
+ OR vol_name LIKE "%secret%"
+ OR vol_name LIKE "%confidential%"
+ OR vol_name LIKE "%reference%"
+ OR vol_name LIKE "%terms%"
+ OR vol_name LIKE "%trading%"
+ OR vol_name LIKE "%Update%"
+ OR vol_name LIKE "%weed%"
 )
 AND file.directory LIKE "/Volumes/%/Contents/MacOS"
 AND signature.authority NOT IN (
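Review bot: The extension gate `AND extension IN ('dmg', 'exe', 'rar', 'pkg')` uses SQLite's default case-sensitive equality, while every filename test below it uses LIKE, which is case-insensitive for ASCII, so a download named `Resume.DMG` or `Contract.Exe` passes the keyword match but is silently dropped by the extension match; lower-casing the extracted suffix, `AND LOWER(extension) IN ('dmg', 'exe', 'rar', 'pkg')`, closes that evasion. Because that same gate forces the filename to end in one of the four suffixes, `OR file.filename LIKE "%cv"` can never match in this query and should become `OR file.filename LIKE "%cv.%"` (or be dropped); the pattern is only meaningful in the volume-name variant, where there is no extension. The `REGEX_MATCH` returns NULL for a filename with no dot, which correctly excludes the row, but a one-line comment saying so would save the next reader the analysis, e.g. `-- no dot -> NULL extension -> row excluded by the IN() below`. Minor: `targetted` in the comment should be `targeted`.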
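Review bot: The comment `-- The rest are synced with sketchy-download-names` is already inaccurate in this hunk: `%Adobe Photoshop%` appears in the download-name list but not here, and `Install%` exists only here, so a reader will assume the two lists are identical when they are not; either add the missing pattern or reword it to `-- Mirrors the keyword list in sketchy-download-name.sql (minus "Adobe Photoshop"); keep both in step when editing`. Widening `%Player` and `%Update` to `%Player%` and `%Update%` and adding broad terms such as `%game%`, `%cover%`, `%terms%` and `%cv` will match many legitimate installer volumes (any "... Updater" image, for instance), so the `signature.authority NOT IN (` allowlist — which continues outside this hunk — is now carrying most of the false-positive control and deserves a comment saying so. The enclosing WHERE clause begins before and ends after this hunk.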