From ef3653216e7320241953a4aaae90f483b87c3e25 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 4 Jan 2023 11:14:04 -0500
Subject: [PATCH] New detector: relative exec low uid

---
 .../relative-exec-low-uid-events.sql | 35 +++++++++++++++++++
 detection/execution/relative-exec-low-uid.sql | 30 ++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 detection/execution/relative-exec-low-uid-events.sql
 create mode 100644 detection/execution/relative-exec-low-uid.sql

diff --git a/detection/execution/relative-exec-low-uid-events.sql b/detection/execution/relative-exec-low-uid-events.sql
new file mode 100644
index 0000000..7a165c3
--- /dev/null
+++ b/detection/execution/relative-exec-low-uid-events.sql
@@ -0,0 +1,35 @@
+-- Programs running as root with a relative path (event-based)
+--
+-- references:
+-- * https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
+--
+-- platform: posix
+-- interval: 300
+-- tags: process events
+SELECT
+ pe.pid,
+ pe.path,
+ pe.mode,
+ pe.cwd,
+ pe.euid,
+ pe.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmd,
+ pp.euid AS parent_euid,
+ phash.sha256 AS parent_sha256,
+ gp.cmdline AS gparent_cmd,
+ hash.sha256 AS sha256,
+ p.cgroup_path AS cgroup,
+ pp.cgroup_path AS parent_cgroup,
+ gp.cgroup_path AS gparent_cgroup
+FROM
+ process_events pe
+ LEFT JOIN processes p ON pe.pid = pe.pid
+ LEFT JOIN processes pp ON pe.parent = p.pid
+ LEFT JOIN processes gp ON pp.parent = gp.pid
+ LEFT JOIN hash ON pe.path = hash.path
+ LEFT JOIN hash phash ON pp.path = hash.path
+WHERE
+ pe.euid < 500 AND pe.cmdline LIKE './%'
+ AND pe.time > (strftime('%s', 'now') -300)
diff --git a/detection/execution/relative-exec-low-uid.sql b/detection/execution/relative-exec-low-uid.sql
new file mode 100644
index 0000000..0df222b
--- /dev/null
+++ b/detection/execution/relative-exec-low-uid.sql
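Review bot: All three of the `processes`/`hash` join conditions in the FROM clause of relative-exec-low-uid-events.sql are mis-targeted, which breaks both the row count and the parent attribution this detector exists to provide: `LEFT JOIN processes p ON pe.pid = pe.pid` is a tautology that pairs every matching event with every row of `processes`, `LEFT JOIN processes pp ON pe.parent = p.pid` constrains `p` rather than `pp`, and `LEFT JOIN hash phash ON pp.path = hash.path` never references `phash`, so `parent_sha256` is an arbitrary hash row rather than the parent binary's digest. They should read `LEFT JOIN processes p ON pe.pid = p.pid`, `LEFT JOIN processes pp ON pe.parent = pp.pid` and `LEFT JOIN hash phash ON pp.path = phash.path`; as written, a single `./x` exec as a low uid will fan out into one alert row per live process, which is likely to get the rule muted rather than acted on. Separately, the header says "running as root" while the filter is `pe.euid < 500`, so a short comment above the WHERE clause, `-- euid < 500 covers root and system/service accounts, not only uid 0`, would keep the threshold honest for whoever tunes it. Note also that `LIKE './%'` only catches commands typed as `./x`; `../x` is equally relative and is not matched, so consider `OR pe.cmdline LIKE '../%'` if that shape is in scope for the referenced Zerobot behaviour.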
@@ -0,0 +1,30 @@
+-- Programs running as root with a relative path
+--
+-- references:
+-- * https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
+--
+-- tags: transient process rapid state
+-- platform: linux
+SELECT
+ p.pid,
+ p.name,
+ p.path,
+ p.euid,
+ p.gid,
+ p.cgroup_path,
+ f.ctime,
+ f.directory AS dirname,
+ p.cmdline,
+ hash.sha256,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid,
+ hash.sha256 AS parent_sha256
+FROM
+ processes p
+ LEFT JOIN file f ON p.path = f.path
+ LEFT JOIN hash ON hash.path = p.path
+ LEFT JOIN processes pp ON p.parent = pp.pid
+WHERE
+ p.euid < 500 AND p.cmdline LIKE './%'
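Review bot: `hash.sha256 AS parent_sha256` in the SELECT list reads the same `hash` row that is joined on the child's `p.path`, so `parent_sha256` always equals `sha256` and never describes the parent binary; an analyst pivoting on the parent's digest would be chasing the child's. Add a second hash join keyed on the parent's path, `LEFT JOIN hash phash ON phash.path = pp.path`, and select `phash.sha256 AS parent_sha256`. The header comment "Programs running as root" also overstates the filter, which is `p.euid < 500`; `-- euid < 500: root plus system/service accounts, not only uid 0` above the WHERE clause would make the intended scope explicit. `LIKE './%'` only matches commands invoked as `./x`, so a relative exec spelled `../x` is silently missed; if that is deliberate, say so in a comment, otherwise `OR p.cmdline LIKE '../%'` closes the gap without widening the match to absolute paths.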