Improve detection for bpfdoor and similar backdoors.

detection/persistence/low-fd-socket.sql

@@ -0,0 +1,26 @@
+-- Find programs where fd0 (stdin), fd1 (stdout), or fd2 (stderr) are connected to a socket
+--
+-- false positives:
+--   * none known
+--
+-- references:
+--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+--
+-- tags: process state
+-- platform: posix
+SELECT p.uid,
+    p.euid,
+    pos.protocol,
+    pos.pid,
+    pos.remote_address,
+    pos.local_address,
+    pos.local_port,
+    pos.remote_port,
+    p.name,
+    p.parent,
+    p.cgroup_path,
+    p.path,
+    pos.state
+FROM processes p
+    JOIN process_open_sockets pos ON p.pid = pos.pid
+    WHERE fd < 3 AND family != 1;

detection/persistence/minimal-socket-client-linux.sql

@@ -0,0 +1,48 @@
+-- Slow query to find root programs with an open socket and few shared libraries
+--
+-- false positives:
+--   * some minimalist daemons
+--
+-- references:
+--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+--
+-- tags: persistent process state seldom
+-- platform: linux
+SELECT p.uid,
+    p.euid,
+    pos.protocol,
+    pos.pid,
+    pos.remote_address,
+    pos.local_address,
+    pos.local_port,
+    pos.remote_port,
+    p.name,
+    p.parent,
+    p.cgroup_path,
+    p.path,
+    pos.state,
+    GROUP_CONCAT(DISTINCT pmm.path) AS libs,
+    COUNT(DISTINCT pmm.path) AS lib_count
+FROM processes p
+    JOIN process_open_sockets pos ON p.pid = pos.pid AND pos.family != 1
+    JOIN process_memory_map pmm ON pos.pid = pmm.pid 
+WHERE p.pid IN (
+        SELECT pid
+        FROM processes
+        WHERE path NOT IN (
+                '/usr/bin/containerd',
+                '/usr/bin/fusermount3',
+                '/usr/sbin/acpid',
+                '/usr/bin/dash',
+                '/usr/bin/docker',
+                '/usr/sbin/mcelog',
+                '/usr/bin/docker-proxy',
+                '/usr/bin/cat',
+                '/usr/lib/electron/chrome-sandbox',
+                '/usr/bin/i3blocks'
+            )
+            AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
+    )
+    AND pmm.path LIKE "%.so.%"
+GROUP BY pos.pid -- libc.so, ld-linux
+HAVING lib_count IN (1, 2)

detection/persistence/minimal-socket-client-macos.sql

@@ -0,0 +1,45 @@
+-- Slow query to find root programs with an open socket and few shared libraries
+--
+-- false positives:
+--   * some minimalist daemons
+--
+-- references:
+--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+--
+-- tags: persistent process state seldom
+-- platform: macos
+SELECT p.uid,
+    p.euid,
+    pos.protocol,
+    pos.pid,
+    pos.remote_address,
+    pos.local_address,
+    pos.local_port,
+    pos.remote_port,
+    p.name,
+    p.parent,
+    p.cgroup_path,
+    p.path,
+    pos.state,
+    GROUP_CONCAT(pmm.path) AS libs,
+    COUNT(DISTINCT pmm.path) AS lib_count,
+    CONCAT(MIN(p.euid, 500), ',', p.name, ',', s.authority, ',', s.identifier) AS exception_key
+FROM processes p
+    JOIN process_open_sockets pos ON p.pid = pos.pid AND family != 1
+    LEFT JOIN signature s ON p.path = s.path
+    JOIN process_memory_map pmm ON pos.pid = pmm.pid 
+WHERE p.pid IN (
+        SELECT pid
+        FROM processes
+    )
+    AND pmm.path LIKE "%.dylib"
+AND exception_key NOT IN (
+    '500,Slack,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap',
+    '500,Slack Helper (Renderer),Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
+    '500,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',
+    '500,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
+    '500,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
+    '500,Todoist,Apple Mac OS Application Signing,com.todoist.mac.Todoist'
+)
+GROUP BY pos.pid
+HAVING lib_count IN (1, 2)

detection/persistence/unexpected-global-lock.sql

@@ -0,0 +1,42 @@
+-- Find unexpected world readable run locks
+--
+-- false positives:
+--   * none known
+--
+-- references:
+--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+--
+-- tags: persistent filesystem state
+-- platform: posix
+SELECT *,
+    CONCAT(
+        MIN(file.uid, 500),
+        ",",
+        file.gid,
+        ",",
+        file.path,
+        ",",
+        file.type,
+        ',',
+        mode
+    ) AS exception_key
+FROM file
+WHERE (
+        path LIKE "/tmp/%.lock"
+        OR path LIKE "/var/run/%.lock"
+        OR path LIKE "/var/tmp/%.lock"
+        OR path LIKE "/dev/shm/%.lock"
+        OR path LIKE "/dev/mqueue/%.lock"
+        OR path LIKE "/tmp/.%.lock"
+        OR path LIKE "/var/run/.%.lock"
+        OR path LIKE "/var/tmp/.%.lock"
+        OR path LIKE "/dev/shm/.%.lock"
+        OR path LIKE "/dev/mqueue/.%.lock"
+    )
+    AND exception_key NOT IN (
+        '0,0,/var/run/unattended-upgrades.lock,regular,0640',
+        '0,0,/var/run/xtables.lock,regular,0600',
+        '0,0,/var/run/apport.lock,regular,0600',
+        '74,0,/tmp/mysql.sock.lock,regular,0600',
+        '74,0,/tmp/mysqlx.sock.lock,regular,0600'
+    )

detection/persistence/unexpected-lock-opener.sql

@@ -0,0 +1,63 @@
+-- Find unexpected programs with open lock files
+--
+-- false positives:
+--   * many possible
+--
+-- references:
+--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+--
+-- tags: persistent filesystem state
+-- platform: posix
+SELECT
+    CONCAT(
+        MIN(p0.euid, 500),
+        ',',
+        COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path),
+        ',',
+        REGEX_MATCH (
+            REPLACE(pof.path, u.directory, '~'),
+            '(.*)/.*',
+            1
+        )
+    ) AS exception_key,
+    pof.path AS lock,
+    -- Child
+    p0.pid AS p0_pid,
+    p0.path AS p0_path,
+    p0.name AS p0_name,
+    p0.cmdline AS p0_cmd,
+    p0.cwd AS p0_cwd,
+    p0.cgroup_path AS p0_cgroup,
+    p0.euid AS p0_euid,
+    p0_hash.sha256 AS p0_sha256
+FROM processes p0
+    JOIN users u ON p0.euid = u.uid
+    LEFT JOIN process_open_files pof ON p0.pid = pof.pid
+    LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+    LEFT JOIN processes p1 ON p0.parent = p1.pid
+    LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+    LEFT JOIN processes p2 ON p1.parent = p2.pid
+    LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE pof.path LIKE "%.lock"
+    AND pof.path NOT LIKE "/run/user/1%/%.lock"
+    AND NOT exception_key IN (
+        '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
+        '0,snapd,/var/lib/snapd',
+        '200,softwareupdated,/private~/SplunkHistory',
+        '500,Beeper,~/Library/Application Support/Beeper/EventStore',
+        '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
+        '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3',
+        '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
+        '500,bridge,~/Library/Caches/protonmail/bridge-v3',
+        '500,buildkitd,~/.local/share/buildkit',
+        '500,com.docker.backend,~/Library/Containers/com.docker.docker',
+        '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database',
+        '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database'
+    )
+    AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
+    AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
+    AND NOT exception_key LIKE '500,lua-language-server,~/%'
+    AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
+    AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
+GROUP BY p0.path,
+    pof.path