From 24c2baef28c4c0ccdb7844b034e7ece6d430ad01 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Tue, 16 May 2023 17:18:39 -0400 Subject: [PATCH] Make process times broadly available, minor opts --- Makefile | 2 +- .../unexpected-netutil-calls-linux.sql | 1 + .../unexpected-netutil-calls-macos.sql | 1 + .../unexpected-tmp-executables-linux.sql | 1 + ...xec-failed-launch-constraint-violation.sql | 1 + .../execution/exotic-command-events-linux.sql | 1 + .../execution/exotic-command-events-macos.sql | 1 + .../relative-exec-low-uid-events.sql | 1 + .../execution/sketchy-fetcher-events.sql | 1 + .../unexpected-execdir-events-linux.sql | 1 + .../unexpected-execdir-events-macos.sql | 1 + .../unexpected-fetcher-parent-events.sql | 1 + .../unexpected-file-made-executable.sql | 1 + .../unexpected-root-signer-macos.sql | 3 ++ .../execution/unexpected-sysutils-macos.sql | 1 + .../unexpected-xattr-calls-macos.sql | 1 + .../unexpected-shell-parent-events.sql | 1 + .../unexpected-systemctl-calls-linux.sql | 1 + .../setxid-cmdline-overflow-attempt.sql | 1 + .../privesc/setxid-env-overflow-attempt.sql | 1 + ...xpected-elevated-children-events_linux.sql | 1 + fragments/process_event_parents_macos.sql | 1 + fragments/process_parents.sql | 3 ++ incident_response/files-recently-written.sql | 34 ++++++++++++------- incident_response/listening_ports.sql | 1 + incident_response/logged_in_users.sql | 1 + incident_response/open_files.sql | 5 +++ incident_response/process-files.sql | 17 ---------- incident_response/process_open_files.sql | 4 +++ incident_response/process_open_pipes.sql | 4 +++ incident_response/process_open_sockets.sql | 4 +++ .../processes-root-not-apple-macos.sql | 22 ------------ incident_response/shared_memory.sql | 6 +++- 33 files changed, 73 insertions(+), 53 deletions(-) delete mode 100644 incident_response/process-files.sql delete mode 100644 incident_response/processes-root-not-apple-macos.sql diff --git a/Makefile b/Makefile index 1c6ea0e..93cb09f 100644 
--- a/Makefile +++ b/Makefile @@ -72,7 +72,7 @@ verify-ci: ./out/osqtool-$(ARCH) verify: ./out/osqtool-$(ARCH) $(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy - $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection + $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection all: out/odk-packs.zip diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql index 5e401f1..5aa6f0e 100644 --- a/detection/discovery/unexpected-netutil-calls-linux.sql +++ b/detection/discovery/unexpected-netutil-calls-linux.sql @@ -13,6 +13,7 @@ SELECT TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, pe.pid AS p0_pid, + pe.time, p.cgroup_path AS p0_cgroup, -- Parent pe.parent AS p1_pid, diff --git a/detection/discovery/unexpected-netutil-calls-macos.sql b/detection/discovery/unexpected-netutil-calls-macos.sql index b1deffb..7798c1a 100644 --- a/detection/discovery/unexpected-netutil-calls-macos.sql +++ b/detection/discovery/unexpected-netutil-calls-macos.sql @@ -13,6 +13,7 @@ SELECT TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, pe.pid AS p0_pid, + pe.time AS p0_time, pe.euid AS p0_euid, s.authority AS p0_authority, -- Parent diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql index 6c50cc3..985f0a2 100644 --- a/detection/evasion/unexpected-tmp-executables-linux.sql +++ b/detection/evasion/unexpected-tmp-executables-linux.sql 
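Review bot: In detection/discovery/unexpected-netutil-calls-linux.sql the new column is emitted as bare `pe.time,` while the macOS sibling in the next hunk and every other detection file in this commit use `pe.time AS p0_time,`; the same unaliased form appears again in the second hunk of detection/execution/unexpected-root-signer-macos.sql. If anything downstream keys on the p0_/p1_ prefixes or unions results across these queries, the bare `time` column will not line up with `p0_time`, so `pe.time AS p0_time,` in both places would keep the convention intact. Relatedly, process start times are aliased `p0_start`/`p1_start`/`p2_start` in fragments/process_parents.sql but `p_time` in the incident_response queries; since `start_time` is not the same quantity as an event `time`, one consistent name (e.g. `p_start`) would make cross-query correlation less error-prone.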
@@ -75,6 +75,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f OR file.path LIKE "%/melange%" OR file.path LIKE "%/bin/busybox" OR file.path LIKE "%/bin/bash" + OR file.path LIKE "/tmp/lima/%" OR file.path LIKE '%/pdf-tools/%' OR file.path LIKE '%-release%/%' OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%' diff --git a/detection/execution/exec-failed-launch-constraint-violation.sql b/detection/execution/exec-failed-launch-constraint-violation.sql index 8ced30b..44e4e8b 100644 --- a/detection/execution/exec-failed-launch-constraint-violation.sql +++ b/detection/execution/exec-failed-launch-constraint-violation.sql @@ -14,6 +14,7 @@ SELECT hash.sha256 AS p0_hash, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, + pe.time AS p0_time, p.cwd AS p0_cwd, pe.pid AS p0_pid, pe.euid AS p0_euid, diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 4124dea..9e84c75 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql @@ -12,6 +12,7 @@ SELECT -- Child pe.path AS p0_path, + pe.time AS p0_time, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql index 55fa7c9..f224a3d 100644 --- a/detection/execution/exotic-command-events-macos.sql +++ b/detection/execution/exotic-command-events-macos.sql @@ -11,6 +11,7 @@ -- interval: 180 SELECT -- Child pe.path AS p0_path, + pe.time AS p0_time, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, diff --git a/detection/execution/relative-exec-low-uid-events.sql b/detection/execution/relative-exec-low-uid-events.sql index ef2d1ce..021cb4b 100644 --- a/detection/execution/relative-exec-low-uid-events.sql 
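Review bot: The added `OR file.path LIKE "/tmp/lima/%"` excludes every executable under a world-writable temp directory on path alone, which is broader than the neighbouring exceptions that name a specific binary or package-relative path; because this is the pre-join whittling step (the WHERE clause begins outside the hunk), rows matching it are dropped before any signer, hash or parent context could qualify the exception. If the intent is a known set of helper binaries, narrowing the pattern to their names, or moving the exception to a later stage where it can be paired with a hash or parent check, would preserve the detection's coverage of /tmp. The line also deserves a why-comment, e.g. `-- /tmp/lima: <what writes here and why it is trusted>`. Minor: the new line uses double quotes where its immediate neighbours use single quotes; the file already mixes both, but new lines could pick one.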
+++ b/detection/execution/relative-exec-low-uid-events.sql @@ -12,6 +12,7 @@ SELECT -- Child TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, pe.pid AS p0_pid, + pe.time AS p0_time, p.cgroup_path AS p0_cgroup, -- Parent pe.parent AS p1_pid, diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql index 5448a8a..eca4b98 100644 --- a/detection/execution/sketchy-fetcher-events.sql +++ b/detection/execution/sketchy-fetcher-events.sql @@ -14,6 +14,7 @@ SELECT TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, pe.pid AS p0_pid, + pe.time AS p0_time, p.cgroup_path AS p0_cgroup, -- Parent pe.parent AS p1_pid, diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql index d4e7ec2..3733bcc 100644 --- a/detection/execution/unexpected-execdir-events-linux.sql +++ b/detection/execution/unexpected-execdir-events-linux.sql @@ -14,6 +14,7 @@ SELECT -- Child REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, + pe.time AS p0_time, pe.pid AS p0_pid, p.cgroup_path AS p0_cgroup, -- Parent diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index 3001e74..a9cbc39 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -29,6 +29,7 @@ SELECT pe.path AS p0_path, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, + pe.time AS p0_time, -- pe.cwd is NULL on macOS p.cwd AS p0_cwd, pe.pid AS p0_pid, diff --git a/detection/execution/unexpected-fetcher-parent-events.sql b/detection/execution/unexpected-fetcher-parent-events.sql index 4205d92..2f6e14c 100644 --- a/detection/execution/unexpected-fetcher-parent-events.sql +++ b/detection/execution/unexpected-fetcher-parent-events.sql 
@@ -13,6 +13,7 @@ SELECT
 TRIM(pe.cmdline) AS p0_cmd,
 pe.cwd AS p0_cwd,
 pe.pid AS p0_pid,
+ pe.time AS p0_time,
 pe.euid AS p0_euid,
 p.cgroup_path AS p0_cgroup,
 -- Parent
diff --git a/detection/execution/unexpected-file-made-executable.sql b/detection/execution/unexpected-file-made-executable.sql
index b361d8b..5256485 100644
--- a/detection/execution/unexpected-file-made-executable.sql
+++ b/detection/execution/unexpected-file-made-executable.sql
@@ -12,6 +12,7 @@ SELECT
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
 TRIM(pe.cmdline) AS p0_cmd,
 pe.cwd AS p0_cwd,
+ pe.time AS p0_time,
 pe.euid AS p0_euid,
 pe.pid AS p0_pid,
 p.cgroup_path AS p0_cgroup,
diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql
index fb6fa99..5aa11d7 100644
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@@ -1,6 +1,7 @@
 -- Programs running as root from unusual signers on macOS
 --
 -- platform: darwin
+-- interval: 900
 -- tags: transient seldom process state
 -- Canonical example of including process parents from process_events
 SELECT
@@ -8,6 +9,7 @@ SELECT
 REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
 -- Child
 pe.path AS p0_path,
+ pe.time,
 s.authority AS p0_sauth,
 s.identifier AS p0_sid,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
@@ -60,6 +62,7 @@ FROM
 WHERE
 -- query optimization: Exclude SIP protected directories
 p.euid = 0
+ AND pe.time > (strftime('%s', 'now') -900)
 AND top_dir NOT IN (
 '/Library/Apple',
 '/System/Library',
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index bff0dfb..79bd12a 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
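Review bot: In detection/execution/unexpected-root-signer-macos.sql the new predicate `AND pe.time > (strftime('%s', 'now') -900)` hard-codes the same 900 s that the added `-- interval: 900` header declares, and nothing ties the two together, so they can drift silently: a larger interval later would leave events unreported between runs, a smaller one would re-report the same events every run. Unless the tooling that reads the `-- interval:` header substitutes it into the query, at least pin them with a comment such as `-- lookback must match the interval: header above` next to the predicate, and consider a window slightly wider than the interval so scheduler jitter does not drop events at the boundary (at the cost of an occasional duplicate). The `pe.time,` added in the second hunk also lacks the `AS p0_time` alias used by the other detection files in this commit. The WHERE clause in the third hunk continues past the hunk.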
@@ -12,6 +12,7 @@ SELECT REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, + pe.time AS p0_time, pe.pid AS p0_pid, pe.euid AS p0_euid, s.authority AS p0_authority, diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql index 352f810..3cf0cab 100644 --- a/detection/execution/unexpected-xattr-calls-macos.sql +++ b/detection/execution/unexpected-xattr-calls-macos.sql @@ -12,6 +12,7 @@ SELECT REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, + pe.time AS p0_time, pe.pid AS p0_pid, pe.euid AS p0_euid, s.authority AS p0_authority, diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql index 32eba60..bbf6cd3 100644 --- a/detection/initial_access/unexpected-shell-parent-events.sql +++ b/detection/initial_access/unexpected-shell-parent-events.sql @@ -16,6 +16,7 @@ SELECT REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, + pe.time AS p0_time, pe.pid AS p0_pid, pe.euid AS p0_euid, p.cgroup_path AS p0_cgroup, diff --git a/detection/persistence/unexpected-systemctl-calls-linux.sql b/detection/persistence/unexpected-systemctl-calls-linux.sql index 91c41de..a0b81b2 100644 --- a/detection/persistence/unexpected-systemctl-calls-linux.sql +++ b/detection/persistence/unexpected-systemctl-calls-linux.sql @@ -11,6 +11,7 @@ SELECT -- Child REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, + pe.time AS p0_time, pe.pid AS p0_pid, p.cgroup_path AS p0_cgroup, -- Parent diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql index 7272917..69d9e28 100644 --- a/detection/privesc/setxid-cmdline-overflow-attempt.sql +++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql 
@@ -5,6 +5,7 @@ SELECT file.mode AS p0_binary_mode, pe.cmdline_size AS p0_cmd_size, + pe.time AS p0_time, -- Child pe.path AS p0_path, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, diff --git a/detection/privesc/setxid-env-overflow-attempt.sql b/detection/privesc/setxid-env-overflow-attempt.sql index 94e92f4..58658d3 100644 --- a/detection/privesc/setxid-env-overflow-attempt.sql +++ b/detection/privesc/setxid-env-overflow-attempt.sql @@ -15,6 +15,7 @@ SELECT file.mode AS p0_binary_mode, pe.env AS p0_env, + pe.time AS p0_time, pe.env_size AS p0_env_size, -- Child pe.path AS p0_path, diff --git a/detection/privesc/unexpected-elevated-children-events_linux.sql b/detection/privesc/unexpected-elevated-children-events_linux.sql index 036381c..474fa4e 100644 --- a/detection/privesc/unexpected-elevated-children-events_linux.sql +++ b/detection/privesc/unexpected-elevated-children-events_linux.sql @@ -15,6 +15,7 @@ SELECT file.mode AS p0_binary_mode, -- Child pe.path AS p0_path, + pe.time AS p0_time, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, diff --git a/fragments/process_event_parents_macos.sql b/fragments/process_event_parents_macos.sql index 366439b..4bd41ca 100644 --- a/fragments/process_event_parents_macos.sql +++ b/fragments/process_event_parents_macos.sql @@ -2,6 +2,7 @@ SELECT -- Child pe.path AS p0_path, + pe.time AS p0_time, s.authority AS p0_sauth, s.identifier AS p0_sid, hash.sha256 AS p0_hash, diff --git a/fragments/process_parents.sql b/fragments/process_parents.sql index 4ca264b..44e2938 100644 --- a/fragments/process_parents.sql +++ b/fragments/process_parents.sql @@ -4,6 +4,7 @@ SELECT p0.pid AS p0_pid, p0.path AS p0_path, p0.name AS p0_name, + p0.start_time AS p0_start, p0.cmdline AS p0_cmd, p0.cwd AS p0_cwd, p0.cgroup_path AS p0_cgroup, 
@@ -13,12 +14,14 @@ SELECT
 p0.parent AS p1_pid,
 p1.path AS p1_path,
 p1.name AS p1_name,
+ p1.start_time AS p1_start,
 p1.euid AS p1_euid,
 p1.cmdline AS p1_cmd,
 p1_hash.sha256 AS p1_sha256,
 -- Grandparent
 p1.parent AS p2_pid,
 p2.name AS p2_name,
+ p2.start_time AS p2_start,
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
diff --git a/incident_response/files-recently-written.sql b/incident_response/files-recently-written.sql
index 1db8d41..fef8988 100644
--- a/incident_response/files-recently-written.sql
+++ b/incident_response/files-recently-written.sql
@@ -6,24 +6,34 @@
 SELECT *
 FROM file
 WHERE (
- path LIKE "/var/tmp/%%"
- OR path LIKE "/Applications/%%"
- OR path LIKE "/home/%/%%"
- OR path LIKE "/home/%/.%/%%"
- OR path LIKE "/home/%/.config/%%"
- OR path LIKE "/Library/%%"
+ path LIKE "/var/tmp/%"
+ OR path LIKE "/var/tmp/%/%"
+ OR path LIKE "/Applications/%"
+ OR path LIKE "/Applications/%/%"
+ OR path LIKE "/home/%/%"
+ OR path LIKE "/home/%/.%/%"
+ OR path LIKE "/home/%/.%/%/%"
+ OR path LIKE "/home/%/.config/%"
+ OR path LIKE "/home/%/.config/%/%"
+ OR path LIKE "/Library/%/%"
 OR path LIKE "/Library/.%"
 OR path LIKE "/Library/Application Support/%"
 OR path LIKE "/Library/Application Support/.%"
- OR path LIKE "/tmp/%%"
+ OR path LIKE "/tmp/%"
+ OR path LIKE "/tmp/%/%"
 OR path LIKE "/tmp/.%/%%"
- OR path LIKE "/Users/%/%%"
- OR path LIKE "/Users/%/.%/%%"
- OR path LIKE "/Users/Library/%%"
+ OR path LIKE "/Users/%/%"
+ OR path LIKE "/Users/%/%/%"
+ OR path LIKE "/Users/%/.%/%"
+ OR path LIKE "/Users/%/.%/%/%"
+ OR path LIKE "/Users/Library/%"
+ OR path LIKE "/Users/Library/%/%"
 OR path LIKE "/Users/Library/.%"
- OR path LIKE "/Users/Library/Application Support/%%"
+ OR path LIKE "/Users/Library/Application Support/%"
+ OR path LIKE "/Users/Library/Application Support/%/%"
 OR path LIKE "/Users/Library/Application Support/.%"
- OR path LIKE "/var/%%"
+ OR path LIKE "/var/%"
+ OR path LIKE "/var/%/%"
 )
 AND (
 mtime > (strftime('%s', 'now') -3600)
diff --git a/incident_response/listening_ports.sql b/incident_response/listening_ports.sql
index 94fd5cd..d6d4032 100644
--- a/incident_response/listening_ports.sql
+++ b/incident_response/listening_ports.sql
@@ -5,6 +5,7 @@
 SELECT
 lp.*,
 p.name AS p_name,
+ p.start_time AS p_time,
 p.path AS p_path,
 p.euid AS p_euid
 FROM
diff --git a/incident_response/logged_in_users.sql b/incident_response/logged_in_users.sql
index c90791c..d326610 100644
--- a/incident_response/logged_in_users.sql
+++ b/incident_response/logged_in_users.sql
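Review bot: Replacing the recursive `%%` patterns with `%` plus `%/%` pairs in incident_response/files-recently-written.sql caps each prefix at two path components (osquery's `file` table treats `%%` as recursive and `%` as a single level, as I read it), so a file written deeper, e.g. under a third-level directory below `/home/<user>/.config/`, is no longer returned, and since `/Library/%%` became only `/Library/%/%` files directly under /Library are dropped as well. That is a reasonable cost/coverage trade-off for a bounded IR sweep, but it is invisible from the file; a comment above the WHERE such as `-- depth-limited (no %%) to keep the scan bounded; files nested more than two levels below these prefixes are intentionally not returned` would record it. `/tmp/.%/%%` is now the only pattern left recursive, which looks unintentional next to the others. Separately, the kept `/Users/Library/...` patterns do not match a real per-user location on macOS; `/Users/%/Library/...` is probably what was meant, though that predates this commit.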
@@ -7,6 +7,7 @@ SELECT
 p.name,
 p.cmdline,
 p.cwd,
+ p.start_time,
 p.root
 FROM
 logged_in_users liu,
diff --git a/incident_response/open_files.sql b/incident_response/open_files.sql
index de089e3..8367971 100644
--- a/incident_response/open_files.sql
+++ b/incident_response/open_files.sql
@@ -5,7 +5,12 @@
 SELECT DISTINCT
 pof.pid,
 pof.path,
+ pof.fd,
 p.name,
+ p.start_time,
+ p.euid,
+ p.parent,
+ p.uid,
 p.cmdline
 FROM
 process_open_files pof
diff --git a/incident_response/process-files.sql b/incident_response/process-files.sql
deleted file mode 100644
index 46c55af..0000000
--- a/incident_response/process-files.sql
+++ /dev/null
@@ -1,17 +0,0 @@
--- Returns information about running processes(non-hidden only)
---
--- tags: postmortem
--- platform: posix
-SELECT
- GROUP_CONCAT(processes.pid) AS processes,
- GROUP_CONCAT(processes.name) AS names,
- file.*,
- hash.sha256,
- magic.data
-FROM
- processes
- LEFT JOIN file ON processes.path = file.path
- LEFT JOIN hash ON processes.path = hash.path
- LEFT JOIN magic ON processes.path = magic.path
-GROUP BY
- processes.path
diff --git a/incident_response/process_open_files.sql b/incident_response/process_open_files.sql
index 0905d76..215b649 100644
--- a/incident_response/process_open_files.sql
+++ b/incident_response/process_open_files.sql
@@ -5,6 +5,10 @@
 SELECT
 p.path AS p_path,
 p.name AS p_name,
+ p.start_time AS p_time,
+ p.euid AS p_euid,
+ p.uid AS p_uid,
+ p.cmdline AS p_cmdline,
 pof.*
 FROM
 process_open_files AS pof
diff --git a/incident_response/process_open_pipes.sql b/incident_response/process_open_pipes.sql
index 011c649..731c483 100644
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@@ -5,6 +5,10 @@
 SELECT
 p.path AS p_path,
 p.name AS p_name,
+ p.start_time AS p_time,
+ p.euid AS p_euid,
+ p.uid AS p_uid,
+ p.cmdline AS p_cmdline,
 pop.*
 FROM
 process_open_pipes AS pop
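Review bot: Adding `pof.fd` to the `SELECT DISTINCT` projection in incident_response/open_files.sql changes the result cardinality: a process holding the same path on several descriptors previously collapsed to one row per (pid, path) and now yields one row per fd, which also counts against the `--max-results` budget the Makefile enforces for incident_response. If that is the intent, a short comment on the line, e.g. `-- one row per descriptor; same path may repeat per pid`, would make it explicit; if not, the fd could be aggregated instead. The rest of the query, including its header comment, is outside the hunk, so I cannot tell whether it documents the expected row shape.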
diff --git a/incident_response/process_open_sockets.sql b/incident_response/process_open_sockets.sql
index b2203e7..94f9851 100644
--- a/incident_response/process_open_sockets.sql
+++ b/incident_response/process_open_sockets.sql
@@ -5,6 +5,10 @@
 SELECT
 p.path AS p_path,
 p.name AS p_name,
+ p.start_time AS p_time,
+ p.euid AS p_euid,
+ p.uid AS p_uid,
+ p.cmdline AS p_cmdline,
 pos.*
 FROM
 process_open_sockets AS pos
diff --git a/incident_response/processes-root-not-apple-macos.sql b/incident_response/processes-root-not-apple-macos.sql
deleted file mode 100644
index 14b28db..0000000
--- a/incident_response/processes-root-not-apple-macos.sql
+++ /dev/null
@@ -1,22 +0,0 @@
--- Programs running as root from unusual signers on macOS
---
--- platform: darwin
--- tags: transient process
--- Canonical example of including process parents from process_events
-SELECT
- p.*,
- s.*
-FROM
- processes p
- LEFT JOIN signature s ON p.path = s.path
-WHERE
- p.pid IN (
- SELECT pid FROM processes WHERE
- p.euid = 0
- AND p.path NOT LIKE "/System/%"
- AND p.path NOT LIKE "/Library/Apple/%"
- AND p.path NOT LIKE "/usr/bin/%"
- AND p.path NOT LIKE "/usr/libexec/%"
- AND p.path NOT LIKE "/usr/sbin/%"
- )
- AND s.authority NOT IN ('Software Signing')
\ No newline at end of file
diff --git a/incident_response/shared_memory.sql b/incident_response/shared_memory.sql
index fd8c10a..9707374 100644
--- a/incident_response/shared_memory.sql
+++ b/incident_response/shared_memory.sql
@@ -4,8 +4,12 @@
 -- platform: linux
 SELECT
 shm.*,
+ p.path AS p_path,
 p.name AS p_name,
- p.path AS p_path
+ p.start_time AS p_time,
+ p.euid AS p_euid,
+ p.uid AS p_uid,
+ p.cmdline AS p_cmdline
 FROM
 shared_memory AS shm
 LEFT JOIN processes p ON shm.pid = p.pid;