From a7cd9abaf334cb697eb564b9401bd3602bd6a3a1 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 12 Jul 2023 16:06:05 -0400
Subject: [PATCH] new detector: unexpected process extension linux
---
 .../unexpected-process-extension-linux.sql | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 detection/evasion/unexpected-process-extension-linux.sql
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
new file mode 100644
index 0000000..e9d38ec
--- /dev/null
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -0,0 +1,56 @@
+-- Processes that have an unusual extension
+--
+-- false positives:
+-- * none observed
+--
+-- references:
+-- * https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
+--
+-- tags: persistent process state
+-- platform: linux
+
+SELECT
+ -- Child
+ p0.pid AS p0_pid,
+ p0.path AS p0_path,
+ p0.name AS p0_name,
+ p0.start_time AS p0_start,
+ p0.cmdline AS p0_cmd,
+ p0.cwd AS p0_cwd,
+ REGEX_MATCH (p0.path, '.*\/(.*?)$', 1) AS basename,
+ REGEX_MATCH (p0.path, '.*\.(\w+)$', 1) AS extension,
+ p0.cgroup_path AS p0_cgroup,
+ p0.euid AS p0_euid,
+ p0_hash.sha256 AS p0_sha256,
+ -- Parent
+ p0.parent AS p1_pid,
+ p1.path AS p1_path,
+ p1.name AS p1_name,
+ p1.start_time AS p1_start,
+ p1.euid AS p1_euid,
+ p1.cmdline AS p1_cmd,
+ p1_hash.sha256 AS p1_sha256,
+ -- Grandparent
+ p1.parent AS p2_pid,
+ p2.name AS p2_name,
+ p2.start_time AS p2_start,
+ p2.path AS p2_path,
+ p2.cmdline AS p2_cmd,
+ p2_hash.sha256 AS p2_sha256
+FROM
+ processes p0
+ LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+ LEFT JOIN processes p1 ON p0.parent = p1.pid
+ LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+ LEFT JOIN processes p2 ON p1.parent = p2.pid
+ LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE
+ extension IS NOT NULL
+ AND extension NOT IN (
+ '1',
+ '2',
+ 'real',
+ 'ext'
+ )
+ AND NOT basename LIKE 'python3.%'
+ AND NOT basename LIKE 'python2.%'
\ No newline at end of file
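Review bot: The header comment does not say what `basename` and `extension` are derived from, and both REGEX_MATCH expressions in the SELECT read `p0.path` rather than `p0.cmdline`, so a script started through an interpreter would presumably be reported under the interpreter's path and falls outside what this detector sees; I would state that under the description, e.g. `-- note: extension is taken from the executable path, not the command line; interpreter-launched scripts are not covered`. The `NOT IN` list excludes only `1`, `2`, `real` and `ext`, while the extension pattern `.*\.(\w+)$` also yields any other trailing numeric token, so versioned names ending in a different digit would still surface unless that is deliberate — a one-line comment on why those four suffixes are allow-listed would make the tuning reviewable. The `\/` in the basename pattern is a redundant escape; `'.*/(.*?)$'` matches the same.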