New detector: unexpected chmod exec event

2023-03-16 16:53:32 -04:00 · 2023-03-16 16:53:32 -04:00 · af9a78236e
parent 2e10bdf52b
commit af9a78236e
3 changed files with 80 additions and 4 deletions
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -105,7 +105,7 @@ WHERE
    OR p0_cmd LIKE '%iptables -P % ACCEPT%'
    OR p0_cmd LIKE '%iptables -F%'
    OR p0_cmd LIKE '%chattr -ia%'
-    OR p0_cmd LIKE '%chmod %777 %'
+    OR p0_cmd LIKE '%cat /dev/null%'
    OR (
      INSTR(p0_cmd, 'history') > 0
      AND p0_cmd LIKE '%history'
@ -192,7 +192,6 @@ WHERE
  AND NOT p0_cmd LIKE 'modprobe --all%'
  AND NOT p0_cmd LIKE '%modprobe aufs'
  AND NOT p0_cmd LIKE '%touch -r /tmp/cc%.o %'
-  AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'
  AND NOT p0_cmd LIKE '%modprobe overlay'
  AND NOT p0_cmd LIKE '%modprobe nf_nat_netbios_ns'
  AND NOT p0_cmd LIKE '%modprobe -va%'
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -103,7 +103,7 @@ WHERE
    OR p0_name LIKE '%attack%' -- Unusual behaviors
    OR p0_cmd LIKE '%powershell%'
    OR p0_cmd LIKE '%chattr -ia%'
-    OR p0_cmd LIKE '%chmod%777 %'
+    OR p0_cmd LIKE '%cat /dev/null%'
    OR p0_cmd LIKE '%touch%acmr%'
    OR p0_cmd LIKE '%touch -r%'
    OR p0_cmd LIKE '%ld.so.preload%'
@ -164,7 +164,6 @@ WHERE
      '/bin/launchctl bootout system/com.docker.socket',
      '/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
      'git history',
-      'chmod 0777 /Users/Shared/logitune',
      'nix profile history',
      'helm history',
      'rm -f /tmp/mysql.sock',
--- a/detection/execution/unexpected-chmod-exec-event.sql
+++ b/detection/execution/unexpected-chmod-exec-event.sql
@ -0,0 +1,78 @@
+-- Things that call chmod to set executable permissions
+--
+-- references:
+--   * https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
+--
+-- false positives:
+--   * loads of them
+--
+-- tags: transient process events
+-- platform: linux
+-- interval: 300
+SELECT
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(
+    COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
+  ) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(
+    p1_p2_hash.path,
+    pe1_p2_hash.path,
+    pe1_pe2_hash.path
+  ) AS p2_hash,
+  REGEX_MATCH (
+    COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
+    '.*/(.*)',
+    1
+  ) AS p2_name,
+  -- Exception key
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
+    COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
+    '.*/(.*)',
+    1
+  ) AS exception_key
+FROM
+  process_events pe
+  LEFT JOIN processes p ON pe.pid = p.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
+  AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
+  AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
+WHERE
+  pe.time > (strftime('%s', 'now') -300)
+  AND (
+    pe.cmdline LIKE '%chmod%777%'
+    OR pe.cmdline LIKE '%chmod%700%'
+    OR pe.cmdline LIKE '%chmod%755%'
+    OR pe.cmdline LIKE '%chmod +x%'
+    OR pe.cmdline LIKE '%chmod u+x%'
+  )
+  AND p0_cmd NOT LIKE 'chmod 777 /app/%'
+  AND p0_cmd != 'chmod 0777 /Users/Shared/logitune'
+GROUP BY p0_pid