From af9a78236ea19a06eb5d8d14c9f74e0a59f72fed Mon Sep 17 00:00:00 2001
From: Thomas Stromberg <t+github@chainguard.dev>
Date: Thu, 16 Mar 2023 16:53:32 -0400
Subject: [PATCH] New detector: unexpected chmod exec event

---
 .../execution/exotic-command-events-linux.sql |  3 +-
 .../execution/exotic-command-events-macos.sql |  3 +-
 .../execution/unexpected-chmod-exec-event.sql | 78 +++++++++++++++++++
 3 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 detection/execution/unexpected-chmod-exec-event.sql

diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index fdba9b0..9dc0884 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -105,7 +105,7 @@ WHERE
     OR p0_cmd LIKE '%iptables -P % ACCEPT%'
     OR p0_cmd LIKE '%iptables -F%'
     OR p0_cmd LIKE '%chattr -ia%'
-    OR p0_cmd LIKE '%chmod %777 %'
+    OR p0_cmd LIKE '%cat /dev/null%'
     OR (
       INSTR(p0_cmd, 'history') > 0
       AND p0_cmd LIKE '%history'
@@ -192,7 +192,6 @@ WHERE
   AND NOT p0_cmd LIKE 'modprobe --all%'
   AND NOT p0_cmd LIKE '%modprobe aufs'
   AND NOT p0_cmd LIKE '%touch -r /tmp/cc%.o %'
-  AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'
   AND NOT p0_cmd LIKE '%modprobe overlay'
   AND NOT p0_cmd LIKE '%modprobe nf_nat_netbios_ns'
   AND NOT p0_cmd LIKE '%modprobe -va%'
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 0e302c1..c0bef2a 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -103,7 +103,7 @@ WHERE
     OR p0_name LIKE '%attack%' -- Unusual behaviors
     OR p0_cmd LIKE '%powershell%'
     OR p0_cmd LIKE '%chattr -ia%'
-    OR p0_cmd LIKE '%chmod%777 %'
+    OR p0_cmd LIKE '%cat /dev/null%'
     OR p0_cmd LIKE '%touch%acmr%'
     OR p0_cmd LIKE '%touch -r%'
     OR p0_cmd LIKE '%ld.so.preload%'
@@ -164,7 +164,6 @@ WHERE
       '/bin/launchctl bootout system/com.docker.socket',
       '/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
       'git history',
-      'chmod 0777 /Users/Shared/logitune',
       'nix profile history',
       'helm history',
       'rm -f /tmp/mysql.sock',
diff --git a/detection/execution/unexpected-chmod-exec-event.sql b/detection/execution/unexpected-chmod-exec-event.sql
new file mode 100644
index 0000000..0c97e20
--- /dev/null
+++ b/detection/execution/unexpected-chmod-exec-event.sql
@@ -0,0 +1,78 @@
+-- Things that call chmod to set executable permissions
+--
+-- references:
+--   * https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
+--
+-- false positives:
+--   * loads of them
+--
+-- tags: transient process events
+-- platform: linux
+-- interval: 300
+SELECT
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(
+    COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
+  ) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(
+    p1_p2_hash.path,
+    pe1_p2_hash.path,
+    pe1_pe2_hash.path
+  ) AS p2_hash,
+  REGEX_MATCH (
+    COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
+    '.*/(.*)',
+    1
+  ) AS p2_name,
+  -- Exception key
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
+    COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
+    '.*/(.*)',
+    1
+  ) AS exception_key
+FROM
+  process_events pe
+  LEFT JOIN processes p ON pe.pid = p.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
+  AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
+  AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
+WHERE
+  pe.time > (strftime('%s', 'now') -300)
+  AND (
+    pe.cmdline LIKE '%chmod%777%'
+    OR pe.cmdline LIKE '%chmod%700%'
+    OR pe.cmdline LIKE '%chmod%755%'
+    OR pe.cmdline LIKE '%chmod +x%'
+    OR pe.cmdline LIKE '%chmod u+x%'
+  )
+  AND p0_cmd NOT LIKE 'chmod 777 /app/%'
+  AND p0_cmd != 'chmod 0777 /Users/Shared/logitune'
+GROUP BY p0_pid
\ No newline at end of file