From 877b2c495bb7cc9f0241393fc1c1d441921f5717 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 12 Dec 2023 12:33:38 -0500
Subject: [PATCH 1/2] exotic events linux: double interval, reduce hash lookups

---
 detection/execution/exotic-command-events-linux.sql | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index 76ca325..08f4278 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: linux
--- interval: 300
+-- interval: 600
 SELECT
 -- Child
 pe.path AS p0_path,
@@ -32,11 +32,6 @@ SELECT
 COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
 ) AS p2_cmd,
 COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
- COALESCE(
- p1_p2_hash.path,
- pe1_p2_hash.path,
- pe1_pe2_hash.path
- ) AS p2_hash,
 REGEX_MATCH (
 COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
 '.*/(.*)',
@@ -65,11 +60,8 @@ FROM
 AND pe1_p2.start_time <= pe1.time
 LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
 AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
- LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
- LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
- LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
- pe.time > (strftime('%s', 'now') -300)
+ pe.time > (strftime('%s', 'now') -600)
 AND pe.cmdline != ''
 AND (
 p0_name IN (

From 2c783f17f43f0131f2a341bf97a3eed7aa2b1421 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 12 Dec 2023 12:56:09 -0500
Subject: [PATCH 2/2] exotic events linux: remove uptime join, use empty string

---
 .../execution/exotic-command-events-linux.sql | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
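Review bot: The interval becomes 600 while the later `@@ -65` hunk narrows the lookback to the same `-600` seconds, so the query's coverage window now equals its schedule period with no overlap, and any run that starts late (osquery splays intervals and, as far as I recall, runs scheduled queries serially) leaves a gap of events that the next run will never see. If the pack relies on osquery's events_optimize behaviour, which limits evented tables to rows newer than the previous run, the time filter is redundant and this is harmless, but that should be confirmed rather than assumed. Otherwise a small overlap such as `pe.time > (strftime('%s', 'now') -660)` trades a few re-reported rows for no silent misses, and a header comment like `-- interval: 600 (the pe.time lookback below must stay >= this)` would keep the two values from drifting apart again.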
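Review bot: The surviving context line `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid` never constrains pe1_pe2 by pid, so whenever the pe1_p2 join matched, every buffered process_events row with a non-empty cmdline satisfies the ON clause and the child row is multiplied by the size of the event buffer; the COALESCE order also means pe1_pe2 values are only consulted when pe1_p2 is NULL, in which case this join cannot match at all, so as written it costs rows without ever contributing a grandparent. This predates the commit, but since the commit is about cost and rewrites the adjacent joins it is worth fixing here: `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_pe2.pid` plus `AND pe1_pe2.time <= pe1.time`, mirroring the pe1 join. If the duplicates are currently invisible, that is presumably because osquery's differential logging collapses identical result rows, which masks the problem rather than removing it. The FROM clause begins and the WHERE clause ends outside this hunk.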
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 08f4278..614e0f2 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql @@ -9,10 +9,10 @@ -- tags: transient process events -- platform: linux -- interval: 600 -SELECT - -- Child +SELECT -- Child pe.path AS p0_path, pe.time AS p0_time, + pe.uptime AS p0_uptime, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, pe.cwd AS p0_cwd, @@ -43,26 +43,26 @@ SELECT '.*/(.*)', 1 ) AS exception_key -FROM - process_events pe, - uptime +FROM process_events pe LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths) LEFT JOIN processes p1 ON pe.parent = p1.pid AND p1.start_time <= pe.time LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.time <= pe.time - AND pe1.cmdline != '' + AND pe1.cmdline != "" + AND pe1.cwd != "" LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path -- Grandparents (via 3 paths) LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes AND p1_p2.start_time <= p1.start_time LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events AND pe1_p2.start_time <= pe1.time LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid - AND pe1_pe2.cmdline != '' -- Past grandparent via parent events -WHERE - pe.time > (strftime('%s', 'now') -600) - AND pe.cmdline != '' + AND pe1_pe2.cmdline != "" + AND pe1_pe2.cwd != "" +WHERE pe.time > (strftime('%s', 'now') -600) + AND pe.cmdline != "" + AND pe.cwd != "" AND ( p0_name IN ( 'bitspin', @@ -168,7 +168,7 @@ WHERE ) AND NOT ( pe.path IN ('/usr/bin/kmod', '/bin/kmod') - AND uptime.total_seconds < 15 + AND pe.uptime < 15 ) AND NOT ( pe.path = '/usr/bin/mkfifo' 
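Review bot: The new `AND pe.cwd != ""` in the WHERE clause (with the matching `pe1.cwd` / `pe1_pe2.cwd` join conditions in the `@@ -43` hunk) turns a missing working directory into a reason to drop the child event entirely, so an exotic command whose audit event carries no CWD record is no longer reported at all; if the goal is only to skip incomplete fork/exec records, filtering on the columns the detection actually needs (`pe.path`, `pe.cmdline`) and leaving cwd nullable keeps the detection coverage intact, and a comment stating why cwd is required would help if the filter is deliberate. Separately, `""` is an identifier quote in SQLite and is only accepted as a string literal through the legacy double-quoted-string fallback, which builds compiled with SQLITE_DQS=0 reject, so the file's previous `''` spelling is the safer form for the empty string unless osquery's bundled SQLite is known to keep the fallback. The SELECT statement begins and the WHERE clause continues outside this hunk.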
@@ -202,4 +202,4 @@ WHERE
 'nc,500,fish,konsole',
 'chrome_crashpad_handler,500,systemd,systemd',
 'bash,0,bash,containerd-shim-runc-v2'
- )
+ )
\ No newline at end of file