Replace unexpected-vol-names with sketchy-mounted-diskimage
parent
9bebd8a59a
commit
c55c0225ac
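--- /dev/null
+++ b/sketchy-mounted-diskimage.sql
@@ -0,0 +1,107 @@
+-- Look for sketchy mounted disk images, inspired by Shlayer
+--
+-- references:
+-- * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment)
+-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
+-- * https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
+--
+-- tags: transient volume filesystem rapid
+-- platform: darwin
+SELECT RTRIM(file.path, '/') AS f,
+file.bsd_flags AS f_flags,
+file.gid AS f_gid,
+file.mode AS f_mode,
+file.size AS f_size,
+file.type AS f_type,
+REGEX_MATCH (file.filename, '.*\.(.*?)$', 1) AS f_ext,
+file.uid AS f_uid,
+hash.sha256 AS f_sha256,
+magic.data AS f_data,
+mdfind.path AS probable_source,
+mdhash.sha256 AS probable_source_sha256,
+ea.value AS probable_url,
+REGEX_MATCH (file.path, '/Volumes/(.*?)/', 1) AS vol_name,
+signature.authority AS s_auth,
+signature.identifier AS s_id
+FROM file
+LEFT JOIN mdfind ON mdfind.query = "kMDItemFSName == '*" || REGEX_MATCH (file.path, '/Volumes/(\w+)', 1) || "*.dmg'"
+LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+AND ea.key = 'where_from'
+LEFT JOIN hash on file.path = hash.path
+LEFT JOIN hash mdhash ON mdfind.path = mdhash.path
+LEFT JOIN magic ON file.path = magic.path
+LEFT JOIN signature ON file.path = signature.path
+WHERE file.path IN (
+SELECT file.path
+FROM block_devices
+JOIN mounts ON mounts.device = block_devices.name
+JOIN file ON file.directory = mounts.path
+OR file.directory LIKE mounts.path || "/%.app/Contents/MacOS/"
+OR file.directory LIKE mounts.path || "/%.app/Contents/Resources/"
+OR file.directory LIKE mounts.path || "/%/%.app/Contents/MacOS/"
+OR file.directory LIKE mounts.path || "/%/%.app/Contents/Resources/"
+WHERE model = 'Disk Image'
+AND parent != ""
+AND mounts.path LIKE "/Volumes/%"
+-- osquery will traverse symlinks, this prevents following symlinks to /Applications (poorly)
+AND mounts.path NOT LIKE "/Volumes/%/Applications/%"
+)
+AND (
+-- Rule 0. App binaries that are hidden, like WnBJLaF/1302.app/Contents/MacOS/1302 (1302.app)
+(
+file.directory LIKE '/Volumes/%/Contents/MacOS'
+AND file.bsd_flags = "HIDDEN"
+) -- Rule 1. App binaries that are a thin shell script wrapper for another resource (Player_009.app, 1302.app)
+OR (
+file.directory LIKE '/Volumes/%/Contents/MacOS'
+AND file.mode LIKE "%7%"
+AND file.type != 'directory'
+AND magic.data LIKE '%script%'
+) -- Rule 2. App binaries that have mixed-caps names such as LYwjtu0sc3XqkNVbQe_gM4YiRpmgUpRIew or yWnBJLaF (AdobeFlashPlayer_567.app)
+OR (
+file.mode LIKE "%7%"
+AND file.type != 'directory'
+AND REGEX_MATCH(file.filename, '([a-z]+[A-Z]+[a-z]+[A-Z])', 1) != ""
+AND magic.data LIKE "%executable%"
+-- Some people do weird things!
+AND signature.authority NOT IN (
+'Software Signing',
+'Developer ID Application: Atlassian Pty Ltd (UPXU4CQZ5P)',
+'Developer ID Application: MacroMates Ltd. (45TL96F76G)'
+)
+) -- Rule 3. App binaries with a numerical name, such as 2829030009 (Player_009.app)
+OR (
+file.mode LIKE "%7%"
+AND file.type != 'directory'
+AND REGEX_MATCH(file.filename, '^(\d)+$', 1) != ""
+) -- 4. App resources that are Mach-O binaries, such as 2829030009, or enc (Player_009.app, AdobeFlashPlayer_567.app)
+OR (
+file.directory LIKE '/Volumes/%/Resources'
+AND magic.data LIKE '%executable%'
+AND f_ext NOT IN ('py', 'sh', 'metallib')
+) -- 5. Volumes with a name containing suspicious names: Player, Flash, Update
+OR (
+(
+vol_name LIKE "Install%"
+OR vol_name LIKE "%Player"
+OR vol_name LIKE "%Flash%"
+OR vol_name LIKE "%Update"
+)
+AND file.directory LIKE "/Volumes/%/Contents/MacOS"
+) -- 6. Volumes containing a hidden top-level folder or binary, such as yWnBJLaF (1302.app)
+OR (
+file.bsd_flags = "HIDDEN"
+AND (
+file.mode LIKE "%7%"
+OR file.mode LIKE "%5%"
+OR file.mode LIKE "%1%"
+)
+AND file.filename NOT IN ('.Trashes')
+) -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
+OR (
+file.symlink = 1
+AND magic.data != 'symbolic link to /Applications'
+AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
+)
+)
+GROUP BY file.path;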
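Review bot: The `signature.authority NOT IN (...)` allow-list that closes Rule 2 and the `magic.data != 'symbolic link to /Applications'` / `NOT LIKE` pair in Rule 7 evaluate to NULL whenever the LEFT JOIN produces no signature or magic row, so a file with no signature entry (presumably the unsigned case Rule 2 most wants) silently drops out of the rule, and a symlink with no magic row can never satisfy Rule 7. Null-guard the joined columns before comparing: `AND COALESCE(signature.authority, '') NOT IN (` and `AND COALESCE(magic.data, '') != 'symbolic link to /Applications'` with the same wrapper on the following `NOT LIKE`. Rule 4's `f_ext NOT IN ('py', 'sh', 'metallib')` has the same exposure if `REGEX_MATCH` yields NULL rather than an empty string for an extension-less name such as the `enc` the comment cites, which would exclude the rule's own example. Separately, the `mounts.path NOT LIKE "/Volumes/%/Applications/%"` guard filters the mount point, which never contains a path below the volume, so it cannot stop the symlink traversal the preceding comment describes; if the intent is to skip a top-level `Applications` symlink, the predicate belongs on `file.directory` (or `file.symlink`) instead. Whether osquery's signature table returns an empty-authority row or no row at all for unsigned Mach-O files is not visible here and decides how much Rule 2 currently misses.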
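--- a/unexpected-vol-names.sql
+++ /dev/null
@@ -1,41 +0,0 @@
--- Surfaces mounts with unexpected names
---
--- references:
--- * https://objective-see.org/blog/blog_0x4E.html (Shlayer)
---
--- tags: transient volume filesystem often
--- platform: darwin
-SELECT mounts.path,
-mounts.device,
-mounts.type,
-REGEX_MATCH (mounts.path, '.*/(.*)', 1) AS vol_name,
-REGEX_MATCH (mounts.path, '.*/(\w+)', 1) AS base_name,
-block_devices.vendor,
-block_devices.model,
-block_devices.uuid,
-file.path AS possible_path,
-hash.sha256 AS possible_sha256,
-ea.value AS possible_url
-FROM mounts
-LEFT JOIN block_devices ON mounts.device = block_devices.name
-LEFT JOIN file ON file.path LIKE '/Users/%/Downloads/%' || REGEX_MATCH (mounts.path, '.*/(\w+)', 1) || '%.%'
-LEFT JOIN extended_attributes ea ON file.path = ea.path
-AND ea.key = 'where_from'
-LEFT JOIN hash ON file.path = hash.path
-WHERE block_devices.type NOT IN ('Apple Fabric', 'PCI-Express')
-AND vol_name NOT LIKE '%backup%'
-AND vol_name NOT IN (
-'Slack',
-'Docker',
-'Google Chrome',
-'Figma Agent Installer',
-'WhatsApp Installer',
-'Snagit',
-'Bartender 4'
-)
-AND base_name NOT IN ('JDK', 'Aqua')
-AND vol_name NOT LIKE 'Signal %-universal'
-AND vol_name NOT LIKE 'Gephi %'
-AND mounts.path NOT LIKE '/private/tmp/KSInstallAction.%'
-AND mounts.path NOT IN ('/private/var/setup')
-GROUP BY mounts.path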