Query reorganization

2025-01-20 20:40:43 +00:00 · 2022-09-08 09:53:43 -04:00 · 2022-09-08 09:53:43 -04:00 · cbaf2f989c
commit cbaf2f989c
parent ba7755640a
21 changed files with 135 additions and 29 deletions
--- a/alf_exceptions/unexpected-alf-entries.sql
+++ b/alf_exceptions/unexpected-alf-entries.sql
--- a/chrome_extensions/unexpected-chrome-extensions.sql
+++ b/chrome_extensions/unexpected-chrome-extensions.sql
--- a/device_chrome_extensions/risky-device-chrome-extensions.sql
+++ b/device_chrome_extensions/risky-device-chrome-extensions.sql
--- a/file/unexpected-dev-entries.sql
+++ b/file/unexpected-dev-entries.sql
@ -0,0 +1,10 @@
+-- Inspired by BPFdoor
+-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+SELECT *
+FROM file
+WHERE (
+        path LIKE "/dev/shm/%"
+        OR path LIKE "/dev/%/.%"
+        OR path LIKE "/dev/mqueue/%"
+)
+AND filename NOT IN ('.', '..')
--- a/file/unexpected-hidden-system-folders.sql
+++ b/file/unexpected-hidden-system-folders.sql
--- a/file/unexpected-tmp-executables.sql
+++ b/file/unexpected-tmp-executables.sql
@ -0,0 +1,13 @@
+SELECT * FROM file WHERE
+(path LIKE "/tmp/%%" OR path LIKE "/var/tmp/%%")
+AND type = "regular"
+AND mode LIKE "07%"
+AND path NOT LIKE "%go-build%"
+AND path NOT LIKE "%/bin/%-gen"
+AND path NOT LIKE "%/bin/%"
+AND path NOT LIKE "%/ko/%"
+AND path NOT LIKE "%/CCLBS/%"
+AND PATH NOT LIKE "%/tmp/epdf%"
+AND PATH NOT LIKE "%/pdf-tools/%"
+AND PATH NOT LIKE "/tmp/%.sh"
+AND PATH NOT LIKE "/tmp/terraformer/%"
--- a/launchd/unexpected-launchd.sql
+++ b/launchd/unexpected-launchd.sql
--- a/listening_ports/unexpected-listeners.sql
+++ b/listening_ports/unexpected-listeners.sql
@ -43,6 +43,7 @@ WHERE port != 0
    AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
    AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=4161 AND lp.protocol=6)
    AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=41641 AND lp.protocol=17)
+    AND NOT (p.name='Sonos' AND p.cwd='/' AND lp.port=3400 AND lp.protocol=6)
    -- macOS --
    AND NOT (p.name IN ('launchd','netbiosd') AND p.cwd='/' AND lp.port IN (137,138) AND lp.protocol=17)
    AND NOT (p.name='Arc Helper' AND p.cwd='/' AND lp.port>5000 AND lp.protocol=17)
--- a/process_envs/processes_without_an_environment.sql
+++ b/process_envs/processes_without_an_environment.sql
@ -0,0 +1,10 @@
+-- Inspired by BPFdoor
+-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+SELECT COUNT(*) AS count,
+    p.pid,
+    p.path,
+    p.cmdline
+FROM process_envs pe
+    JOIN processes p ON pe.pid = p.pid
+GROUP BY p.pid
+HAVING count == 0;
--- a/process_envs/unexpected-env-values.sql
+++ b/process_envs/unexpected-env-values.sql
@ -0,0 +1,25 @@
+-- Inpsired by BPFdoor and other intrusions
+-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
+SELECT key,
+    value,
+    p.pid,
+    p.path,
+    p.cmdline
+FROM process_envs pe
+    JOIN processes p ON pe.pid = p.pid
+WHERE key = 'HISTFILE'
+    OR (
+        key = 'HOME'
+        AND NOT value LIKE '/home/%'
+        AND NOT value LIKE "/var/lib/%"
+        AND NOT value LIKE "/Users/%"
+        AND NOT value IN ('/root', '/var/spool/cups/tmp', '/var/empty', '/var/db/cmiodalassistants', '/run/systemd' '/')
+    OR (
+        key = 'LD_PRELOAD'
+        AND NOT pe.value LIKE ':/snap/%'
+        AND NOT pe.value LIKE '/app/bin/%'
+        AND NOT (
+            p.path LIKE '%/firefox'
+            AND value LIKE 'libmozsandbox.so%'
+        )
+    )
--- a/process_open_sockets/unexpected-talkers.sql
+++ b/process_open_sockets/unexpected-talkers.sql
@ -20,12 +20,12 @@ AND s.state != 'LISTEN'
 AND NOT (p.cmdline LIKE '%.com.flexibits.fantastical2.mac.helper' AND remote_port = 443)
 AND NOT (p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' AND remote_port = 443)
 AND NOT (p.name = 'launcher' AND p.cwd='/' AND remote_port=443 AND protocol=6)
-AND NOT (p.name = 'syncthing' AND remote_port IN (22067,443,22000,22068,39051))
+AND NOT (p.name = 'syncthing' AND remote_port IN (22067,443,22000,22068,39051,587))
 AND NOT (p.name = 'zoom.us' AND remote_port IN (443,8801))
 AND NOT (p.name = 'avconferenced' AND remote_port = 1234)
 AND NOT (p.name IN ('chrome', 'Google Chrome Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (8080,8000,8008,8443,8888) AND remote_address LIKE '192.168.%')
-AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (443,80,8009,8080,8443,5228,32211,53,10001,3478))
-AND NOT (p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') AND remote_port IN (443,587,465,993))
+AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (443,80,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,19307,19308,19309))
+AND NOT (p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') AND remote_port IN (443,587,465,585,993))
 AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (443,8009,4070,32211))
 AND NOT (p.name='cloud_sql_proxy' AND remote_port IN (443,3307))
 AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
@ -49,6 +49,7 @@ AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80))
 AND NOT (p.path LIKE '%/NetworkManager' AND remote_port IN (67,80))
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port > 32000)
+AND NOT (p.path LIKE '%Tailscale%' AND remote_port > 32000)
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port>5000 AND protocol=6)
@ -105,8 +106,8 @@ AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
        'terraform',
        'tkn',
        'vcluster',
-        'xmobar'
-        'zoom',
+        'xmobar',
+        'zoom'
    )
 )
 AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
--- a/processes/deleted-processes.sql
+++ b/processes/deleted-processes.sql
--- a/processes/low_process_ctime_delta.sql
+++ b/processes/low_process_ctime_delta.sql
@ -0,0 +1,24 @@
+SELECT f.path, f.ctime, p.start_time, (p.start_time - f.ctime) AS delta
+FROM processes p
+JOIN file f ON p.path = f.path
+WHERE p.start_time > 0
+AND delta < 300
+AND delta > 0
+AND NOT p.path IN (
+   '/Library/Application Support/Logitech.localized/Logitech Presentation.localized/Onboarding.app/Contents/MacOS/Onboarding',
+   '/opt/google/chrome/chrome',
+   '/usr/bin/containerd',
+   '/usr/bin/obs',
+   '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
+   '/usr/libexec/fwupd/fwupd',
+   '/usr/libexec/sssd/sssd_kcm',
+   '/usr/sbin/cupsd',
+   '/usr/sbin/tailscaled'
+)
+AND NOT p.path LIKE "/Applications/%.app/%"
+AND NOT p.path LIKE "/Library/Apple/System/%"
+AND NOT p.path LIKE "/private/var/db/com.apple.xpc.roleaccountd.staging/%"
+AND NOT p.path LIKE "/Library/Apple/System/Library/%"
+AND NOT p.path LIKE "%-go-build%"
+AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%"
+AND NOT p.path LIKE "%/.vscode/extensions/%"
--- a/processes/old-binaries-running.sql
+++ b/processes/old-binaries-running.sql
@ -0,0 +1,16 @@
+-- Detect poorly done timestamping
+-- Alert on programs running that are over a year old
+SELECT *,
+    ((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
+    ((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days,
+    ((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days
+FROM processes p
+    JOIN file f ON p.path = f.path
+WHERE (
+        ctime_age_days > 982
+        OR mtime_age_days > 982
+        OR (
+            f.btime > 1
+            AND btime_age_days > 1200
+        )
+    )
--- a/processes/unexpected-shell-parents.sql
+++ b/processes/unexpected-shell-parents.sql
@ -7,22 +7,35 @@ SELECT p.name,
 FROM processes p
    JOIN processes pp ON pp.pid = p.parent
 WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
-AND NOT (parent_name='login' AND parent_path='/usr/bin/login')
-AND NOT (parent_name='launchd' AND parent_path='/sbin/launchd')
-AND NOT (parent_name='gnome-terminal-' AND parent_path='/usr/libexec/gnome-terminal-server')
-AND NOT (parent_name='Code Helper (Renderer)' AND parent_path='/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)')
-AND NOT (parent_name='systemd' AND parent_path='/usr/lib/systemd/systemd')
-AND NOT (parent_name='alacritty' AND parent_path='/usr/bin/alacritty')
-AND NOT (parent_name='tmux:server' AND parent_path='/usr/bin/tmux')
-AND NOT (parent_name='xfce4-terminal' AND parent_path='/usr/bin/xfce4-terminal')
-AND NOT (parent_name='launchd_startx' AND parent_path='/opt/X11/libexec/launchd_startx')
-AND NOT (parent_name='Code Helper (Renderer)' AND parent_path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)')
-AND NOT (parent_name='terminator' AND parent_path LIKE '/usr/bin/python3.%')
-AND NOT (parent_name='npm run server' AND parent_path='/usr/bin/node')
-AND NOT (parent_name='wezterm-gui' AND parent_path LIKE '/private/var/folders/%/WezTerm.app/Contents/MacOS/wezterm-gui')
-AND NOT (parent_name='zsh' AND parent_path='/bin/zsh')
-AND NOT (parent_name='tmux' AND parent_path='/opt/homebrew/Cellar/tmux/3.3a/bin/tmux')
-AND NOT (parent_name='bash' AND parent_path LIKE '/nix/store/%-bash-interactive-%/bin/bash')
 AND NOT (parent_name='alacritty' AND parent_path LIKE '/nix/store/%-alacritty-%/bin/alacritty')
+AND NOT (parent_name='alacritty' AND parent_path='/usr/bin/alacritty')
+AND NOT (parent_name='bash' AND parent_path LIKE '/nix/store/%-bash-interactive-%/bin/bash')
+AND NOT (parent_name='bash' AND parent_path LIKE '/Users/%/homebrew/Cellar/bash/%/bin/bash')
+AND NOT (parent_name='bash' AND parent_path='/Applications/GoLand.app/Contents/MacOS/goland')
+AND NOT (parent_name='Code Helper (Renderer)' AND parent_path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)')
+AND NOT (parent_name='Code Helper (Renderer)' AND parent_path='/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)')
+AND NOT (parent_name='crond' AND parent_path='/usr/bin/crond')
+AND NOT (parent_name='dash' AND parent_path='/usr/bin/dash')
+AND NOT (parent_name='sdzoomplugin' AND path="/bin/bash")
+AND NOT (parent_name='Emacs-arm64-11' AND parent_path='/Applications/Emacs.app/Contents/MacOS/Emacs-arm64-11')
+AND NOT (parent_name='gnome-terminal-' AND parent_path='/usr/libexec/gnome-terminal-server')
+AND NOT (parent_name='launchd_startx' AND parent_path='/opt/X11/libexec/launchd_startx')
+AND NOT (parent_name='launchd' AND parent_path='/sbin/launchd')
+AND NOT (parent_name='login' AND parent_path='/usr/bin/login')
+AND NOT (parent_name='node' AND cmdline LIKE '%lint%')
+AND NOT (parent_name='perl' AND cmdline LIKE '%zfs recv%')
+AND NOT (parent_name='roxterm' AND parent_path='/usr/bin/roxterm')
+AND NOT (parent_name='systemd' AND parent_path='/usr/lib/systemd/systemd')
+AND NOT (parent_name='terminator' AND parent_path LIKE '/usr/bin/python3.%')
+AND NOT (parent_name='tmux:server' AND parent_path='/usr/bin/tmux')
+AND NOT (parent_name='tmux' AND parent_path='/opt/homebrew/Cellar/tmux/3.3a/bin/tmux')
+AND NOT (parent_name='wezterm-gui' AND parent_path LIKE '/private/var/folders/%/WezTerm.app/Contents/MacOS/wezterm-gui')
+AND NOT (parent_name='xfce4-terminal' AND parent_path='/usr/bin/xfce4-terminal')
 AND NOT (parent_name='zsh' AND parent_path='/Applications/Warp.app/Contents/MacOS/stable')
-AND NOT (parent_name='bash' AND parent_path='/Applications/GoLand.app/Contents/MacOS/goland')
+AND NOT (parent_name='zsh' AND parent_path='/bin/zsh')
+AND NOT parent_name IN (
+    'monorail',
+    'go',
+    'goland',
+    'demoit'
+)
--- a/processes/unexpectedly-high-readers.sql
+++ b/processes/unexpectedly-high-readers.sql
--- a/processes/unexpectedly-high-writers.sql
+++ b/processes/unexpectedly-high-writers.sql
--- a/safari_extensions/safari-extensions.sql
+++ b/safari_extensions/safari-extensions.sql
--- a/suid_bin/unexpected-setuid-binaries.sql
+++ b/suid_bin/unexpected-setuid-binaries.sql
--- a/system_units/unexpected-systemd.sql
+++ b/system_units/unexpected-systemd.sql
--- a/unexpected-preload.sql
+++ b/unexpected-preload.sql
@ -1,7 +0,0 @@
-SELECT *
-FROM process_envs pe
-    JOIN processes p ON pe.pid = p.pid
-WHERE key = 'LD_PRELOAD'
-AND NOT pe.value LIKE ':/snap/%'
-AND NOT pe.value LIKE '/app/bin/%'
-AND NOT (p.path LIKE '%/firefox' AND value LIKE 'libmozsandbox.so%')