More scripts

fd/unexpected-dev-opener.sql

@@ -31,6 +31,7 @@ WHERE pof.path LIKE '/dev/%'
     )
 AND NOT pof.path LIKE '/dev/ttys%'
 AND NOT pof.path LIKE '/dev/pts/%'
+AND NOT pof.path LIKE '/dev/snd/pcm%'
 AND NOT pof.path LIKE '/dev/snd/control%'
 AND NOT pof.path LIKE '/dev/shm/.com.google.%'
 AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
@@ -48,6 +49,7 @@ AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE
 AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd' AND device='/dev/kmsg')
 AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
 AND NOT (p.name='chrome' AND device LIKE '/dev/video%')
+AND NOT (p.name='chrome' AND device LIKE '/dev/hidraw%')
 AND NOT (p.name='firefox' AND device LIKE '/dev/shm/.%')
 AND NOT (program='/sbin/launchd' AND device='/dev/console')
 AND NOT (program='/System/Library/Frameworks/GSS.framework/Helpers/GSSCred' AND device='/dev/auditsessions')

fs/unexpected-hidden-system-folders.sql

@@ -29,6 +29,7 @@ WHERE (
         '/.file',
         '/.vol/',
         '/.VolumeIcon.icns',
+        '/tmp/.dotnet/'
         '/tmp/._contentbarrier_installed',
         '/tmp/../',
         '/tmp/./',

fs/unexpected-tmp-executables.sql

@@ -1,4 +1,4 @@
-SELECT file.path, uid, gid, mode, strftime('%s', 'now') - ctime AS mtime_age, magic.*, hash.sha256
+SELECT file.path, uid, gid, mode, file.mtime, magic.data, hash.sha256
 FROM file
 JOIN magic ON file.path = magic.path
 JOIN hash on file.path = hash.path
@@ -20,4 +20,4 @@ AND file.path NOT LIKE "/tmp/com.apple.installer%"
 -- Nix
 AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
 -- Don't alert if it's only on disk for a moment
-AND NOT (file.directory LIKE "/tmp/%" AND mtime_age < 60)
+AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)

process/hidden-cwd.sql

@@ -0,0 +1,19 @@
+SELECT p.pid,
+    p.path,
+    p.name,
+    p.cmdline,
+    p.cwd,
+    p.euid,
+    p.parent,
+    pp.path AS parent_path,
+    pp.name AS parent_name,
+    pp.cmdline AS parent_cmdline,
+    pp.euid AS parent_euid
+FROM processes p
+    JOIN processes pp ON p.parent = pp.pid
+WHERE
+p.cwd LIKE "%/.%" AND NOT (
+    p.cwd LIKE "%/.local/share%" OR
+    p.cwd LIKE "%/.vscode/extensions%" OR
+    p.name = 'bindfs'
+)

process/masqueraders.sql

@@ -0,0 +1,30 @@
+SELECT p.name,
+    f.filename,
+    p.path,
+    p.cmdline
+FROM processes p
+    JOIN file f ON p.path = f.path
+WHERE SUBSTR(f.filename, 0, 8) != SUBSTR(p.name, 0, 8)
+AND NOT (p.name='.firefox-wrappe' AND filename='firefox')
+AND NOT (p.name='(sd-pam)' AND filename='systemd')
+AND NOT (p.name='code-oss' AND filename='electron')
+AND NOT (p.name='gjs' AND filename='gjs-console')
+AND NOT (p.name='Isolated Web Co' AND filename='firefox')
+AND NOT (p.name='mysqld' AND filename='mariadbd')
+AND NOT (p.name='tmux:client' AND filename='tmux')
+AND NOT (p.name='tmux:server' AND filename='tmux')
+AND NOT (p.name='nix-daemon' AND filename='nix')
+AND NOT (p.name='Privileged Cont' AND filename='firefox')
+AND NOT (p.name='RDD Process' AND filename='firefox')
+AND NOT (p.name='sh' AND filename='dash')
+AND NOT (p.name='Socket Process' AND filename='firefox')
+AND NOT (p.name='systemd-udevd' AND filename='udevadm')
+AND NOT (p.name='update-notifier' AND filename='dash')
+AND NOT (p.name='Utility Process' AND filename='firefox')
+AND NOT (p.name='Web Content' AND filename='firefox')
+AND NOT (p.name='Web Content' AND filename='thunderbird')
+AND NOT (p.name='WebExtensions' AND filename='firefox')
+AND NOT (p.name='X' AND filename='Xorg')
+AND NOT p.path LIKE '/nix/store/%/bin/bash'
+AND NOT p.path LIKE '/usr/bin/python3%'
+AND NOT (p.name LIKE '%.sh' AND filename='dash')

process/sketchy-cmdline.sql

@@ -0,0 +1,52 @@
+SELECT p.pid,
+    p.path,
+    p.name,
+    p.cmdline,
+    p.cwd,
+    p.euid,
+    p.parent,
+    pp.path AS parent_path,
+    pp.name AS parent_name,
+    pp.cmdline AS parent_cmdline,
+    pp.euid AS parent_euid
+FROM processes p
+    JOIN processes pp ON p.parent = pp.pid
+WHERE
+
+-- Known attack scripts
+p.cmdline LIKE "%bitspin%" OR
+p.cmdline LIKE "%lushput%" OR
+p.cmdline LIKE "%incbit%" OR
+p.cmdline LIKE "%treason%" OR
+-- Unusual behaviors
+p.cmdline LIKE "%ufw disable%" OR
+p.cmdline LIKE "%iptables -P INPUT ACCEPT%" OR
+p.cmdline LIKE "%iptables -P OUTPUT ACCEPT%" OR
+p.cmdline LIKE "%iptables -P FORWARD ACCEPT%" OR
+p.cmdline LIKE "%iptables -F%" OR
+p.cmdline LIKE "%chattr -ia%" OR
+p.cmdline LIKE "%base64%" OR
+p.cmdline LIKE "%xxd%" OR
+p.cmdline LIKE "%touch%acmr%" OR
+p.cmdline LIKE "%ld.so.preload%" OR
+p.cmdline LIKE "%urllib.urlopen%" OR
+p.cmdline LIKE "%nohup%tmp%" OR
+-- Crypto miners
+p.cmdline LIKE "%c3pool%" OR
+p.cmdline LIKE "%cryptonight%" OR
+p.cmdline LIKE "%f2pool%" OR
+p.cmdline LIKE "%hashrate%" OR
+p.cmdline LIKE "%hashvault%" OR
+p.cmdline LIKE "%minerd%" OR
+p.cmdline LIKE "%monero%" OR
+p.cmdline LIKE "%nanopool%" OR
+p.cmdline LIKE "%nicehash%" OR
+p.cmdline LIKE "%stratum%" OR
+p.cmdline LIKE "%xig%" OR
+p.cmdline LIKE "%xmr%" OR
+-- Random keywords
+p.cmdline LIKE "%ransom%" OR
+p.cmdline LIKE "%hack%" OR
+p.cmdline LIKE "%malware%" OR
+p.cmdline LIKE "%plant%" OR
+(p.cmdline LIKE "%crypt%" AND p.path NOT LIKE "%CryptoTokenKit%")

process/unexpected-privilege-escalation.sql

@@ -16,7 +16,8 @@ WHERE p.euid < pp.euid
         '/usr/bin/fusermount3',
         '/usr/bin/login',
         '/usr/bin/sudo',
-        '/usr/bin/doas'
+        '/usr/bin/doas',
+        '/bin/ps'
     )
     AND p.path NOT LIKE "/nix/store/%/bin/sudo"
     AND p.path NOT LIKE "/nix/store/%/bin/dhcpcd"

process/unexpected-process-directory.sql

@@ -64,6 +64,7 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
         '/usr/libexec/ApplicationFirewall',
         '/usr/libexec/rosetta',
         '/usr/sbin',
+        '/Library/Printers/DYMO/Utilities',
         '/Library/Developer/CommandLineTools/usr/bin',
         '/usr/share/code'
     )

process/unexpected-setuid-running.sql

@@ -12,5 +12,7 @@ WHERE f.mode NOT LIKE '0%'
         '/usr/bin/fusermount3',
         '/usr/bin/login',
         '/usr/bin/sudo',
-        '/usr/bin/doas'
+        '/usr/bin/doas',
+        '/bin/ps',
+        '/usr/bin/ssh-agent'
     );

process/unexpectedly-high-writers.sql

@@ -14,6 +14,7 @@ WHERE bytes_per_second > 2000000
     AND path NOT IN (
         '/bin/bash',
         '/usr/bin/bash',
+        '/usr/bin/zsh',
         '/usr/bin/fish',
         '/usr/bin/gnome-shell',
         '/usr/lib/systemd/systemd-journald',
@@ -25,7 +26,8 @@ WHERE bytes_per_second > 2000000
         '/usr/libexec/rosetta/oahd',
         '/usr/libexec/secd',
         '/usr/bin/aptd',
-        '/usr/sbin/screencapture'
+        '/usr/sbin/screencapture',
+        '/usr/lib64/thunderbird/thunderbird'
     )
     AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)
     AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')

process/unusual-fetcher.sql

@@ -0,0 +1,44 @@
+SELECT p.pid,
+    p.path,
+    p.name,
+    p.cmdline,
+    p.cwd,
+    p.euid,
+    p.parent,
+    pp.path AS parent_path,
+    pp.name AS parent_name,
+    pp.cmdline AS parent_cmdline,
+    pp.euid AS parent_euid
+FROM processes p
+    JOIN processes pp ON p.parent = pp.pid
+WHERE
+p.cmdline LIKE "%.onion%" OR
+p.cmdline LIKE "%tor2web%" OR
+p.cmdline LIKE "%aliyun%" OR
+p.cmdline LIKE "%pastebin%" OR
+p.cmdline LIKE "%curl %/.%" OR
+p.cmdline LIKE "%curl %0%" OR
+p.cmdline LIKE "%curl %1%" OR
+p.cmdline LIKE "%curl %2%" OR
+p.cmdline LIKE "%curl %3%" OR
+p.cmdline LIKE "%curl %4%" OR
+p.cmdline LIKE "%curl %5%" OR
+p.cmdline LIKE "%curl %6%" OR
+p.cmdline LIKE "%curl %7%" OR
+p.cmdline LIKE "%curl %8%" OR
+p.cmdline LIKE "%curl %9%" OR
+p.cmdline LIKE "%curl %--user-agent%" OR
+p.cmdline LIKE "%curl -fsSL%" OR
+p.cmdline LIKE "%wget %/.%" OR
+p.cmdline LIKE "%wget %0%" OR
+p.cmdline LIKE "%wget %1%" OR
+p.cmdline LIKE "%wget %2%" OR
+p.cmdline LIKE "%wget %3%" OR
+p.cmdline LIKE "%wget %4%" OR
+p.cmdline LIKE "%wget %5%" OR
+p.cmdline LIKE "%wget %6%" OR
+p.cmdline LIKE "%wget %7%" OR
+p.cmdline LIKE "%wget %8%" OR
+p.cmdline LIKE "%wget %9%" OR
+p.cmdline LIKE "%wget %--user-agent%" OR
+p.cmdline LIKE "%wget %--no-check-certificate%"

startup/unexpected-systemd.sql

@@ -603,12 +603,15 @@ WHERE active_state != "inactive"
                 'zfs-scrub.timer',
                 'zfs-share.service',
                 'zfs-snapshot-daily.timer',
+                'zfs-snapshot-daily.service',
                 'zfs-snapshot-frequent.service',
                 'zfs-snapshot-frequent.timer',
                 'zfs-snapshot-hourly.service',
                 'zfs-snapshot-hourly.timer',
                 'zfs-snapshot-monthly.timer',
+                'zfs-snapshot-monthly.service',
                 'zfs-snapshot-weekly.timer',
+                'zfs-snapshot-weekly.service',
                 'zfs-volume-wait.service',
                 'zfs-volumes.target',
                 'zfs-zed.service',