From dea818239f1f5b810975e340df2bdb4c3c0c3a0a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 9 Sep 2022 10:16:28 -0400
Subject: [PATCH] More scripts
---
 fd/unexpected-dev-opener.sql | 2 +
 fs/unexpected-hidden-system-folders.sql | 1 +
 fs/unexpected-tmp-executables.sql | 4 +-
 process/hidden-cwd.sql | 19 ++++++++
 process/masqueraders.sql | 30 ++++++++++++
 process/sketchy-cmdline.sql | 52 +++++++++++++++++++++
 process/unexpected-privilege-escalation.sql | 3 +-
 process/unexpected-process-directory.sql | 1 +
 process/unexpected-setuid-running.sql | 4 +-
 process/unexpectedly-high-writers.sql | 4 +-
 process/unusual-fetcher.sql | 44 +++++++++++++++++
 startup/unexpected-systemd.sql | 3 ++
 12 files changed, 162 insertions(+), 5 deletions(-)
 create mode 100644 process/hidden-cwd.sql
 create mode 100644 process/masqueraders.sql
 create mode 100644 process/sketchy-cmdline.sql
 create mode 100644 process/unusual-fetcher.sql
diff --git a/fd/unexpected-dev-opener.sql b/fd/unexpected-dev-opener.sql
index 18ac479..6b7eb50 100644
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@@ -31,6 +31,7 @@ WHERE pof.path LIKE '/dev/%'
 )
 AND NOT pof.path LIKE '/dev/ttys%'
 AND NOT pof.path LIKE '/dev/pts/%'
+AND NOT pof.path LIKE '/dev/snd/pcm%'
 AND NOT pof.path LIKE '/dev/snd/control%'
 AND NOT pof.path LIKE '/dev/shm/.com.google.%'
 AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
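Review bot: The new `/dev/snd/pcm%` exclusion is unconditional, so any process that opens the PCM capture/playback nodes disappears from this detection, not only the audio daemon it was presumably added for; for a query whose purpose is to surface unexpected device opens, microphone access by a program that has no business with audio is one of the cases worth keeping visible. The second hunk of this file shows the program-scoped form the outer query already uses, e.g. `AND NOT (program LIKE '<expected-audio-daemon-path>' AND device LIKE '/dev/snd/pcm%')`; placing the exception there keeps it bound to a binary rather than to a device path. The existing `/dev/snd/control%` line is equally broad, but mixer control nodes carry far less than a PCM stream. The enclosing query of this hunk starts above it.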
@@ -48,6 +49,7 @@ AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE
 AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd' AND device='/dev/kmsg')
 AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
 AND NOT (p.name='chrome' AND device LIKE '/dev/video%')
+AND NOT (p.name='chrome' AND device LIKE '/dev/hidraw%')
 AND NOT (p.name='firefox' AND device LIKE '/dev/shm/.%')
 AND NOT (program='/sbin/launchd' AND device='/dev/console')
 AND NOT (program='/System/Library/Frameworks/GSS.framework/Helpers/GSSCred' AND device='/dev/auditsessions')
diff --git a/fs/unexpected-hidden-system-folders.sql b/fs/unexpected-hidden-system-folders.sql
index 9c2bc09..425352d 100644
--- a/fs/unexpected-hidden-system-folders.sql
+++ b/fs/unexpected-hidden-system-folders.sql
@@ -29,6 +29,7 @@ WHERE (
 '/.file',
 '/.vol/',
 '/.VolumeIcon.icns',
+ '/tmp/.dotnet/'
 '/tmp/._contentbarrier_installed',
 '/tmp/../',
 '/tmp/./',
diff --git a/fs/unexpected-tmp-executables.sql b/fs/unexpected-tmp-executables.sql
index fbfe877..dab92fa 100644
--- a/fs/unexpected-tmp-executables.sql
+++ b/fs/unexpected-tmp-executables.sql
@@ -1,4 +1,4 @@
-SELECT file.path, uid, gid, mode, strftime('%s', 'now') - ctime AS mtime_age, magic.*, hash.sha256
+SELECT file.path, uid, gid, mode, file.mtime, magic.data, hash.sha256
 FROM file
 JOIN magic ON file.path = magic.path
 JOIN hash on file.path = hash.path
@@ -20,4 +20,4 @@ AND file.path NOT LIKE "/tmp/com.apple.installer%"
 -- Nix
 AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
 -- Don't alert if it's only on disk for a moment
-AND NOT (file.directory LIKE "/tmp/%" AND mtime_age < 60)
\ No newline at end of file
+AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
\ No newline at end of file
diff --git a/process/hidden-cwd.sql b/process/hidden-cwd.sql
new file mode 100644
index 0000000..5de597c
--- /dev/null
+++ b/process/hidden-cwd.sql
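Review bot: The new hidraw exclusion keys on `p.name='chrome'`, the process's self-reported name, whereas the surrounding exclusions in this hunk key on `program`, which from `program='/sbin/launchd'` appears to be the executable path; a process name is freely chosen by the process, so it is the weaker discriminator for an allowlist entry on a raw HID device. Mirroring the form used two lines above, e.g. `AND NOT (program LIKE '<chrome-binary-path>' AND device LIKE '/dev/hidraw%')`, binds the exception to the binary instead. The pre-existing `/dev/video%` line has the same shape and is outside this commit's change. The enclosing query starts above the hunk.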
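Review bot: The added `'/tmp/.dotnet/'` has no trailing comma, so it sits directly against the next element `'/tmp/._contentbarrier_installed',` with no separator; inside the value list that the enclosing `WHERE (` opens above this hunk that is a parse error, and the whole query stops loading rather than silently mis-matching one entry. The fix is the one-character change `'/tmp/.dotnet/',`. Worth a quick parse of the file after applying, since a detection query that fails to compile produces no alerts at all.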
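Review bot: The 60-second grace period on the new last line is computed from `ctime`, while the select list in the first hunk now exposes `file.mtime` and no longer any ctime-derived value, so an analyst looking at a row cannot see the timestamp that decided whether it was suppressed; ctime also moves on metadata-only changes such as a mode change, so a long-resident file that has just been made executable is suppressed for 60 seconds even though its content is old, which the comment `-- Don't alert if it's only on disk for a moment` does not convey. Either expose the column actually used, `file.ctime` alongside `file.mtime`, or base the suppression on the same timestamp the output shows, and name the column in the comment, e.g. `-- Don't alert if it's only on disk for a moment (ctime-based: also resets on chmod)`. Qualifying the reference as `file.ctime` would also be clearer given the two joins in the statement. The statement starts above this hunk.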
@@ -0,0 +1,19 @@
+SELECT p.pid,
+ p.path,
+ p.name,
+ p.cmdline,
+ p.cwd,
+ p.euid,
+ p.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid
+FROM processes p
+ JOIN processes pp ON p.parent = pp.pid
+WHERE
+p.cwd LIKE "%/.%" AND NOT (
+ p.cwd LIKE "%/.local/share%" OR
+ p.cwd LIKE "%/.vscode/extensions%" OR
+ p.name = 'bindfs'
+)
diff --git a/process/masqueraders.sql b/process/masqueraders.sql
new file mode 100644
index 0000000..20067c8
--- /dev/null
+++ b/process/masqueraders.sql
@@ -0,0 +1,30 @@
+SELECT p.name,
+ f.filename,
+ p.path,
+ p.cmdline
+FROM processes p
+ JOIN file f ON p.path = f.path
+WHERE SUBSTR(f.filename, 0, 8) != SUBSTR(p.name, 0, 8)
+AND NOT (p.name='.firefox-wrappe' AND filename='firefox')
+AND NOT (p.name='(sd-pam)' AND filename='systemd')
+AND NOT (p.name='code-oss' AND filename='electron')
+AND NOT (p.name='gjs' AND filename='gjs-console')
+AND NOT (p.name='Isolated Web Co' AND filename='firefox')
+AND NOT (p.name='mysqld' AND filename='mariadbd')
+AND NOT (p.name='tmux:client' AND filename='tmux')
+AND NOT (p.name='tmux:server' AND filename='tmux')
+AND NOT (p.name='nix-daemon' AND filename='nix')
+AND NOT (p.name='Privileged Cont' AND filename='firefox')
+AND NOT (p.name='RDD Process' AND filename='firefox')
+AND NOT (p.name='sh' AND filename='dash')
+AND NOT (p.name='Socket Process' AND filename='firefox')
+AND NOT (p.name='systemd-udevd' AND filename='udevadm')
+AND NOT (p.name='update-notifier' AND filename='dash')
+AND NOT (p.name='Utility Process' AND filename='firefox')
+AND NOT (p.name='Web Content' AND filename='firefox')
+AND NOT (p.name='Web Content' AND filename='thunderbird')
+AND NOT (p.name='WebExtensions' AND filename='firefox')
+AND NOT (p.name='X' AND filename='Xorg')
+AND NOT p.path LIKE '/nix/store/%/bin/bash'
+AND NOT p.path LIKE '/usr/bin/python3%'
+AND NOT (p.name LIKE '%.sh' AND filename='dash')
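Review bot: `JOIN processes pp ON p.parent = pp.pid` is an inner join, so a process whose parent row is not present in `processes` at query time (parent already exited, or `parent` reported as 0) drops out of the result entirely instead of being reported with empty parent columns; for a detection query that is a silent gap rather than a noisy one. `LEFT JOIN processes pp ON p.parent = pp.pid` keeps the row and leaves `parent_path`, `parent_name`, `parent_cmdline` and `parent_euid` NULL, which is the more useful failure mode here. The identical join appears in process/sketchy-cmdline.sql and process/unusual-fetcher.sql in this patch and would take the same change.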
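Review bot: `SUBSTR(f.filename, 0, 8) != SUBSTR(p.name, 0, 8)` compares only the first seven characters, not eight: SQLite's substr is 1-based, position 0 denotes the empty slot before the first character, and a length of 8 from there yields 7 characters. If an 8-character prefix is intended, write `WHERE SUBSTR(f.filename, 1, 8) != SUBSTR(p.name, 1, 8)`; if 7 is fine, a comment saying so would stop the next reader from "fixing" it. The exclusion list also refers to `filename` unqualified while the WHERE uses `f.filename`; qualifying it consistently avoids ambiguity should a same-named column ever appear on `processes`.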
diff --git a/process/sketchy-cmdline.sql b/process/sketchy-cmdline.sql
new file mode 100644
index 0000000..6921fc2
--- /dev/null
+++ b/process/sketchy-cmdline.sql
@@ -0,0 +1,52 @@
+SELECT p.pid,
+ p.path,
+ p.name,
+ p.cmdline,
+ p.cwd,
+ p.euid,
+ p.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid
+FROM processes p
+ JOIN processes pp ON p.parent = pp.pid
+WHERE
+
+-- Known attack scripts
+p.cmdline LIKE "%bitspin%" OR
+p.cmdline LIKE "%lushput%" OR
+p.cmdline LIKE "%incbit%" OR
+p.cmdline LIKE "%treason%" OR
+-- Unusual behaviors
+p.cmdline LIKE "%ufw disable%" OR
+p.cmdline LIKE "%iptables -P INPUT ACCEPT%" OR
+p.cmdline LIKE "%iptables -P OUTPUT ACCEPT%" OR
+p.cmdline LIKE "%iptables -P FORWARD ACCEPT%" OR
+p.cmdline LIKE "%iptables -F%" OR
+p.cmdline LIKE "%chattr -ia%" OR
+p.cmdline LIKE "%base64%" OR
+p.cmdline LIKE "%xxd%" OR
+p.cmdline LIKE "%touch%acmr%" OR
+p.cmdline LIKE "%ld.so.preload%" OR
+p.cmdline LIKE "%urllib.urlopen%" OR
+p.cmdline LIKE "%nohup%tmp%" OR
+-- Crypto miners
+p.cmdline LIKE "%c3pool%" OR
+p.cmdline LIKE "%cryptonight%" OR
+p.cmdline LIKE "%f2pool%" OR
+p.cmdline LIKE "%hashrate%" OR
+p.cmdline LIKE "%hashvault%" OR
+p.cmdline LIKE "%minerd%" OR
+p.cmdline LIKE "%monero%" OR
+p.cmdline LIKE "%nanopool%" OR
+p.cmdline LIKE "%nicehash%" OR
+p.cmdline LIKE "%stratum%" OR
+p.cmdline LIKE "%xig%" OR
+p.cmdline LIKE "%xmr%" OR
+-- Random keywords
+p.cmdline LIKE "%ransom%" OR
+p.cmdline LIKE "%hack%" OR
+p.cmdline LIKE "%malware%" OR
+p.cmdline LIKE "%plant%" OR
+(p.cmdline LIKE "%crypt%" AND p.path NOT LIKE "%CryptoTokenKit%")
\ No newline at end of file
diff --git a/process/unexpected-privilege-escalation.sql b/process/unexpected-privilege-escalation.sql
index f7aa9fe..db57999 100644
--- a/process/unexpected-privilege-escalation.sql
+++ b/process/unexpected-privilege-escalation.sql
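Review bot: The WHERE clause is a bare chain of `OR` terms with no enclosing parentheses; because `AND` binds tighter than `OR`, any `AND NOT (...)` exclusion appended later applies only to the final disjunct, exactly as the `%CryptoTokenKit%` exception on the last line already applies only to `%crypt%` and not to the 35 patterns above it. Opening a parenthesis after `WHERE` and closing it after the last `LIKE` term, the way hidden-cwd.sql structures its `AND NOT (` block, makes future exclusions safe to add. Several terms are short substrings that match ordinary words (`"%plant%"` matches `transplant`, `"%crypt%"` matches `encrypt`, `"%hack%"`, `"%xig%"`), so the `-- Random keywords` section is likely to dominate the output; a comment stating that this breadth is intentional would help whoever tunes it.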
@@ -16,7 +16,8 @@ WHERE p.euid < pp.euid
 '/usr/bin/fusermount3',
 '/usr/bin/login',
 '/usr/bin/sudo',
- '/usr/bin/doas'
+ '/usr/bin/doas',
+ '/bin/ps'
 )
 AND p.path NOT LIKE "/nix/store/%/bin/sudo"
 AND p.path NOT LIKE "/nix/store/%/bin/dhcpcd"
diff --git a/process/unexpected-process-directory.sql b/process/unexpected-process-directory.sql
index a25d1ee..7e66aac 100644
--- a/process/unexpected-process-directory.sql
+++ b/process/unexpected-process-directory.sql
@@ -64,6 +64,7 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 '/usr/libexec/ApplicationFirewall',
 '/usr/libexec/rosetta',
 '/usr/sbin',
+ '/Library/Printers/DYMO/Utilities',
 '/Library/Developer/CommandLineTools/usr/bin',
 '/usr/share/code'
 )
diff --git a/process/unexpected-setuid-running.sql b/process/unexpected-setuid-running.sql
index 51f4fe4..f1e205d 100644
--- a/process/unexpected-setuid-running.sql
+++ b/process/unexpected-setuid-running.sql
@@ -12,5 +12,7 @@ WHERE f.mode NOT LIKE '0%'
 '/usr/bin/fusermount3',
 '/usr/bin/login',
 '/usr/bin/sudo',
- '/usr/bin/doas'
+ '/usr/bin/doas',
+ '/bin/ps',
+ '/usr/bin/ssh-agent'
 );
\ No newline at end of file
diff --git a/process/unexpectedly-high-writers.sql b/process/unexpectedly-high-writers.sql
index f9a4f51..eaf9cd5 100644
--- a/process/unexpectedly-high-writers.sql
+++ b/process/unexpectedly-high-writers.sql
@@ -14,6 +14,7 @@ WHERE bytes_per_second > 2000000
 AND path NOT IN (
 '/bin/bash',
 '/usr/bin/bash',
+ '/usr/bin/zsh',
 '/usr/bin/fish',
 '/usr/bin/gnome-shell',
 '/usr/lib/systemd/systemd-journald',
@@ -25,7 +26,8 @@ WHERE bytes_per_second > 2000000
 '/usr/libexec/rosetta/oahd',
 '/usr/libexec/secd',
 '/usr/bin/aptd',
- '/usr/sbin/screencapture'
+ '/usr/sbin/screencapture',
+ '/usr/lib64/thunderbird/thunderbird'
 )
 AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)
 AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')
diff --git a/process/unusual-fetcher.sql b/process/unusual-fetcher.sql
new file mode 100644
index 0000000..d20203b
--- /dev/null
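Review bot: Adding `'/bin/ps'` to the set of binaries expected to run with a lower euid than their parent is undocumented in the list, and ps is not typically setuid or setgid on Linux, so it is not obvious which platform this exception is for or whether it can be retired later; a trailing comment keeps the entry from reading as stale or accidental, e.g. `'/bin/ps' -- TODO(review): record the platform where ps is setuid/setgid`. The same `'/bin/ps'` entry is added to process/unexpected-setuid-running.sql in this patch and would benefit from the same note. The IN list this hunk edits opens above the hunk.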
+++ b/process/unusual-fetcher.sql
@@ -0,0 +1,44 @@
+SELECT p.pid,
+ p.path,
+ p.name,
+ p.cmdline,
+ p.cwd,
+ p.euid,
+ p.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid
+FROM processes p
+ JOIN processes pp ON p.parent = pp.pid
+WHERE
+p.cmdline LIKE "%.onion%" OR
+p.cmdline LIKE "%tor2web%" OR
+p.cmdline LIKE "%aliyun%" OR
+p.cmdline LIKE "%pastebin%" OR
+p.cmdline LIKE "%curl %/.%" OR
+p.cmdline LIKE "%curl %0%" OR
+p.cmdline LIKE "%curl %1%" OR
+p.cmdline LIKE "%curl %2%" OR
+p.cmdline LIKE "%curl %3%" OR
+p.cmdline LIKE "%curl %4%" OR
+p.cmdline LIKE "%curl %5%" OR
+p.cmdline LIKE "%curl %6%" OR
+p.cmdline LIKE "%curl %7%" OR
+p.cmdline LIKE "%curl %8%" OR
+p.cmdline LIKE "%curl %9%" OR
+p.cmdline LIKE "%curl %--user-agent%" OR
+p.cmdline LIKE "%curl -fsSL%" OR
+p.cmdline LIKE "%wget %/.%" OR
+p.cmdline LIKE "%wget %0%" OR
+p.cmdline LIKE "%wget %1%" OR
+p.cmdline LIKE "%wget %2%" OR
+p.cmdline LIKE "%wget %3%" OR
+p.cmdline LIKE "%wget %4%" OR
+p.cmdline LIKE "%wget %5%" OR
+p.cmdline LIKE "%wget %6%" OR
+p.cmdline LIKE "%wget %7%" OR
+p.cmdline LIKE "%wget %8%" OR
+p.cmdline LIKE "%wget %9%" OR
+p.cmdline LIKE "%wget %--user-agent%" OR
+p.cmdline LIKE "%wget %--no-check-certificate%"
\ No newline at end of file
diff --git a/startup/unexpected-systemd.sql b/startup/unexpected-systemd.sql
index 61b6a3a..2d69336 100644
--- a/startup/unexpected-systemd.sql
+++ b/startup/unexpected-systemd.sql
@@ -603,12 +603,15 @@ WHERE active_state != "inactive"
 'zfs-scrub.timer',
 'zfs-share.service',
 'zfs-snapshot-daily.timer',
+ 'zfs-snapshot-daily.service',
 'zfs-snapshot-frequent.service',
 'zfs-snapshot-frequent.timer',
 'zfs-snapshot-hourly.service',
 'zfs-snapshot-hourly.timer',
 'zfs-snapshot-monthly.timer',
+ 'zfs-snapshot-monthly.service',
 'zfs-snapshot-weekly.timer',
+ 'zfs-snapshot-weekly.service',
 'zfs-volume-wait.service',
 'zfs-volumes.target',
 'zfs-zed.service',
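Review bot: The ten `"%curl %0%"` … `"%curl %9%"` patterns, and the matching `wget` set, fire on any digit anywhere after the command name — a versioned URL path, a port number, `-o out2` — so nearly every curl or wget invocation will match, and the genuinely discriminating terms (`%.onion%`, `%--no-check-certificate%`, `%curl %/.%`) are buried in that volume. If the intent is to catch URLs given as bare IP literals, anchor on the scheme rather than on a digit: with plain LIKE something like `p.cmdline LIKE "%://_%._%._%._%"` is still loose, so if this osquery build exposes `regex_match`, a single term such as `regex_match(p.cmdline, '://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+', 0) IS NOT NULL` would express the intent in one line in place of the twenty. A `--` comment above the block stating what the digit patterns are meant to catch would help whoever tunes this next.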