Run 'make reformat'

This commit is contained in:
Thomas Stromberg 2023-01-20 09:24:24 -05:00
parent e13773d9b7
commit e6824d87e9
Failed to extract signature
27 changed files with 114 additions and 76 deletions

View File

@ -210,7 +210,8 @@ WHERE
AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
)
AND NOT (
s.remote_port = 80 AND (
s.remote_port = 80
AND (
p.cgroup_path LIKE '/system.slice/docker-%'
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
)

View File

@ -210,4 +210,3 @@ WHERE
)
GROUP BY
pof.pid

View File

@ -48,7 +48,8 @@ SELECT
)
) AS exception_key
FROM
process_events pe, uptime
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN hash phash ON pp.path = phash.path

View File

@ -48,7 +48,8 @@ SELECT
)
) AS exception_key
FROM
process_events pe, uptime
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN hash phash ON pp.path = phash.path
@ -81,9 +82,7 @@ WHERE
'zsh'
)
)
AND exception_key NOT IN (
'netstat,0,sh,sudo'
)
AND exception_key NOT IN ('netstat,0,sh,sudo')
AND parent_cmd NOT IN ('/bin/sh /etc/periodic/daily/420.status-network')
GROUP BY
pe.pid

View File

@ -7,7 +7,8 @@
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
--
-- tags: transient process state
SELECT p.path,
SELECT
p.path,
p.cmdline,
p.cwd,
p.pid,
@ -22,11 +23,13 @@ SELECT p.path,
f.uid,
m.path,
f.gid
FROM processes p
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN magic m ON p.path = m.path
WHERE (
WHERE
(
ctime_age_days > 1050
OR mtime_age_days > 1050
)
@ -59,5 +62,6 @@ WHERE (
'Pandora Helper',
'dlv'
)
GROUP BY p.pid,
p.path
GROUP BY
p.pid,
p.path

View File

@ -35,7 +35,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
-- Unfortunately, there is no column for when an exception was granted, so
-- we're currently unable to filter out old entries.
exception_key NOT IN (
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',

View File

@ -4,7 +4,8 @@
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- tags: persistent state filesystem
SELECT file.path,
SELECT
file.path,
file.directory,
uid,
gid,
@ -13,10 +14,12 @@ SELECT file.path,
file.size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
-- This list is the result of multiple queries combined and can likely be minimized
file.path LIKE '/dev/%%'
OR file.path LIKE '/dev/%%/%%'
@ -68,4 +71,4 @@ WHERE (
AND file.mode = '0755'
AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
AND file.size > 1000000
)
)

View File

@ -8,7 +8,8 @@
--
-- platform: posix
-- tags: persistent filesystem state
SELECT file.path,
SELECT
file.path,
file.directory,
uid,
gid,
@ -20,10 +21,12 @@ SELECT file.path,
size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'
@ -155,4 +158,4 @@ WHERE (
AND NOT (
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
)

View File

@ -5,7 +5,8 @@
--
-- tags: persistent
-- platform: posix
SELECT file.path,
SELECT
file.path,
uid,
gid,
mode,
@ -16,10 +17,12 @@ SELECT file.path,
file.size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
-- Recursive queries don't seem to work well with hidden directories :(
file.path LIKE '/tmp/%%'
OR file.path LIKE '/tmp/.%/%%'
@ -126,7 +129,7 @@ WHERE (
file.type = 'regular'
AND size < 10
)
-- Binaries we might actually see legitimately
-- Binaries we might actually see legitimately
AND NOT (
file.path LIKE '/tmp/%'
AND file.uid > 500
@ -136,7 +139,6 @@ WHERE (
OR file.filename LIKE "%-cli"
)
)
-- All checks with magic.data must first check for a lack of NULL value,
-- otherwise you filter out platforms without magic.data.
AND NOT (

View File

@ -5,7 +5,8 @@
--
-- tags: persistent
-- platform: macos
SELECT file.path,
SELECT
file.path,
uid,
gid,
mode,
@ -18,11 +19,13 @@ SELECT file.path,
magic.data,
signature.identifier,
signature.authority
FROM file
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN signature ON file.path = signature.path
WHERE (
WHERE
(
-- Recursive queries don't seem to work well with hidden directories :(
file.path LIKE '/tmp/%%'
OR file.path LIKE '/tmp/.%/%%'
@ -130,7 +133,7 @@ WHERE (
AND NOT (
magic.data IS NOT NULL
AND (
magic.data = 'JSON data'
OR magic.data LIKE 'ELF %-bit %SB executable%'
magic.data = 'JSON data'
OR magic.data LIKE 'ELF %-bit %SB executable%'
)
)
)

View File

@ -118,4 +118,4 @@ WHERE
file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'
AND file.size < 40000
AND file.uid = 501
)
)

View File

@ -9,7 +9,8 @@
-- tags: transient process events
-- platform: linux
-- interval: 30
SELECT pe.path AS path,
SELECT
pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
@ -31,7 +32,9 @@ SELECT pe.path AS path,
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
FROM process_events pe, uptime
FROM
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid

View File

@ -9,7 +9,8 @@
-- tags: transient process events
-- platform: darwin
-- interval: 45
SELECT pe.path AS path,
SELECT
pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
@ -41,7 +42,8 @@ SELECT pe.path AS path,
signature.authority,
esignature.authority
) AS parent_authority
FROM process_events pe
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@ -159,4 +161,4 @@ WHERE
AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
AND NOT cmd LIKE '%history'
AND NOT name IN ('cc1', 'compile')
AND NOT name IN ('cc1', 'compile')

View File

@ -134,11 +134,14 @@ WHERE
AND NOT (
addr IS NOT NULL
AND (
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
addr IN (
'releases.hashicorp.com',
'github.com',
'dl.enforce.dev'
)
-- Ignore local addresses (Docker development)
OR addr NOT LIKE '%.%'
OR ip LIKE '172.2%'
OR ip LIKE '192.168.%'
)
)

View File

@ -129,11 +129,14 @@ WHERE
AND NOT (
addr IS NOT NULL
AND (
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
addr IN (
'releases.hashicorp.com',
'github.com',
'dl.enforce.dev'
)
-- Ignore local addresses (Docker development)
OR addr NOT LIKE '%.%'
OR ip LIKE '172.21.%'
OR ip LIKE '192.168.%'
)
)

View File

@ -142,7 +142,7 @@ WHERE
'~/google-cloud-sdk/',
'~/homebrew/',
'~/.kuberlr/',
-- '~/Library/',
-- '~/Library/',
'~/.gradle/',
'~/.local/',
'~/Parallels/',
@ -193,7 +193,6 @@ WHERE
AND homedir NOT LIKE '~/%sigstore%'
AND homedir NOT LIKE '~/%/bin'
AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
-- These signers can run from wherever the hell they want.
AND signature.authority NOT IN (
'Apple iPhone OS Application Signing',

View File

@ -6,7 +6,8 @@
-- interval: 600
-- platform: posix
-- tags: process events
SELECT pe.path AS path,
SELECT
pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
@ -29,8 +30,9 @@ SELECT pe.path AS path,
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
REGEX_MATCH(TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
FROM process_events pe
REGEX_MATCH (TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@ -39,17 +41,19 @@ FROM process_events pe
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN hash thash ON target_path = thash.path
LEFT JOIN hash ehash ON ppe.path = ehash.path
WHERE pe.time > (strftime('%s', 'now') -600)
AND pe.path LIKE '%/chmod'
AND (
cmd LIKE '%chmod 7%'
OR cmd LIKE '%chmod 5%'
OR cmd LIKE '%chmod 1%'
OR cmd LIKE '%chmod +%x'
)
AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
AND NOT parent_cgroup LIKE '/system.slice/docker-%'
GROUP BY pe.pid
WHERE
pe.time > (strftime('%s', 'now') -600)
AND pe.path LIKE '%/chmod'
AND (
cmd LIKE '%chmod 7%'
OR cmd LIKE '%chmod 5%'
OR cmd LIKE '%chmod 1%'
OR cmd LIKE '%chmod +%x'
)
AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
AND NOT parent_cgroup LIKE '/system.slice/docker-%'
GROUP BY
pe.pid

View File

@ -87,4 +87,5 @@ WHERE
-- The following apply to all uids
AND NOT cmd = 'osascript -e user locale of (get system info)'
GROUP BY
pe.pid, pe.cmd
pe.pid,
pe.cmd

View File

@ -74,4 +74,3 @@ WHERE
AND p.name = "node"
AND parent_name IN ("vim", "nvim")
)

View File

@ -106,4 +106,4 @@ WHERE
)
AND NOT p.path IN ('/opt/socket_vmnet/bin/socket_vmnet')
GROUP BY
pmm.pid
pmm.pid

View File

@ -6,7 +6,8 @@
-- interval: 60
-- platform: darwin
-- tags: process events
SELECT pe.path AS path,
SELECT
pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
@ -38,7 +39,8 @@ SELECT pe.path AS path,
signature.authority,
esignature.authority
) AS parent_authority
FROM process_events pe
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@ -48,7 +50,8 @@ FROM process_events pe
LEFT JOIN hash ehash ON ppe.path = ehash.path
LEFT JOIN signature ON pp.path = signature.path
LEFT JOIN signature esignature ON ppe.path = esignature.path
WHERE pe.path = '/usr/bin/xattr'
WHERE
pe.path = '/usr/bin/xattr'
AND pe.status = 0
AND pe.time > (strftime('%s', 'now') -60)
AND cmd NOT IN (
@ -81,4 +84,6 @@ WHERE pe.path = '/usr/bin/xattr'
)
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
GROUP BY pe.pid, cmd
GROUP BY
pe.pid,
cmd

View File

@ -150,4 +150,5 @@ WHERE
)
AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY p.pid
GROUP BY
p.pid

View File

@ -66,4 +66,4 @@ WHERE
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'
AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'
AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'

View File

@ -15,7 +15,7 @@ SELECT
p.path,
p.cmdline,
p.cgroup_path,
datetime(file.mtime,'unixepoch') AS mtime,
datetime(file.mtime, 'unixepoch') AS mtime,
p.cwd,
hash.sha256,
CONCAT (

View File

@ -48,7 +48,8 @@ SELECT
)
) AS exception_key
FROM
process_events pe, uptime
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN hash phash ON pp.path = phash.path
@ -87,6 +88,5 @@ WHERE
AND NOT child_cmd LIKE 'systemctl show --property=%'
AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
AND NOT child_cmd LIKE '/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%/bus'
GROUP BY
pe.pid

View File

@ -23,4 +23,4 @@ FROM
WHERE
p.time > (strftime('%s', 'now') -60)
AND file.mode NOT LIKE '0%'
AND p.cmdline_size > 2048
AND p.cmdline_size > 2048

View File

@ -37,6 +37,9 @@ WHERE
AND filename LIKE "%-%-%.json"
AND size BETWEEN 2311 AND 2385
-- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(filename, CONCAT(u.username, "-")) == 1
AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
-- Don't alert on tokens that begin with the users full name and a dash
AND NOT INSTR(filename, REPLACE(LOWER(TRIM(description))," ", "-")) == 1
AND NOT INSTR(
filename,
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1