RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-03 03:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor execdir, remove false positives

Browse Source
This commit is contained in:
Thomas Stromberg 2022-11-07 20:36:37 -05:00
parent b2d518f690
commit f93a18d112
Failed to extract signature
17 changed files with 179 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
detection/c2/unexpected-dns-traffic-events.sql
View File

@ -63,6 +63,7 @@ WHERE
'8.8.8.8', -- Google '8.8.8.8', -- Google
'8.8.4.4', -- Google (backup) '8.8.4.4', -- Google (backup)
'208.67.222.222', -- OpenDNS '208.67.222.222', -- OpenDNS
'208.67.222.123', -- OpenDNS
'75.75.75.75', -- Comcast '75.75.75.75', -- Comcast
'75.75.76.76', -- Comcast '75.75.76.76', -- Comcast
'68.105.28.13' -- Cox '68.105.28.13' -- Cox
@ -71,6 +72,7 @@ WHERE
AND exception_key NOT IN ( AND exception_key NOT IN (
'coredns,0.0.0.0,53', 'coredns,0.0.0.0,53',
'syncthing,46.162.192.181,53', 'syncthing,46.162.192.181,53',
'Code Helper,208.67.222.123,53',
'Jabra Direct Helper,208.67.222.123,53' 'Jabra Direct Helper,208.67.222.123,53'
) )
AND p.name != 'nessusd' AND p.name != 'nessusd'

5
detection/c2/unexpected-https-client-linux.sql
View File

@ -89,11 +89,11 @@ WHERE
'500,/home/chainctl,500u,500g,chainctl', '500,/home/chainctl,500u,500g,chainctl',
'500,/home/code,500u,500g,code', '500,/home/code,500u,500g,code',
'500,/home/gitsign,500u,500g,gitsign', '500,/home/gitsign,500u,500g,gitsign',
'500,/home/ko,500u,500g,ko',
'500,/home/go,500u,500g,go', '500,/home/go,500u,500g,go',
'500,/home/grype,500u,500g,grype', '500,/home/grype,500u,500g,grype',
'500,/home/java,500u,500g,java', '500,/home/java,500u,500g,java',
'500,/home/jcef_helper,500u,500g,jcef_helper', '500,/home/jcef_helper,500u,500g,jcef_helper',
'500,/home/ko,500u,500g,ko',
'500,/home/steam,500u,100g,steam', '500,/home/steam,500u,100g,steam',
'500,/home/steamwebhelper,500u,100g,steamwebhelper', '500,/home/steamwebhelper,500u,100g,steamwebhelper',
'500,/home/WPILibInstaller,500u,500g,WPILibInstaller', '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
@ -101,6 +101,7 @@ WHERE
'500,/ko-app/controlplane,u,g,controlplane', '500,/ko-app/controlplane,u,g,controlplane',
'500,/opt/1password,0u,0g,1password', '500,/opt/1password,0u,0g,1password',
'500,/opt/Brackets,0u,0g,Brackets', '500,/opt/Brackets,0u,0g,Brackets',
'500,/opt/todoist,0u,0g,todoist',
'500,/opt/chrome,0u,0g,chrome', '500,/opt/chrome,0u,0g,chrome',
'500,/opt/Discord,0u,0g,Discord', '500,/opt/Discord,0u,0g,Discord',
'500,/opt/firefox,0u,0g,firefox', '500,/opt/firefox,0u,0g,firefox',
@ -108,6 +109,7 @@ WHERE
'500,/opt/kubectl,0u,0g,kubectl', '500,/opt/kubectl,0u,0g,kubectl',
'500,/opt/slack,0u,0g,slack', '500,/opt/slack,0u,0g,slack',
'500,/opt/spotify,0u,0g,spotify', '500,/opt/spotify,0u,0g,spotify',
'500,/usr/spotify,0u,0g,spotify',
'500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb', '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', '500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,/usr/bom,500u,500g,bom', '500,/usr/bom,500u,500g,bom',
@ -138,6 +140,7 @@ WHERE
'500,/usr/rpi-imager,0u,0g,rpi-imager', '500,/usr/rpi-imager,0u,0g,rpi-imager',
'500,/usr/signal-desktop,0u,0g,signal-desktop', '500,/usr/signal-desktop,0u,0g,signal-desktop',
'500,/usr/slack,0u,0g,slack', '500,/usr/slack,0u,0g,slack',
'500,/usr/spotify,0u,0g,spotify',
'500,/usr/syncthing,0u,0g,syncthing', '500,/usr/syncthing,0u,0g,syncthing',
'500,/usr/terraform,0u,0g,terraform', '500,/usr/terraform,0u,0g,terraform',
'500,/usr/trivy,0u,0g,trivy', '500,/usr/trivy,0u,0g,trivy',

4
detection/c2/unexpected-talkers-linux.sql
View File

@ -92,11 +92,12 @@ WHERE
'32768,6,0,/usr/tailscaled,0u,0g,tailscaled', '32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
'3443,6,500,/opt/chrome,0u,0g,chrome', '3443,6,500,/opt/chrome,0u,0g,chrome',
'3478,6,500,/opt/chrome,0u,0g,chrome', '3478,6,500,/opt/chrome,0u,0g,chrome',
'4070,6,500,/opt/spotify,0u,0g,spotify',
'3478,6,500,/usr/firefox,0u,0g,firefox', '3478,6,500,/usr/firefox,0u,0g,firefox',
'4070,6,500,/opt/spotify,0u,0g,spotify',
'43,6,500,/usr/whois,0u,0g,whois', '43,6,500,/usr/whois,0u,0g,whois',
'5228,6,500,/opt/chrome,0u,0g,chrome', '5228,6,500,/opt/chrome,0u,0g,chrome',
'5228,6,500,/usr/chrome,0u,0g,chrome', '5228,6,500,/usr/chrome,0u,0g,chrome',
'67,17,0,/usr/NetworkManager,0u,0g,NetworkManager',
'8000,6,500,/opt/chrome,0u,0g,chrome', '8000,6,500,/opt/chrome,0u,0g,chrome',
'8000,6,500,/usr/firefox,0u,0g,firefox', '8000,6,500,/usr/firefox,0u,0g,firefox',
'80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm', '80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm',
@ -125,6 +126,7 @@ WHERE
'8443,6,500,/opt/chrome,0u,0g,chrome', '8443,6,500,/opt/chrome,0u,0g,chrome',
'8443,6,500,/usr/firefox,0u,0g,firefox', '8443,6,500,/usr/firefox,0u,0g,firefox',
'8801,17,500,/app/zoom.real,u,g,zoom.real', '8801,17,500,/app/zoom.real,u,g,zoom.real',
'8801,17,500,/opt/zoom,0u,0g,zoom',
'993,6,500,/app/thunderbird,u,g,thunderbird' '993,6,500,/app/thunderbird,u,g,thunderbird'
) )
AND NOT ( AND NOT (

2
detection/evasion/empty_environ_linux.sql
View File

@ -34,6 +34,8 @@ WHERE -- This time should match the interval
'chrome', 'chrome',
'jcef_helper', 'jcef_helper',
'slack', 'slack',
'gnome-boxes-sea',
'gnome-contacts-',
'sshd', 'sshd',
'zoom.real', 'zoom.real',
'zypak-sandbox' 'zypak-sandbox'

1
detection/execution/exotic-command-events-linux.sql
View File

@ -69,6 +69,7 @@ WHERE
OR cmd LIKE '%iptables -F%' OR cmd LIKE '%iptables -F%'
OR cmd LIKE '%chattr -ia%' OR cmd LIKE '%chattr -ia%'
OR cmd LIKE '%chmod 777 %' OR cmd LIKE '%chmod 777 %'
OR cmd LIKE '%history'
OR cmd LIKE '%touch%acmr%' OR cmd LIKE '%touch%acmr%'
OR cmd LIKE '%touch -r%' OR cmd LIKE '%touch -r%'
OR cmd LIKE '%ld.so.preload%' OR cmd LIKE '%ld.so.preload%'

3
detection/execution/exotic-command-events-macos.sql
View File

@ -82,6 +82,7 @@ WHERE
OR cmd LIKE '%rm -f /tmp%' OR cmd LIKE '%rm -f /tmp%'
OR cmd LIKE '%xargs kill -9%' OR cmd LIKE '%xargs kill -9%'
OR cmd LIKE '%nohup /bin/bash%' OR cmd LIKE '%nohup /bin/bash%'
OR cmd LIKE '%history'
OR cmd LIKE '%echo%|%base64 --decode %|%' OR cmd LIKE '%echo%|%base64 --decode %|%'
OR cmd LIKE '%launchctl list%' OR cmd LIKE '%launchctl list%'
OR ( OR (
@ -123,7 +124,7 @@ WHERE
'/bin/launchctl list homebrew.mxcl.yabai', '/bin/launchctl list homebrew.mxcl.yabai',
'/bin/launchctl asuser 0 /bin/launchctl list' '/bin/launchctl asuser 0 /bin/launchctl list'
) )
AND p.parent = -1 OR p.parent = -1
) )
AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%' AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
AND NOT cmd LIKE 'rm -f /tmp/locate%/_updatedb%' AND NOT cmd LIKE 'rm -f /tmp/locate%/_updatedb%'

10
detection/execution/recently-created-executables-linux.sql
View File

@ -59,8 +59,9 @@ WHERE
'/usr/bin/rpi-imager', '/usr/bin/rpi-imager',
'/usr/bin/tailscaled', '/usr/bin/tailscaled',
'/usr/bin/udevadm', '/usr/bin/udevadm',
'/usr/libexec/snapd/snapd', '/usr/bin/wpa_supplicant',
'/usr/share/spotify-client/spotify', '/usr/lib64/firefox/firefox',
'/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/at-spi2-registryd', '/usr/lib/at-spi2-registryd',
'/usr/lib/at-spi-bus-launcher', '/usr/lib/at-spi-bus-launcher',
'/usr/libexec/docker/docker-proxy', '/usr/libexec/docker/docker-proxy',
@ -73,12 +74,10 @@ WHERE
'/usr/lib/gdm-x-session', '/usr/lib/gdm-x-session',
'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3', '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/polkit-1/polkitd', '/usr/lib/polkit-1/polkitd',
'/usr/bin/wpa_supplicant',
'/usr/lib/slack/chrome_crashpad_handler', '/usr/lib/slack/chrome_crashpad_handler',
'/usr/lib/slack/slack', '/usr/lib/slack/slack',
'/usr/lib/snapd/snapd', '/usr/lib/snapd/snapd',
'/usr/lib/systemd/systemd', '/usr/lib/systemd/systemd',
'/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/systemd/systemd-journald', '/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-logind', '/usr/lib/systemd/systemd-logind',
'/usr/lib/systemd/systemd-oomd', '/usr/lib/systemd/systemd-oomd',
@ -88,7 +87,8 @@ WHERE
'/usr/lib/xf86-video-intel-backlight-helper', '/usr/lib/xf86-video-intel-backlight-helper',
'/usr/sbin/chronyd', '/usr/sbin/chronyd',
'/usr/sbin/cupsd', '/usr/sbin/cupsd',
'/usr/sbin/tailscaled' '/usr/sbin/tailscaled',
'/usr/share/spotify-client/spotify'
) )
AND NOT p.path LIKE '%-go-build%' AND NOT p.path LIKE '%-go-build%'
AND NOT p.path LIKE '/home/%/bin/%' AND NOT p.path LIKE '/home/%/bin/%'

26
detection/execution/unexpected-execdir-events-macos.sql
View File

@ -16,7 +16,7 @@ SELECT
REGEX_MATCH (p.path, '(.*)/', 1) AS dir, REGEX_MATCH (p.path, '(.*)/', 1) AS dir,
REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
REPLACE(file.directory, u.directory, '~') AS homedir, REPLACE(file.directory, u.directory, '~') AS homedir,
REGEX_MATCH (REPLACE(file.directory, u.directory, '~'), '(~/.*?/.*?/)', 1) AS top_homedir, -- 2 levels deep REGEX_MATCH (REPLACE(file.directory, u.directory, '~'), '(~/.*?/)', 1) AS top_homedir, -- 1 level deep
p.cmdline, p.cmdline,
p.mode, p.mode,
p.cwd, p.cwd,
@ -110,23 +110,23 @@ WHERE
'~/projects/go/bin' '~/projects/go/bin'
) )
AND top_homedir NOT IN ( AND top_homedir NOT IN (
'~/Applications/Chrome Apps.localized/', '~/Applications/',
'~/.config/nvm/', '~/code/',
'~/homebrew/Cellar/', '~/.config/',
'~/Library/Application Support/', '~/homebrew/',
'~/Library/Printers', '~/Library/',
'~/.local/share', '~/.local/',
'~/projects/go', '~/projects/',
'~/code/src', '~/src/',
'~/.tflint.d/plugins', '~/.tflint.d/',
'~/.vscode/extensions', '~/.vscode/',
'~/.vs-kubernetes/tools' '~/.vs-kubernetes/'
) )
-- Locally built executables -- Locally built executables
AND NOT ( AND NOT (
signature.identifier = "a.out" signature.identifier = "a.out"
AND homedir LIKE '~/%' AND homedir LIKE '~/%'
AND pp.name LIKE '%sh' AND pp.name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
) )
AND dir NOT LIKE '../%' -- data issue AND dir NOT LIKE '../%' -- data issue
AND dir NOT LIKE '/Applications/%' AND dir NOT LIKE '/Applications/%'

24
detection/execution/unexpected-execdir-macos.sql
View File

@ -17,7 +17,7 @@ SELECT
f.directory AS dir, f.directory AS dir,
REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
REPLACE(f.directory, u.directory, '~') AS homedir, REPLACE(f.directory, u.directory, '~') AS homedir,
REGEX_MATCH (REPLACE(f.directory, u.directory, '~'), '(~/.*?/.*?/)', 1) AS top_homedir, -- 2 levels deep REGEX_MATCH (REPLACE(f.directory, u.directory, '~'), '(~/.*?/)', 1) AS top_homedir, -- 1 level deep
p.cmdline, p.cmdline,
hash.sha256, hash.sha256,
pp.path AS parent_path, pp.path AS parent_path,
@ -101,17 +101,17 @@ WHERE
'~/projects/go/bin' '~/projects/go/bin'
) )
AND top_homedir NOT IN ( AND top_homedir NOT IN (
'~/Applications/Chrome Apps.localized/', '~/Applications/',
'~/.config/nvm/', '~/code/',
'~/homebrew/Cellar/', '~/.config/',
'~/Library/Application Support/', '~/homebrew/',
'~/Library/Printers', '~/Library/',
'~/.local/share', '~/.local/',
'~/projects/go', '~/projects/',
'~/code/src', '~/src/',
'~/.tflint.d/plugins', '~/.tflint.d/',
'~/.vscode/extensions', '~/.vscode/',
'~/.vs-kubernetes/tools' '~/.vs-kubernetes/'
) )
-- Locally built executables -- Locally built executables
AND NOT ( AND NOT (

1
detection/c2/unexpected-listening-port-linux.sql → detection/persistence/unexpected-listening-port-linux.sql
View File

@ -75,6 +75,7 @@ WHERE
'32768,6,0,.tailscaled-wra', '32768,6,0,.tailscaled-wra',
'32768,6,500,com.docker.backend', '32768,6,500,com.docker.backend',
'32768,6,500,dleyna-renderer', '32768,6,500,dleyna-renderer',
'32768,6,500,jetbrains-toolb',
'32768,6,500,spotify', '32768,6,500,spotify',
'3551,6,0,apcupsd', '3551,6,0,apcupsd',
'4143,6,500,linkerd2-proxy', '4143,6,500,linkerd2-proxy',

0
detection/c2/unexpected-listening-port-macos.sql → detection/persistence/unexpected-listening-port-macos.sql
View File

2
detection/persistence/unexpected-uid0-daemon-linux.sql
View File

@ -53,6 +53,7 @@ WHERE
'/usr/bin/crond', '/usr/bin/crond',
'/usr/bin/dbus-daemon', '/usr/bin/dbus-daemon',
'/usr/bin/dbus-launch', '/usr/bin/dbus-launch',
'/usr/bin/dnsmasq',
'/usr/bin/dockerd', '/usr/bin/dockerd',
'/usr/bin/docker-proxy', '/usr/bin/docker-proxy',
'/usr/bin/fish', '/usr/bin/fish',
@ -65,6 +66,7 @@ WHERE
'/usr/bin/sshd', '/usr/bin/sshd',
'/usr/bin/tailscaled', '/usr/bin/tailscaled',
'/usr/bin/vim', '/usr/bin/vim',
'/usr/bin/virtlogd',
'/usr/bin/wpa_supplicant', '/usr/bin/wpa_supplicant',
'/usr/libexec/accounts-daemon', '/usr/libexec/accounts-daemon',
'/usr/libexec/docker/docker-proxy', '/usr/libexec/docker/docker-proxy',

36
detection/privesc/setxid-env-overflow-attempt.sql Normal file
View File

@ -0,0 +1,36 @@
-- Find setuid process events with large environment sizes
--
-- ******************************************************************
-- NOTE: This is a rare case of a non-working query. It does not work
-- in my environment (osquery 5.5.1 running with Kolide) as
-- process_events.env_size is NULL. I believe this to be a bug, but
-- requires more investigation.
-- ******************************************************************
--
-- tags: events process escalation disabled seldom
-- platform: posix
--
-- Uncomment once the underlying problem is addressed:
-- XintervalX: 60
SELECT
p.pid AS child_pid,
p.path AS child_path,
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
p.cmdline AS child_cmdline,
p.euid AS child_euid,
file.mode AS child_mode,
p.parent AS parent_pid,
pp.cmdline AS parent_cmdline,
p.env,
p.env_size
FROM
process_events p
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.time > (strftime('%s', 'now') -60)
AND file.mode NOT LIKE '0%'
AND p.env_size > 3500

6
detection/privesc/unexpected-privilege-escalation-events.sql → detection/privesc/unexpected-elevated-children-events_linux.sql
View File

@ -8,13 +8,15 @@
-- * unexpected-privilege-escalation.sql -- * unexpected-privilege-escalation.sql
-- --
-- tags: events process escalation -- tags: events process escalation
-- platform: posix -- platform: linux
-- interval: 30 -- interval: 30
SELECT SELECT
p.pid AS child_pid, p.pid AS child_pid,
p.path AS child_path, p.path AS child_path,
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name, REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
p.cmdline AS child_cmdline, p.cmdline AS child_cmdline,
p.time,
pp.start_time,
p.euid AS child_euid, p.euid AS child_euid,
file.mode AS child_mode, file.mode AS child_mode,
hash.sha256 AS child_hash, hash.sha256 AS child_hash,
@ -24,7 +26,7 @@ SELECT
pp.cmdline AS parent_cmdline, pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid, pp.euid AS parent_euid,
pfile.mode AS parent_mode, pfile.mode AS parent_mode,
hash.sha256 AS parent_hash phash.sha256 AS parent_hash
FROM FROM
process_events p process_events p
JOIN processes pp ON p.parent = pp.pid JOIN processes pp ON p.parent = pp.pid

45
detection/privesc/unexpected-elevated-children-events_macos.sql Normal file
View File

@ -0,0 +1,45 @@
-- Find processes that run with a lower effective UID than their parent (event-based)
--
-- references:
-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- related:
-- * unexpected-privilege-escalation.sql
--
-- tags: events process escalation
-- platform: darwin
-- interval: 30
SELECT
p.pid AS child_pid,
p.path AS child_path,
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
p.cmdline AS child_cmdline,
p.time,
pp.start_time,
p.euid AS child_euid,
file.mode AS child_mode,
hash.sha256 AS child_hash,
p.parent AS parent_pid,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
pfile.mode AS parent_mode,
phash.sha256 AS parent_hash
FROM
process_events p
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid
AND p.path NOT IN (
'/usr/bin/login',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/local/bin/doas'
)

6
detection/privesc/unexpected-privilege-escalation.sql → detection/privesc/unexpected-privilege-escalation_linux.sql
View File

@ -8,7 +8,7 @@
-- * unexpected-privilege-escalation-events.sql -- * unexpected-privilege-escalation-events.sql
-- --
-- tags: transient rapid state process escalation -- tags: transient rapid state process escalation
-- platform: posix -- platform: linux
SELECT SELECT
p.pid AS child_pid, p.pid AS child_pid,
p.path AS child_path, p.path AS child_path,
@ -24,7 +24,7 @@ SELECT
pp.cmdline AS parent_cmdline, pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid, pp.euid AS parent_euid,
pfile.mode AS parent_mode, pfile.mode AS parent_mode,
hash.sha256 AS parent_hash phash.sha256 AS parent_hash
FROM FROM
processes p processes p
JOIN processes pp ON p.parent = pp.pid JOIN processes pp ON p.parent = pp.pid
@ -33,7 +33,7 @@ FROM
LEFT JOIN file AS pfile ON pp.path = pfile.path LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE WHERE
p.euid < pp.euid p.euid < p.uid
AND p.path NOT IN ( AND p.path NOT IN (
'/bin/ps', '/bin/ps',
'/usr/bin/doas', '/usr/bin/doas',

44
detection/privesc/unexpected-privilege-escalation_macos.sql Normal file
View File

@ -0,0 +1,44 @@
-- Find processes that run with a lower effective UID than their parent (state-based)
--
-- references:
-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- related:
-- * unexpected-privilege-escalation-events.sql
--
-- tags: transient rapid state process escalation
-- platform: darwin
SELECT
p.pid AS child_pid,
p.path AS child_path,
p.name AS child_name,
p.cmdline AS child_cmdline,
p.euid AS child_euid,
p.state AS child_state,
file.mode AS child_mode,
hash.sha256 AS child_hash,
p.parent AS parent_pid,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
pfile.mode AS parent_mode,
phash.sha256 AS parent_hash
FROM
processes p
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
p.euid < p.uid
AND p.path NOT IN (
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/usr/bin/login',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/local/bin/doas',
'/usr/bin/top'
)