Merge pull request #151 from tstromberg/perf-analysis

Tune queries to decrease CPU overhead on macOS
2025-02-21 12:36:50 +00:00 · 2023-02-01 16:18:54 -05:00 · 2023-02-01 16:18:54 -05:00 · fd1b5d28c4
commit fd1b5d28c4
parent 97a3661e1d cdcb2d48f3
16 changed files with 55 additions and 51 deletions
--- a/detection/c2/unexpected-icmp-socket-events.sql
+++ b/detection/c2/unexpected-icmp-socket-events.sql
@ -3,7 +3,7 @@
 -- references:
 --   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
-- interval: 30
+-- interval: 300
 -- tags: transient events net
 SELECT
  se.*,
@ -15,7 +15,7 @@ FROM
  socket_events se
  LEFT JOIN processes p ON se.pid = p.pid
 WHERE
-  se.time > (strftime('%s', 'now') -30)
+  se.time > (strftime('%s', 'now') -300)
  AND family = 2 -- PF_INET
  AND protocol = 1 -- ICMP
  AND p.name NOT IN ('ping')
--- a/detection/discovery/unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/unexpected-netutil-calls-linux.sql
@ -5,7 +5,7 @@
 --
 -- tags: transient process state often
 -- platform: linux
-- interval: 60
+-- interval: 300
 SELECT
  -- Child
  pe.path AS p0_path,
@ -66,7 +66,7 @@ WHERE
    '/sbin/nft'
  )
  AND pe.cmdline != ''
-  AND pe.time > (strftime('%s', 'now') -60)
+  AND pe.time > (strftime('%s', 'now') -300)
  AND NOT (
    pe.euid > 500
    AND p1_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@ -31,11 +31,22 @@ FROM
  LEFT JOIN file ON ae.path = file.path
  LEFT JOIN hash ON ae.path = hash.path
  LEFT JOIN signature ON ae.path = signature.path
-WHERE -- NOTE:We intentionally want to preserve missing files
-  -- Unfortunately, there is no column for when an exception was granted, so
-  -- we're currently unable to filter out old entries.
-  exception_key NOT IN (
-    ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
+WHERE
+  -- Filter out stock exceptions to decrease overhead
+  ae.path NOT IN (
+    '/System/Library/CoreServices/UniversalControl.app/',
+    '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig',
+    '/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/',
+    '/usr/bin/nmblookup',
+    '/usr/libexec/bootpd',
+    '/usr/libexec/configd',
+    '/usr/libexec/discoveryd',
+    '/usr/libexec/xartstorageremoted',
+    '/usr/sbin/mDNSResponder',
+    '/usr/sbin/racoon'
+  )
+  AND exception_key NOT IN (
+     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
    'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
    'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
@ -55,26 +66,16 @@ WHERE -- NOTE:We intentionally want to preserve missing files
    'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
    'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
    'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
-    ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', -- thanks Jed!
    ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
    ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
    'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
-    'Software Signing,com.apple.bootpd,/usr/libexec/bootpd,0',
-    'Software Signing,com.apple.configd,/usr/libexec/configd,0',
    'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
-    'Software Signing,com.apple.EmbeddedOSInstallService,/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/,0',
-    'Software Signing,com.apple.mDNSResponder,/usr/sbin/mDNSResponder,0',
    'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
    'Software Signing,com.apple.nc,/usr/bin/nc,0',
-    'Software Signing,com.apple.racoon,/usr/sbin/racoon,0',
-    'Software Signing,com.apple.universalcontrol,/System/Library/CoreServices/UniversalControl.app/,0',
    'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
    'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
-    ',,/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig,',
    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
-    ',,/usr/bin/nmblookup,',
-    ',,/usr/libexec/discoveryd,'
  )
  AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
  AND NOT exception_key LIKE  ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: linux
-- interval: 60
+-- interval: 300
 SELECT
  -- Child
  pe.path AS p0_path,
@ -51,7 +51,7 @@ FROM
  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  pe.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -300)
  AND pe.cmdline != ''
  AND (
    p0_name IN (
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -8,7 +8,7 @@
 --
 -- tags: transient process events
 -- platform: darwin
-- interval: 30
+-- interval: 180
 SELECT -- Child
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
@ -74,7 +74,7 @@ FROM process_events pe,
  LEFT JOIN signature p1_p2_sig ON p1_p2.path = p1_p2_sig.path
  LEFT JOIN signature pe1_p2_sig ON pe1_p2.path = pe1_p2_sig.path
  LEFT JOIN signature pe1_pe2_sig ON pe1_pe2.path = pe1_pe2_sig.path
-WHERE pe.time > (strftime('%s', 'now') -30)
+WHERE pe.time > (strftime('%s', 'now') -180)
  AND pe.status = 0
  AND pe.cmdline != ''
  AND pe.cmdline IS NOT NULL
--- a/detection/execution/relative-exec-low-uid-events.sql
+++ b/detection/execution/relative-exec-low-uid-events.sql
@ -4,7 +4,7 @@
 --   * https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
 --
 -- platform: posix
-- interval: 45
+-- interval: 180
 -- tags: process events
 SELECT
  -- Child
@ -46,7 +46,7 @@ FROM
  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  pe.time > (strftime('%s', 'now') -45)
+  pe.time > (strftime('%s', 'now') -180)
  AND pe.cmdline != ''
  AND pe.euid < 500
  AND pe.cmdline LIKE './%'
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@ -4,7 +4,7 @@
 --   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
 --
-- interval: 60
+-- interval: 120
 -- tags: transient process events
 -- platform: posix
 SELECT
@ -54,7 +54,7 @@ FROM
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
  -- Extra fields
 WHERE
-  pe.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -120)
  AND pe.cmdline != ''
  -- NOTE: Sync remaining portion with sketchy-fetchers
  AND (
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@ -3,7 +3,7 @@
 -- references:
 --   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
 --
-- interval: 30
+-- interval: 300
 -- tags: transient process events
 SELECT
  p.pid,
@ -31,7 +31,7 @@ FROM
  LEFT JOIN hash phash ON pp.path = phash.path
  LEFT JOIN magic ON p.path = magic.path
 WHERE
-  p.time > (strftime('%s', 'now') -30)
+  p.time > (strftime('%s', 'now') -300)
  AND file.size > 0
  AND file.size < 10000
  AND file.type = 'regular'
--- a/detection/execution/unexpected-env-values-macos.sql
+++ b/detection/execution/unexpected-env-values-macos.sql
@ -5,7 +5,7 @@
 --
 -- WARNING: This query is known to require a higher than average wall time.
 --
-- interval: 20
+-- interval: 30
 -- platform: darwin
 SELECT
  key,
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@ -6,7 +6,7 @@
 -- false positives:
 --   * programs running in alternative namespaces (Docker)
 --
-- interval: 60
+-- interval: 300
 -- platform: linux
 -- tags: process events
 SELECT
@ -30,7 +30,7 @@ FROM
  LEFT JOIN hash ON pe.path = hash.path
  LEFT JOIN hash phash ON pp.path = hash.path
 WHERE
-  pe.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -300)
  AND dirname NOT LIKE '/home/%'
  AND dirname NOT LIKE '/nix/store/%/bin'
  AND dirname NOT LIKE '/nix/store/%/lib/%'
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -7,7 +7,7 @@
 --   * software installers and updaters
 --   * developers running programs out of /tmp
 --
-- interval: 60
+-- interval: 240
 -- platform: darwin
 -- tags: filesystem events
 SELECT
@ -49,7 +49,7 @@ FROM
  LEFT JOIN hash phash ON pp.path = phash.path
  LEFT JOIN signature ON p.path = signature.path
 WHERE
-  p.time > (strftime('%s', 'now') -60)
+  p.time > (strftime('%s', 'now') -240)
  -- The process_events table on macOS ends up with relative directories for some reason?
  AND dir LIKE '/%'
  AND file.size > 0
--- a/detection/persistence/fake-apple-launchd.sql
+++ b/detection/persistence/fake-apple-launchd.sql
@ -1,4 +1,4 @@
-- Find launchd entries which purport to be by Apple, but are not signed by Apple.
+-- Find launchd entries which purport to be by Apple, but point to binaries that are not signed by Apple.
 --
 -- references:
 --   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
@ -9,15 +9,17 @@
 --
 -- platform: darwin
 -- tags: persistent launchd state
-select
-  *
-FROM
-  signature s
-  JOIN launchd d ON d.program_arguments = s.path
-WHERE
-  d.name LIKE 'com.apple.%'
-  AND (
-    signed = 0
-    OR authority != 'Software Signing'
+SELECT *
+FROM launchd
+  LEFT JOIN file ON launchd.path = file.path
+  LEFT JOIN signature ON launchd.program_arguments = signature.path
+WHERE launchd.name LIKE 'com.apple.%'
+  -- Optimization, assumes SIP
+  AND file.directory NOT IN (
+    '/System/Library/LaunchAgents',
+    '/System/Library/LaunchDaemons',
+    '/Library/Apple/System/Library/LaunchDaemons',
+    '/Library/Apple/System/Library/LaunchAgents'
  )
-  AND d.run_at_load = 1;
+  AND launchd.run_at_load = 1
+  AND signature.authority != 'Software Signing'
--- a/detection/persistence/unexpected-launchd-program-arguments.sql
+++ b/detection/persistence/unexpected-launchd-program-arguments.sql
@ -31,6 +31,7 @@ WHERE
    OR program = ''
  )
  AND l.path NOT LIKE '/System/%'
+  AND l.path NOT LIKE '/Library/Apple/System/%'
  AND program_authority NOT IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -240,7 +240,7 @@ WHERE
    '/usr/sbin/systemstats',
    '/usr/sbin/WirelessRadioManagerd'
  )
-  AND signature.identifier IN (
+  AND NOT signature.identifier IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: Foxit Corporation (8GN47HTP75)',
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@ -9,7 +9,7 @@
 --
 -- tags: events process escalation
 -- platform: linux
-- interval: 60
+-- interval: 300
 SELECT
  file.mode AS p0_binary_mode,
  pe.cmdline_size AS p0_cmd_size,
@ -52,7 +52,7 @@ FROM
  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  pe.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -300)
  AND pe.euid < p1_euid
  AND pe.path NOT IN (
    '/',
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@ -9,7 +9,7 @@
 --
 -- tags: events process escalation
 -- platform: darwin
-- interval: 60
+-- interval: 300
 SELECT
  -- Child
  pe.path AS p0_path,
@ -60,7 +60,7 @@ FROM
  LEFT JOIN signature pe1_p2_sig ON pe1_p2.path = pe1_p2_sig.path
  LEFT JOIN signature pe1_pe2_sig ON pe1_pe2.path = pe1_pe2_sig.path
 WHERE
-  pe.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -300)
  AND p0_euid < p1_euid
  AND p1_path NOT IN (
    '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',