osquery-defense-kit/detection/credentials/unexpected-sensitive-file-a...

133 lines
4.6 KiB
SQL

-- Unexpected programs accessing sensitive data stores (state-based)
--
-- This query is unfortunately of limited use, as the query is slow (250ms)
-- and it requires catching a program at the exact moment it has
-- the file open. An event-based version is advised.
--
-- references:
-- * https://attack.mitre.org/techniques/T1555/ (Credentials from Password Stores)
--
-- tags: transient state file access
SELECT
pof.pid,
pof.fd,
pof.path,
f.uid AS file_uid,
p.cwd AS cwd,
p.euid,
p.start_time,
p.uid AS process_uid,
p.name AS program_name,
p.cmdline AS cmdline,
pp.name AS parent_name,
pp.cwd AS parent_cwd,
pp.path AS parent_path,
pf.filename AS program_base,
hash.sha256,
REPLACE(f.directory, u.directory, '~') AS dir,
CONCAT (
pf.filename,
',',
p.name,
',',
IIF(
REGEX_MATCH (
REPLACE(f.directory, u.directory, '~'),
'([/~].*?/.*?/.*?)/',
1
) != '',
REGEX_MATCH (
REPLACE(f.directory, u.directory, '~'),
'([/~].*?/.*?/.*?)/',
1
),
REPLACE(f.directory, u.directory, '~')
)
) AS exception_key
FROM
-- Starting with processes is just slightly faster than starting with pof
processes p
LEFT JOIN process_open_files pof ON p.pid = pof.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file f ON pof.path = f.path
LEFT JOIN file pf ON p.path = pf.path
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash hp ON pp.path = hp.path
WHERE
-- minor optimization: filtering out low parents saves us another 5% of runtime
p.parent > 2
-- Large files are probably not secrets
AND pf.filename != ''
AND f.size < 1000000
AND (
pof.path IN ('/var/run/docker.sock')
OR pof.path LIKE '/home/%/.ssh/%'
OR pof.path LIKE '/home/%/.mozilla/firefox/%'
OR pof.path LIKE '/home/%/.config/google-chrome/%'
OR pof.path LIKE '/root/.ssh/%'
OR pof.path LIKE '/root/.bash_history'
OR pof.path LIKE '/home/%/.config/gcloud/%'
OR pof.path LIKE '/home/%/.config/Slack/%'
OR pof.path LIKE '/home/%/.bash_history'
OR pof.path LIKE '/home/%/.cache/mozilla/firefox%'
OR pof.path LIKE '/home/%/.config/mozilla/firefox%'
OR pof.path LIKE '/home/%/.aws%'
)
AND NOT p.cmdline LIKE 'less %id_rsa.pub'
AND NOT (
file_uid == process_uid
AND exception_key IN (
'aws,aws,~/.aws',
'chrome,chrome,~/.config/google-chrome',
'chrome_crashpad_handler,chrome_crashpad,',
'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
'firefox,.firefox-wrappe,~/.cache/mozilla',
'firefox,.firefox-wrappe,~/.mozilla/firefox',
'firefox,Isolated Servic,~/.cache/mozilla',
'firefox,Isolated Servic,~/.mozilla/firefox',
'firefox,Isolated Servic,~/snap/firefox',
'firefox,Isolated Web Co,~/.cache/mozilla',
'firefox,Isolated Web Co,~/.mozilla/firefox',
'firefox,Isolated Web Co,~/snap/firefox',
'firefox,Privileged Cont,~/.cache/mozilla',
'firefox,Privileged Cont,~/.mozilla/firefox',
'firefox,Privileged Cont,~/snap/firefox',
'firefox,Privileged Mozi,~/.mozilla/firefox',
'firefox,Sandbox Forked,~/snap/firefox',
'firefox,Web Content,~/.cache/mozilla',
'firefox,Web Content,~/.mozilla/firefox',
'firefox,Web Content,~/snap/firefox',
'firefox,WebExtensions,~/.cache/mozilla',
'firefox,WebExtensions,~/.mozilla/firefox',
'firefox,WebExtensions,~/snap/firefox',
'updater,updater,~/.mozilla/firefox',
'firefox,file:// Content,~/.cache/mozilla',
'firefox,file:// Content,~/.mozilla/firefox',
'firefox,file:// Content,~/snap/firefox',
'firefox,firefox,~/.cache/mozilla',
'firefox,firefox,~/.mozilla/firefox',
'firefox,firefox,~/snap/firefox',
'updater,updater,~/.cache/mozilla',
'firefox-bin,Isolated Web Co,~/.mozilla/firefox',
'firefox-bin,Privileged Cont,~/.mozilla/firefox',
'firefox-bin,WebExtensions,~/.mozilla/firefox',
'firefox-bin,file:// Content,~/.mozilla/firefox',
'firefox-bin,firefox-bin,~/.cache/mozilla',
'firefox-bin,firefox-bin,~/.mozilla/firefox',
'plugin-container,MainThread,~/.mozilla/firefox',
'plugin-container,MainThread,~/snap/firefox',
'python3,python3,~/.config/gcloud',
'python3.10,python3,~/.config/gcloud',
'python3.11,python3,~/.config/gcloud',
'python3.12,python3,~/.config/gcloud',
'slack,slack,~/.config/Slack',
'slack,slack,~/snap/slack',
'soffice.bin,soffice.bin,~/.mozilla/firefox',
'vim,vim,~/.aws'
)
)
GROUP BY
pof.pid,
pof.path