osquery-defense-kit/detection/evasion/empty_root_environ_macos.sql
2023-05-17 10:54:16 -04:00

76 lines
2.3 KiB
SQL

-- Find programs which spawn root children without propagating environment variables
--
-- references:
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- tags: persistent state daemon process seldom disabled
-- platform: darwin
-- interval: 600
SELECT
COUNT(key) AS count,
p.pid,
p.path,
p.name,
p.euid,
p.on_disk,
p.parent,
p.cmdline,
p.cwd,
pp.name AS parent_name,
pp.cmdline AS parent_cmd,
signature.identifier,
signature.authority,
hash.sha256,
CONCAT (
MIN(p.euid, 500),
',',
p.name,
',',
signature.identifier,
',',
signature.authority
) AS exception_key
FROM
processes p
LEFT JOIN process_envs pe ON p.pid = pe.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN signature ON p.path = signature.path
WHERE
p.pid IN (
SELECT
pid
FROM
processes
WHERE
euid = 0
AND start_time > (strftime('%s', 'now') - 601)
AND start_time < (strftime('%s', 'now') - 1)
AND path NOT LIKE '/System/Library/%'
AND path NOT LIKE '/opt/homebrew/Cellar/%'
)
AND signature.authority NOT IN (
'Software Signing',
'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: GitHub (VEKTX9H2N7)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Mozilla Corporation (43AQ936H96)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: Yubico Limited (LQA3CS5MM7)'
)
GROUP BY
p.pid
HAVING
count == 0;