116 lines
3.7 KiB
SQL
116 lines
3.7 KiB
SQL
-- Things that call chmod to set executable permissions
|
|
--
|
|
-- references:
|
|
-- * https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
|
|
--
|
|
-- false positives:
|
|
-- * loads of them
|
|
--
|
|
-- tags: transient process events
|
|
-- platform: linux
|
|
-- interval: 180
|
|
SELECT
|
|
IFNULL(
|
|
REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
|
|
CONCAT (
|
|
pe.cwd,
|
|
'/',
|
|
REGEX_MATCH (TRIM(pe.cmdline), '.* (.*)', 1)
|
|
)
|
|
) AS f_path,
|
|
f.mode AS f_mode,
|
|
f.type AS f_type,
|
|
hash.sha256 AS f_hash,
|
|
magic.data AS f_magic,
|
|
-- Child
|
|
pe.path AS p0_path,
|
|
TRIM(pe.cmdline) AS p0_cmd,
|
|
pe.cwd AS p0_cwd,
|
|
pe.pid AS p0_pid,
|
|
-- Parent
|
|
pe.parent AS p1_pid,
|
|
p1.cgroup_path AS p1_cgroup,
|
|
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
|
|
COALESCE(p1.path, pe1.path) AS p1_path,
|
|
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
|
|
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
|
|
-- Grandparent
|
|
COALESCE(p1.parent, pe1.parent) AS p2_pid,
|
|
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
|
|
TRIM(
|
|
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
|
|
) AS p2_cmd,
|
|
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
|
|
COALESCE(
|
|
p1_p2_hash.path,
|
|
pe1_p2_hash.path,
|
|
pe1_pe2_hash.path
|
|
) AS p2_hash,
|
|
REGEX_MATCH (
|
|
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
|
|
'.*/(.*)',
|
|
1
|
|
) AS p2_name,
|
|
-- Exception key
|
|
REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
|
|
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
|
|
'.*/(.*)',
|
|
1
|
|
) AS exception_key
|
|
FROM
|
|
process_events pe
|
|
LEFT JOIN processes p ON pe.pid = p.pid
|
|
-- Wow, you can do that?
|
|
LEFT JOIN file f ON IFNULL(
|
|
REGEX_MATCH (TRIM(pe.cmdline), '.* (/.*)', 1),
|
|
CONCAT (
|
|
pe.cwd,
|
|
'/',
|
|
REGEX_MATCH (TRIM(pe.cmdline), '.* (.*)', 1)
|
|
)
|
|
) = f.path
|
|
LEFT JOIN hash ON f.path = hash.path
|
|
LEFT JOIN magic ON f.path = magic.path
|
|
-- Parents (via two paths)
|
|
LEFT JOIN processes p1 ON pe.parent = p1.pid
|
|
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
|
|
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
|
|
AND pe1.cmdline != ''
|
|
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
|
|
-- Grandparents (via 3 paths)
|
|
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
|
|
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
|
|
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
|
|
AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
|
|
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
|
|
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
|
|
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
|
|
WHERE
|
|
pe.pid IN (
|
|
SELECT DISTINCT
|
|
pid
|
|
FROM
|
|
process_events
|
|
WHERE
|
|
time > (strftime('%s', 'now') -180)
|
|
AND pe.syscall = "execve"
|
|
AND (
|
|
cmdline LIKE '%chmod% 7%'
|
|
OR cmdline LIKE '%chmod% +rwx%'
|
|
OR cmdline LIKE '%chmod% +x%'
|
|
OR cmdline LIKE '%chmod% u+x%'
|
|
OR cmdline LIKE '%chmod% a+x%'
|
|
)
|
|
AND cmdline NOT LIKE 'chmod 777 /app/%'
|
|
AND cmdline NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
|
|
AND cmdline NOT LIKE 'chmod 700 /home/%/snap/%/%/.config'
|
|
)
|
|
AND pe.syscall = "execve"
|
|
AND f.type != 'directory'
|
|
AND p1_cgroup NOT LIKE '/system.slice/docker-%'
|
|
AND p1_cgroup NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
|
|
AND p2_cgroup NOT LIKE '/system.slice/docker-%'
|
|
AND p2_cgroup NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
|
|
GROUP BY
|
|
p0_pid
|