Sample queries for use with osquery (https://osquery.io/) to find executables which are writable by users other than root for simple root escalations. Presented at Objective by the Sea v2.0 (https://objectivebythesea.com/v2/)
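/*
This query looks at the programs referenced by LaunchDaemons in order to find
ones which are writable by non-root users.

Note that it is hard to tell what will actually be executed by launchd in some
cases, and may return false positives. Recommended to be used with process
monitoring as well.

Output: the plist path and label, the resolved executable path, the owner /
group / mode of the executable (f*) and of its parent directory (d*), and the
owning user name and description for each (fu* for the file, du* for the
directory).

"Writable by non-root" means any of: owned by a non-root uid, group-writable
with a non-root gid, or world-writable. osquery reports mode as a four-digit
octal string (e.g. 0755), so the group digit is position 3 and the "other"
digit is position 4; any digit with the write bit set (2, 3, 6, 7) qualifies.
Rows owned by a uid with no entry in users are kept (left join) rather than
dropped, since an orphaned owner is itself worth a look.
*/
select distinct
    p.launchd_path as launchd_path,
    p.launchd_label as launchd_label,
    f.path,
    f.uid as fuid,
    f.gid as fgid,
    f.mode as fmode,
    d.uid as duid,
    d.gid as dgid,
    d.mode as dmode,
    fu.username as fusername,
    fu.description as fdescription,
    du.username as dusername,
    du.description as ddescription
from (
    -- Daemons that name their executable directly via Program.
    select
        program as command,
        path as launchd_path,
        label as launchd_label
    from launchd
    where program not like ''
        and path like '%LaunchDaemons%'
    union all
    -- Daemons that only set ProgramArguments: take the first space-delimited
    -- token, which is treated as the executable when it is an absolute path.
    select
        substr(
            program_arguments,
            1,
            -- no space at all: the whole string is the command
            case when pos = 0 then length(program_arguments) else pos - 1 end
        ) as command,
        launchd_path,
        launchd_label
    from (
        select
            program_arguments,
            instr(program_arguments, ' ') as pos,
            path as launchd_path,
            label as launchd_label
        from launchd
        where path like '%LaunchDaemons%'
            and program_arguments not like ''
            and program_arguments like '/%'
    )
) p
join file f on p.command = f.path
join file d on f.directory = d.path
left join users fu on f.uid = fu.uid
-- directory owner must be looked up by the directory's uid, not the file's
left join users du on d.uid = du.uid
where (
    -- parent directory: non-root owner, group-writable by a non-root group,
    -- or world-writable
    d.uid != 0
    or (
        d.gid != 0
        and (
            d.mode like '__7_'
            or d.mode like '__6_'
            or d.mode like '__3_'
            or d.mode like '__2_'
        )
    )
    or (
        d.mode like '___7'
        or d.mode like '___6'
        or d.mode like '___3'
        or d.mode like '___2'
    )
    -- the executable itself, same three conditions
    or f.uid != 0
    or (
        f.gid != 0
        and (
            f.mode like '__7_'
            or f.mode like '__6_'
            or f.mode like '__3_'
            or f.mode like '__2_'
        )
    )
    or (
        f.mode like '___7'
        or f.mode like '___6'
        or f.mode like '___3'
        or f.mode like '___2'
    )
);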
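/*
This query finds running root processes whose executable, or the directory
containing it, is writable by non-root users. Such a binary can be replaced
and will next run as root.

Output: the process (uid, pid, cmdline), its executable's owner / group / mode
(f*) with user and group names, the parent directory's owner / group / mode
(d*), and the parent and grandparent process path and cmdline for context.

"Writable by non-root" means any of: owned by a non-root uid, group-writable
with a non-root gid, or world-writable. osquery reports mode as a four-digit
octal string (e.g. 0755), so the group digit is position 3 and the "other"
digit is position 4; any digit with the write bit set (2, 3, 6, 7) qualifies.
Parent / grandparent process and user / group lookups are left joins so a
finding is not dropped when the parent has exited or the uid / gid has no
matching entry.
*/
select distinct
    p.name,
    f.path,
    f.directory,
    f.uid as fuid,
    u.username as fusername,
    f.gid as fgid,
    g.groupname as fgroupname,
    f.mode as fmode,
    d.uid as duid,
    d.gid as dgid,
    d.mode as dmode,
    p.uid as puid,
    p.pid as pid,
    p.cmdline as cmdline,
    p.parent as parent_pid,
    pp.path as parent_path,
    pp.cmdline as parent_cmdline,
    gp.pid as grandparent_pid,
    gp.path as grandparent_path,
    gp.cmdline as grandparent_cmdline
from file f
join processes p on f.path = p.path
join file d on f.directory = d.path
left join processes pp on p.parent = pp.pid
left join processes gp on pp.parent = gp.pid
left join users u on f.uid = u.uid
left join groups g on f.gid = g.gid
where
    -- only processes running as root are interesting here
    p.uid = 0
    and (
        -- parent directory: non-root owner, group-writable by a non-root
        -- group, or world-writable
        d.uid != 0
        or (
            d.gid != 0
            and (
                d.mode like '__7_'
                or d.mode like '__6_'
                or d.mode like '__3_'
                or d.mode like '__2_'
            )
        )
        or (
            d.mode like '___7'
            or d.mode like '___6'
            or d.mode like '___3'
            or d.mode like '___2'
        )
        -- the executable itself, same three conditions
        or f.uid != 0
        or (
            f.gid != 0
            and (
                f.mode like '__7_'
                or f.mode like '__6_'
                or f.mode like '__3_'
                or f.mode like '__2_'
            )
        )
        or (
            f.mode like '___7'
            or f.mode like '___6'
            or f.mode like '___3'
            or f.mode like '___2'
        )
    );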