Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Sample queries for use with osquery (https://osquery.io/) to find executables which are writable by users other than root for simple root escalations. Presented at Objective by the Sea v2.0 (https://objectivebythesea.com/v2/)
/*
This query looks at the programs referenced by LaunchDaemons in order to find ones which are writable by non-root users.
Note that it is hard to tell what will actually be executed by launchd in some cases, and may return false positives. Reccomended to be used with process monitoring as well.
*/
select
distinct p.launchd_path as launchd_path,
p.launchd_label as launchd_label,
f.path,
f.uid as fuid,
f.gid as fgid,
f.mode as fmode,
d.uid as duid,
d.gid as dgid,
d.mode as dmode,
fu.username as fusername,
fu.description as fdescription,
du.username as dusername,
du.description as ddescription
from
(
SELECT
program AS command,
path AS launchd_path,
label as launchd_label
FROM
launchd
WHERE
program NOT LIKE ""
and path like "%LaunchDaemons%"
UNION ALL
SELECT
substr(
program_arguments,
1,
(
case when pos = 0 then 1000 else pos - 1 end
)
) AS command,
launchd_path,
launchd_label
FROM
(
SELECT
program_arguments,
instr(program_arguments, " ") AS pos,
path as launchd_path,
label as launchd_label
FROM
launchd
WHERE
path like "%LaunchDaemons%"
and program_arguments not like ""
and program_arguments like "/%"
)
) p
join file f on p.command = f.path
join file d on f.directory = d.path
join users fu on f.uid = fu.uid
join users du on f.uid = du.uid
where
(
d.uid != 0
or (
d.gid != 0
and (
d.mode like "__7_"
or d.mode like "__6_"
)
)
or (
d.mode like "___7"
or d.mode like "___6"
)
or f.uid != 0
or (
f.gid != 0
and (
f.mode like "__7_"
or f.mode like "__6_"
)
)
or (
f.mode like "___7"
or f.mode like "___6"
)
);
select distinct
p.name,
f.path,
f.directory,
f.uid as fuid,
u.username as fusername,
f.gid as fgid,
g.groupname as fgroupname,
f.mode as fmode,
d.uid as duid,
d.gid as dgid,
d.mode as dmode,
p.uid as puid,
p.pid as pid,
p.cmdline as cmdline,
p.parent as parent_pid,
pp.path as parent_path,
pp.cmdline as parent_cmdline,
gp.pid as grandparent_pid,
gp.path as grandparent_path,
gp.cmdline as grandparent_cmdline
from
file f
join processes p on f.path = p.path
join file d on f.directory = d.path
join processes pp on p.parent = pp.pid
join processes gp on pp.parent = gp.pid
join users u on f.uid = u.uid
join groups g on f.gid = g.gid
where
p.uid = 0
and (
d.uid != 0
or (
d.gid != 0
and (
d.mode like "__7_"
or d.mode like "__6_"
)
)
or (
d.mode like "___7"
or d.mode like "___6"
)
or f.uid != 0
or (
f.gid != 0
and (
f.mode like "__7_"
or f.mode like "__6_"
)
)
or (
f.mode like "___7"
or f.mode like "___6"
)
);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.