Unexpected Env Values Macos

osquery

Applications setting environment variables to bypass security protections

Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Applications setting environment variables to bypass security protections
--
-- Inpsired by BPFdoor and other intrusions
-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
--
-- WARNING: This query is known to require a higher than average wall time.
--
-- interval: 60
-- platform: darwin
SELECT
  key,
  value,
  p.pid,
  p.path,
  p.cwd,
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
  -- Querying processes first and filtering by time gives a massive 20X speed improvement
  -- over querying process_envs first and JOIN'ing against processes
FROM
  processes p
  LEFT JOIN process_envs pe ON p.pid = pe.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE -- This time should match the interval
  p.start_time > (strftime('%s', 'now') - 60)
  AND (
    key = 'HISTFILE'
    AND NOT value LIKE '/Users/%/.%_history'
    AND NOT value = '~/.tramp_history'
  )
  OR (
    key = 'LD_PRELOAD'
    AND NOT p.path LIKE '%/firefox'
    AND NOT pe.value = 'libfakeroot.so'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
    AND NOT pe.value LIKE ':/snap/%' -- Yes, on macOS (emote)
  )
  OR (
    key = 'DYLD_INSERT_LIBRARIES' -- actively exploited on programs which disable library security
    AND NOT pe.value = '/System/Library/PrivateFrameworks/PreviewsInjection.framework/PreviewsInjection'
    AND NOT pe.value LIKE '/opt/homebrew/Cellar/r/4.%/lib/R/lib/libR.dylib'
    AND NOT pe.value LIKE '%/libsamply_mac_preload.dylib'
    AND NOT pe.value LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/steamloader.dylib:%/Steam/Steam.AppBundle/Steam/Contents/MacOS/gameoverlayrenderer.dylib'
    AND NOT pe.value LIKE '%/libtrace.dylib'
  )
  OR (
    key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers
    AND NOT pe.value LIKE '%/IDLE.app/%'
    AND NOT pe.value = '/System/Library/Frameworks'
  )

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit