osquery-defense-kit/detection/persistence/unexpected-global-lock.sql

-- Find unexpected world readable run locks
--
-- false positives:
--   * none known
--
-- references:
--   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
--
-- tags: persistent filesystem state seldom
-- platform: posix
SELECT
  *,
  CONCAT (
    MIN(file.uid, 500),
    ",",
    file.gid,
    ",",
    file.path,
    ",",
    file.type,
    ',',
    mode
  ) AS exception_key
FROM
  file
WHERE
  (
    path LIKE "/dev/mqueue/.%.lock"
    OR path LIKE "/dev/mqueue/%.lock"
    OR path LIKE "/dev/shm/.%.lock"
    OR path LIKE "/dev/shm/%.lock"
    OR path LIKE "/tmp/.%.lock"
    OR path LIKE "/tmp/%.lock"
    OR path LIKE "/var/run/.%.lock"
    OR path LIKE "/var/run/%.lock"
    OR path LIKE "/var/tmp/.%.lock"
    OR path LIKE "/var/tmp/%.lock"
  )
  AND exception_key NOT IN (
    '0,0,/var/run/apport.lock,regular,0600',
    '0,0,/var/run/dnf-metadata.lock,regular,0644',
    '0,0,/var/run/ublue-update.lock,regular,0755',
    '0,0,/var/run/ufw.lock,regular,0644',
    '0,0,/var/run/unattended-upgrades.lock,regular,0640',
    '0,0,/var/run/xtables.lock,regular,0600',
    '0,1,/var/run/prl_desktop_services_foreground.lock,regular,0644',
    '0,1,/var/run/prl_desktop_services.lock,regular,0644',
    '0,1,/var/run/VMware Fusion Services.lock,regular,0600',
    '0,1,/var/run/xv-update-resolv-conf.lock,regular,0600',
    '0,1001,/var/run/keyd.socket.lock,regular,0600',
    '500,0,/tmp/mysql.sock.lock,regular,0600',
    '500,0,/tmp/mysqlx.sock.lock,regular,0600',
    '500,0,/tmp/write.lock,regular,0644',
    '500,1000,/tmp/golangci-lint.lock,regular,0600',
    '500,1001,/tmp/nwg-dock.lock,regular,0600',
    '74,0,/tmp/mysql.sock.lock,regular,0600',
    '74,0,/tmp/mysqlx.sock.lock,regular,0600'
  )
  AND NOT exception_key LIKE '500,0,/tmp/.s.PGSQL.%.lock,regular,0600'
  AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'
  AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0664'
  AND NOT exception_key LIKE '500,1000,/tmp/vscode-remote-ssh-%-install.lock,regular,0664'
Improve detection for bpfdoor and similar backdoors. 2023-05-16 20:31:31 +00:00			`-- Find unexpected world readable run locks`
			`--`
			`-- false positives:`
			`-- * none known`
			`--`
			`-- references:`
			`-- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game`
			`--`
Remove file sizes from systemd exception key 2023-06-08 22:26:57 +00:00			`-- tags: persistent filesystem state seldom`
Improve detection for bpfdoor and similar backdoors. 2023-05-16 20:31:31 +00:00			`-- platform: posix`
Fix errors 2023-08-15 22:29:27 +00:00			`SELECT`
			`*,`
			`CONCAT (`
			`MIN(file.uid, 500),`
			`",",`
			`file.gid,`
			`",",`
			`file.path,`
			`",",`
			`file.type,`
			`',',`
			`mode`
			`) AS exception_key`
			`FROM`
			`file`
			`WHERE`
			`(`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`path LIKE "/dev/mqueue/.%.lock"`
Fix errors 2023-08-15 22:29:27 +00:00			`OR path LIKE "/dev/mqueue/%.lock"`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`OR path LIKE "/dev/shm/.%.lock"`
			`OR path LIKE "/dev/shm/%.lock"`
Fix errors 2023-08-15 22:29:27 +00:00			`OR path LIKE "/tmp/.%.lock"`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`OR path LIKE "/tmp/%.lock"`
Fix errors 2023-08-15 22:29:27 +00:00			`OR path LIKE "/var/run/.%.lock"`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`OR path LIKE "/var/run/%.lock"`
Fix errors 2023-08-15 22:29:27 +00:00			`OR path LIKE "/var/tmp/.%.lock"`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`OR path LIKE "/var/tmp/%.lock"`
Fix errors 2023-08-15 22:29:27 +00:00			`)`
			`AND exception_key NOT IN (`
Massive false-positive reduction, particularly for uBlue 2024-06-27 13:23:52 +00:00			`'0,0,/var/run/apport.lock,regular,0600',`
			`'0,0,/var/run/dnf-metadata.lock,regular,0644',`
			`'0,0,/var/run/ublue-update.lock,regular,0755',`
			`'0,0,/var/run/ufw.lock,regular,0644',`
Fix errors 2023-08-15 22:29:27 +00:00			`'0,0,/var/run/unattended-upgrades.lock,regular,0640',`
Massive false-positive reduction, particularly for uBlue 2024-06-27 13:23:52 +00:00			`'0,0,/var/run/xtables.lock,regular,0600',`
fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. 2025-01-17 20:43:01 +00:00			`'0,1,/var/run/prl_desktop_services_foreground.lock,regular,0644',`
			`'0,1,/var/run/prl_desktop_services.lock,regular,0644',`
Massive false-positive reduction, particularly for uBlue 2024-06-27 13:23:52 +00:00			`'0,1,/var/run/VMware Fusion Services.lock,regular,0600',`
fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. 2025-01-17 20:43:01 +00:00			`'0,1,/var/run/xv-update-resolv-conf.lock,regular,0600',`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`'0,1001,/var/run/keyd.socket.lock,regular,0600',`
Fix errors 2023-08-15 22:29:27 +00:00			`'500,0,/tmp/mysql.sock.lock,regular,0600',`
			`'500,0,/tmp/mysqlx.sock.lock,regular,0600',`
fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. 2025-01-17 20:43:01 +00:00			`'500,0,/tmp/write.lock,regular,0644',`
Massive false-positive reduction, particularly for uBlue 2024-06-27 13:23:52 +00:00			`'500,1000,/tmp/golangci-lint.lock,regular,0600',`
			`'500,1001,/tmp/nwg-dock.lock,regular,0600',`
Fix errors 2023-08-15 22:29:27 +00:00			`'74,0,/tmp/mysql.sock.lock,regular,0600',`
fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. 2025-01-17 20:43:01 +00:00			`'74,0,/tmp/mysqlx.sock.lock,regular,0600'`
Fix errors 2023-08-15 22:29:27 +00:00			`)`
Sort a bunch of lines and remove duplicates 2025-01-22 21:28:09 +00:00			`AND NOT exception_key LIKE '500,0,/tmp/.s.PGSQL.%.lock,regular,0600'`
fpr: sddm-helper, smartd, Xorg, elastic, WebEx, BambuStudio, keepass, etc 2024-07-26 17:26:37 +00:00			`AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'`
False-positives be damned 2024-08-27 22:40:43 +00:00			`AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0664'`
fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. 2025-01-17 20:43:01 +00:00			`AND NOT exception_key LIKE '500,1000,/tmp/vscode-remote-ssh-%-install.lock,regular,0664'`