osquery-defense-kit/detection/evasion/unexpected-dev-executables-...

-- Find unexpected executables in /dev
--
-- references:
--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- tags: persistent state filesystem
SELECT
  file.path,
  file.directory,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  (
    -- This list is the result of multiple queries combined and can likely be minimized
    file.path LIKE '/dev/%%'
    OR file.path LIKE '/dev/%%/%%'
    OR file.path LIKE '/dev/mqueue/%%'
    OR file.path LIKE '/dev/mqueue/.%/%%'
    OR file.path LIKE '/dev/mqueue/%/%%'
    OR file.path LIKE '/dev/mqueue/%/%/.%'
    OR file.path LIKE '/dev/mqueue/%/.%/%%'
    OR file.path LIKE '/dev/shm/%%'
    OR file.path LIKE '/dev/shm/.%/%%'
    OR file.path LIKE '/dev/shm/%/%%'
    OR file.path LIKE '/dev/shm/%/%/.%'
    OR file.path LIKE '/dev/shm/%/.%/%%'
  )
  AND file.type = 'regular'
  AND file.size > 64
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
  AND (
    file.mode LIKE '%7%'
    or file.mode LIKE '%5%'
    or file.mode LIKE '%1%'
  ) -- Seen on Ubuntu
  AND NOT (
    file.uid = 1000
    AND file.gid = 1000
    AND file.mode = '0700'
    AND magic.data = 'data'
    AND file.path LIKE '/dev/shm/pulse-shm-%'
    AND file.size > 60000000
  ) -- Seen with Steam
  AND NOT (
    file.uid = 1000
    AND file.gid IN (100, 1000)
    AND file.mode IN ('0755', '0775')
    AND magic.data IN (
      'data',
      'Applesoft BASIC program data, first line number 86',
      'mc68k executable (shared)',
      'OpenPGP Secret Key',
      '',
      'floppy image data (IBM SaveDskF, old)',
      'DOS executable (COM)'
    )
    AND file.path LIKE '/dev/shm/u1000-Shm_%'
  )
  AND NOT (
    file.uid = 1000
    AND file.gid IN (100, 1000)
    AND file.mode IN ('0755', '0775')
    AND magic.data IS NULL
    AND file.path LIKE '/dev/shm/u1000-Shm_%'
  )
  AND NOT (
    file.uid = 1000
    AND file.mode = '0755'
    AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
    AND file.size > 1000000
  )
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`-- Find unexpected executables in /dev`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- references:`
			`-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/`
			`--`
			`-- tags: persistent state filesystem`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`SELECT`
			`file.path,`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`file.directory,`
			`uid,`
			`gid,`
			`mode,`
			`file.mtime,`
			`file.size,`
			`hash.sha256,`
			`magic.data`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`FROM`
			`file`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`LEFT JOIN hash on file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`WHERE`
			`(`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`-- This list is the result of multiple queries combined and can likely be minimized`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`file.path LIKE '/dev/%%'`
			`OR file.path LIKE '/dev/%%/%%'`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`OR file.path LIKE '/dev/mqueue/%%'`
			`OR file.path LIKE '/dev/mqueue/.%/%%'`
			`OR file.path LIKE '/dev/mqueue/%/%%'`
			`OR file.path LIKE '/dev/mqueue/%/%/.%'`
			`OR file.path LIKE '/dev/mqueue/%/.%/%%'`
			`OR file.path LIKE '/dev/shm/%%'`
			`OR file.path LIKE '/dev/shm/.%/%%'`
			`OR file.path LIKE '/dev/shm/%/%%'`
			`OR file.path LIKE '/dev/shm/%/%/.%'`
			`OR file.path LIKE '/dev/shm/%/.%/%%'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND file.type = 'regular'`
False positives: apt-daily, github runner, Slack helper, Foxit, syncthing 2023-01-19 16:52:31 +00:00			`AND file.size > 64`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`AND file.path NOT LIKE '%/../%'`
			`AND file.path NOT LIKE '%/./%'`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`AND (`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`file.mode LIKE '%7%'`
			`or file.mode LIKE '%5%'`
			`or file.mode LIKE '%1%'`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`) -- Seen on Ubuntu`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`AND NOT (`
			`file.uid = 1000`
			`AND file.gid = 1000`
Fix file.mode comparisons 2022-11-16 16:01:22 +00:00			`AND file.mode = '0700'`
			`AND magic.data = 'data'`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`AND file.path LIKE '/dev/shm/pulse-shm-%'`
			`AND file.size > 60000000`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`) -- Seen with Steam`
Add exceptions for Jetbrains/Delve, more for Steam 2022-10-30 16:00:43 +00:00			`AND NOT (`
			`file.uid = 1000`
Filter out new false positives 2023-01-13 20:24:18 +00:00			`AND file.gid IN (100, 1000)`
			`AND file.mode IN ('0755', '0775')`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`AND magic.data IN (`
			`'data',`
			`'Applesoft BASIC program data, first line number 86',`
			`'mc68k executable (shared)',`
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 17:56:39 +00:00			`'OpenPGP Secret Key',`
fpr: minikube, tailscale, dex, pacman, virtualbox, steam, lsmod, busybox, etc 2023-01-24 01:33:52 +00:00			`'',`
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 17:56:39 +00:00			`'floppy image data (IBM SaveDskF, old)',`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`'DOS executable (COM)'`
			`)`
Add exceptions for Jetbrains/Delve, more for Steam 2022-10-30 16:00:43 +00:00			`AND file.path LIKE '/dev/shm/u1000-Shm_%'`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`)`
			`AND NOT (`
			`file.uid = 1000`
			`AND file.gid IN (100, 1000)`
			`AND file.mode IN ('0755', '0775')`
			`AND magic.data IS NULL`
			`AND file.path LIKE '/dev/shm/u1000-Shm_%'`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`)`
Catch up to other false positives over winter break 2023-01-04 16:03:38 +00:00			`AND NOT (`
			`file.uid = 1000`
			`AND file.mode = '0755'`
			`AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'`
			`AND file.size > 1000000`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`)`