osquery-defense-kit/fs/unexpected-dev-entries.sql

30 lines
1.2 KiB
MySQL
Raw Normal View History

2022-09-08 13:53:43 +00:00
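-- Unexpected entries under /dev: anything in /dev/shm or /dev/mqueue, and any
-- dot-prefixed (hidden) name directly under /dev or one level below it.
-- Memory-backed and hidden locations under /dev are a known place for implants
-- to stage or conceal files, so every hit should be triaged.
--
-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- Notes for anyone tuning this query:
--   * The LIKE patterns on file.path are what drive osquery's filesystem
--     enumeration, so each one matters: in osquery's file table '%' expands a
--     single path level and '%%' recurses, and the separate '.%' patterns exist
--     because hidden entries apparently need the leading dot spelled out.
--     Do not collapse them as if they were ordinary SQL LIKE patterns.
--   * hash and magic are LEFT JOINed so a row is still reported when the file
--     cannot be hashed or libmagic data is unavailable; sha256/data are then NULL.
--   * String literals use single quotes throughout. SQLite treats a double-quoted
--     token as an identifier first and only falls back to a string literal, so
--     mixing the two styles (as earlier revisions did) is fragile.
--   * The NOT LIKE / NOT IN exclusions are name-based allowlists for known
--     desktop and container runtimes. They match on name only, so anything
--     named to resemble them is suppressed as well; keep the list short and
--     review each addition rather than treating it as authoritative.
SELECT file.path, file.type, file.mtime, file.uid, file.ctime, file.gid, hash.sha256, magic.data
FROM file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
  -- /dev/shm: recursive walk, plus hidden entries at the top level and below
  file.path LIKE '/dev/shm/%%'
  OR file.path LIKE '/dev/shm/.%'
  OR file.path LIKE '/dev/shm/.%/%'
  -- hidden entries directly under /dev, or one level down
  OR file.path LIKE '/dev/%/.%'
  OR file.path LIKE '/dev/.%'
  OR file.path LIKE '/dev/.%/%'
  -- /dev/mqueue: same treatment as /dev/shm
  OR file.path LIKE '/dev/mqueue/%%'
  OR file.path LIKE '/dev/mqueue/.%/%'
  OR file.path LIKE '/dev/mqueue/.%'
)
-- Known shared-memory users: browsers, audio servers, sandboxes, container runtimes
AND file.path NOT LIKE '/dev/shm/.com.google.%'
AND file.path NOT LIKE '/dev/shm/.org.chromium.%'
AND file.path NOT LIKE '/dev/shm/wayland.mozilla.%'
AND file.path NOT LIKE '/dev/shm/jack_db%'
AND file.path NOT LIKE '/dev/shm/flatpak-%'
AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
-- The '.%' patterns can also surface the '.' and '..' directory entries; drop them
AND file.path NOT LIKE '%/../%'
AND file.path NOT LIKE '%/./%'
AND filename NOT IN ('..')
-- Per-user shared-memory segments (audio and what look like game-client segments; confirm before widening)
AND filename NOT LIKE 'pulse-shm-%'
AND filename NOT LIKE 'u1000-Shm%'
AND filename NOT LIKE 'u1000-Valve%'
AND file.path NOT IN ('/dev/.mdadm/')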