-- Detects unexpected programs opening files in /dev on Linux
--
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
-- platform: linux
--
-- Emits one row per process (GROUP BY pof.pid) that has a /dev entry open which
-- is not covered by the exception lists in the WHERE clause. Two derived keys are
-- used to express exceptions compactly:
--   path_exception = "<device path, trailing digits/spaces removed>,<program basename>"
--   dir_exception  = "<directory part of the device path>,<program basename>"
-- NOTE(review): every exception key (and program_name) is a name reported by the
-- process itself, not a verified identity; hash.sha256 is selected alongside so
-- the noisier entries can be cross-checked against a known binary hash.
SELECT
  pof.pid,
  pof.path AS device,
  p.path AS program,
  p.name AS program_name,
  p.cmdline AS cmdline,
  -- sha256 of the program binary, from the LEFT JOIN on hash below
  -- (NULL when the hash table has no row for p.path)
  hash.sha256,
  -- path_exception: device path with a trailing run of digits/spaces dropped
  -- ("/dev/input/event3" -> "/dev/input/event"), then "," and the program basename.
  CONCAT (
    IIF(
      -- An empty REGEX_MATCH result is treated as "no match"; the fallback is
      -- the device path itself, minus any " (deleted)" suffix.
      REGEX_MATCH (
        REPLACE(pof.path, " (deleted)", ""),
        "(/dev/.*)[\d ]+$",
        1
      ) != "",
      REGEX_MATCH (
        REPLACE(pof.path, " (deleted)", ""),
        "(/dev/.*)[\d ]+$",
        1
      ),
      REPLACE(pof.path, " (deleted)", "")
    ),
    ",",
    -- Basename of p.path: RTRIM strips every non-"/" character from the right,
    -- leaving the directory prefix ("/usr/bin/"), which REPLACE then removes
    -- from the full path.
    REPLACE(
      p.path,
      RTRIM(p.path, REPLACE(p.path, "/", "")),
      ""
    )
  ) AS path_exception,
  -- dir_exception: directory part of the device path
  -- ("/dev/input/event3" -> "/dev/input"), then "," and the program basename
  -- (same RTRIM/REPLACE basename trick as above).
  CONCAT (
    TRIM(
      REPLACE(
        pof.path,
        -- "/" + basename of the device path, removed from the device path
        CONCAT (
          "/",
          REPLACE(
            pof.path,
            RTRIM(pof.path, REPLACE(pof.path, "/", "")),
            ""
          )
        ),
        ""
      )
    ),
    ",",
    REPLACE(
      p.path,
      RTRIM(p.path, REPLACE(p.path, "/", "")),
      ""
    )
  ) AS dir_exception
FROM
  process_open_files pof
  -- NOTE(review): if the process is gone by the time `processes` is read, p.path
  -- is NULL; whether CONCAT then yields NULL (and the NOT IN tests below drop the
  -- row) depends on osquery's CONCAT NULL handling -- confirm.
  LEFT JOIN processes p ON pof.pid = p.pid
  LEFT JOIN hash ON hash.path = p.path
WHERE
  pof.path LIKE "/dev/%"
  -- Exact device paths excluded regardless of which program opened them
  AND pof.path NOT IN (
    "/dev/dri/card0",
    "/dev/dri/card1",
    "/dev/dri/renderD128",
    "/dev/dri/renderD129",
    "/dev/fuse",
    "/dev/io8log",
    "/dev/io8logmt",
    "/dev/io8logtemp",
    "/dev/null",
    "/dev/nvidia-modeset",
    "/dev/nvidia-uvm",
    "/dev/nvidia0",
    "/dev/nvidiactl",
    "/dev/ptmx",
    "/dev/pts/ptmx",
    "/dev/random",
    "/dev/rfkill",
    "/dev/snd/seq",
    "/dev/urandom",
    "/dev/vga_arbiter",
    "/dev/video10" -- workaround for poor regex management (ffmpeg)
  )
  -- Device path prefixes excluded regardless of program
  AND pof.path NOT LIKE "/dev/pts/%"
  AND pof.path NOT LIKE "/dev/snd/%"
  AND pof.path NOT LIKE "/dev/tty%"
  AND pof.path NOT LIKE "/dev/hidraw%"
  AND pof.path NOT LIKE "/dev/shm/.com.google.Chrome.%"
  AND pof.path NOT LIKE "/dev/shm/.org.chromium.Chromium.%"
  AND pof.path NOT LIKE "/dev/shm/authentik_%"
  -- "<device directory>,<program basename>" pairs that are expected
  AND NOT dir_exception IN (
    "/dev/bus/usb,pcscd",
    "/dev/bus/usb/001,pcscd",
    "/dev/bus/usb/005,python3.10",
    "/dev/input,acpid",
    "/dev/kmsg,systemd-coredump",
    "/dev/input,gnome-shell",
    "/dev/input,systemd-logind",
    "/dev/input,systemd",
    "/dev/input,upowerd",
    "/dev/input,Xorg",
    "/dev/net,.tailscaled-wrapped",
    "/dev/net,tailscaled",
    "/dev/shm,1password",
    "/dev/shm,chrome",
    "/dev/shm,code",
    "/dev/shm,electron",
    "/dev/shm,Brackets",
    "/dev/shm,firefox",
    "/dev/shm,gopls",
    "/dev/shm,java",
    "/dev/shm,jcef_helper",
    "/dev/shm,slack",
    "/dev/shm,spotify",
    "/dev/shm,steam",
    "/dev/shm,steamwebhelper",
    "/dev/shm,wine64-preloader",
    "/dev/shm,winedevice.exe",
    "/dev/snd,.pulseaudio-wrapped",
    "/dev/snd,alsactl",
    "/dev/net/tun,qemu-system-x86_64",
    "/dev/snd,pipewire",
    "/dev/snd,pulseaudio",
    "/dev/snd,wireplumber"
  )
  -- "<device path without trailing digits>,<program basename>" pairs that are expected
  AND NOT path_exception IN (
    "/dev/autofs,systemd",
    "/dev/hidraw,chrome",
    "/dev/input/event,thermald",
    "/dev/input/event,Xorg",
    "/dev/kmsg,kubelet",
    "/dev/kmsg,systemd",
    "/dev/kmsg,systemd-journald",
    "/dev/kvm,qemu-system-x86_64",
    "/dev/mapper/control,dockerd",
    "/dev/mcelog,mcelog",
    "/dev/media,pipewire",
    "/dev/media,wireplumber",
    "/dev/net/tun,slirp4netns",
    "/dev/tty,agetty",
    "/dev/tty,gdm-wayland-session",
    "/dev/tty,gdm-x-session",
    "/dev/tty,systemd-logind",
    "/dev/tty,Xorg",
    "/dev/uinput,bluetoothd",
    "/dev/usb/hiddev,apcupsd",
    "/dev/usb/hiddev,upowerd",
    "/dev/video,chrome",
    "/dev/video,ffmpeg",
    "/dev/video,firefox",
    "/dev/video,obs",
    "/dev/video,pipewire",
    "/dev/video,zoom",
    "/dev/video,obs-ffmpeg-mux",
    "/dev/video,vlc",
    "/dev/video,wireplumber",
    "/dev/zfs,zed",
    "/dev/zfs,zfs",
    "/dev/zfs,zpool"
  )
  -- Programs expected to open arbitrary USB device nodes; keyed on p.name
  AND NOT (
    device LIKE "/dev/bus/usb/%"
    AND program_name IN (
      "streamdeck",
      "gphoto2",
      "fwupd",
      "pcscd",
      "gvfs-gphoto2-vo",
      "gvfs-gphoto2-volume-monitor"
    )
  )
-- One row per pid. Which of a process's matching /dev files is reported as
-- `device` is not fixed by the query (bare columns under GROUP BY).
GROUP BY
  pof.pid