2022-10-13 18:59:32 +00:00
|
|
|
-- Alert on programs running that are unusually old (poor timestomping)
|
2022-10-14 18:19:13 +00:00
|
|
|
--
|
2022-10-19 20:56:32 +00:00
|
|
|
-- false positive:
|
|
|
|
|
-- * legimitely ancient programs. For instance, printer drivers.
|
|
|
|
|
--
|
2022-10-14 18:19:13 +00:00
|
|
|
-- references:
|
2022-10-19 20:56:32 +00:00
|
|
|
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
|
2022-10-14 18:19:13 +00:00
|
|
|
--
|
|
|
|
|
-- tags: transient process state
|
2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
|
|
|
|
p.path,
|
|
|
|
|
p.cmdline,
|
|
|
|
|
p.cwd,
|
|
|
|
|
((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
|
|
|
|
|
((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days,
|
|
|
|
|
((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days,
|
|
|
|
|
h.sha256,
|
|
|
|
|
f.uid,
|
|
|
|
|
f.gid
|
|
|
|
|
FROM
|
|
|
|
|
processes p
|
|
|
|
|
JOIN file f ON p.path = f.path
|
|
|
|
|
JOIN hash h ON p.path = h.path
|
|
|
|
|
WHERE
|
|
|
|
|
(
|
2022-09-29 19:42:27 +00:00
|
|
|
ctime_age_days > 1050
|
|
|
|
|
OR mtime_age_days > 1050
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND p.path NOT LIKE '%/opt/brackets/Brackets%'
|
2022-09-24 15:12:23 +00:00
|
|
|
AND h.sha256 NOT IN (
|
2022-09-14 11:54:39 +00:00
|
|
|
'f61dcfce6f0c04263780700e0e9a8ff2363edefc344c08bd792fd401ddaa160f' -- jp.co.canon.MSU.app.Installer
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
