-- Running processes whose on-disk executable carries a birth, change or modification
-- time (btime, ctime, mtime) more than 12 hours in the future — a symptom of timestomping
--
-- references:
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
--
-- false positives:
-- * None observed. If any appear, the most likely sources are a host clock that is
--   badly wrong (the query already tolerates 12h of skew) or binaries restored/copied
--   with bogus future timestamps — unverified, tune the 43200s margin if needed
--
-- tags: persistent state process
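-- One row per running process whose executable's mtime, ctime or btime lies more
-- than 43200 s (12 h) ahead of the host clock (strftime('%s','now'), epoch seconds).
-- The 12 h margin exists so ordinary clock drift / timezone confusion does not fire.
--
-- Fix vs. the previous revision: parent_sha256 was selecting the child's hash row
-- (hash is joined on p.path); it now comes from a second hash join on the parent path.
--
-- NOTE(review): processes with an empty or deleted path get NULLs from the file join,
-- so every *_newer flag is NULL and WHERE drops them — they are not covered here.
-- NOTE(review): btime is not populated on every platform; where it is 0/NULL,
-- btime_newer is simply false and only mtime/ctime are effective — confirm per OS.
-- NOTE(review): both hash joins compute a SHA-256 for each process path before the
-- WHERE filter is applied, which can be costly on busy hosts.
SELECT
  p.pid,
  p.path,
  p.name,
  p.cmdline,
  p.cwd,
  p.euid,
  p.parent,
  f.ctime,
  f.btime,
  f.mtime,
  p.start_time,
  -- 43200 s = 12 h tolerance for clock skew
  f.mtime > (strftime('%s', 'now') + 43200) AS mtime_newer,
  f.ctime > (strftime('%s', 'now') + 43200) AS ctime_newer,
  f.btime > (strftime('%s', 'now') + 43200) AS btime_newer,
  hash.sha256 AS child_hash256,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  -- hash of the parent's own binary, not the child's
  phash.sha256 AS parent_sha256
FROM
  processes p
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE
  mtime_newer == 1
  OR ctime_newer == 1
  OR btime_newer == 1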
|