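-- Find unexpected executables in temp directories, often used by malware droppers
--
-- tags: persistent
-- platform: linux
--
-- Structure: the inner subquery whittles /tmp down to candidate executable files
-- using only the `file` table; the outer query then joins `hash` and `magic`
-- (both LEFT JOINs, so rows survive on platforms without a magic table) and
-- applies the content-based exclusions. All `magic.data` checks guard for NULL
-- first so that platforms without magic data are not silently filtered out.
SELECT DISTINCT
    file.path,
    uid,
    gid,
    mode,
    REGEX_MATCH(file.filename, '.*\.(.*?)$', 1) AS extension,
    file.btime,
    file.ctime,
    file.mtime,
    file.size,
    hash.sha256,
    magic.data
FROM
    file
    LEFT JOIN hash ON file.path = hash.path
    LEFT JOIN magic ON file.path = magic.path
WHERE
    -- Optimization: don't join things until we have a whittled down list of files
    file.path IN (
        SELECT DISTINCT
            path
        FROM
            file
        WHERE
            (
                file.directory = '/tmp'
                OR file.directory LIKE '/tmp/.%'
            )
            -- Prevent weird recursion
            AND NOT file.directory LIKE '%/../%'
            AND NOT file.directory LIKE '%/./%'
            -- Exclude very temporary files (changed within the last minute)
            AND (strftime('%s', 'now') - file.ctime) >= 60
            -- Only executable files: an execute bit shows up as an odd mode digit.
            -- NOTE(review): digit 3 (-wx) is also executable but is not matched
            -- here; confirm whether that gap is intentional before adding '%3%'.
            AND file.type = 'regular'
            AND (
                file.mode LIKE '%7%'
                OR file.mode LIKE '%5%'
                OR file.mode LIKE '%1%'
            )
            -- Build/CI artefacts owned by ordinary users
            AND NOT (
                file.uid > 500
                AND (
                    file.path LIKE '%/go-build%'
                    OR file.directory LIKE '/tmp/%/out'
                    OR file.path IN ('/tmp/mkinitramfs', '/tmp/mission')
                    OR file.path LIKE '%/bin/%'
                    OR file.path LIKE '%/bin/bash'
                    OR file.path LIKE '%/bin/busybox'
                    OR file.path LIKE '%/checkout/%'
                    OR file.path LIKE '%/ci/%'
                    OR file.path LIKE '%/configure'
                    OR file.path LIKE '%/debug/%'
                    OR file.path LIKE '%/dist/%'
                    OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
                    OR file.path LIKE '%/git/%'
                    OR file.path LIKE '%/github/%'
                    OR file.path LIKE '%/go.%.sum'
                    OR file.path LIKE '%/%/gradlew'
                    OR file.path LIKE '%/guile-%/guile-%'
                    OR file.path LIKE '%integration_test%'
                    OR file.path LIKE '%/ko/%'
                    OR file.path LIKE '%/kots/%'
                    OR file.path LIKE '%/lib/%.so'
                    OR file.path LIKE '%/lib/%.so.%'
                    OR file.path LIKE '%/melange%'
                    OR file.path LIKE '%/melange-guest-%'
                    OR file.path LIKE '%/pdf-tools/%'
                    OR file.path LIKE '%/Rakefile'
                    OR file.path LIKE '%-release%/%'
                    OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
                    OR file.path LIKE '%/src/%'
                    OR file.path LIKE '%/target/%'
                    OR file.path LIKE '%/terraformer/%'
                    OR file.path LIKE '%test_script'
                    OR file.path LIKE '%/tmp/epdf%'
                    OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
                    OR file.path LIKE '/tmp/ko%/out'
                    OR file.path LIKE '/tmp/lima/%'
                    OR file.path LIKE '/tmp/lima/%/out/%'
                    OR file.path LIKE '/tmp/wolfi%'
                )
            )
            -- Paths excluded regardless of owner
            AND NOT (
                file.path LIKE '%/lib/%.so'
                OR file.path LIKE '%/lib/%.so.%'
                OR file.path LIKE '%/lib64/%.so.%'
                OR file.path LIKE '%/lib64/%.so'
                OR file.path LIKE '/tmp/staged-updates%launcher'
                OR file.path LIKE '%/melange%'
                OR file.path LIKE '%/sbin/%'
                OR file.path LIKE '%/bin/busybox'
                OR file.path LIKE '%/bin/bash'
            )
            -- Nix
            AND NOT (
                file.directory LIKE '/tmp/tmp%'
                AND file.gid = 0
                AND file.uid > 300
                AND file.uid < 350
            )
            -- Babel
            AND NOT (
                file.directory LIKE '/tmp/babel-%/sh-script-%'
                AND file.gid > 900
                AND file.uid = 1000
                AND file.size < 1024
            )
            -- Random Testdata
            AND NOT (
                file.gid > 900
                AND file.uid = 1000
                AND (
                    file.directory LIKE '/tmp/%/test'
                    OR file.directory LIKE '/tmp/%/testdata'
                )
            )
            -- Don't alert if the file is only on disk for a moment
            AND NOT (
                file.uid > 500
                AND file.path LIKE '/tmp/terraform_%/terraform'
            )
            AND NOT (
                file.path LIKE '/tmp/%compressed'
                AND file.size < 4000
                AND file.uid > 500
            )
            -- Executables too small to even hold '#!/bin/sh\nuid'
            AND NOT (
                file.type = 'regular'
                AND file.size < 10
            )
            -- Weird cert
            AND NOT (
                file.path LIKE '/tmp/tmp.%/ssl/default-fake-certificate.pem'
                AND file.size < 4096
            )
            -- Binaries we might actually see legitimately
            AND NOT (
                file.path LIKE '/tmp/%'
                AND file.uid > 500
                AND (
                    file.filename LIKE '%ctl'
                    OR file.filename LIKE '%adm'
                    OR file.filename LIKE '%-cli'
                )
            )
            -- Shared objects dropped into a lib/lib64 directory by an ordinary user.
            -- The directory alternatives must be parenthesised: AND binds tighter
            -- than OR, so without the parentheses every file under a '%/lib'
            -- directory was excluded regardless of owner or filename.
            AND NOT (
                (
                    file.directory LIKE '%/lib'
                    OR file.directory LIKE '%/lib64'
                )
                AND file.uid > 500
                AND (
                    file.filename LIKE '%.so.%'
                    OR file.filename LIKE '%.so'
                )
            )
    )
    -- All checks with magic.data must first check for a lack of NULL value,
    -- otherwise you filter out platforms without magic.data.
    AND NOT (
        file.uid > 500
        AND magic.data IS NOT NULL
        AND (
            magic.data IN (
                'POSIX shell script, ASCII text executable',
                'libtool library file, ASCII text',
                'ASCII text',
                'JSON data'
            )
            OR magic.data LIKE 'Unicode text%'
            OR magic.data LIKE 'ELF 64-bit LSB shared object,%'
            OR magic.data LIKE 'gzip compressed data%'
            -- Exotic platforms
            OR magic.data LIKE 'ELF 64-bit MSB pie executable, IBM S/390%'
            OR magic.data LIKE 'ELF 32-bit LSB pie executable, ARM, EABI5%'
            OR magic.data LIKE 'symbolic link to %'
            OR magic.data LIKE 'Linux kernel %'
        )
    )
    AND NOT (
        file.uid = 0
        AND magic.data IS NOT NULL
        AND (
            magic.data LIKE 'symbolic link to %'
            OR magic.data IN (
                'ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, stripped',
                'libtool library file, ASCII text'
            )
        )
    )
    -- Small user-owned files whose extension marks them as text/config/script
    -- (`extension` is the REGEX_MATCH alias from the SELECT list above)
    AND NOT (
        file.size < 65000
        AND file.uid > 500
        AND file.filename LIKE '%.%'
        AND extension IN (
            'adoc',
            'api',
            'authn',
            'bat',
            'erb',
            'iam',
            'java',
            'js',
            'json',
            'log',
            'nib',
            'pem',
            'perl',
            'pl',
            'py',
            'rb',
            'pub',
            'registry',
            'script',
            'sh',
            'strings',
            'txt',
            'yaml',
            'yml'
        )
    )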