osquery-defense-kit/detection/execution/unexpected-env-values-linux...

37 lines
985 B
MySQL
Raw Normal View History

2022-10-14 18:19:13 +00:00
-- Applications setting environment variables to bypass security protections
--
2022-09-08 21:58:56 +00:00
-- Inpsired by BPFdoor and other intrusions
-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
2022-10-14 18:19:13 +00:00
--
-- WARNING: This query is known to require a higher than average wall time.
--
-- tags: transient state often
-- platform: linux
SELECT
key,
value,
p.pid,
p.path,
p.cmdline,
p.parent AS parent_pid,
2022-10-14 18:19:13 +00:00
pp.cmdline AS parent_cmd
FROM
process_envs pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE
(
key = 'HISTFILE'
AND NOT VALUE LIKE '/home/%/.%_history'
)
OR (
key = 'LD_PRELOAD'
AND NOT p.path LIKE '%/firefox'
AND NOT pe.value = 'libfakeroot.so'
AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
AND NOT pe.value LIKE ':/snap/%'
AND NOT pe.value LIKE '/app/bin/%'
AND NOT pe.value LIKE 'libmozsandbox.so%'
)