

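-- Find unexpected hidden directories in operating-system folders
--
-- Hidden (dot-prefixed) entries directly within, or one level below, system
-- directories are uncommon on a stock install and are a known place for
-- dropped tooling to sit unnoticed. Everything matched is reported except the
-- allow-listed entries below; each row is enriched with a sha256 and file-type
-- magic where osquery can compute them.
--
-- references:
-- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
--
-- false positives:
-- * unusual installers
--
-- platform: posix
-- tags: persistent filesystem state
SELECT
  file.path,
  file.inode,
  file.directory,
  file.uid,
  file.gid,
  file.mode,
  file.atime,
  file.btime,
  file.mtime,
  file.ctime,
  file.type,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  -- Enrichment only: a row is kept even when no hash or magic data is available
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  -- Candidate locations: hidden entries in system directories (directories
  -- are returned with a trailing slash, regular files without).
  (
    file.path LIKE '/lib/.%'
    OR file.path LIKE '/.%'
    OR file.path LIKE '/bin/%/.%'
    OR file.path LIKE '/dev/.%'
    OR file.path LIKE '/etc/.%'
    OR file.path LIKE '/etc/%/.%'
    OR file.path LIKE '/lib/%/.%'
    OR file.path LIKE '/libexec/.%'
    OR file.path LIKE '/Library/.%'
    OR file.path LIKE '/sbin/.%'
    OR file.path LIKE '/sbin/%/.%'
    OR file.path LIKE '/tmp/.%'
    OR file.path LIKE '/usr/bin/.%'
    OR file.path LIKE '/usr/lib/.%'
    OR file.path LIKE '/usr/lib/%/.%'
    OR file.path LIKE '/usr/libexec/.%'
    OR file.path LIKE '/usr/local/bin/.%'
    OR file.path LIKE '/usr/local/lib/.%'
    OR file.path LIKE '/usr/local/libexec/.%'
    OR file.path LIKE '/usr/local/sbin/.%'
    OR file.path LIKE '/usr/sbin/.%'
    OR file.path LIKE '/var/.%'
    OR file.path LIKE '/var/%/.%'
    OR file.path LIKE '/var/lib/.%'
    OR file.path LIKE '/var/tmp/.%'
  )
  -- Skip the '.' and '..' directory entries themselves
  AND file.path NOT LIKE '%/../'
  AND file.path NOT LIKE '%/./'
  -- Avoid mentioning extremely temporary files: require at least 20 seconds
  -- since the last inode change
  AND strftime('%s', 'now') - file.ctime > 20
  -- Known-benign entries, matched by exact path. Directories need the
  -- trailing slash to match.
  AND file.path NOT IN (
    '/.autorelabel',
    '/dev/.mdadm/',
    '/etc/.clean',
    '/etc/.java/',
    '/etc/.resolv.conf.systemd-resolved.bak',
    '/etc/selinux/.config_backup',
    '/etc/skel/.mozilla/',
    '/etc/.#sudoers',
    '/.file',
    '/.lesshst',
    '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
    '/.mozilla/',
    '/tmp/.accounts-agent/',
    '/tmp/.audio-agent/',
    '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
    '/tmp/.content-agent/',
    '/tmp/._contentbarrier_installed',
    '/tmp/.docker/',
    '/tmp/.docker-tmp/',
    '/tmp/.dotnet/',
    '/tmp/.dracula-tmux-data',
    '/tmp/.dracula-tmux-weather.lock',
    '/tmp/.DS_Store',
    '/tmp/.eos-update-notifier.log',
    '/tmp/.featureflags-agent/',
    '/tmp/.font-unix/',
    '/tmp/.go-version',
    '/tmp/.ICE-unix/',
    '/tmp/.last_survey_prompt.yaml',
    '/tmp/.last_update_check.json',
    '/tmp/.metrics-agent/',
    '/tmp/.PKGINFO',
    '/tmp/.settings-agent/',
    '/tmp/.terraform/',
    '/tmp/.terraform.lock.hcl',
    '/tmp/.Test-unix/',
    '/tmp/.ui-agent/',
    '/tmp/.updater-agent/',
    '/tmp/.vbox-t-ipc/',
    '/tmp/.X0-lock',
    '/tmp/.X11-unix/',
    '/tmp/.X1-lock',
    '/tmp/.X2-lock',
    '/tmp/.XIM-unix/',
    '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
    '/var/db/.AppleInstallType.plist',
    '/var/db/.AppleUpgrade',
    '/var/db/.com.apple.iokit.graphics',
    '/var/db/.GKRearmTimer',
    '/var/db/.LastGKApp',
    '/var/db/.LastGKReject',
    '/var/db/.MASManifest',
    '/var/db/.SoftwareUpdateOptions',
    '/var/db/.StagedAppleUpgrade',
    '/var/db/.SystemPolicy-default',
    '/var/.ntw_cache',
    '/var/.Parallels_swap/',
    '/var/.pwd_cache',
    '/var/root/.bash_history',
    '/var/root/.bash_profile',
    '/var/root/.cache/',
    '/var/root/.CFUserTextEncoding',
    '/var/root/.docker/',
    '/var/root/.forward',
    '/var/root/.lesshst',
    '/var/root/.nix-channels',
    '/var/root/.nix-defexpr/',
    '/var/root/.nix-profile/',
    '/var/root/.osquery/',
    '/var/root/.Trash/',
    '/var/root/.viminfo',
    '/var/run/.heim_org.h5l.kcm-socket',
    '/var/run/.sim_diagnosticd_socket',
    '/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
    '/var/setup/.AppleSetupUser',
    '/var/setup/.TemporaryItems',
    '/var/setup/.TemporaryItems/',
    '/var/tmp/.ses',
    '/var/tmp/.ses.bak',
    '/.vol/',
    '/.VolumeIcon.icns'
  )
  AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
  -- Known-benign entries, matched by pattern. A pattern also suppresses
  -- anything else that happens to match it, so keep each one as narrow as
  -- the software that produces the entry allows.
  AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
  AND file.path NOT LIKE '/tmp/.#%'
  AND file.path NOT LIKE '/tmp/.lark_cache_%'
  AND file.path NOT LIKE '/tmp/.wine-%'
  AND file.path NOT LIKE '/tmp/.%.gcode'
  AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
  AND file.path NOT LIKE '/tmp/.io.nwjs.%'
  AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
  AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
  AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
  AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/'
  AND file.path NOT LIKE '/tmp/.X1%-lock'
  AND file.path NOT LIKE '/usr/local/%/.keepme'
  AND file.path NOT LIKE '%/.build-id/'
  AND file.path NOT LIKE '%/.dwz/'
  AND file.path NOT LIKE '%/.updated'
  AND file.filename NOT LIKE '.%.swo'
  AND file.filename NOT LIKE '.%.swp'
  AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
  -- Editor swap files and regular files under 2 bytes (lock and marker files)
  -- are too noisy to report. Note this also drops any other hidden regular
  -- file of that size in these locations.
  AND NOT (
    file.type = 'regular'
    AND (
      file.filename LIKE '%.swp'
      OR file.size < 2
    )
  )
  -- A curious addition seen on NixOS and Fedora machines
  AND NOT (
    file.type = 'regular'
    AND file.filename = '.placeholder'
  )
  -- Root-owned, non-world-writable, near-empty cache/config directories at
  -- the filesystem root are tolerated only with exactly these attributes
  AND NOT (
    file.path = '/.cache/'
    AND file.uid = 0
    AND file.gid = 0
    AND file.mode IN ('0755', '0700')
    AND file.size < 4
  )
  -- Ecamm Live
  AND NOT (
    file.path LIKE '/tmp/.elive%'
    AND file.size < 7
  )
  AND NOT (
    file.path = '/.config/'
    AND file.uid = 0
    AND file.gid = 0
    AND file.mode IN ('0755', '0700')
    AND file.size = 4
  )
  -- JVM attach sockets; only the empty socket form is tolerated
  AND NOT (
    file.path LIKE '/tmp/.java_pid%'
    AND file.type = 'socket'
    AND file.size = 0
  )
  AND NOT (
    file.path = '/var/root/.oracle_jre_usage/'
    AND file.size = 96
  )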