osquery-defense-kit/detection/execution/tiny-executable-events.sql

-- Unusually small programs (events-based)
--
-- references:
--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- interval: 30
-- tags: transient process events
SELECT
  p.pid,
  p.path,
  p.cmdline,
  file.size,
  file.type,
  p.mode,
  p.cwd,
  p.euid,
  p.parent,
  p.syscall,
  pp.path AS parent_path,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmdline,
  pp.euid AS parent_euid,
  hash.sha256 AS child_sha256,
  phash.sha256 AS parent_sha256,
  magic.data AS magic
FROM
  process_events p
  LEFT JOIN file ON p.path = file.path
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN hash phash ON pp.path = phash.path
  LEFT JOIN magic ON p.path = magic.path
WHERE
  p.time > (strftime('%s', 'now') -30)
  AND file.size > 0
  AND file.size < 10000
  AND file.type = 'regular'
  AND p.path NOT LIKE '%.sh'
  AND p.path NOT LIKE '%.py'
  AND p.path NOT LIKE '%.rb'
  AND p.path != '/sbin/ldconfig'
  AND NOT (
    p.path LIKE '/Users/%'
    AND magic.data LIKE 'POSIX shell script%'
  )
  AND p.path NOT LIKE '/private/var/folders/%/T/iTerm2-scrip%sh'
  AND p.path NOT LIKE '/home/%/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/libexec/steam-runtime-tools-0/i386-linux-gnu-inspect-library'
  -- Removes a false-positive we've seen on Linux, generated through 'runc init'
  AND NOT (
    p.path = "/"
    AND file.size < 8192
  )
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Unusually small programs (events-based)`
			`--`
			`-- references:`
			`-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux`
			`--`
			`-- interval: 30`
			`-- tags: transient process events`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`SELECT`
			`p.pid,`
			`p.path,`
			`p.cmdline,`
			`file.size,`
tiny-executable-events: Add child hash & magic data, filter by regular 2022-11-09 14:14:10 +00:00			`file.type,`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`p.mode,`
			`p.cwd,`
			`p.euid,`
			`p.parent,`
			`p.syscall,`
			`pp.path AS parent_path,`
			`pp.name AS parent_name,`
			`pp.cmdline AS parent_cmdline,`
			`pp.euid AS parent_euid,`
tiny-executable-events: Add child hash & magic data, filter by regular 2022-11-09 14:14:10 +00:00			`hash.sha256 AS child_sha256,`
			`phash.sha256 AS parent_sha256,`
			`magic.data AS magic`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`FROM`
			`process_events p`
			`LEFT JOIN file ON p.path = file.path`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
tiny-executable-events: Add child hash & magic data, filter by regular 2022-11-09 14:14:10 +00:00			`LEFT JOIN hash ON p.path = hash.path`
			`LEFT JOIN hash phash ON pp.path = phash.path`
			`LEFT JOIN magic ON p.path = magic.path`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`WHERE`
			`p.time > (strftime('%s', 'now') -30)`
			`AND file.size > 0`
			`AND file.size < 10000`
tiny-executable-events: Add child hash & magic data, filter by regular 2022-11-09 14:14:10 +00:00			`AND file.type = 'regular'`
Flush out more false positives 2022-10-18 00:37:44 +00:00			`AND p.path NOT LIKE '%.sh'`
			`AND p.path NOT LIKE '%.py'`
			`AND p.path NOT LIKE '%.rb'`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`AND p.path != '/sbin/ldconfig'`
More false positive management 2022-11-16 19:49:36 +00:00			`AND NOT (`
			`p.path LIKE '/Users/%'`
			`AND magic.data LIKE 'POSIX shell script%'`
			`)`
tiny-executable-events: Add child hash & magic data, filter by regular 2022-11-09 14:14:10 +00:00			`AND p.path NOT LIKE '/private/var/folders/%/T/iTerm2-scrip%sh'`
Weekend false-positive flush 2023-01-14 13:19:26 +00:00			`AND p.path NOT LIKE '/home/%/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/libexec/steam-runtime-tools-0/i386-linux-gnu-inspect-library'`
Remove some false positives 2022-10-17 21:31:47 +00:00			`-- Removes a false-positive we've seen on Linux, generated through 'runc init'`
Apply 'npx sql-formatter -l sqlite' 2022-10-17 23:06:17 +00:00			`AND NOT (`
			`p.path = "/"`
Simplify exotic commands queries, remove more false positives 2022-10-18 15:32:18 +00:00			`AND file.size < 8192`
Apply 'npx sql-formatter -l sqlite' 2022-10-17 23:06:17 +00:00			`)`