osquery-defense-kit/detection/evasion/unexpected-dev-entries.sql

-- Find unexpected files in /dev
--
-- references:
--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- false positives:
--   * programs which have legimate uses for /dev/shm (Chrome, etc)
--
-- tags: persistent state filesystem
-- platform: posix
SELECT
  file.path,
  file.type,
  file.size,
  file.mtime,
  file.uid,
  file.ctime,
  file.gid,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  (
    file.path LIKE '/dev/shm/%%'
    OR file.path LIKE '/dev/%/.%'
    OR file.path LIKE '/dev/.%'
    OR file.path LIKE '/dev/.%/%'
    OR file.path LIKE '/dev/%%/.%/%'
    OR file.path LIKE '/dev/mqueue/%%'
  ) -- We should also use uid for making decisions here
  AND NOT (
    file.uid > 499
    AND (
      file.path LIKE '/dev/shm/.com.google.%'
      OR file.path LIKE '/dev/shm/.org.chromium.%'
      OR file.path LIKE '/dev/shm/wayland.mozilla.%'
      OR file.path LIKE '/dev/shm/shm-%-%-%'
      OR file.path LIKE '/dev/shm/pulse-shm-%'
      OR file.path LIKE '/dev/shm/u1000-Shm%'
      OR file.path LIKE '/dev/shm/u1000-Valve%'
      OR file.path LIKE '/dev/shm/aomshm.%'
      OR file.path LIKE '/dev/shm/jack_db%'
    )
  )
  AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%'
  AND file.path NOT LIKE '/dev/shm/flatpak-%'
  AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
  AND file.path NOT IN ('/dev/.mdadm/')
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Find unexpected files in /dev`
			`--`
			`-- references:`
			`-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/`
			`--`
			`-- false positives:`
Flush out more false positives 2022-10-18 00:37:44 +00:00			`-- * programs which have legimate uses for /dev/shm (Chrome, etc)`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- tags: persistent state filesystem`
Don't mask directories, run on macOS 2022-10-20 11:59:06 +00:00			`-- platform: posix`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`file.path,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`file.type,`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`file.size,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`file.mtime,`
			`file.uid,`
			`file.ctime,`
			`file.gid,`
			`hash.sha256,`
			`magic.data`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`FROM`
			`file`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`LEFT JOIN hash ON file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`WHERE`
			`(`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`file.path LIKE '/dev/shm/%%'`
			`OR file.path LIKE '/dev/%/.%'`
			`OR file.path LIKE '/dev/.%'`
			`OR file.path LIKE '/dev/.%/%'`
			`OR file.path LIKE '/dev/%%/.%/%'`
			`OR file.path LIKE '/dev/mqueue/%%'`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`) -- We should also use uid for making decisions here`
			`AND NOT (`
			`file.uid > 499`
fpr everything 2023-04-17 20:20:35 +00:00			`AND (`
fpr: Grammarly, semodule, docker-compose, xdg, etc 2023-03-30 22:44:01 +00:00			`file.path LIKE '/dev/shm/.com.google.%'`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`OR file.path LIKE '/dev/shm/.org.chromium.%'`
			`OR file.path LIKE '/dev/shm/wayland.mozilla.%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR file.path LIKE '/dev/shm/shm-%-%-%'`
fpr: Grammarly, semodule, docker-compose, xdg, etc 2023-03-30 22:44:01 +00:00			`OR file.path LIKE '/dev/shm/pulse-shm-%'`
			`OR file.path LIKE '/dev/shm/u1000-Shm%'`
			`OR file.path LIKE '/dev/shm/u1000-Valve%'`
fpr: lghub, brew, pve, chrome exts, etc 2023-04-21 00:45:35 +00:00			`OR file.path LIKE '/dev/shm/aomshm.%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR file.path LIKE '/dev/shm/jack_db%'`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%'`
			`AND file.path NOT LIKE '/dev/shm/flatpak-%'`
			`AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'`
			`AND file.path NOT LIKE '%/../%'`
			`AND file.path NOT LIKE '%/./%'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`AND file.path NOT IN ('/dev/.mdadm/')`