osquery-defense-kit/detection/evasion/touched-executable-linux.sql

43 lines
1019 B
MySQL
Raw Normal View History

2022-10-04 13:37:40 +00:00
-- Programs which were spawned by an executable containing a matching ctime & mtime, which
-- on Linux only generally occurs occurs if you run 'touch <bin>'
2022-10-14 18:19:13 +00:00
--
-- references:
2022-10-19 20:56:32 +00:00
-- * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
2022-10-14 18:19:13 +00:00
--
-- tags: transient process state
-- platform: linux
SELECT
p.pid,
2022-10-04 13:37:40 +00:00
p.path,
p.name,
p.cmdline,
p.cwd,
p.euid,
p.parent,
f.ctime,
f.btime,
f.mtime,
p.start_time,
pp.path AS parent_path,
pp.cmdline AS parent_cmd,
pp.cwd AS parent_cwd,
hash.sha256 AS sha256
FROM
processes p
2022-10-04 13:37:40 +00:00
LEFT JOIN file f ON p.path = f.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
WHERE
f.ctime = f.mtime
AND p.path != '/'
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
AND f.path NOT LIKE '/snap/%'
2022-10-17 23:01:16 +00:00
AND f.path NOT LIKE '/home/%'
AND f.path NOT IN (
'/usr/local/bin/chainctl',
'/opt/google/endpoint-verification/bin/apihelper'
)
2022-10-30 13:39:48 +00:00
AND f.path NOT LIKE '/tmp/go-build%/exe/main'
GROUP by
p.pid