osquery-defense-kit/detection/credentials/unexpected-dev-opener-linux...

180 lines
4.2 KiB
MySQL
Raw Normal View History

-- Detects unexpected programs opening files in /dev on Linux
--
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
2022-10-14 14:18:01 +00:00
-- false positives:
-- * any program which needs access to device drivers
--
-- platform: linux
-- tags: persistent state sniffer
SELECT
pof.pid,
pof.path AS device,
p.path AS program,
p.name AS program_name,
p.cmdline AS cmdline,
hash.sha256,
CONCAT (
IIF(
REGEX_MATCH (
2022-10-14 14:18:01 +00:00
TRIM(REPLACE(pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
2022-09-29 19:42:27 +00:00
1
) != '',
REGEX_MATCH (
2022-10-14 14:18:01 +00:00
TRIM(REPLACE(pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
2022-09-29 19:42:27 +00:00
1
),
2022-10-14 14:18:01 +00:00
TRIM(REPLACE(pof.path, ' (deleted)', ''))
),
',',
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
2022-09-21 01:56:01 +00:00
)
) AS path_exception,
CONCAT (
TRIM(
REPLACE(
pof.path,
CONCAT (
'/',
REPLACE(
pof.path,
RTRIM(pof.path, REPLACE(pof.path, '/', '')),
''
)
),
''
)
),
',',
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
2022-09-21 01:56:01 +00:00
)
) AS dir_exception
FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
LEFT JOIN hash ON hash.path = p.path
WHERE
pof.path LIKE '/dev/%'
AND pof.path NOT IN (
'/dev/dri/card0',
'/dev/dri/card1',
'/dev/dri/renderD128',
'/dev/dri/renderD129',
'/dev/fuse',
'/dev/io8log',
'/dev/io8logmt',
'/dev/io8logtemp',
'/dev/null',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia0',
'/dev/nvidiactl',
'/dev/ptmx',
'/dev/pts/ptmx',
'/dev/random',
'/dev/rfkill',
'/dev/snd/seq',
'/dev/urandom',
'/dev/vga_arbiter',
'/dev/video10' -- workaround for poor regex management (ffmpeg)
)
AND pof.path NOT LIKE '/dev/pts/%'
AND pof.path NOT LIKE '/dev/snd/%'
AND pof.path NOT LIKE '/dev/tty%'
AND pof.path NOT LIKE '/dev/hidraw%'
AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
AND pof.path NOT LIKE '/dev/shm/authentik_%'
AND NOT dir_exception IN (
'/dev/bus/usb,pcscd',
'/dev/input,acpid',
'/dev/input,gnome-shell',
'/dev/input,systemd',
2022-10-14 14:18:01 +00:00
'/dev/input,systemd-logind',
'/dev/input,thermald',
'/dev/input,upowerd',
'/dev/input,Xorg',
2022-10-14 14:18:01 +00:00
'/dev/kmsg,systemd-coredump',
'/dev/net,tailscaled',
2022-10-14 14:18:01 +00:00
'/dev/net,.tailscaled-wrapped',
'/dev/net/tun,qemu-system-x86_64',
'/dev/shm,1password',
2022-10-14 14:18:01 +00:00
'/dev/shm,Brackets',
'/dev/shm,chrome',
'/dev/shm,code',
'/dev/shm,electron',
'/dev/shm,firefox',
'/dev/shm,gopls',
'/dev/shm,java',
'/dev/shm,jcef_helper',
'/dev/shm,slack',
'/dev/shm,spotify',
'/dev/shm,steam',
'/dev/shm,steamwebhelper',
'/dev/shm,wine64-preloader',
'/dev/shm,winedevice.exe',
'/dev/snd,alsactl',
'/dev/snd,pipewire',
'/dev/snd,pulseaudio',
2022-10-14 14:18:01 +00:00
'/dev/snd,.pulseaudio-wrapped',
'/dev/snd,wireplumber'
)
AND NOT path_exception IN (
'/dev/autofs,systemd',
'/dev/hidraw,chrome',
'/dev/input/event,thermald',
'/dev/input/event,Xorg',
'/dev/kmsg,kubelet',
'/dev/kmsg,systemd',
'/dev/kmsg,systemd-journald',
'/dev/kvm,qemu-system-x86_64',
'/dev/mapper/control,dockerd',
'/dev/mcelog,mcelog',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/net/tun,slirp4netns',
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
'/dev/tty,systemd-logind',
'/dev/tty,Xorg',
'/dev/uinput,bluetoothd',
'/dev/usb/hiddev,apcupsd',
'/dev/usb/hiddev,upowerd',
2022-10-14 14:18:01 +00:00
'/dev/video0,chrome',
'/dev/video,chrome',
'/dev/video,ffmpeg',
'/dev/video,firefox',
'/dev/video,obs',
'/dev/video,pipewire',
'/dev/video,zoom',
'/dev/video,obs-ffmpeg-mux',
'/dev/video,vlc',
'/dev/video,wireplumber',
'/dev/zfs,zed',
'/dev/zfs,zfs',
'/dev/zfs,zpool'
)
AND NOT (
device LIKE '/dev/bus/usb/%'
2022-09-29 19:42:27 +00:00
AND program_name IN (
'streamdeck',
'gphoto2',
'fwupd',
'pcscd',
'gvfs-gphoto2-vo',
'gvfs-gphoto2-volume-monitor'
2022-09-29 19:42:27 +00:00
)
)
GROUP BY
pof.pid