osquery-defense-kit/detection/evasion/touched-executable-linux.sql

-- Programs which were spawned by an executable containing a matching ctime & mtime, which
-- on Linux only generally occurs occurs if you run 'touch <bin>'
--
-- references:
--   * https://attack.mitre.org/techniques/T1070/006/
--
-- tags: transient process state
-- platform: linux
SELECT
  p.pid,
  p.path,
  p.name,
  p.cmdline,
  p.cwd,
  p.euid,
  p.parent,
  f.ctime,
  f.btime,
  f.mtime,
  p.start_time,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  hash.sha256 AS sha256
FROM
  processes p
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE
  f.ctime = f.mtime
  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/home/%/go/bin/%'
  AND f.path NOT LIKE '/home/%/.rustup/%'
  AND f.path NOT LIKE '/home/eddiezane/.local/share/JetBrains/Toolbox/bin/%'
  AND f.path NOT LIKE '/home/%/.cache/cloud-code/bin/%'
GROUP by
  p.pid
Detect touched executables 2022-10-04 13:37:40 +00:00			`-- Programs which were spawned by an executable containing a matching ctime & mtime, which`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- on Linux only generally occurs occurs if you run 'touch <bin>'`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1070/006/`
			`--`
			`-- tags: transient process state`
			`-- platform: linux`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`p.pid,`
Detect touched executables 2022-10-04 13:37:40 +00:00			`p.path,`
			`p.name,`
			`p.cmdline,`
			`p.cwd,`
			`p.euid,`
			`p.parent,`
			`f.ctime,`
			`f.btime,`
			`f.mtime,`
			`p.start_time,`
			`pp.path AS parent_path,`
			`pp.cmdline AS parent_cmd,`
			`pp.cwd AS parent_cwd,`
			`hash.sha256 AS sha256`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`FROM`
			`processes p`
Detect touched executables 2022-10-04 13:37:40 +00:00			`LEFT JOIN file f ON p.path = f.path`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON p.path = hash.path`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`WHERE`
			`f.ctime = f.mtime`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'`
			`AND f.path NOT LIKE '/snap/%'`
			`AND f.path NOT LIKE '/home/%/go/bin/%'`
			`AND f.path NOT LIKE '/home/%/.rustup/%'`
			`AND f.path NOT LIKE '/home/eddiezane/.local/share/JetBrains/Toolbox/bin/%'`
			`AND f.path NOT LIKE '/home/%/.cache/cloud-code/bin/%'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`GROUP by`
			`p.pid`