osquery-defense-kit/detection/evasion/unexpected-var-executables-...

-- Find unexpected executables in /var
--
-- false positives:
--   * none known
--
-- tags: persistent
-- platform: darwin
SELECT
  file.path,
  file.directory,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data,
  signature.authority,
  signature.identifier
FROM
  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
  LEFT JOIN signature ON file.path = signature.path
WHERE
  (
    -- This list is the result of multiple queries combined and can likely be minimized
    file.path LIKE '/var/%%'
    OR file.path LIKE '/var/tmp/%%'
    OR file.path LIKE '/var/tmp/.%/%%'
    OR file.path LIKE '/var/tmp/%/%%'
    OR file.path LIKE '/var/tmp/%/%/.%'
    OR file.path LIKE '/var/tmp/%/.%/%%'
    OR file.path LIKE '/var/spool/%%'
    OR file.path LIKE '/var/spool/.%/%%'
    OR file.path LIKE '/var/spool/%/%%'
    OR file.path LIKE '/var/spool/%/%/.%'
    OR file.path LIKE '/var/spool/%/.%/%%'
  )
  AND file.type = 'regular'
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
  -- Rosetta cache, SIP protected
  AND file.path NOT LIKE '/var/db/oah/%'
  AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'
  AND file.path NOT LIKE '/var/folders/%/T/go.%.%.sum'
  AND file.path NOT LIKE '/var/folders/%/T/pulumi-go.%'
  AND file.path NOT LIKE '/var/folders/%/T/sp_relauncher'
  AND file.path NOT LIKE '/var/folders/%/T/iTerm2-script%'
  AND file.path NOT LIKE '/var/tmp/epdfinfo%'
  AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'
  AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
  AND file.path NOT LIKE '/var/run/current-system/etc/profiles/per-user/%'
  AND file.path NOT LIKE '/var/folders/%/T/freefn-%_emacs_%.eln'
  AND (
    file.mode LIKE '%7%'
    or file.mode LIKE '%5%'
    or file.mode LIKE '%1%'
  )
  AND file.directory NOT IN (
    '/var/ossec/agentless',
    '/var/ossec/bin',
    '/var/ossec/wodles',
    '/var/run/booted-system',
    '/var/run/current-system',
    '/var/run/current-system/sw/bin',
    '/var/select',
    '/var/db/xcode_select_link/usr/bin',
    '/var/db/xcode_select_link/usr/lib',
    '/var/db/xcode_select_link/usr/libexec',
    '/var/select/X11/bin',
    '/var/select/X11/lib/dri',
    '/var/select/X11/lib/flat_namespace',
    '/var/select/X11/lib',
    '/var/select/X11/libexec'
  )
  -- It's pretty rare, but some vendors install updates into /var. Spotify, I'm looking at you!
  AND NOT signature.authority IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: GitHub (VEKTX9H2N7)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    'Developer ID Application: Mozilla Corporation (43AQ936H96)',
    'Developer ID Application: Spotify (2FNC3A47ZF)',
    'Software Signing'
  )
  AND file.path NOT IN (
    '/var/log/acroUpdaterTools.log',
    '/var/vm/sleepimage'
  )
  AND file.size > 10
  AND NOT (
    file.path LIKE '/var/folders/%/T/sp_update/%'
    AND file.gid = 20
    AND file.uid = 501
  )
  AND NOT (
    file.path LIKE '/var/db/timezone/zoneinfo/%'
    AND magic.data LIKE 'timezone%'
    AND file.size < 3000
    AND file.mode = '0755'
  )
  -- JetBrains (Delve)
  AND NOT (
    file.path LIKE '/var/folders/%/T/dlvLauncher%.sh'
    AND file.size < 1024
    AND file.mode = '0744'
  )
  -- Epson
  AND NOT (
    file.path LIKE '/var/tmp/InstallLog/%.plist'
    AND magic.data = 'Apple binary property list'
    AND file.size < 3000
    AND file.mode = '0777'
  )
  AND NOT (
    file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'
    AND file.size < 40000
    AND file.uid = 501
  )
AND NOT (
  file.path LIKE '/var/tmp/_bazel_%/%/install/%'
  AND file.uid = 501
)
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`-- Find unexpected executables in /var`
			`--`
			`-- false positives:`
			`-- * none known`
			`--`
			`-- tags: persistent`
Flush out more false positives 2022-10-18 00:37:44 +00:00			`-- platform: darwin`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`SELECT`
			`file.path,`
			`file.directory,`
			`uid,`
			`gid,`
			`mode,`
			`file.mtime,`
			`file.size,`
			`hash.sha256,`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`magic.data,`
			`signature.authority,`
			`signature.identifier`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`FROM`
			`file`
			`LEFT JOIN hash on file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`LEFT JOIN signature ON file.path = signature.path`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`WHERE`
			`(`
			`-- This list is the result of multiple queries combined and can likely be minimized`
			`file.path LIKE '/var/%%'`
			`OR file.path LIKE '/var/tmp/%%'`
			`OR file.path LIKE '/var/tmp/.%/%%'`
			`OR file.path LIKE '/var/tmp/%/%%'`
			`OR file.path LIKE '/var/tmp/%/%/.%'`
			`OR file.path LIKE '/var/tmp/%/.%/%%'`
			`OR file.path LIKE '/var/spool/%%'`
			`OR file.path LIKE '/var/spool/.%/%%'`
			`OR file.path LIKE '/var/spool/%/%%'`
			`OR file.path LIKE '/var/spool/%/%/.%'`
			`OR file.path LIKE '/var/spool/%/.%/%%'`
			`)`
			`AND file.type = 'regular'`
			`AND file.path NOT LIKE '%/../%'`
			`AND file.path NOT LIKE '%/./%'`
			`-- Rosetta cache, SIP protected`
			`AND file.path NOT LIKE '/var/db/oah/%'`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'`
			`AND file.path NOT LIKE '/var/folders/%/T/go.%.%.sum'`
More false positive management 2022-11-16 19:49:36 +00:00			`AND file.path NOT LIKE '/var/folders/%/T/pulumi-go.%'`
FPR: Meta Pixel Helper, systemctl, pia-daemon, 1Passwd, iTerm, Brave 2023-01-20 14:04:00 +00:00			`AND file.path NOT LIKE '/var/folders/%/T/sp_relauncher'`
			`AND file.path NOT LIKE '/var/folders/%/T/iTerm2-script%'`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`AND file.path NOT LIKE '/var/tmp/epdfinfo%'`
Add exceptions for Steam on Linux 2022-10-30 14:19:33 +00:00			`AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`AND file.path NOT LIKE '/var/run/current-system/etc/profiles/per-user/%'`
Simplify macos-execdir, reduce false positives 2022-11-07 15:03:43 +00:00			`AND file.path NOT LIKE '/var/folders/%/T/freefn-%_emacs_%.eln'`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`AND (`
			`file.mode LIKE '%7%'`
			`or file.mode LIKE '%5%'`
			`or file.mode LIKE '%1%'`
			`)`
			`AND file.directory NOT IN (`
			`'/var/ossec/agentless',`
			`'/var/ossec/bin',`
			`'/var/ossec/wodles',`
			`'/var/run/booted-system',`
			`'/var/run/current-system',`
			`'/var/run/current-system/sw/bin',`
			`'/var/select',`
			`'/var/db/xcode_select_link/usr/bin',`
			`'/var/db/xcode_select_link/usr/lib',`
			`'/var/db/xcode_select_link/usr/libexec',`
			`'/var/select/X11/bin',`
			`'/var/select/X11/lib/dri',`
			`'/var/select/X11/lib/flat_namespace',`
			`'/var/select/X11/lib',`
			`'/var/select/X11/libexec'`
			`)`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`-- It's pretty rare, but some vendors install updates into /var. Spotify, I'm looking at you!`
			`AND NOT signature.authority IN (`
			`'Developer ID Application: Adobe Inc. (JQ525L2MZD)',`
			`'Developer ID Application: Docker Inc (9BNSXJN65R)',`
			`'Developer ID Application: GitHub (VEKTX9H2N7)',`
			`'Developer ID Application: Google LLC (EQHXZ8M8AV)',`
			`'Developer ID Application: Microsoft Corporation (UBF8T346G9)',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'Developer ID Application: Mozilla Corporation (43AQ936H96)',`
			`'Developer ID Application: Spotify (2FNC3A47ZF)',`
			`'Software Signing'`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`)`
Split up the unexpected-filesystem-entries by platform 2022-10-14 19:14:24 +00:00			`AND file.path NOT IN (`
			`'/var/log/acroUpdaterTools.log',`
			`'/var/vm/sleepimage'`
			`)`
			`AND file.size > 10`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`AND NOT (`
			`file.path LIKE '/var/folders/%/T/sp_update/%'`
			`AND file.gid = 20`
			`AND file.uid = 501`
Apply 'npx sql-formatter -l sqlite' 2022-10-17 23:06:17 +00:00			`)`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`AND NOT (`
Allow executable tz files in the top-level zoneinfo dir 2022-11-04 12:07:34 +00:00			`file.path LIKE '/var/db/timezone/zoneinfo/%'`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`AND magic.data LIKE 'timezone%'`
			`AND file.size < 3000`
var executables: put quote marks around modes with leading zeros 2022-11-11 12:53:45 +00:00			`AND file.mode = '0755'`
Add exceptions for Jetbrains/Delve, more for Steam 2022-10-30 16:00:43 +00:00			`)`
			`-- JetBrains (Delve)`
			`AND NOT (`
Purge false positives, again and again 2023-02-03 02:46:53 +00:00			`file.path LIKE '/var/folders/%/T/dlvLauncher%.sh'`
Add exceptions for Jetbrains/Delve, more for Steam 2022-10-30 16:00:43 +00:00			`AND file.size < 1024`
var executables: put quote marks around modes with leading zeros 2022-11-11 12:53:45 +00:00			`AND file.mode = '0744'`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`)`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`-- Epson`
			`AND NOT (`
			`file.path LIKE '/var/tmp/InstallLog/%.plist'`
			`AND magic.data = 'Apple binary property list'`
			`AND file.size < 3000`
			`AND file.mode = '0777'`
			`)`
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 17:56:39 +00:00			`AND NOT (`
			`file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'`
			`AND file.size < 40000`
			`AND file.uid = 501`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`)`
Massive reduction of false positives across the board 2023-02-09 01:06:26 +00:00			`AND NOT (`
			`file.path LIKE '/var/tmp/_bazel_%/%/install/%'`
			`AND file.uid = 501`
			`)`