2022-10-14 18:19:13 +00:00
|
|
|
-- Find unexpected executables in temp directories, often used by malware droppers
|
|
|
|
|
--
|
|
|
|
|
-- false positives:
|
|
|
|
|
-- * developers building code out of /tmp
|
|
|
|
|
--
|
|
|
|
|
-- tags: persistent
|
2023-01-26 21:30:14 +00:00
|
|
|
-- platform: linux
|
2023-01-20 14:24:24 +00:00
|
|
|
SELECT
|
|
|
|
|
file.path,
|
2022-09-24 15:12:23 +00:00
|
|
|
uid,
|
|
|
|
|
gid,
|
|
|
|
|
mode,
|
2023-01-09 20:10:48 +00:00
|
|
|
REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1) AS extension,
|
2023-01-18 14:49:56 +00:00
|
|
|
file.btime,
|
|
|
|
|
file.ctime,
|
2022-09-24 15:12:23 +00:00
|
|
|
file.mtime,
|
|
|
|
|
file.size,
|
|
|
|
|
hash.sha256,
|
|
|
|
|
magic.data
|
2023-01-20 14:24:24 +00:00
|
|
|
FROM
|
|
|
|
|
file
|
2022-09-24 15:12:23 +00:00
|
|
|
LEFT JOIN hash on file.path = hash.path
|
|
|
|
|
LEFT JOIN magic ON file.path = magic.path
|
2023-01-20 14:24:24 +00:00
|
|
|
WHERE
|
|
|
|
|
(
|
2022-09-30 17:47:10 +00:00
|
|
|
-- Recursive queries don't seem to work well with hidden directories :(
|
|
|
|
|
file.path LIKE '/tmp/%%'
|
|
|
|
|
OR file.path LIKE '/tmp/.%/%%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/%%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/%/.%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/.%/%%'
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND file.type = 'regular'
|
|
|
|
|
AND file.path NOT LIKE '%/../%'
|
|
|
|
|
AND file.path NOT LIKE '%/./%'
|
2022-09-24 15:12:23 +00:00
|
|
|
AND (
|
2022-10-13 18:59:32 +00:00
|
|
|
file.mode LIKE '%7%'
|
|
|
|
|
or file.mode LIKE '%5%'
|
|
|
|
|
or file.mode LIKE '%1%'
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
uid > 500
|
2022-09-22 23:35:24 +00:00
|
|
|
AND (
|
2022-10-13 18:59:32 +00:00
|
|
|
file.path LIKE '%/go-build%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.directory LIKE '/tmp/%/out'
|
|
|
|
|
OR file.path LIKE '%/bin/%-gen'
|
|
|
|
|
OR file.path LIKE '%/ko/%'
|
|
|
|
|
OR file.path LIKE '%/pdf-tools/%'
|
|
|
|
|
OR file.path LIKE '/tmp/bin/%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/bin/busybox'
|
2022-10-13 18:59:32 +00:00
|
|
|
OR file.path LIKE '/tmp/checkout/%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE '/tmp/%/ci/%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/debug/%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/dist/%'
|
|
|
|
|
OR file.path LIKE '%/tmp/epdf%'
|
2022-10-13 18:59:32 +00:00
|
|
|
OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE '/tmp/%/git/%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/github/%'
|
2022-10-13 18:59:32 +00:00
|
|
|
OR file.path LIKE '/tmp/go.%.sum'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE "/tmp/%/gradlew"
|
2022-10-13 18:59:32 +00:00
|
|
|
OR file.path LIKE '/tmp/guile-%/guile-%'
|
2023-01-18 19:10:33 +00:00
|
|
|
OR file.path LIKE '/tmp/kots/%'
|
2023-02-03 02:46:53 +00:00
|
|
|
OR file.path LIKE '/tmp/%-release%/%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE '/tmp/%/site-packages/markupsafe/_speedups.cpython-%'
|
|
|
|
|
OR file.path LIKE '/tmp/%/src/%'
|
|
|
|
|
OR file.path LIKE '/tmp/src/%'
|
2023-01-20 14:04:00 +00:00
|
|
|
OR file.path LIKE '/tmp/%/target/%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE '/tmp/%/target/debug/build/%'
|
2022-10-13 18:59:32 +00:00
|
|
|
OR file.path LIKE '/tmp/terraformer/%'
|
|
|
|
|
OR file.path LIKE '/tmp/tmp.%'
|
2023-01-27 01:40:47 +00:00
|
|
|
OR file.path LIKE '/tmp/%/venv/bin/%'
|
2022-10-20 12:19:56 +00:00
|
|
|
OR -- These regular expressions can be narrowed down
|
2022-09-24 15:12:23 +00:00
|
|
|
(
|
2023-01-06 21:01:35 +00:00
|
|
|
file.size < 50000
|
2023-01-06 22:11:24 +00:00
|
|
|
AND file.uid > 500
|
2023-01-18 19:41:36 +00:00
|
|
|
AND file.filename LIKE "%.%"
|
2023-01-18 15:57:43 +00:00
|
|
|
AND extension IN (
|
|
|
|
|
'adoc',
|
|
|
|
|
'bat',
|
|
|
|
|
'java',
|
|
|
|
|
'js',
|
|
|
|
|
'json',
|
2023-01-26 21:30:14 +00:00
|
|
|
'pem',
|
2023-01-18 19:10:33 +00:00
|
|
|
'nib',
|
2023-01-18 15:57:43 +00:00
|
|
|
'log',
|
2023-01-18 19:10:33 +00:00
|
|
|
'strings',
|
2023-01-18 15:57:43 +00:00
|
|
|
'perl',
|
|
|
|
|
'pl',
|
|
|
|
|
'py',
|
|
|
|
|
'script',
|
|
|
|
|
'sh',
|
|
|
|
|
'txt',
|
|
|
|
|
'yaml',
|
|
|
|
|
'yml'
|
|
|
|
|
)
|
2023-01-06 22:11:24 +00:00
|
|
|
)
|
2022-09-22 23:35:24 +00:00
|
|
|
)
|
2022-10-20 12:19:56 +00:00
|
|
|
) -- Nix
|
2022-09-24 15:12:23 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
file.directory LIKE '/tmp/tmp%'
|
2022-09-24 15:12:23 +00:00
|
|
|
AND gid = 0
|
|
|
|
|
AND uid > 300
|
|
|
|
|
AND uid < 350
|
2022-10-20 12:19:56 +00:00
|
|
|
) -- Babel
|
|
|
|
|
AND NOT (
|
|
|
|
|
file.directory LIKE '/tmp/babel-%/sh-script-%'
|
|
|
|
|
AND gid > 900
|
|
|
|
|
AND uid = 1000
|
|
|
|
|
AND size < 1024
|
|
|
|
|
) -- Random Testdata
|
|
|
|
|
AND NOT (
|
|
|
|
|
gid > 900
|
|
|
|
|
AND uid = 1000
|
|
|
|
|
AND (
|
|
|
|
|
file.directory LIKE '/tmp/%/test'
|
|
|
|
|
OR file.directory LIKE '/tmp/%/testdata'
|
|
|
|
|
)
|
|
|
|
|
) -- Don't alert if the file is only on disk for a moment
|
2022-09-24 15:12:23 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
file.directory LIKE '/tmp/%'
|
2022-10-20 12:19:56 +00:00
|
|
|
AND (strftime('%s', 'now') - ctime) < 30
|
2023-01-18 19:10:33 +00:00
|
|
|
)
|
2022-10-12 01:53:36 +00:00
|
|
|
AND NOT (
|
2022-11-18 15:27:43 +00:00
|
|
|
uid > 500
|
|
|
|
|
AND file.path LIKE '/tmp/terraform_%/terraform'
|
2022-11-16 21:52:39 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
file.path LIKE '/tmp/%compressed'
|
2022-10-12 01:53:36 +00:00
|
|
|
AND size < 4000
|
|
|
|
|
AND uid > 500
|
2023-01-18 15:57:43 +00:00
|
|
|
) -- Executables too small to even hold '#!/bin/sh\nuid'
|
2022-10-12 01:53:36 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
file.type = 'regular'
|
2022-10-12 01:53:36 +00:00
|
|
|
AND size < 10
|
2023-01-09 20:10:48 +00:00
|
|
|
)
|
2023-01-20 14:24:24 +00:00
|
|
|
-- Binaries we might actually see legitimately
|
2023-01-18 15:57:43 +00:00
|
|
|
AND NOT (
|
|
|
|
|
file.path LIKE '/tmp/%'
|
|
|
|
|
AND file.uid > 500
|
|
|
|
|
AND (
|
|
|
|
|
file.filename LIKE "%ctl"
|
|
|
|
|
OR file.filename LIKE "%adm"
|
|
|
|
|
OR file.filename LIKE "%-cli"
|
|
|
|
|
)
|
2023-01-18 14:49:56 +00:00
|
|
|
)
|
2023-01-18 19:41:36 +00:00
|
|
|
-- All checks with magic.data must first check for a lack of NULL value,
|
|
|
|
|
-- otherwise you filter out platforms without magic.data.
|
2023-01-18 19:10:33 +00:00
|
|
|
AND NOT (
|
2023-01-18 19:41:36 +00:00
|
|
|
file.uid > 500
|
|
|
|
|
AND magic.data IS NOT NULL
|
|
|
|
|
AND (
|
|
|
|
|
magic.data IN (
|
|
|
|
|
"POSIX shell script, ASCII text executable",
|
|
|
|
|
"JSON data"
|
|
|
|
|
)
|
|
|
|
|
OR magic.data LIKE "Unicode text%"
|
|
|
|
|
OR magic.data LIKE "gzip compressed data%"
|
2023-01-24 01:33:52 +00:00
|
|
|
-- Exotic platforms
|
|
|
|
|
OR magic.data LIKE 'ELF 64-bit MSB pie executable, IBM S/390%'
|
|
|
|
|
OR magic.data LIKE 'ELF 32-bit LSB pie executable, ARM, EABI5%'
|
2023-01-18 19:41:36 +00:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
file.directory LIKE "%/lib"
|
|
|
|
|
OR file.directory LIKE "%/lib64"
|
2023-01-18 19:10:33 +00:00
|
|
|
AND file.uid > 500
|
2023-01-18 19:41:36 +00:00
|
|
|
AND (
|
|
|
|
|
file.filename LIKE "%.so.%"
|
|
|
|
|
OR file.filename LIKE "%.so"
|
|
|
|
|
)
|
2023-01-18 19:10:33 +00:00
|
|
|
)
|
