osquery-defense-kit/detection/evasion/touched-executable-linux.sql

-- Programs which were spawned by an executable containing a matching ctime & mtime, which
-- on Linux only generally occurs occurs if you run 'touch <bin>'
--
-- references:
--   * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
--
-- tags: transient process state
-- platform: linux
SELECT
  p.pid,
  p.path,
  p.name,
  p.cmdline,
  p.cwd,
  p.euid,
  p.parent,
  f.ctime,
  f.btime,
  f.mtime,
  p.start_time,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  hash.sha256 AS sha256
FROM
  processes p
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE
  f.ctime = f.mtime
  AND p.path != '/'
  AND f.path != '/opt/google/endpoint-verification/bin/apihelper'
  AND f.path NOT LIKE '/home/%'
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/tmp/go-build%/exe/main'
  AND f.path NOT LIKE '/usr/local/bin/%'
  AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
GROUP by
  p.pid
Detect touched executables 2022-10-04 13:37:40 +00:00			`-- Programs which were spawned by an executable containing a matching ctime & mtime, which`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- on Linux only generally occurs occurs if you run 'touch <bin>'`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- references:`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- tags: transient process state`
			`-- platform: linux`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`p.pid,`
Detect touched executables 2022-10-04 13:37:40 +00:00			`p.path,`
			`p.name,`
			`p.cmdline,`
			`p.cwd,`
			`p.euid,`
			`p.parent,`
			`f.ctime,`
			`f.btime,`
			`f.mtime,`
			`p.start_time,`
			`pp.path AS parent_path,`
			`pp.cmdline AS parent_cmd,`
			`pp.cwd AS parent_cwd,`
			`hash.sha256 AS sha256`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`FROM`
			`processes p`
Detect touched executables 2022-10-04 13:37:40 +00:00			`LEFT JOIN file f ON p.path = f.path`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON p.path = hash.path`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`WHERE`
			`f.ctime = f.mtime`
Work through another series of false positives 2022-10-19 19:26:03 +00:00			`AND p.path != '/'`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`AND f.path != '/opt/google/endpoint-verification/bin/apihelper'`
Add more false positive filters 2022-10-17 23:01:16 +00:00			`AND f.path NOT LIKE '/home/%'`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`AND f.path NOT LIKE '/snap/%'`
Add exception for 'go run' 2022-10-30 13:39:48 +00:00			`AND f.path NOT LIKE '/tmp/go-build%/exe/main'`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`AND f.path NOT LIKE '/usr/local/bin/%'`
New Years cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 13:50:19 +00:00			`AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'`
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 23:06:06 +00:00			`AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`GROUP by`
			`p.pid`