osquery-defense-kit/fs/unexpected-tmp-executables.sql

-- Find unexpected executables in temp directories
SELECT
  file.path,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  (
    -- Recursive queries don't seem to work well with hidden directories :(
    file.path LIKE '/tmp/%%'
    OR file.path LIKE '/tmp/.%/%%'
    OR file.path LIKE '/tmp/%/%%'
    OR file.path LIKE '/tmp/%/%/.%'
    OR file.path LIKE '/tmp/%/.%/%%'

    OR file.path LIKE '/var/tmp/%%'
    OR file.path LIKE '/var/tmp/.%/%%'
    OR file.path LIKE '/var/tmp/%/%%'
    OR file.path LIKE '/var/tmp/%/%/.%'
    OR file.path LIKE '/var/tmp/%/.%/%%'

    OR file.path LIKE '/var/spool/%%'
    OR file.path LIKE '/var/spool/.%/%%'
    OR file.path LIKE '/var/spool/%/%%'
    OR file.path LIKE '/var/spool/%/%/.%'
    OR file.path LIKE '/var/spool/%/.%/%%'

    OR file.path LIKE '/dev/mqueue/%%'
    OR file.path LIKE '/dev/mqueue/.%/%%'
    OR file.path LIKE '/dev/mqueue/%/%%'
    OR file.path LIKE '/dev/mqueue/%/%/.%'
    OR file.path LIKE '/dev/mqueue/%/.%/%%'

    OR file.path LIKE '/dev/shm/%%'
    OR file.path LIKE '/dev/shm/.%/%%'
    OR file.path LIKE '/dev/shm/%/%%'
    OR file.path LIKE '/dev/shm/%/%/.%'
    OR file.path LIKE '/dev/shm/%/.%/%%'
  )
  AND file.type = "regular"
  AND file.path NOT LIKE "%/../%"
  AND file.path NOT LIKE "%/./%"
  AND (
    file.mode LIKE "%7%"
    or file.mode LIKE "%5%"
    or file.mode LIKE "%1%"
  )
  AND NOT (
    uid > 500
    AND (
      file.path LIKE "%/go-build%"
      OR file.path LIKE "/tmp/checkout/%"
      OR file.path LIKE "/tmp/com.apple.installer%"
      OR file.path LIKE "/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%"
      OR file.path LIKE "/tmp/go.%.sum"
      OR file.path LIKE "/tmp/guile-%/guile-%"
      OR file.path LIKE "/tmp/terraformer/%"
      OR file.path LIKE "/tmp/tmp.%"
      OR file.path LIKE "%/bin/%-gen"
      OR file.path LIKE "%/bin/%"
      OR file.path LIKE "%/CCLBS/%"
      OR file.path LIKE "%/ko/%"
      OR file.path LIKE "%/pdf-tools/%"
      OR file.path LIKE "%/tmp/epdf%"
      OR
      -- These regular expressions can be narrowed down
      (
        file.size < 4000
        AND file.path LIKE "/tmp/%.sh"
      )
      OR (
        file.size < 4000
        AND file.path LIKE "/tmp/%.py"
      )
    )
  )
  -- Nix
  AND NOT (
    file.directory LIKE "/tmp/tmp%"
    AND gid = 0
    AND uid > 300
    AND uid < 350
  )
  AND NOT magic.data LIKE "%nix-shell script%"
  -- Don't alert if the file is only on disk for a moment
  AND NOT (
    file.directory LIKE "/tmp/%"
    AND (strftime('%s', 'now') - ctime) < 60
  )
  -- macOS updates
  AND NOT file.directory LIKE "/tmp/msu-target-%"
  -- I don't know man. I don't work here.
  AND NOT (file.path LIKE ("/tmp/%compressed") AND size < 4000 AND uid>500)
  -- Executables too small to even hold "#!/bin/sh\nuid"
  AND NOT (file.type = "regular" AND size < 10)
Launch day final cleanup 2022-09-22 23:35:24 +00:00			`-- Find unexpected executables in temp directories`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`file.path,`
			`uid,`
			`gid,`
			`mode,`
			`file.mtime,`
			`file.size,`
			`hash.sha256,`
			`magic.data`
			`FROM`
			`file`
			`LEFT JOIN hash on file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
			`WHERE`
			`(`
More false positive removal 2022-09-30 17:47:10 +00:00			`-- Recursive queries don't seem to work well with hidden directories :(`
			`file.path LIKE '/tmp/%%'`
			`OR file.path LIKE '/tmp/.%/%%'`
			`OR file.path LIKE '/tmp/%/%%'`
			`OR file.path LIKE '/tmp/%/%/.%'`
			`OR file.path LIKE '/tmp/%/.%/%%'`

			`OR file.path LIKE '/var/tmp/%%'`
			`OR file.path LIKE '/var/tmp/.%/%%'`
			`OR file.path LIKE '/var/tmp/%/%%'`
			`OR file.path LIKE '/var/tmp/%/%/.%'`
			`OR file.path LIKE '/var/tmp/%/.%/%%'`

			`OR file.path LIKE '/var/spool/%%'`
			`OR file.path LIKE '/var/spool/.%/%%'`
			`OR file.path LIKE '/var/spool/%/%%'`
			`OR file.path LIKE '/var/spool/%/%/.%'`
			`OR file.path LIKE '/var/spool/%/.%/%%'`

			`OR file.path LIKE '/dev/mqueue/%%'`
			`OR file.path LIKE '/dev/mqueue/.%/%%'`
			`OR file.path LIKE '/dev/mqueue/%/%%'`
			`OR file.path LIKE '/dev/mqueue/%/%/.%'`
			`OR file.path LIKE '/dev/mqueue/%/.%/%%'`

			`OR file.path LIKE '/dev/shm/%%'`
			`OR file.path LIKE '/dev/shm/.%/%%'`
			`OR file.path LIKE '/dev/shm/%/%%'`
			`OR file.path LIKE '/dev/shm/%/%/.%'`
			`OR file.path LIKE '/dev/shm/%/.%/%%'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
			`AND file.type = "regular"`
More false positive removal 2022-09-30 17:47:10 +00:00			`AND file.path NOT LIKE "%/../%"`
			`AND file.path NOT LIKE "%/./%"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND (`
			`file.mode LIKE "%7%"`
			`or file.mode LIKE "%5%"`
			`or file.mode LIKE "%1%"`
			`)`
			`AND NOT (`
			`uid > 500`
Launch day final cleanup 2022-09-22 23:35:24 +00:00			`AND (`
More false positive removal 2022-09-30 17:47:10 +00:00			`file.path LIKE "%/go-build%"`
More false-positive removal 2022-09-27 15:54:17 +00:00			`OR file.path LIKE "/tmp/checkout/%"`
			`OR file.path LIKE "/tmp/com.apple.installer%"`
			`OR file.path LIKE "/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%"`
			`OR file.path LIKE "/tmp/go.%.sum"`
			`OR file.path LIKE "/tmp/guile-%/guile-%"`
			`OR file.path LIKE "/tmp/terraformer/%"`
			`OR file.path LIKE "/tmp/tmp.%"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`OR file.path LIKE "%/bin/%-gen"`
			`OR file.path LIKE "%/bin/%"`
			`OR file.path LIKE "%/CCLBS/%"`
More false-positive removal 2022-09-27 15:54:17 +00:00			`OR file.path LIKE "%/ko/%"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`OR file.path LIKE "%/pdf-tools/%"`
More false-positive removal 2022-09-27 15:54:17 +00:00			`OR file.path LIKE "%/tmp/epdf%"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`OR`
			`-- These regular expressions can be narrowed down`
			`(`
			`file.size < 4000`
			`AND file.path LIKE "/tmp/%.sh"`
			`)`
			`OR (`
			`file.size < 4000`
			`AND file.path LIKE "/tmp/%.py"`
			`)`
Launch day final cleanup 2022-09-22 23:35:24 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
			`-- Nix`
			`AND NOT (`
			`file.directory LIKE "/tmp/tmp%"`
			`AND gid = 0`
			`AND uid > 300`
			`AND uid < 350`
			`)`
			`AND NOT magic.data LIKE "%nix-shell script%"`
			`-- Don't alert if the file is only on disk for a moment`
			`AND NOT (`
			`file.directory LIKE "/tmp/%"`
			`AND (strftime('%s', 'now') - ctime) < 60`
			`)`
			`-- macOS updates`
			`AND NOT file.directory LIKE "/tmp/msu-target-%"`
More false-positive removal 2022-09-27 15:54:17 +00:00			`-- I don't know man. I don't work here.`
			`AND NOT (file.path LIKE ("/tmp/%compressed") AND size < 4000 AND uid>500)`
Add detectors for unexpected executables in strange places 2022-09-29 15:38:14 +00:00			`-- Executables too small to even hold "#!/bin/sh\nuid"`
			`AND NOT (file.type = "regular" AND size < 10)`