osquery-defense-kit/detection/evasion/unexpected-var-run-linux.sql

-- Find unexpected regular files in /var/run
--
-- false positives:
-- * none known
--
-- references:
-- * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- tags: persistent
-- platform: linux
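-- Report every regular file directly under /var/run whose name is not on the
-- allow-list below. Each hit is enriched with its SHA-256 (hash table) and
-- libmagic description (magic table); both are LEFT JOINs so a file that
-- cannot be hashed or typed is still reported rather than silently dropped.
--
-- The allow-list is matched on filename only. To keep it from becoming an
-- evasion route (a payload dropped as e.g. /var/run/sshd.pid would otherwise
-- never surface), an allow-listed *.pid entry is only trusted while it is
-- PID-sized: a real pid file holds one decimal PID plus a newline (<= 8 bytes),
-- so anything over 16 bytes is reported regardless of its name. Non-.pid
-- names on the list (motd, utmp, *.lock, ...) carry no such size bound and
-- remain name-only exclusions.
SELECT
  file.filename,
  uid,
  gid,
  mode,
  file.ctime,
  file.atime,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  -- hash/magic are osquery virtual tables that need a path constraint;
  -- the join on file.path supplies it.
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  -- single-quoted literals: double quotes are identifiers in SQLite and only
  -- work as strings through its legacy DQS fallback.
  file.directory = '/var/run'
  AND file.type = 'regular'
  -- u-d-c-gpu-0* markers are written by ubuntu-drivers-common per GPU slot.
  AND NOT file.filename LIKE 'u-d-c-gpu-0%'
  AND (
    file.filename NOT IN (
      'acpid.pid',
      'adduser',
      'agetty.reload',
      'alsactl.pid',
      'apcupsd.pid',
      'apport.lock',
      'atd.pid',
      'auditd.pid',
      'com.rapid7.cnchub.pid',
      'com.rapid7.component_insight_agent.pid',
      'com.rapid7.ir_agent.pid',
      'crond.pid',
      'crond.reboot',
      'cron.reboot',
      'dnf-metadata.lock',
      'docker.pid',
      'firefox-restart-required',
      'gdm3.pid',
      'gssproxy.pid',
      'haproxy.pid',
      'lightdm.pid',
      'lima-boot-done',
      'lima-ssh-ready',
      'lxcfs.pid',
      'machine-id',
      'mcelog.pid',
      'motd',
      'motd.dynamic',
      'multipathd.pid',
      'nginx.pid',
      'nvidia-powerd.pid',
      'nvidia_runtimepm_enabled',
      'nvidia_runtimepm_supported',
      'ostree-booted',
      'pulseaudio-enable-autospawn',
      'reboot-required',
      'reboot-required.pkgs',
      'rsyslogd.pid',
      'sm-notify.pid',
      'sshd.pid',
      'ublue-update.lock',
      'u-d-c-nvidia-drm-was-loaded',
      'u-d-c-nvidia-was-loaded',
      'ufw.lock',
      'unattended-upgrades.lock',
      'unattended-upgrades.pid',
      'unattended-upgrades.progress',
      'usbmuxd.pid',
      'utmp',
      'xtables.lock',
      'zed.pid',
      'zed.state',
      'zfs_fs_name',
      'zfs_unlock_complete'
    )
    -- allow-listed pid-file names are still reported when their content is
    -- too large to be a PID (see header comment).
    OR (
      file.filename LIKE '%.pid'
      AND file.size > 16
    )
  )
-- one row per path even if an enrichment table ever returned several.
GROUP BY
  file.path;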