RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-17 03:24:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #132 from tstromberg/net-parents

Browse Source 
old binaries: fix errant mtime comparison
This commit is contained in:
Thomas Strömberg 2023-01-19 11:42:19 -05:00 committed by GitHub
commit 22b2594d58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
detection/evasion/old-binaries-running.sql
View File

@ -7,26 +7,54 @@
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp) -- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
-- --
-- tags: transient process state -- tags: transient process state
SELECT SELECT p.path,
p.path,
p.cmdline, p.cmdline,
p.cwd, p.cwd,
p.pid,
p.name,
f.mtime,
f.ctime,
p.cgroup_path,
((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days, ((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days, ((strftime('%s', 'now') - f.mtime) / 86400) AS mtime_age_days,
((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days, ((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days,
h.sha256, h.sha256,
f.uid, f.uid,
m.path,
f.gid f.gid
FROM FROM processes p
processes p LEFT JOIN file f ON p.path = f.path
JOIN file f ON p.path = f.path LEFT JOIN hash h ON p.path = h.path
JOIN hash h ON p.path = h.path LEFT JOIN magic m ON p.path = m.path
WHERE WHERE (
(
ctime_age_days > 1050 ctime_age_days > 1050
OR mtime_age_days > 1050 OR mtime_age_days > 1050
) )
AND p.path NOT LIKE '%/opt/brackets/Brackets%' AND f.mtime > 1
AND h.sha256 NOT IN ( AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
'f61dcfce6f0c04263780700e0e9a8ff2363edefc344c08bd792fd401ddaa160f' -- jp.co.canon.MSU.app.Installer AND f.path NOT IN (
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
'/Applications/Gitter.app/Contents/Library/LoginItems/GitterHelperApp.app/Contents/MacOS/GitterHelperApp',
'/Applications/Divvy.app/Contents/MacOS/Divvy',
'/opt/homebrew/Cellar/watch/3.3.16/bin/watch',
'/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
'/opt/homebrew/Cellar/bash/5.1.16/bin/bash',
'/snap/brackets/138/opt/brackets/Brackets',
'/snap/brackets/138/opt/brackets/Brackets-node',
'/Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_14',
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
'/usr/bin/i3blocks'
) )
AND p.name NOT IN (
'buildkitd',
'BluejeansHelper',
'J8RPQ294UB.com.skitch.SkitchHelper',
'Pandora',
'Pandora Helper'
)
GROUP BY p.pid,
p.path