Split up the unexpected-filesystem-entries by platform

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -4,6 +4,7 @@
 --   * locally built software
 --
 -- tags: persistent state filesystem
+-- platform: darwin
 SELECT
   ae.path,
   ae.state,

detection/evasion/unexpected-dev-entries.sql

@@ -7,6 +7,7 @@
 --   * programs which have legimate uses for /dev/shm
 --
 -- tags: persistent state filesystem
+-- platform: linux
 SELECT
   file.path,
   file.type,

detection/evasion/unexpected-dev-executables-linux.sql

@@ -18,13 +18,25 @@ FROM
   file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-  -- For some reason /dev/%% is not recursive?
 WHERE
   (
+    -- This list is the result of multiple queries combined and can likely be minimized
     file.path LIKE '/dev/%%'
     OR file.path LIKE '/dev/%%/%%'
+    OR file.path LIKE '/dev/mqueue/%%'
+    OR file.path LIKE '/dev/mqueue/.%/%%'
+    OR file.path LIKE '/dev/mqueue/%/%%'
+    OR file.path LIKE '/dev/mqueue/%/%/.%'
+    OR file.path LIKE '/dev/mqueue/%/.%/%%'
+    OR file.path LIKE '/dev/shm/%%'
+    OR file.path LIKE '/dev/shm/.%/%%'
+    OR file.path LIKE '/dev/shm/%/%%'
+    OR file.path LIKE '/dev/shm/%/%/.%'
+    OR file.path LIKE '/dev/shm/%/.%/%%'
   )
   AND file.type = 'regular'
+  AND file.path NOT LIKE '%/../%'
+  AND file.path NOT LIKE '%/./%'
   AND (
     file.mode LIKE '%7%'
     or file.mode LIKE '%5%'

detection/evasion/unexpected-etc-executables.sql

@@ -5,8 +5,7 @@
 --
 -- tags: persistent
 -- platform: posix
-SELECT
-  file.path,
+SELECT file.path,
   file.directory,
   uid,
   gid,
@@ -15,12 +14,10 @@ SELECT
   file.size,
   hash.sha256,
   magic.data
-FROM
-  file
+FROM file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE
-  (file.path LIKE '/etc/%%')
+WHERE (file.path LIKE '/etc/%%')
   AND file.type = 'regular'
   AND (
     file.mode LIKE '%7%'
@@ -116,7 +113,7 @@ WHERE
     '/etc/ssl/trust-source',
     '/etc/systemd/system',
     '/etc/systemd/system/graphical.target.wants',
-    '/etc/systemd/system-shutdown'
+    '/etc/systemd/system-shutdown',
     '/etc/update-motd.d',
     '/etc/vmware-tools',
     '/etc/vpnc',
@@ -127,8 +124,7 @@ WHERE
     '/etc/xdg/Xwayland-session.d',
     '/etc/zfs-fuse',
     '/etc/zfs/zed.d',
-    '/etc/zfs/zpool.d',
-
+    '/etc/zfs/zpool.d'
   )
   AND file.path NOT IN (
     '/etc/nftables.conf',
@@ -136,4 +132,4 @@ WHERE
     '/etc/qemu-ifdown',
     '/etc/qemu-ifup',
     '/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json'
-  )
+  )

detection/evasion/unexpected-tmp-executables.sql

@@ -26,26 +26,6 @@ WHERE
     OR file.path LIKE '/tmp/%/%%'
     OR file.path LIKE '/tmp/%/%/.%'
     OR file.path LIKE '/tmp/%/.%/%%'
-    OR file.path LIKE '/var/tmp/%%'
-    OR file.path LIKE '/var/tmp/.%/%%'
-    OR file.path LIKE '/var/tmp/%/%%'
-    OR file.path LIKE '/var/tmp/%/%/.%'
-    OR file.path LIKE '/var/tmp/%/.%/%%'
-    OR file.path LIKE '/var/spool/%%'
-    OR file.path LIKE '/var/spool/.%/%%'
-    OR file.path LIKE '/var/spool/%/%%'
-    OR file.path LIKE '/var/spool/%/%/.%'
-    OR file.path LIKE '/var/spool/%/.%/%%'
-    OR file.path LIKE '/dev/mqueue/%%'
-    OR file.path LIKE '/dev/mqueue/.%/%%'
-    OR file.path LIKE '/dev/mqueue/%/%%'
-    OR file.path LIKE '/dev/mqueue/%/%/.%'
-    OR file.path LIKE '/dev/mqueue/%/.%/%%'
-    OR file.path LIKE '/dev/shm/%%'
-    OR file.path LIKE '/dev/shm/.%/%%'
-    OR file.path LIKE '/dev/shm/%/%%'
-    OR file.path LIKE '/dev/shm/%/%/.%'
-    OR file.path LIKE '/dev/shm/%/.%/%%'
   )
   AND file.type = 'regular'
   AND file.path NOT LIKE '%/../%'

detection/evasion/unexpected-var-executables-linux.sql

@@ -0,0 +1,53 @@
+-- Find unexpected executables in /var
+--
+-- false positives:
+--   * none known
+--
+-- tags: persistent
+-- platform: linux
+SELECT
+  file.path,
+  file.directory,
+  uid,
+  gid,
+  mode,
+  file.mtime,
+  file.size,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash on file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  (
+    -- This list is the result of multiple queries combined and can likely be minimized
+    file.path LIKE '/var/%%'
+    OR file.path LIKE '/var/tmp/%%'
+    OR file.path LIKE '/var/tmp/.%/%%'
+    OR file.path LIKE '/var/tmp/%/%%'
+    OR file.path LIKE '/var/tmp/%/%/.%'
+    OR file.path LIKE '/var/tmp/%/.%/%%'
+    OR file.path LIKE '/var/spool/%%'
+    OR file.path LIKE '/var/spool/.%/%%'
+    OR file.path LIKE '/var/spool/%/%%'
+    OR file.path LIKE '/var/spool/%/%/.%'
+    OR file.path LIKE '/var/spool/%/.%/%%'
+  )
+  AND file.type = 'regular'
+  AND file.path NOT LIKE '%/../%'
+  AND file.path NOT LIKE '%/./%'
+  AND (
+    file.mode LIKE '%7%'
+    or file.mode LIKE '%5%'
+    or file.mode LIKE '%1%'
+  )
+  AND file.directory NOT IN (
+    '/var/lib/colord',
+    '/var/ossec/agentless',
+    '/var/ossec/bin',
+    '/var/ossec/wodles',
+    '/var/run/booted-system',
+    '/var/run/current-system'
+  )
+  AND file.size > 10

detection/evasion/unexpected-var-executables-macos.sql

@@ -0,0 +1,73 @@
+-- Find unexpected executables in /var
+--
+-- false positives:
+--   * none known
+--
+-- tags: persistent
+-- platform: macos
+SELECT
+  file.path,
+  file.directory,
+  uid,
+  gid,
+  mode,
+  file.mtime,
+  file.size,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash on file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  (
+    -- This list is the result of multiple queries combined and can likely be minimized
+    file.path LIKE '/var/%%'
+    OR file.path LIKE '/var/tmp/%%'
+    OR file.path LIKE '/var/tmp/.%/%%'
+    OR file.path LIKE '/var/tmp/%/%%'
+    OR file.path LIKE '/var/tmp/%/%/.%'
+    OR file.path LIKE '/var/tmp/%/.%/%%'
+    OR file.path LIKE '/var/spool/%%'
+    OR file.path LIKE '/var/spool/.%/%%'
+    OR file.path LIKE '/var/spool/%/%%'
+    OR file.path LIKE '/var/spool/%/%/.%'
+    OR file.path LIKE '/var/spool/%/.%/%%'
+  )
+  AND file.type = 'regular'
+  AND file.path NOT LIKE '%/../%'
+  AND file.path NOT LIKE '%/./%'
+  -- Rosetta cache, SIP protected
+  AND file.path NOT LIKE '/var/db/oah/%'
+  AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
+  AND file.path NOT LIKE '/var/tmp/epdfinfo%'
+  AND (
+    file.mode LIKE '%7%'
+    or file.mode LIKE '%5%'
+    or file.mode LIKE '%1%'
+  )
+  AND file.directory NOT IN (
+    '/var/ossec/agentless',
+    '/var/ossec/bin',
+    '/var/ossec/wodles',
+    '/var/run/booted-system',
+    '/var/run/current-system',
+    '/var/run/current-system/sw/bin',
+    '/var/select',
+    '/var/db/xcode_select_link/usr/bin',
+    '/var/db/xcode_select_link/usr/lib',
+    '/var/db/xcode_select_link/usr/libexec',
+    '/var/select/X11/bin',
+    '/var/select/X11/lib/dri',
+    '/var/select/X11/lib/flat_namespace',
+    '/var/select/X11/lib',
+    '/var/select/X11/libexec'
+  )
+  AND file.path NOT IN (
+    '/var/log/acroUpdaterTools.log',
+    '/var/vm/sleepimage'
+  )
+  AND file.size > 10
+  AND hash.sha256 NOT IN (
+    'fd53abe096b3617c32d46db34fad58770f697a3bf4aef3d8861f37d8471f6c98' -- sp_relauncher (Spotify)
+  )

detection/evasion/unexpected-var-executables.sql

@@ -1,39 +0,0 @@
--- Find unexpected executables in /var
---
--- false positives:
---   * none known
---
--- tags: persistent seldom
--- platform: posix
-SELECT
-  file.path,
-  file.directory,
-  uid,
-  gid,
-  mode,
-  file.mtime,
-  file.size,
-  hash.sha256,
-  magic.data
-FROM
-  file
-  LEFT JOIN hash on file.path = hash.path
-  LEFT JOIN magic ON file.path = magic.path
-WHERE
-  (file.path LIKE '/var/%%')
-  AND file.type = 'regular'
-  AND (
-    file.mode LIKE '%7%'
-    or file.mode LIKE '%5%'
-    or file.mode LIKE '%1%'
-  )
-  AND file.directory NOT IN (
-    '/var/lib/colord',
-    '/var/ossec/agentless',
-    '/var/ossec/bin',
-    '/var/ossec/wodles',
-    '/var/run/booted-system',
-    '/var/run/current-system',
-    '/var/run/current-system/sw/bin',
-    '/var/vm'
-  )