From 288ec9e0f50c8a05d6a35b4c3014ab19f3f894dd Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 16 Nov 2022 20:55:49 -0500
Subject: [PATCH] Add hidden-executable rule
---
 detection/evasion/hidden-executable.sql | 31 +++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 detection/evasion/hidden-executable.sql
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
new file mode 100644
index 0000000..eba42ae
--- /dev/null
+++ b/detection/evasion/hidden-executable.sql
@@ -0,0 +1,31 @@
+-- Programs running with a hidden file path or process name
+--
+-- references:
+-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
+--
+-- tags: transient
+-- platform: posix
+SELECT
+ p.pid,
+ p.path,
+ p.name,
+ p.cmdline,
+ p.cwd,
+ p.euid,
+ p.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.cwd AS parent_cwd,
+ pp.euid AS parent_euid,
+ hash.sha256
+FROM
+ processes p
+ LEFT JOIN file f ON p.path = f.path
+ LEFT JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN users u ON p.uid = u.uid
+ LEFT JOIN hash ON p.path = hash.path
+WHERE
+ (p.name LIKE '.%' OR f.filename LIKE '.%')
+AND NOT f.path LIKE '/nix/store/%/%-wrapped'
+AND NOT p.name = '.firefox-wrappe'
\ No newline at end of file
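Review bot: The exclusion `AND NOT f.path LIKE '/nix/store/%/%-wrapped'` silently drops every hit whose `file` row is missing, because `f.path` is NULL from the LEFT JOIN there, `NULL LIKE ...` is NULL, and `NOT NULL` is still NULL, so a process with a dot-prefixed name whose executable has been unlinked from disk (a case this rule most wants to see) never passes the WHERE clause. Filtering on the column the join was made from avoids the trap and is what the exclusion means anyway: `AND NOT p.path LIKE '/nix/store/%/%-wrapped'`; if `f.path` is intentional, `AND COALESCE(f.path, '') NOT LIKE '/nix/store/%/%-wrapped'` keeps the NULL rows. The `LEFT JOIN users u ON p.uid = u.uid` is never referenced in SELECT or WHERE and can be dropped, or `u.username` added to the output if that was the intent. The literal `'.firefox-wrappe'` looks deliberately truncated; a comment such as `-- p.name is the kernel comm field, capped at 15 characters on Linux, hence the cut-off spelling` would stop the next reader from "fixing" it.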