Merge pull request #63 from tstromberg/hidden-home

Add detections for hidden home configuration directories
Thomas Strömberg 2022-11-04 08:54:34 -04:00 committed by GitHub
commit 4aa32afc0d
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 0 deletions


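--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,38 @@
+-- Find unexpected hidden files in a users config directory
+--
+-- references:
+-- * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
+--
+-- false positives:
+-- * programs which create new Library directories
+--
+-- tags: persistent state filesystem
+-- platform: linux
+SELECT
+file.path,
+file.type,
+file.size,
+file.mtime,
+file.uid,
+file.ctime,
+file.gid,
+hash.sha256,
+magic.data
+FROM
+file
+LEFT JOIN hash ON file.path = hash.path
+LEFT JOIN magic ON file.path = magic.path
+WHERE
+(
+file.path LIKE '/home/%/.config/%%/.%/%'
+OR file.path LIKE '/home/%/.config/.%/%'
+OR file.path LIKE '/home/%/.config/%%/.%/.%'
+OR file.path LIKE '/root/.config/%%/.%/%'
+OR file.path LIKE '/root/.config/.%/%'
+OR file.path LIKE '/root/.config/%%/.%/.%'
+OR file.path LIKE '/root/.%/.%/%'
+)
+AND file.path NOT LIKE '%/../%'
+AND file.path NOT LIKE '%/./%'
+AND file.path NOT LIKE '/root/.debug/.build-id/%'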
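Review bot: The false-positives line in the header, `-- * programs which create new Library directories`, refers to macOS Library folders while this query (tagged `platform: linux`) matches under `~/.config` and `/root`, so it reads as a copy-paste from the darwin variant; suggest `-- * programs which create new hidden directories under ~/.config or /root`. The `%%` in the LIKE patterns depends on osquery's file-table semantics, where `%` matches a single path component and `%%` descends recursively, which a reader expecting standard SQL will take for a redundant wildcard; a one-line comment above the WHERE clause such as `-- osquery file table: % = one path component, %% = recursive` would prevent that misreading. The `hash` and `magic` joins are keyed on every matched path, so the sha256 and magic lookups are presumably computed per hit, which is worth a short cost note in the header for users running this against large home directories.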


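--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,32 @@
+-- Find unexpected hidden files in a users Library directory
+--
+-- references:
+-- * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
+--
+-- false positives:
+-- * programs which create new Library directories
+--
+-- tags: persistent state filesystem
+-- platform: darwin
+SELECT
+file.path,
+file.type,
+file.size,
+file.mtime,
+file.uid,
+file.ctime,
+file.gid,
+hash.sha256,
+magic.data
+FROM
+file
+LEFT JOIN hash ON file.path = hash.path
+LEFT JOIN magic ON file.path = magic.path
+WHERE
+(
+file.path LIKE '/Users/%/Library/%%/.%/%'
+OR file.path LIKE '/Users/%/Library/.%/%'
+OR file.path LIKE '/home/%/Library/%%/.%/.%'
+)
+AND file.path NOT LIKE '%/../%'
+AND file.path NOT LIKE '%/./%'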
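Review bot: The third pattern in the WHERE clause, `file.path LIKE '/home/%/Library/%%/.%/.%'`, is rooted at `/home/` although the file is tagged `platform: darwin` and the two patterns above it use `/Users/`, so it looks like a leftover from the Linux variant and the dotted-directory-inside-dotted-directory case will not be matched for macOS user homes; suggest `OR file.path LIKE '/Users/%/Library/%%/.%/.%'`. If the `/home/` root is intentional for hosts with non-standard home locations, a comment on that line saying so would stop the next reader from "fixing" it. As in the Linux query, a one-line comment that `%` is a single path component and `%%` is recursive in osquery's file table would help readers who expect standard LIKE semantics.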