Merge pull request #256 from tstromberg/var-run

New detector: unexpected /var/run files
2023-05-11 10:35:25 -04:00 · 2023-05-11 10:35:25 -04:00 · 53a6d583c3
parent 240d03463e 099d6664fe
commit 53a6d583c3
2 changed files with 126 additions and 0 deletions
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@ -0,0 +1,67 @@
+-- Find unexpected regular files in /var/run
+--
+-- false positives:
+--   * none known
+--
+-- references:
+--   * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent
+-- platform: linux
+SELECT
+  file.filename,
+  uid,
+  gid,
+  mode,
+  file.ctime,
+  file.atime,
+  file.mtime,
+  file.size,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash on file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  file.directory = "/var/run"
+  AND file.type = "regular"
+  AND file.filename NOT IN (
+    'acpid.pid',
+    'agetty.reload',
+    'alsactl.pid',
+    'apport.lock',
+    'atd.pid',
+    "auditd.pid",
+    "crond.pid",
+    'crond.reboot',
+    "cron.reboot",
+    "docker.pid",
+    'firefox-restart-required',
+    'gdm3.pid',
+    'gssproxy.pid',
+    'haproxy.pid',
+    "lightdm.pid",
+    'mcelog.pid',
+    'motd',
+    'nvidia_runtimepm_enabled',
+    'nvidia_runtimepm_supported',
+    'reboot-required',
+    'reboot-required.pkgs',
+    'rsyslogd.pid',
+    'sm-notify.pid',
+    'sshd.pid',
+    'u-d-c-nvidia-drm-was-loaded',
+    'u-d-c-nvidia-was-loaded',
+    'unattended-upgrades.lock',
+    'unattended-upgrades.progress',
+    "utmp",
+    "xtables.lock",
+    'zed.pid',
+    'zed.state',
+    'zfs_fs_name',
+    'zfs_unlock_complete'
+  )
+  AND NOT file.filename LIKE 'u-d-c-gpu-0%'
+GROUP BY
+  file.path;
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@ -0,0 +1,59 @@
+-- Find unexpected regular files in /var/run
+--
+-- false positives:
+--   * none known
+--
+-- references:
+--   * https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent
+-- platform: darwin
+SELECT
+  file.filename,
+  uid,
+  gid,
+  mode,
+  file.ctime,
+  file.atime,
+  file.mtime,
+  file.size,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash on file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  file.directory = "/var/run"
+  AND file.type = "regular"
+  AND file.filename NOT IN (
+    'appfwd.pid',
+    'auditd.pid',
+    '.autoBackup',
+    'automount.initialized',
+    'com.apple.DumpPanic.finishedPMUFaultHandling',
+    'com.apple.DumpPanic.finishedThisBoot',
+    'com.apple.logind.didRunThisBoot',
+    'com.apple.loginwindow.didRunThisBoot',
+    'com.apple.mdmclient.daemon.didRunThisBoot',
+    'com.apple.mobileassetd-MobileAssetBrain',
+    'com.apple.parentalcontrols.webfilterctl.mutex',
+    'com.apple.softwareupdate.availableupdatesupdated',
+    'com.apple.WindowServer.didRunThisBoot',
+    'diskarbitrationd.pid',
+    'FirstBootAfterUpdate',
+    'FirstBootCleanupHandled',
+    'hdiejectd.pid',
+    'prl_disp_service.pid',
+    'prl_naptd.pid',
+    'prl_watchdog-ebdba5702a20.pid',
+    'resolv.conf',
+    'rtadvd.pid',
+    'socketfilterfw.launchd',
+    'syslog.pid',
+    'systemkeychaincheck.done',
+    'utmpx',
+    'wifi'
+  )
+GROUP BY
+  file.path;