RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-25 06:42:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add detections for hidden home configuration directories

Browse Source
This commit is contained in:
Thomas Stromberg 2022-11-04 08:50:34 -04:00
parent 0c0a38df44
commit 91f0d3e283
Failed to extract signature
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
detection/evasion/hidden-home-config-dir.sql Normal file
View File

@ -0,0 +1,38 @@
-- Find unexpected hidden files in a users config directory
--
-- references:
-- * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
--
-- false positives:
-- * programs which create new Library directories
--
-- tags: persistent state filesystem
-- platform: linux
SELECT
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE '/home/%/.config/%%/.%/%'
OR file.path LIKE '/home/%/.config/.%/%'
OR file.path LIKE '/home/%/.config/%%/.%/.%'
OR file.path LIKE '/root/.config/%%/.%/%'
OR file.path LIKE '/root/.config/.%/%'
OR file.path LIKE '/root/.config/%%/.%/.%'
OR file.path LIKE '/root/.%/.%/%'
)
AND file.path NOT LIKE '%/../%'
AND file.path NOT LIKE '%/./%'
AND file.path NOT LIKE '/root/.debug/.build-id/%'