Add more paths to unexpected-hidden-system-paths, rename

Thomas Stromberg 2023-01-19 11:42:44 -05:00
parent 5abe66644b
commit a100aa307f
1 changed files with 37 additions and 15 deletions


@ -8,24 +8,22 @@
-- --
-- platform: posix -- platform: posix
-- tags: persistent filesystem state -- tags: persistent filesystem state
SELECT SELECT file.path,
file.path,
file.directory, file.directory,
uid, uid,
gid, gid,
mode, mode,
mtime, mtime,
((strftime('%s', 'now') - file.ctime) / 86400) AS mtime_age_days,
ctime, ctime,
type, type,
size, size,
hash.sha256, hash.sha256,
magic.data magic.data
FROM FROM file
file
LEFT JOIN hash ON file.path = hash.path LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path LEFT JOIN magic ON file.path = magic.path
WHERE WHERE (
(
file.path LIKE '/lib/.%' file.path LIKE '/lib/.%'
OR file.path LIKE '/.%' OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%' OR file.path LIKE '/bin/%/.%'
@ -49,40 +47,62 @@ WHERE
OR file.path LIKE '/usr/local/sbin/.%' OR file.path LIKE '/usr/local/sbin/.%'
OR file.path LIKE '/usr/sbin/.%' OR file.path LIKE '/usr/sbin/.%'
OR file.path LIKE '/var/.%' OR file.path LIKE '/var/.%'
OR file.path LIKE '/var/%/.%'
OR file.path LIKE '/var/lib/.%' OR file.path LIKE '/var/lib/.%'
OR file.path LIKE '/var/tmp/.%' OR file.path LIKE '/var/tmp/.%'
) -- Avoid mentioning extremely temporary files )
AND file.path NOT LIKE '%/../'
AND file.path NOT LIKE '%/./' -- Avoid mentioning extremely temporary files
AND strftime('%s', 'now') - file.ctime > 20 AND strftime('%s', 'now') - file.ctime > 20
AND file.path NOT IN ( AND file.path NOT IN (
'/.autorelabel', '/.autorelabel',
'/dev/.mdadm/', '/dev/.mdadm/',
'/etc/.clean', '/etc/.clean',
'/etc/.java/', '/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',
'/etc/selinux/.config_backup', '/etc/selinux/.config_backup',
'/etc/skel/.mozilla/', '/etc/skel/.mozilla/',
'/.file', '/.file',
'/tmp/../',
'/tmp/./',
'/tmp/.DS_Store',
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress', '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/._contentbarrier_installed', '/tmp/._contentbarrier_installed',
'/tmp/.dotnet/', '/tmp/.dotnet/',
'/tmp/.dracula-tmux-data', '/tmp/.dracula-tmux-data',
'/tmp/.dracula-tmux-weather.lock', '/tmp/.dracula-tmux-weather.lock',
'/tmp/.DS_Store',
'/tmp/.font-unix/', '/tmp/.font-unix/',
'/tmp/.ICE-unix/', '/tmp/.ICE-unix/',
'/tmp/.terraform/',
'/tmp/.terraform.lock.hcl',
'/tmp/.Test-unix/', '/tmp/.Test-unix/',
'/tmp/.vbox-t-ipc/', '/tmp/.vbox-t-ipc/',
'/tmp/.X0-lock', '/tmp/.X0-lock',
'/tmp/.X1-lock',
'/tmp/.X2-lock',
'/tmp/.X11-unix/', '/tmp/.X11-unix/',
'/tmp/.X1-lock', '/tmp/.X1-lock',
'/tmp/.X2-lock',
'/tmp/.XIM-unix/', '/tmp/.XIM-unix/',
'/var/db/.AppleUpgrade',
'/var/db/.com.apple.iokit.graphics',
'/var/db/.GKRearmTimer',
'/var/db/.LastGKApp',
'/var/db/.LastGKReject',
'/var/db/.MASManifest',
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/.ntw_cache', '/var/.ntw_cache',
'/var/.Parallels_swap/', '/var/.Parallels_swap/',
'/var/.pwd_cache', '/var/.pwd_cache',
'/etc/.resolv.conf.systemd-resolved.bak', '/var/root/.bash_history',
'/var/root/.cache/',
'/var/root/.CFUserTextEncoding',
'/var/root/.forward',
'/var/root/.nix-channels',
'/var/root/.nix-defexpr/',
'/var/root/.nix-profile/',
'/var/root/.osquery/',
'/var/root/.Trash/',
'/var/run/.heim_org.h5l.kcm-socket',
'/var/run/.sim_diagnosticd_socket',
'/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
'/.vol/', '/.vol/',
'/.VolumeIcon.icns' '/.VolumeIcon.icns'
) )
@ -97,8 +117,6 @@ WHERE
AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%' AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
AND file.path NOT LIKE '/tmp/.X1%-lock' AND file.path NOT LIKE '/tmp/.X1%-lock'
AND file.path NOT LIKE '/usr/local/%/.keepme' AND file.path NOT LIKE '/usr/local/%/.keepme'
AND file.path NOT LIKE '%/../'
AND file.path NOT LIKE '%/./'
AND file.path NOT LIKE '%/.build-id/' AND file.path NOT LIKE '%/.build-id/'
AND file.path NOT LIKE '%/.dwz/' AND file.path NOT LIKE '%/.dwz/'
AND file.path NOT LIKE '%/.updated' AND file.path NOT LIKE '%/.updated'
@ -133,3 +151,7 @@ WHERE
AND file.type = 'socket' AND file.type = 'socket'
AND file.size = 0 AND file.size = 0
) )
AND NOT (
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
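Review bot: The new column added in the first hunk is named `mtime_age_days` but is computed from `file.ctime`, so an analyst reading the result will attribute the age to the wrong timestamp; either rename it to match the source, `((strftime('%s', 'now') - file.ctime) / 86400) AS ctime_age_days,`, or compute it from `file.mtime` if modification age was the intent. In the second hunk the new pattern `OR file.path LIKE '/var/%/.%'` subsumes the existing `'/var/lib/.%'` and `'/var/tmp/.%'` lines, which can be dropped to keep the allowlist readable. The final hunk excludes `'/var/root/.oracle_jre_usage/'` only when `file.size = 96`; that constant looks like an on-disk directory entry size, which is filesystem-dependent, so a comment such as `-- 96 bytes: empty directory on the filesystem this was tuned on; adjust if the exclusion stops firing` would make the intent checkable. The query's WHERE clause continues between and past the hunks shown here.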