From a100aa307f1bc125302ef0dc5de364382b104804 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 19 Jan 2023 11:42:44 -0500
Subject: [PATCH] Add more paths to unexpected-hidden-system-paths, rename
---
 ...sql => unexpected-hidden-system-paths.sql} | 52 +++++++++++++------
 1 file changed, 37 insertions(+), 15 deletions(-)
 rename detection/evasion/{unexpected-hidden-system-folders.sql => unexpected-hidden-system-paths.sql} (77%)
diff --git a/detection/evasion/unexpected-hidden-system-folders.sql b/detection/evasion/unexpected-hidden-system-paths.sql
similarity index 77%
rename from detection/evasion/unexpected-hidden-system-folders.sql
rename to detection/evasion/unexpected-hidden-system-paths.sql
index a4c3bcb..4a9b418 100644
--- a/detection/evasion/unexpected-hidden-system-folders.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -8,24 +8,22 @@
 --
 -- platform: posix
 -- tags: persistent filesystem state
-SELECT
- file.path,
+SELECT file.path,
 file.directory,
 uid,
 gid,
 mode,
 mtime,
+ ((strftime('%s', 'now') - file.ctime) / 86400) AS mtime_age_days,
 ctime,
 type,
 size,
 hash.sha256,
 magic.data
-FROM
- file
+FROM file
 LEFT JOIN hash ON file.path = hash.path
 LEFT JOIN magic ON file.path = magic.path
-WHERE
- (
+WHERE (
 file.path LIKE '/lib/.%'
 OR file.path LIKE '/.%'
 OR file.path LIKE '/bin/%/.%'
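Review bot: The new derived column is computed from `file.ctime` but aliased `mtime_age_days`, which will mislead anyone triaging results into reading it as a modification-time age. Rename the alias to match the field it actually measures, `((strftime('%s', 'now') - file.ctime) / 86400) AS ctime_age_days,` — keeping ctime rather than switching the expression to mtime is the better choice for an evasion query, since mtime is trivially backdated with `touch -t` while ctime is not, short of clock manipulation. Note the division is integer division in SQLite, so the value floors to whole days; a comment to that effect on the line would save a reader a second look. The WHERE clause this hunk opens continues past the end of the hunk.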
@@ -49,40 +47,62 @@ WHERE
 OR file.path LIKE '/usr/local/sbin/.%'
 OR file.path LIKE '/usr/sbin/.%'
 OR file.path LIKE '/var/.%'
+ OR file.path LIKE '/var/%/.%'
 OR file.path LIKE '/var/lib/.%'
 OR file.path LIKE '/var/tmp/.%'
- ) -- Avoid mentioning extremely temporary files
+ )
+ AND file.path NOT LIKE '%/../'
+ AND file.path NOT LIKE '%/./' -- Avoid mentioning extremely temporary files
 AND strftime('%s', 'now') - file.ctime > 20
 AND file.path NOT IN (
 '/.autorelabel',
 '/dev/.mdadm/',
 '/etc/.clean',
 '/etc/.java/',
+ '/etc/.resolv.conf.systemd-resolved.bak',
 '/etc/selinux/.config_backup',
 '/etc/skel/.mozilla/',
 '/.file',
- '/tmp/../',
- '/tmp/./',
- '/tmp/.DS_Store',
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 '/tmp/._contentbarrier_installed',
 '/tmp/.dotnet/',
 '/tmp/.dracula-tmux-data',
 '/tmp/.dracula-tmux-weather.lock',
+ '/tmp/.DS_Store',
 '/tmp/.font-unix/',
 '/tmp/.ICE-unix/',
+ '/tmp/.terraform/',
+ '/tmp/.terraform.lock.hcl',
 '/tmp/.Test-unix/',
 '/tmp/.vbox-t-ipc/',
 '/tmp/.X0-lock',
- '/tmp/.X1-lock',
- '/tmp/.X2-lock',
 '/tmp/.X11-unix/',
 '/tmp/.X1-lock',
+ '/tmp/.X2-lock',
 '/tmp/.XIM-unix/',
+ '/var/db/.AppleUpgrade',
+ '/var/db/.com.apple.iokit.graphics',
+ '/var/db/.GKRearmTimer',
+ '/var/db/.LastGKApp',
+ '/var/db/.LastGKReject',
+ '/var/db/.MASManifest',
+ '/var/db/.StagedAppleUpgrade',
+ '/var/db/.SystemPolicy-default',
 '/var/.ntw_cache',
 '/var/.Parallels_swap/',
 '/var/.pwd_cache',
- '/etc/.resolv.conf.systemd-resolved.bak',
+ '/var/root/.bash_history',
+ '/var/root/.cache/',
+ '/var/root/.CFUserTextEncoding',
+ '/var/root/.forward',
+ '/var/root/.nix-channels',
+ '/var/root/.nix-defexpr/',
+ '/var/root/.nix-profile/',
+ '/var/root/.osquery/',
+ '/var/root/.Trash/',
+ '/var/run/.heim_org.h5l.kcm-socket',
+ '/var/run/.sim_diagnosticd_socket',
+ '/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
 '/.vol/',
 '/.VolumeIcon.icns'
 )
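Review bot: `'/var/root/.forward'` is added to the NOT IN list as an unconditional exact-path exclusion, but a `.forward` in root's home is a classic Unix persistence path (local mail delivery will pipe to whatever command it names), so a non-empty one should still surface in an evasion query rather than be silently dropped. Following the conditional-exclusion pattern this file already uses further down, take it out of the list and write `AND NOT (file.path = '/var/root/.forward' AND file.size = 0)` so only an empty stock file is ignored — whether the stock macOS file is in fact empty should be confirmed before pinning the size. Separately, `'/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/'` embeds what looks like a host- or boot-specific hex identifier, so the exact match will only silence it on the machine it was captured from; `AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/'` alongside the other NOT LIKE patterns is more durable. The enclosing WHERE clause begins before and continues after this hunk.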
@@ -97,8 +117,6 @@ WHERE
 AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
 AND file.path NOT LIKE '/tmp/.X1%-lock'
 AND file.path NOT LIKE '/usr/local/%/.keepme'
- AND file.path NOT LIKE '%/../'
- AND file.path NOT LIKE '%/./'
 AND file.path NOT LIKE '%/.build-id/'
 AND file.path NOT LIKE '%/.dwz/'
 AND file.path NOT LIKE '%/.updated'
@@ -133,3 +151,7 @@ WHERE
 AND file.type = 'socket'
 AND file.size = 0
 )
+ AND NOT (
+ file.path = '/var/root/.oracle_jre_usage/'
+ AND file.size = 96
+ )
\ No newline at end of file
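Review bot: The new exclusion in the second hunk pins `/var/root/.oracle_jre_usage/` to `file.size = 96`, which for a directory path is presumably the directory's reported size — a value that varies with the filesystem and the number of entries, so it will drift on other hosts (bringing the noise back) while never asserting the property that matters. Match on what is stable instead, `file.path = '/var/root/.oracle_jre_usage/' AND file.type = 'directory'`, so a regular file planted under that name is still reported, and add a short comment if the size pin is kept deliberately, e.g. `-- 96: expected directory size on APFS; confirm on other filesystems`. The patch also leaves the file without a trailing newline (`\ No newline at end of file`), which will show up as churn in the next diff. This condition sits at the tail of a WHERE clause that begins well before the hunk.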