RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-17 01:47:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
0371505d75
osquery-defense-kit/fs/unexpected-dev-entries.sql
Thomas Stromberg c6797e3496
Reorganize paths, tune queries a bit
2022-09-09 12:51:52 -04:00

25 lines
839 B
SQL
Raw Blame History

-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
SELECT path, type, mtime
FROM file
WHERE (
path LIKE "/dev/shm/%%"
OR path LIKE "/dev/shm/.%"
OR path LIKE "/dev/shm/.%/%"
OR path LIKE "/dev/%/.%"
OR path LIKE "/dev/.%"
OR path LIKE "/dev/.%/%"
OR path LIKE "/dev/mqueue/%%"
OR path LIKE "/dev/mqueue/.%/%"
OR path LIKE "/dev/mqueue/.%"
)
AND filename NOT IN ('..')
AND path NOT LIKE "%/./%"
AND path NOT LIKE "%/../%"
AND filename NOT LIKE "pulse-shm-%"
AND filename NOT LIKE "u1000-Shm%"
AND filename NOT LIKE "u1000-Valve%"
AND path NOT LIKE "/dev/shm/jack_db%"
AND path NOT LIKE '/dev/shm/.com.google.%'
AND path NOT LIKE '/dev/shm/.org.chromium.%'
AND path NOT LIKE '/dev/shm/wayland.mozilla.%'
Reference in New Issue View Git Blame Copy Permalink