osquery-defense-kit/detection/evasion/unexpected-dev-executables-linux.sql

-- Find unexpected executables in /dev
SELECT
  file.path,
  file.directory,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
  -- For some reason /dev/%% is not recursive?
WHERE
  (
    file.path LIKE '/dev/%%'
    OR file.path LIKE '/dev/%%/%%'
  )
  AND file.type = 'regular'
  AND (
    file.mode LIKE '%7%'
    or file.mode LIKE '%5%'
    or file.mode LIKE '%1%'
  )