RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/fs/unexpected-dev-entries.sql

30 lines
1.2 KiB
SQL
Raw Blame History

-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
SELECT file.path, file.type, file.mtime, file.uid, file.ctime, file.gid, hash.sha256, magic.data
FROM file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
file.path LIKE "/dev/shm/%%"
OR file.path LIKE "/dev/shm/.%"
OR file.path LIKE "/dev/shm/.%/%"
OR file.path LIKE "/dev/%/.%"
OR file.path LIKE "/dev/.%"
OR file.path LIKE "/dev/.%/%"
OR file.path LIKE "/dev/mqueue/%%"
OR file.path LIKE "/dev/mqueue/.%/%"
OR file.path LIKE "/dev/mqueue/.%"
)
AND file.path NOT LIKE '/dev/shm/.com.google.%'
AND file.path NOT LIKE '/dev/shm/.org.chromium.%'
AND file.path NOT LIKE '/dev/shm/wayland.mozilla.%'
AND file.path NOT LIKE "/dev/shm/jack_db%"
AND file.path NOT LIKE "/dev/shm/flatpak-%"
AND file.path NOT LIKE "/dev/shm/libpod_rootless_lock_%"
AND file.path NOT LIKE "%/../%"
AND file.path NOT LIKE "%/./%"
AND filename NOT IN ('..')
AND filename NOT LIKE "pulse-shm-%"
AND filename NOT LIKE "u1000-Shm%"
AND filename NOT LIKE "u1000-Valve%"
AND file.path NOT IN ('/dev/.mdadm/')
Reference in New Issue View Git Blame Copy Permalink