osquery-defense-kit/detection/evasion/unexpected-etc-executables-linux.sql

131 lines
3.1 KiB
SQL

-- Find unexpected executables in /etc
-- Motivation: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
SELECT
file.path,
file.directory,
uid,
gid,
mode,
file.mtime,
file.size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(file.path LIKE "/etc/%%")
AND file.type = "regular"
AND (
file.mode LIKE "%7%"
or file.mode LIKE "%5%"
or file.mode LIKE "%1%"
)
AND file.directory NOT IN (
"/etc/X11/xinit/xinitrc.d",
"/etc/apcupsd",
"/etc/menu-methods",
"/etc/avahi",
"/etc/chromium/native-messaging-hosts",
"/etc/cifs-utils",
"/etc/cron.hourly",
"/etc/flatpak/remotes.d",
"/etc/gdm/Init",
"/etc/gdm/PostLogin",
"/etc/gdm/PostSession",
"/etc/gdm/PreSession",
"/etc/gdm",
"/etc/grub.d",
"/etc/httpd/modules",
"/etc/ifplugd",
"/etc/init.d",
"/etc/lightdm",
"/etc/pinentry",
"/etc/ppp",
"/etc/ppp/ip-down.d",
"/etc/ppp/ip-up.d",
"/etc/ppp/ipv6-up.d",
"/etc/profile.d",
"/etc/rdnssd",
"/etc/security",
"/etc/skel",
"/etc/ssl/misc",
"/etc/systemd/system",
"/etc/systemd/system/graphical.target.wants",
"/etc/vpnc",
"/etc/xdg/Xwayland-session.d",
"/etc/NetworkManager/dispatcher.d",
"/etc/X11",
"/etc/X11/xinit",
"/etc/acpi",
"/etc/alternatives",
"/etc/apm/resume.d",
"/etc/apm/scripts.d",
"/etc/apm/suspend.d",
"/etc/brltty/Contraction",
"/etc/console-setup",
"/etc/cron.daily",
"/etc/cron.monthly",
"/etc/cron.weekly",
"/etc/dhcp/dhclient-enter-hooks.d",
"/etc/dhcp/dhclient-exit-hooks.d",
"/etc/dkms",
"/etc/gdm3/Init",
"/etc/gdm3/PostLogin",
"/etc/gdm3/PostSession",
"/etc/gdm3/PreSession",
"/etc/gdm3/Prime",
"/etc/gdm3/PrimeOff",
"/etc/gdm3",
"/etc/ifplugd/action.d",
"/etc/kernel/header_postinst.d",
"/etc/kernel/install.d",
"/etc/kernel/postinst.d",
"/etc/kernel/postrm.d",
"/etc/kernel/preinst.d",
"/etc/kernel/prerm.d",
"/etc/network/if-down.d",
"/etc/network/if-post-down.d",
"/etc/network/if-pre-up.d",
"/etc/network/if-up.d",
"/etc/openvpn",
"/etc/pm/sleep.d",
"/etc/rc0.d",
"/etc/rc1.d",
"/etc/rc2.d",
"/etc/rc3.d",
"/etc/rc4.d",
"/etc/rc5.d",
"/etc/rc6.d",
"/etc/rcS.d",
"/etc/update-motd.d",
"/etc/wpa_supplicant",
"/etc/zfs/zed.d",
"/etc/zfs/zpool.d",
"/etc/bash_completion.d",
"/etc/dhcp/dhclient.d",
"/etc/mcelog/triggers",
"/etc/qemu-ga",
"/etc/rc.d/init.d",
"/etc/rc.d/rc0.d",
"/etc/rc.d/rc1.d",
"/etc/rc.d/rc2.d",
"/etc/rc.d/rc3.d",
"/etc/rc.d/rc4.d",
"/etc/rc.d/rc5.d",
"/etc/rc.d/rc6.d",
"/etc/vmware-tools",
"/etc/zfs-fuse",
"/etc/ssl/certs",
"/etc/ssl/trust-source",
"/etc/systemd/system-shutdown"
)
AND file.path NOT IN (
"/etc/nftables.conf",
"/etc/rmt",
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
"/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json"
)