osquery-defense-kit/detection/evasion/old-binaries-running.sql

33 lines
906 B
SQL

-- Alert on programs running that are unusually old (poor timestomping)
--
-- false positive:
-- * legimitely ancient programs. For instance, printer drivers.
--
-- references:
-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
--
-- tags: transient process state
SELECT
p.path,
p.cmdline,
p.cwd,
((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days,
((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days,
h.sha256,
f.uid,
f.gid
FROM
processes p
JOIN file f ON p.path = f.path
JOIN hash h ON p.path = h.path
WHERE
(
ctime_age_days > 1050
OR mtime_age_days > 1050
)
AND p.path NOT LIKE '%/opt/brackets/Brackets%'
AND h.sha256 NOT IN (
'f61dcfce6f0c04263780700e0e9a8ff2363edefc344c08bd792fd401ddaa160f' -- jp.co.canon.MSU.app.Installer
)