RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-19 11:16:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
26ee658c4a
osquery-defense-kit/detection/evasion/unexpected-var-executables-linux.sql

32 lines
600 B
SQL
Raw Blame History

-- Find unexpected executables in /var
SELECT
file.path,
file.directory,
uid,
gid,
mode,
file.mtime,
file.size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(file.path LIKE "/var/%%")
AND file.type = "regular"
AND (
file.mode LIKE "%7%"
or file.mode LIKE "%5%"
or file.mode LIKE "%1%"
)
AND file.directory NOT IN (
"/var/lib/colord",
"/var/ossec/agentless",
"/var/ossec/bin",
"/var/ossec/wodles",
"/var/run/booted-system",
"/var/run/current-system"
)
Reference in New Issue View Git Blame Copy Permalink