RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-18 02:17:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
49f2d5a579
osquery-defense-kit/fs/unexpected-dev-entries.sql
Thomas Stromberg 5b7858e3cf
More false-positive removal
2022-09-27 11:54:17 -04:00

42 lines
1.2 KiB
SQL
Raw Blame History

-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
SELECT
file.path,
file.type,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE "/dev/shm/%%"
OR file.path LIKE "/dev/shm/.%"
OR file.path LIKE "/dev/shm/.%/%"
OR file.path LIKE "/dev/%/.%"
OR file.path LIKE "/dev/.%"
OR file.path LIKE "/dev/.%/%"
OR file.path LIKE "/dev/mqueue/%%"
OR file.path LIKE "/dev/mqueue/.%/%"
OR file.path LIKE "/dev/mqueue/.%"
)
AND file.path NOT LIKE '/dev/shm/.com.google.%'
AND file.path NOT LIKE '/dev/shm/.org.chromium.%'
AND file.path NOT LIKE '/dev/shm/wayland.mozilla.%'
AND file.path NOT LIKE "/dev/shm/jack_db%"
AND file.path NOT LIKE "/dev/shm/lttng-ust-wait-%"
AND file.path NOT LIKE "/dev/shm/flatpak-%"
AND file.path NOT LIKE "/dev/shm/libpod_rootless_lock_%"
AND file.path NOT LIKE "%/../%"
AND file.path NOT LIKE "%/./%"
AND filename NOT IN ('..')
AND filename NOT LIKE "pulse-shm-%"
AND filename NOT LIKE "u1000-Shm%"
AND filename NOT LIKE "u1000-Valve%"
AND file.path NOT IN ('/dev/.mdadm/')
Reference in New Issue View Git Blame Copy Permalink