mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-08 05:26:52 +00:00
45 lines
1.4 KiB
SQL
45 lines
1.4 KiB
SQL
-- Inspired by Operation Earth Berberoka
|
|
-- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
|
|
|
|
SELECT
|
|
file.path,
|
|
uid,
|
|
gid,
|
|
mode,
|
|
mtime,
|
|
ctime,
|
|
type,
|
|
size,
|
|
hash.sha256,
|
|
magic.data
|
|
FROM
|
|
file
|
|
LEFT JOIN hash ON file.path = hash.path
|
|
LEFT JOIN magic ON file.path = magic.path
|
|
WHERE
|
|
file.path LIKE "/usr/lib/udev/rules.d/%"
|
|
AND file.size < 180
|
|
AND file.path NOT IN (
|
|
"/usr/lib/udev/rules.d/60-rfkill.rules",
|
|
"/usr/lib/udev/rules.d/50-apport.rules",
|
|
"/usr/lib/udev/rules.d/60-net.rules",
|
|
"/usr/lib/udev/rules.d/61-mutter.rules",
|
|
"/usr/lib/udev/rules.d/66-saned.rules",
|
|
"/usr/lib/udev/rules.d/70-hypervfcopy.rules",
|
|
"/usr/lib/udev/rules.d/70-hypervkvp.rules",
|
|
"/usr/lib/udev/rules.d/70-hypervvss.rules",
|
|
"/usr/lib/udev/rules.d/70-spice-vdagentd.rules",
|
|
"/usr/lib/udev/rules.d/70-spice-webdavd.rules",
|
|
"/usr/lib/udev/rules.d/75-probe_mtd.rules",
|
|
"/usr/lib/udev/rules.d/85-hdparm.rules",
|
|
"/usr/lib/udev/rules.d/85-regulatory.rules",
|
|
"/usr/lib/udev/rules.d/90-daxctl-device.rules",
|
|
"/usr/lib/udev/rules.d/91-drm-modeset.rules",
|
|
"/usr/lib/udev/rules.d/96-e2scrub.rules",
|
|
"/usr/lib/udev/rules.d/99-fuse.rules",
|
|
"/usr/lib/udev/rules.d/99-fuse3.rules",
|
|
"/usr/lib/udev/rules.d/99-libsane1.rules",
|
|
"/usr/lib/udev/rules.d/99-nfs.rules",
|
|
"/usr/lib/udev/rules.d/99-qemu-guest-agent.rules"
|
|
)
|