RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/detection/evasion/hidden-home-config-dir.sql

43 lines
1.3 KiB
SQL
Raw Blame History

-- Find unexpected hidden files in a users config directory
--
-- references:
-- * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
--
-- false positives:
-- * programs which create new Library directories
--
-- tags: persistent state filesystem
-- platform: posix
SELECT
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE "/home/%/.config/.%"
OR file.path LIKE '/home/%/.config/%%/.%/%'
OR file.path LIKE '/home/%/.config/.%/%'
OR file.path LIKE '/home/%/.config/%%/.%/.%'
OR file.path LIKE '/root/.config/%%/.%/%'
OR file.path LIKE '/root/.config/.%/%'
OR file.path LIKE '/root/.config/%%/.%/.%'
OR file.path LIKE '/root/.%/.%/%'
)
AND file.path NOT LIKE '%/../%'
AND file.path NOT LIKE '%/./%'
AND file.path NOT LIKE '/root/.cache/.flatpak/%'
AND file.path NOT LIKE '/root/.debug/.build-id/%'
AND file.path NOT LIKE '/home/%/.config/%/.git%'
AND file.path NOT LIKE '/home/%/.config/.gsd-keyboard.settings-ported'
AND file.path NOT LIKE '/home/%/.config/.org.chromium.Chromium.%'
Reference in New Issue View Git Blame Copy Permalink