mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-10 14:37:03 +00:00
39 lines
1.0 KiB
SQL
39 lines
1.0 KiB
SQL
-- Find unexpected hidden files in a users config directory
|
|
--
|
|
-- references:
|
|
-- * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
|
|
--
|
|
-- false positives:
|
|
-- * programs which create new Library directories
|
|
--
|
|
-- tags: persistent state filesystem
|
|
-- platform: linux
|
|
SELECT
|
|
file.path,
|
|
file.type,
|
|
file.size,
|
|
file.mtime,
|
|
file.uid,
|
|
file.ctime,
|
|
file.gid,
|
|
hash.sha256,
|
|
magic.data
|
|
FROM
|
|
file
|
|
LEFT JOIN hash ON file.path = hash.path
|
|
LEFT JOIN magic ON file.path = magic.path
|
|
WHERE
|
|
(
|
|
file.path LIKE '/home/%/.config/%%/.%/%'
|
|
OR file.path LIKE '/home/%/.config/.%/%'
|
|
OR file.path LIKE '/home/%/.config/%%/.%/.%'
|
|
OR file.path LIKE '/root/.config/%%/.%/%'
|
|
OR file.path LIKE '/root/.config/.%/%'
|
|
OR file.path LIKE '/root/.config/%%/.%/.%'
|
|
OR file.path LIKE '/root/.%/.%/%'
|
|
)
|
|
AND file.path NOT LIKE '%/../%'
|
|
AND file.path NOT LIKE '%/./%'
|
|
AND file.path NOT LIKE '/root/.debug/.build-id/%'
|
|
AND file.path NOT LIKE '/home/%/.config/%/.git%'
|