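-- Detects unexpected programs opening files in /dev on Linux
--
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
-- false positives:
-- * any program which needs access to device drivers
--
-- platform: linux
-- tags: persistent state sniffer
--
-- Every open /dev/* file descriptor is paired with the opening process, its
-- parent and grandparent, and two normalized "device,opener" keys
-- (path_exception and dir_exception) that the allow-lists below match on.
-- The opener in those keys is the basename of p0.path, i.e. the executable
-- as the process chose to present it; it is not a trust anchor, which is why
-- the sha256 columns are emitted alongside for corroboration.
SELECT
  pof.path AS device,
  -- '<device>,<opener basename>' where the device path has a ' (deleted)'
  -- suffix and any trailing digits/spaces stripped, so one entry such as
  -- '/dev/video,ffmpeg' covers /dev/video0, /dev/video1, ...
  CONCAT (
    CASE
      WHEN REGEX_MATCH (
        TRIM(REPLACE(pof.path, ' (deleted)', '')),
        '(/dev/.*)[\d ]+$',
        1
      ) != '' THEN REGEX_MATCH (
        TRIM(REPLACE(pof.path, ' (deleted)', '')),
        '(/dev/.*)[\d ]+$',
        1
      )
      -- no trailing digits: use the cleaned path unchanged
      ELSE TRIM(REPLACE(pof.path, ' (deleted)', ''))
    END,
    ',',
    -- basename of the opener: RTRIM with the set of all non-'/' characters in
    -- the path strips everything after the last '/', leaving the directory
    -- prefix, which is then removed from the full path
    REPLACE(
      p0.path,
      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
      ''
    )
  ) AS path_exception,
  -- '<device directory>,<opener basename>' e.g. '/dev/shm,firefox';
  -- built by deleting '/<device basename>' from the device path.
  -- NOTE(review): REPLACE removes every occurrence, so a device whose
  -- basename also appears as an earlier path component would be mangled —
  -- none of the listed exceptions depend on such a path.
  CONCAT (
    TRIM(
      REPLACE(
        pof.path,
        CONCAT (
          '/',
          REPLACE(
            pof.path,
            RTRIM(pof.path, REPLACE(pof.path, '/', '')),
            ''
          )
        ),
        ''
      )
    ),
    ',',
    REPLACE(
      p0.path,
      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
      ''
    )
  ) AS dir_exception,
  -- Child (the process holding the descriptor)
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.cgroup_path AS p0_cgroup,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1_f.mode AS p1_mode,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  process_open_files pof
  -- LEFT JOINs keep a descriptor row even when the process has already
  -- exited or its binary is gone, rather than silently dropping it
  LEFT JOIN processes p0 ON pof.pid = p0.pid
  -- NOTE(review): hash reflects the file currently at p0.path, which can
  -- differ from the executing image if the binary was replaced after exec
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN file p1_f ON p1.path = p1_f.path
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
  pof.path LIKE '/dev/%'
  -- devices opened by too many legitimate programs to attribute by opener
  AND pof.path NOT IN (
    '/dev/dri/card0',
    '/dev/dri/card1',
    '/dev/dri/renderD128',
    '/dev/dri/renderD129',
    '/dev/fuse',
    '/dev/io8log',
    '/dev/io8logmt',
    '/dev/io8logtemp',
    '/dev/null',
    '/dev/nvidia-modeset',
    '/dev/nvidia-uvm',
    '/dev/nvidia0',
    '/dev/nvidiactl',
    '/dev/ptmx',
    '/dev/pts/ptmx',
    '/dev/shm/u1000-ValveIPCSharedObj-Steam',
    '/dev/random',
    '/dev/rfkill',
    '/dev/snd/seq',
    '/dev/urandom',
    '/dev/vga_arbiter',
    '/dev/video10' -- workaround for poor regex management (ffmpeg)
  )
  AND pof.path NOT LIKE '/dev/pts/%'
  AND pof.path NOT LIKE '/dev/snd/%'
  AND pof.path NOT LIKE '/dev/tty%'
  AND pof.path NOT LIKE '/dev/hidraw%'
  AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
  AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
  -- Zoom
  AND pof.path NOT LIKE '/dev/shm/aomshm.%'
  AND pof.path NOT LIKE '/dev/shm/authentik_%'
  -- directory-level exceptions: '<device dir>,<opener>'
  AND NOT dir_exception IN (
    '/dev/bus/usb,pcscd',
    '/dev/input,acpid',
    '/dev/input,gnome-shell',
    '/dev/input,systemd',
    '/dev/input,systemd-logind',
    '/dev/input,thermald',
    '/dev/input,upowerd',
    '/dev/input,Xorg',
    '/dev/input,Hyprland',
    '/dev/net,tailscaled',
    '/dev/net,.tailscaled-wrapped',
    '/dev/net/tun,qemu-system-x86_64',
    '/dev/shm,1password',
    '/dev/shm,Brackets',
    '/dev/shm,chrome',
    '/dev/shm,code',
    '/dev/shm,electron',
    '/dev/shm,firefox',
    '/dev/shm,gameoverlayui',
    '/dev/shm,gopls',
    '/dev/shm,hl2_linux',
    '/dev/shm,java',
    '/dev/shm,jcef_helper',
    '/dev/shm,Melvor Idle',
    '/dev/shm,reaper',
    '/dev/shm,slack',
    '/dev/shm,spotify',
    '/dev/shm,steam',
    '/dev/shm,xdg-desktop-portal-hyprland',
    '/dev/shm,Hyprland',
    '/dev/shm,steamwebhelper',
    '/dev/shm,wine64-preloader',
    '/dev/shm,winedevice.exe',
    '/dev/snd,alsactl',
    '/dev/snd,pipewire',
    '/dev/snd,pulseaudio',
    '/dev/snd,.pulseaudio-wrapped',
    '/dev/snd,wireplumber',
    '/dev/usb,apcupsd',
    '/dev/usb,upowerd'
  )
  -- device-level exceptions: '<device sans trailing digits>,<opener>'
  AND NOT path_exception IN (
    '/dev/autofs,systemd',
    '/dev/cpu/0/msr,nvidia-powerd',
    '/dev/drm_dp_aux,fwupd',
    '/dev/fb,Xorg',
    '/dev/hidraw,chrome',
    '/dev/hwrng,rngd',
    '/dev/input/event,thermald',
    '/dev/input/event,touchegg',
    '/dev/input/event,Xorg',
    '/dev/kmsg,bpfilter_umh',
    '/dev/kmsg,dmesg',
    '/dev/kmsg,k3s',
    '/dev/kmsg,kubelet',
    '/dev/kmsg,systemd',
    '/dev/kmsg,systemd-coredump',
    '/dev/kmsg,systemd-journald',
    '/dev/kvm,qemu-system-x86_64',
    '/dev/mapper/control,dockerd',
    '/dev/mapper/control,gpartedbin',
    '/dev/mapper/control,multipathd',
    '/dev/mcelog,mcelog',
    '/dev/media0,pipewire',
    '/dev/media0,wireplumber',
    '/dev/media,pipewire',
    '/dev/media,wireplumber',
    '/dev/net/tun,openvpn',
    '/dev/net/tun,slirp4netns',
    '/dev/shm/envoy_shared_memory_1,envoy',
    '/dev/tpmrm,launcher',
    '/dev/tty,agetty',
    '/dev/tty,gdm-wayland-session',
    '/dev/tty,gdm-x-session',
    '/dev/tty,systemd-logind',
    '/dev/tty,Xorg',
    '/dev/uhid,bluetoothd',
    '/dev/uinput,bluetoothd',
    '/dev/usb/hiddev,apcupsd',
    '/dev/usb/hiddev,upowerd',
    '/dev/video0,chrome',
    '/dev/video,brave',
    '/dev/video,cheese',
    '/dev/video,chrome',
    '/dev/video,ffmpeg',
    '/dev/video,firefox',
    '/dev/video,guvcview',
    '/dev/video,obs',
    '/dev/video,obs-ffmpeg-mux',
    '/dev/video,pipewire',
    '/dev/video,slack',
    '/dev/video,vlc',
    '/dev/video,wireplumber',
    '/dev/video,zoom',
    '/dev/video,zoom.real',
    '/dev/zfs,',
    '/dev/zfs,zed',
    '/dev/zfs,zfs',
    '/dev/zfs,zpool'
  )
  -- Halflife
  AND path_exception NOT LIKE '/dev/shm/u1000-Shm_%,bash'
  -- lvmdbusd: the ',' pins the opener to python3.x, as in the celery
  -- pattern below; without it the wildcard could also swallow the separator
  AND path_exception NOT LIKE '/dev/shm/pym-%,python3.%'
  -- celery
  AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
  -- USB enumerators: keyed on p0.name (the kernel comm, which appears to be
  -- truncated to 15 characters, hence both gvfs-gphoto2-vo spellings)
  AND NOT (
    pof.path LIKE '/dev/bus/usb/%'
    AND p0.name IN (
      'adb',
      'fprintd',
      'fwupd',
      'gphoto2',
      'gvfsd-gphoto2',
      'gvfsd-mtp',
      'gvfs-gphoto2-vo',
      'gvfs-gphoto2-volume-monitor',
      'pcscd',
      'streamdeck',
      'usbmuxd'
    )
  )
-- one row per process; with SQLite bare-column semantics the reported
-- device is an arbitrary one of that process's flagged descriptors
GROUP BY
  pof.pid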