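-- Files where the timestamp falls along 12-hour boundaries - probably caused by 'touch <date>0000'
--
-- false positives:
--   * 1 in 43200 chance per binary
--
-- references:
--   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
--
-- tags: persistent seldom filesystem
-- platform: linux
SELECT
  file.path,
  DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
  DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
  file.inode,
  file.type,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  -- String literals are single-quoted throughout: SQLite only treats "..." as a string when it
  -- fails to resolve as an identifier, and builds compiled with SQLITE_DQS=0 reject that fallback.
  (
    file.path LIKE '/bin/%%'
    OR file.path LIKE '/etc/%%'
    OR file.path LIKE '/sbin/%%'
    OR file.path LIKE '/lib/%%'
    OR file.path LIKE '/usr/%%'
  )
  -- file.mtime is a UTC unix epoch; only look back 720 days
  AND file.mtime > (strftime('%s', 'now') - (86400 * 720))
  -- Cheap integer pre-filter before the DATETIME() conversion below. Local midnight/noon lands on
  -- a 15-minute boundary in UTC for every zone (offsets are multiples of :15, e.g. +05:30, +05:45);
  -- a `% 3600` test here would silently drop timestomps made in half- and quarter-hour zones.
  AND file.mtime % 900 = 0
  AND file.type = 'regular'
  -- Narrow down to 00:00:00 / 12:00:00 in the user's local timezone (there should be a better way!)
  AND (
    mod_time LIKE '% 12:00:00'
    OR mod_time LIKE '% 00:00:00'
  )
  -- false positives: packaged files that legitimately ship with rounded timestamps
  AND file.filename NOT IN (
    'master.passwd',
    'COPYING',
    'NEWS',
    '_libinput',
    'printcap',
    'strace-log-merge'
  )
  AND file.path NOT LIKE '%/lynis%'
  AND file.path NOT LIKE '%/yelp-xsl%'
  AND file.path NOT LIKE '/etc/cups/%'
  AND file.path NOT LIKE '/usr/share/libinput/%.quirks'
  AND file.path NOT LIKE '/usr/lib64/electron/locales/%.pak'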