Hidden Home Config Dir

osquery
Find unexpected hidden files in a user's config directory
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Find unexpected hidden files in a user's config directory
--
-- references:
--   * https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
--
-- false positives:
--   * programs which create new Library directories
--
-- tags: persistent state filesystem
-- platform: posix
SELECT
  file.path,
  file.type,
  file.size,
  file.mtime,
  file.uid,
  file.ctime,
  file.gid,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  (
    file.path LIKE '/home/%/.config/.%'
    OR file.path LIKE '/home/%/.config/.%/%'
    OR file.path LIKE '/home/%/.config/%%/.%/.%'
    OR file.path LIKE '/home/%/.config/%%/.%/%'
    OR file.path LIKE '/root/.%/.%/%'
    OR file.path LIKE '/root/.config/.%/%'
    OR file.path LIKE '/root/.config/%%/.%/.%'
    OR file.path LIKE '/root/.config/%%/.%/%'
  )
  AND file.path NOT LIKE '/home/%/.config/.gsd-keyboard.settings-ported'
  AND file.path NOT LIKE '/home/%/.config/.org.chromium.Chromium.%'
  AND file.path NOT LIKE '/home/%/.config/%/.git%'
  AND file.path NOT LIKE '/root/.cache/.flatpak/%'
  AND file.path NOT LIKE '/root/.debug/.build-id/%'
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
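To see which paths this WHERE clause surfaces and which the NOT LIKE exclusions suppress, here is an added example (not part of the ODK project) that emulates SQLite LIKE semantics in Python and runs the query's own patterns over constructed sample paths; the helper names and sample paths are assumptions for illustration.

```python
import re

# Positive patterns copied from the query's WHERE clause (SQL LIKE syntax).
INCLUDE = [
    "/home/%/.config/.%",
    "/home/%/.config/.%/%",
    "/home/%/.config/%%/.%/.%",
    "/home/%/.config/%%/.%/%",
    "/root/.%/.%/%",
    "/root/.config/.%/%",
    "/root/.config/%%/.%/.%",
    "/root/.config/%%/.%/%",
]
# Known-benign exclusions (the query's NOT LIKE clauses); the last two drop
# the '.' and '..' directory entries that a '.%' glob would otherwise pick up.
EXCLUDE = [
    "/home/%/.config/.gsd-keyboard.settings-ported",
    "/home/%/.config/.org.chromium.Chromium.%",
    "/home/%/.config/%/.git%",
    "/root/.cache/.flatpak/%",
    "/root/.debug/.build-id/%",
    "%/../%",
    "%/./%",
]

def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL LIKE pattern to a compiled regex: '%' matches any run of
    characters, '_' exactly one, everything else is literal. SQLite's LIKE is
    case-insensitive for ASCII, so IGNORECASE mirrors what osquery evaluates."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)

_INC = [like_to_regex(p) for p in INCLUDE]
_EXC = [like_to_regex(p) for p in EXCLUDE]

def would_alert(path: str) -> bool:
    """True if the query's WHERE clause would return a row for this path."""
    if not any(r.fullmatch(path) for r in _INC):
        return False
    return not any(r.fullmatch(path) for r in _EXC)

def triage(paths):
    """Return the subset of paths the query would surface, in input order."""
    return [p for p in paths if would_alert(p)]

# Constructed sample paths (hypothetical, not real findings).
SAMPLE_PATHS = [
    "/home/alice/.config/.hidden-updater",             # hidden file under .config
    "/home/alice/.config/.hidden/agent.sh",            # hidden dir under .config
    "/home/alice/.config/myapp/.cache/x",              # hidden dir one level down
    "/home/alice/.config/myapp/.git/config",           # git metadata, excluded
    "/home/alice/.config/.org.chromium.Chromium.abc",  # Chromium temp dir, excluded
    "/root/.config/systemd/.x/run",                    # root variant
    "/home/alice/.config/myapp/settings.json",         # ordinary file, not hidden
]
```

Running `triage(SAMPLE_PATHS)` returns the first three paths plus the `/root/.config/systemd/.x/run` entry; when tuning the exclusion list for a fleet, add a benign path here first and confirm it drops out before editing the deployed query.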


Reference

https://github.com/chainguard-dev/osquery-defense-kit