Tiny Executable

osquery

Unusually small programs (state-based)

Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Unusually small programs (state-based)
--
-- references:
--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--
-- tags: transient process state
SELECT
  p.pid,
  p.path,
  p.cmdline,
  file.size,
  p.start_time,
  file.mode,
  file.type,
  p.cwd,
  p.euid,
  p.parent,
  pp.path AS parent_path,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmdline,
  pp.euid AS parent_euid,
  hash.sha256 AS parent_sha256
FROM
  processes p
  LEFT JOIN file ON p.path = file.path
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON pp.path = hash.path
WHERE
  file.size > 0
  AND file.size < 10000
  AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
  AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
  AND NOT file.path LIKE '/home/%/.zsh/completion'
  AND NOT file.path LIKE '/Users/%/.zsh/completion'
  AND NOT file.path IN ('/', '/usr/bin/ruby')
  AND NOT (
    file.path = '/sbin/ldconfig'
    AND pp.euid = 1000
  )

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit