Unexpected Etc Executables

osquery
Find unexpected executables in /etc
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

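-- Find unexpected executables in /etc
--
-- Detection query: it is expected to return zero rows on a healthy host, so
-- every row returned is an alertable finding. The allow lists below name
-- known-benign executable locations; tune them rather than loosening the
-- mode filter.
--
-- references:
--   * https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
--
-- tags: persistent
-- platform: posix
SELECT
  file.path,
  file.directory,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data
FROM
  file
  -- NOTE(review): hashing is I/O-heavy if the planner evaluates these joins
  -- before the mode filter narrows the file set; confirm with osquery's
  -- query profiling before scheduling this at a short interval.
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  -- '%%' is osquery's recursive wildcard for the file table: walk all of
  -- /etc, not just one directory level.
  (file.path LIKE '/etc/%%')
  AND file.type = 'regular'
  -- An octal mode digit carries the execute bit when it is 1, 3, 5 or 7.
  -- '3' (write+execute) was missing, so such files were never reported.
  AND (
    file.mode LIKE '%7%'
    OR file.mode LIKE '%5%'
    OR file.mode LIKE '%3%'
    OR file.mode LIKE '%1%'
  )
  -- Directories that legitimately hold hook scripts and executables. They
  -- are excluded wholesale, so new files inside them are out of scope here.
  AND file.directory NOT IN (
    '/etc/acpi',
    '/etc/acpi/actions',
    '/etc/alternatives',
    '/etc/ansible/facts.d',
    '/etc/apcupsd',
    '/etc/apm/resume.d',
    '/etc/apm/scripts.d',
    '/etc/apm/suspend.d',
    '/etc/avahi',
    '/etc/bash_completion.d',
    '/etc/brltty/Contraction',
    '/etc/ca-certificates/update.d',
    '/etc/chromium/native-messaging-hosts',
    '/etc/cifs-utils',
    '/etc/cloud/clean.d/99-installer-use-networkmanager',
    '/etc/console-setup',
    '/etc/cron.daily',
    '/etc/cron.hourly',
    '/etc/cron.monthly',
    '/etc/cron.weekly',
    '/etc/dconf/db/distro.d',
    '/etc/dconf/db/distro.d/locks',
    '/etc/dhcp/dhclient-enter-hooks.d',
    '/etc/dhcp/dhclient-exit-hooks.d',
    '/etc/dhcp/dhclient.d',
    '/etc/distrobox',
    '/etc/dkms',
    '/etc/etckeeper/commit.d',
    '/etc/flatpak/remotes.d',
    '/etc/gdm',
    '/etc/gdm/Init',
    '/etc/gdm/PostLogin',
    '/etc/gdm/PostSession',
    '/etc/gdm/PreSession',
    '/etc/gdm3',
    '/etc/gdm3/Init',
    '/etc/gdm3/PostLogin',
    '/etc/gdm3/PostSession',
    '/etc/gdm3/PreSession',
    '/etc/gdm3/Prime',
    '/etc/gdm3/PrimeOff',
    '/etc/grub.d',
    '/etc/httpd/modules',
    '/etc/ifplugd',
    '/etc/ifplugd/action.d',
    '/etc/init.d',
    '/etc/initramfs/post-update.d',
    '/etc/kde/shutdown',
    '/etc/kernel/header_postinst.d',
    '/etc/kernel/install.d',
    '/etc/kernel/postinst.d',
    '/etc/kernel/postrm.d',
    '/etc/kernel/preinst.d',
    '/etc/kernel/prerm.d',
    '/etc/lightdm',
    '/etc/localtime',
    '/etc/mc',
    '/etc/mcelog/triggers',
    '/etc/menu-methods',
    '/etc/needrestart/hook.d',
    '/etc/needrestart/notify.d',
    '/etc/needrestart/restart.d',
    '/etc/network',
    '/etc/network/if-down.d',
    '/etc/network/if-post-down.d',
    '/etc/network/if-pre-up.d',
    '/etc/network/if-up.d',
    '/etc/NetworkManager/dispatcher.d',
    '/etc/nix/result',
    '/etc/nix/result/sw/bin',
    '/etc/openvpn',
    '/etc/periodic/daily',
    '/etc/periodic/monthly',
    '/etc/periodic/weekly',
    '/etc/pinentry',
    '/etc/pki/tls/misc',
    '/etc/pm/sleep.d',
    '/etc/pop-os/update-motd.d',
    '/etc/ppp',
    '/etc/ppp/ip-down.d',
    '/etc/ppp/ip-up.d',
    '/etc/ppp/ipv6-up.d',
    '/etc/profile.d',
    '/etc/qemu-ga',
    '/etc/rc.d/init.d',
    '/etc/rc.d/rc0.d',
    '/etc/rc.d/rc1.d',
    '/etc/rc.d/rc2.d',
    '/etc/rc.d/rc3.d',
    '/etc/rc.d/rc4.d',
    '/etc/rc.d/rc5.d',
    '/etc/rc.d/rc6.d',
    '/etc/rc0.d',
    '/etc/rc1.d',
    '/etc/rc2.d',
    '/etc/rc3.d',
    '/etc/rc4.d',
    '/etc/rc5.d',
    '/etc/rc6.d',
    '/etc/rcS.d',
    '/etc/rdnssd',
    '/etc/redhat-lsb',
    '/etc/resolvconf/update-libc.d',
    '/etc/resolvconf/update.d',
    '/etc/schroot/setup.d',
    '/etc/security',
    '/etc/skel',
    '/etc/smartmontools',
    '/etc/smartmontools/run.d',
    '/etc/ssl/certs',
    '/etc/ssl/misc',
    '/etc/ssl/trust-source',
    '/etc/sysconfig/network-scripts',
    '/etc/systemd/system-shutdown',
    '/etc/systemd/system',
    '/etc/systemd/system/graphical.target.wants',
    '/etc/udev/rules.d',
    '/etc/update-motd.d',
    '/etc/vmware-tools',
    '/etc/vmware-tools/scripts/vmware',
    '/etc/vpnc',
    '/etc/wpa_supplicant',
    '/etc/X11',
    '/etc/X11/xinit',
    '/etc/X11/xinit/xinitrc.d',
    '/etc/xdg/Xwayland-session.d',
    '/etc/zfs-fuse',
    '/etc/zfs/zed.d',
    '/etc/zfs/zpool.d'
  )
  -- Individual files that are expected to be executable.
  AND file.path NOT IN (
    '/etc/auto.net',
    '/etc/auto.smb',
    '/etc/cloud/clean.d/99-installer-use-networkmanager',
    '/etc/cloud/clean.d/99-installer',
    '/etc/cron.yearly/0anacron',
    '/etc/grub2-efi.cfg',
    '/etc/grub2.cfg',
    '/etc/hibernate.sh',
    '/etc/libpaper.d/texlive-base',
    '/etc/modulefiles/vpl',
    '/etc/nftables.conf',
    '/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
    '/etc/paths.d/100-rvictl',
    '/etc/pcp/pmcd/rc.local',
    '/etc/pcp/pmie/rc',
    '/etc/pcp/pmlogger/rc',
    '/etc/pcp/pmproxy/rc',
    '/etc/pki/tls/certs/make-dummy-cert',
    '/etc/pki/tls/certs/renew-dummy-cert',
    '/etc/postfix/post-install',
    '/etc/postfix/postfix-script',
    '/etc/profile',
    '/etc/pwrstatd.conf',
    '/etc/qemu-ifdown',
    '/etc/qemu-ifup',
    '/etc/rmt',
    '/etc/sddm/wayland-session',
    '/etc/sddm/Xsession',
    '/etc/sddm/Xsetup',
    '/etc/sddm/Xstop',
    '/etc/shutdown.sh',
    '/etc/sudoers.d/lima',
    '/etc/sv/ssh/finish',
    '/etc/sv/ssh/log/run',
    '/etc/sv/ssh/run',
    '/etc/udev/powersave.sh',
    '/etc/vpl/vars.sh'
  )
  -- Exclusions that need a pattern rather than an exact path. The asciidoc
  -- clause was a positive LIKE, which restricted the whole query to
  -- /etc/asciidoc and silently hid every other finding; it is an exclusion.
  AND file.directory NOT LIKE '/etc/asciidoc/%'
  AND file.path NOT LIKE '/etc/etckeeper/%'
  -- Nix (on macOS) -- actually a symbolic link
  AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%'
  AND file.path NOT LIKE '/etc/pwrstatd-%.sh'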


Reference

https://github.com/chainguard-dev/osquery-defense-kit