Unexpected Process Extension Linux

osquery
Processes that have an unusual extension
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Processes that have an unusual extension
--
-- false positives:
--   * none observed
--
-- references:
--   * https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
--
-- tags: persistent process state
-- platform: linux
SELECT
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
  p0.start_time AS p0_start,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  REGEX_MATCH (p0.path, '.*\\/(.*?)$', 1) AS basename,
  REGEX_MATCH (p0.path, '.*\\.(\\w+)$', 1) AS extension,
  p0.cgroup_path AS p0_cgroup,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1.start_time AS p1_start,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.start_time AS p2_start,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  processes p0
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
  extension IS NOT NULL
  AND extension NOT IN (
    '0',
    '1',
    '2',
    '3',
    '4',
    '5',
    '7',
    '10',
    '11',
    '12',
    '13',
    '14',
    '15',
    '16',
    '17',
    '18',
    '19',
    '20',
    '21',
    '22',
    '23',
    '24',
    '25',
    '26',
    '27',
    '28',
    '29',
    '30',
    '31',
    '32',
    '33',
    '34',
    'AppImage',
    'backend',
    'basic',
    'bfd',
    'bin',
    'build',
    'emacs',
    'ext',
    'nox',
    'real',
    'test',
    'tiny'
  )
  AND NOT basename IN ('io.elementary.appcenter')
  AND NOT basename IN ('rpc.mountd')
  AND NOT basename LIKE 'kubectl-%'
  AND NOT basename LIKE 'ld-%.so'
  AND NOT basename LIKE 'python2.%'
  AND NOT basename LIKE 'python3.%'
  AND NOT basename LIKE 'terraform-provider%'
  AND NOT basename LIKE 'unison-%'

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit