Unexpected Tmp Executables Macos

osquery
Find unexpected executables in temp directories, often used by malware droppers
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

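-- Find unexpected executables in temp directories, often used by malware droppers
--
-- false positives:
--   * developers building code out of /tmp
--
-- tags: persistent seldom
-- platform: darwin
--
-- Returns one row per executable regular file found under /tmp (a few levels
-- deep, hidden directories included) that is not covered by the exclusions
-- below. hash, magic and signature are LEFT JOINed, so any of their columns
-- may be NULL for a given file; every predicate on them is written to keep
-- the row when the value is NULL rather than silently dropping it.
SELECT DISTINCT
  file.path,
  uid,
  gid,
  mode,
  -- Text after the last '.' in the path (trailing '/' stripped first).
  -- May be NULL when the path contains no '.', so callers must not compare it directly.
  REGEX_MATCH (RTRIM(file.path, '/'), '.*\\.(.*?)$', 1) AS extension,
  file.btime,
  file.ctime,
  file.mtime,
  file.type,
  file.size,
  hash.sha256,
  magic.data,
  signature.identifier,
  signature.authority
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
  LEFT JOIN signature ON file.path = signature.path
WHERE
  -- Optimization: don't join things until we have a whittled down list of files
  file.path IN (
    SELECT
      path
    FROM
      file
    WHERE
      -- Walk /tmp a few levels deep, including hidden directories
      (
        file.directory = '/tmp'
        OR file.directory LIKE '/tmp/.%'
        OR file.directory LIKE '/tmp/.%/.%'
        OR file.directory LIKE '/tmp/.%/%'
        OR file.directory LIKE '/tmp/%'
        OR file.directory LIKE '/tmp/%/.%'
        OR file.directory LIKE '/tmp/%/%'
      )
      -- Prevent weird recursion
      AND NOT file.directory LIKE '%/../%'
      AND NOT file.directory LIKE '%/./%'
      -- Exclude very temporary files (changed within the last minute)
      AND NOT (strftime('%s', 'now') - ctime) < 60
      -- Only executable files: every octal digit with an execute bit set is
      -- 1, 3, 5 or 7. The mode string may carry a leading special-bits digit
      -- that also matches; that extra noise is acceptable for a detection.
      AND file.type = 'regular'
      AND (
        file.mode LIKE '%7%'
        OR file.mode LIKE '%5%'
        OR file.mode LIKE '%3%'
        OR file.mode LIKE '%1%'
      )
      -- Build and tooling locations for non-system users. These are substring
      -- matches on the full path, so anything beneath a matching segment is
      -- excluded as well; keep this list as tight as the false positives allow.
      AND NOT (
        uid > 500
        AND (
          file.path LIKE '%/go-build%'
          OR file.path LIKE '/tmp/%/AdobePIM.dylib'
          OR file.path LIKE '/tmp/%ctl'
          OR file.path LIKE '/tmp/com.apple.installer%'
          OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
          OR file.path LIKE '/tmp/GoLand/___Test%.test'
          OR file.path LIKE '/tmp/KSInstallAction.%/m/.keystone_install'
          OR file.path LIKE '/tmp/lima/%'
          OR file.path LIKE '/tmp/melange%'
          OR file.path LIKE '%-release%/%'
          OR file.path LIKE '%.tfstate.sh'
          OR file.path LIKE '%/bin/%'
          OR file.path LIKE '%/CCLBS/%'
          OR file.path LIKE '%/checkout/%'
          OR file.path LIKE '%/ci/%'
          OR file.path LIKE '%/debug/%'
          OR file.path LIKE '%/dist/%'
          OR file.path LIKE '%/elastic-agent-%'
          OR file.path LIKE '%/etc/network/if-up.d/%'
          OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
          OR file.path LIKE '%/git/%'
          OR file.path LIKE '%/github/%'
          OR file.path LIKE '%/go.%.sum'
          OR file.path LIKE '%/guile-%/guile-%'
          OR file.path LIKE '%/ko/%'
          OR file.path LIKE '%/kots/%'
          OR file.path LIKE '%/nix/%'
          OR file.path LIKE '%/pdf-tools/%'
          OR file.path LIKE '%/Photoshop Installer.app/Contents/%'
          OR file.path LIKE '%/sbin/%'
          OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
          OR file.path LIKE '%/src/%'
          OR file.path LIKE '%/target/%'
          OR file.path LIKE '%/terraformer/%'
          OR file.path LIKE '%/tmp/epdf%'
          OR file.path LIKE '%/%/gradlew'
          OR file.path LIKE '%/lib/%.so.%'
          OR file.path LIKE '%/lib/%.so'
          OR file.filename IN (
            'chainctl',
            'configure',
            'cosign',
            'golangci-lint',
            'goreleaser',
            'grype',
            'mysqld_exporter'
          )
        )
      )
      -- Melange
      AND NOT file.directory LIKE '/tmp/melange-guest-%'
      -- Nix
      AND NOT (
        file.directory LIKE '/tmp/tmp%'
        AND gid = 0
        AND uid > 300
        AND uid < 350
      )
      -- Babel
      AND NOT (
        file.directory LIKE '/tmp/babel-%/sh-script-%'
        AND gid > 900
        AND uid = 1000
        AND size < 1024
      )
      -- Random Testdata
      AND NOT (
        gid > 900
        AND uid = 1000
        AND (
          file.directory LIKE '/tmp/%/test'
          OR file.directory LIKE '/tmp/%/testdata'
        )
      )
      -- macOS updates
      AND NOT file.directory LIKE '/tmp/msu-target-%'
      -- I don't know man. I don't work here.
      AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS'
      AND NOT file.directory LIKE '/tmp/staged-updates%'
      -- terraform
      AND NOT (
        uid > 500
        AND file.path LIKE '/tmp/terraform_%/terraform'
      )
      AND NOT (
        file.path LIKE '/tmp/%compressed'
        AND size < 4000
        AND uid > 500
      )
      -- Executables too small to even hold '#!/bin/sh\\nuid'
      AND NOT (
        file.type = 'regular'
        AND size < 10
      )
      -- TODO: Remove this hardcoded entry after Apr 2023
      AND NOT (
        file.path = '/tmp/policy-tester'
        AND file.uid = 501
        AND file.gid = 20
        AND file.size = 90921938
      )
  )
  -- Skip binaries signed by these vendors. COALESCE keeps unsigned files
  -- (NULL authority from the LEFT JOIN): NOT (NULL IN (...)) is NULL, which
  -- WHERE would treat as false and drop the row.
  AND COALESCE(signature.authority, '') NOT IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)'
  )
  -- Skip files libmagic identifies as text, ELF, symlinks or libtool
  -- artifacts. A missing magic row (NULL data) is not an exclusion: the
  -- IS NULL arm keeps the row instead of letting NOT (NULL OR ...) drop it.
  AND (
    magic.data IS NULL
    OR NOT (
      magic.data IN ('JSON data', 'ASCII text')
      OR magic.data LIKE 'ELF %-bit %SB executable%'
      OR magic.data LIKE 'symbolic link to %'
      OR magic.data LIKE 'ELF %-bit LSB shared object%'
      OR magic.data LIKE 'libtool library file,%'
      OR magic.data LIKE 'POSIX shell script, ASCII text executable%'
    )
  )
  -- Small script/config/text files owned by a non-system user are not
  -- interesting unless libmagic says Mach-O. COALESCE makes a missing
  -- extension compare as '' so a bare, extension-less file is still reported.
  AND NOT (
    file.size < 50000
    AND file.uid > 500
    AND COALESCE(extension, '') IN (
      'adoc',
      'bat',
      'conf',
      'java',
      'js',
      'json',
      'log',
      'md',
      'nib',
      'pem',
      'perl',
      'pl',
      'py',
      'rb',
      'script',
      'sh',
      'status',
      'strings',
      'txt',
      'yaml',
      'yml'
    )
    AND (
      magic.data IS NULL
      OR magic.data NOT LIKE '%Mach-O%'
    )
  )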


Reference

https://github.com/chainguard-dev/osquery-defense-kit