Unexpected Var Executables Macos

osquery
Find unexpected executables in /var
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

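-- Find unexpected executables in /var
--
-- false positives:
--   * none known
--
-- tags: persistent seldom
-- platform: darwin
--
-- Returns one row per candidate file; every join is a LEFT JOIN so a file is
-- still reported when it has no hash, magic or signature row.
SELECT
  file.path,
  file.directory,
  uid,
  gid,
  mode,
  file.mtime,
  file.size,
  hash.sha256,
  magic.data,
  signature.authority,
  signature.identifier
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
  LEFT JOIN signature ON file.path = signature.path
WHERE
  -- Optimization: don't join things until we have a whittled down list of files
  file.path IN (
    SELECT DISTINCT
      path
    FROM
      file
    WHERE
      (
        file.directory = '/var/tmp'
        OR file.directory = '/var/spool'
        OR file.directory LIKE '/var/spool/.%'
        OR file.directory LIKE '/var/spool/.%/.%'
        OR file.directory LIKE '/var/spool/.%/%'
        OR file.directory LIKE '/var/spool/%'
        OR file.directory LIKE '/var/spool/%/.%'
        OR file.directory LIKE '/var/spool/%/%'
        OR file.directory LIKE '/var/tmp/.%'
        OR file.directory LIKE '/var/tmp/.%/.%'
        OR file.directory LIKE '/var/tmp/.%/%'
        OR file.directory LIKE '/var/tmp/%'
        OR file.directory LIKE '/var/tmp/%/.%'
        OR file.directory LIKE '/var/tmp/%/%'
      )
      -- Prevent weird recursion
      AND NOT file.directory LIKE '%/../%'
      AND NOT file.directory LIKE '%/./%'
      -- Exclude very temporary files (created within the last 60 seconds)
      AND NOT (strftime('%s', 'now') - ctime) < 60
      -- Only executable files: the x bit is set in an octal digit exactly when
      -- that digit is odd (1, 3, 5, 7). Only the owner/group/other digits are
      -- inspected, so a leading setuid/setgid/sticky digit (e.g. '1644') does
      -- not by itself make a file count as executable.
      AND file.type = 'regular'
      AND (
        substr(file.mode, -3, 1) IN ('1', '3', '5', '7')
        OR substr(file.mode, -2, 1) IN ('1', '3', '5', '7')
        OR substr(file.mode, -1, 1) IN ('1', '3', '5', '7')
      )
      -- Rosetta cache, SIP protected
      AND file.path NOT LIKE '/var/db/oah/%'
      AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'
      AND file.path NOT LIKE '/var/folders/%/T/freefn-%_emacs_%.eln'
      AND file.path NOT LIKE '/var/folders/%/T/go.%.%.sum'
      AND file.path NOT LIKE '/var/folders/%/T/iTerm2-script%'
      AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'
      AND file.path NOT LIKE '/var/folders/%/T/pulumi-go.%'
      AND file.path NOT LIKE '/var/folders/%/T/sp_relauncher'
      AND file.path NOT LIKE '/var/run/current-system/etc/profiles/per-user/%'
      AND file.path NOT LIKE '/var/tmp/epdfinfo%'
      AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/%.log'
      AND file.path NOT LIKE '/var/tmp/sysdiagnose_%/mddiagnose.mdsdiagnostic/%.log'
      AND file.directory NOT IN (
        '/var/db/xcode_select_link/Makefiles/VersioningSystems/',
        '/var/db/xcode_select_link/usr/bin',
        '/var/db/xcode_select_link/usr/lib',
        '/var/db/xcode_select_link/usr/libexec',
        '/var/ossec/agentless',
        '/var/ossec/bin',
        '/var/ossec/wodles',
        '/var/run/booted-system',
        '/var/run/current-system',
        '/var/run/current-system/sw/bin',
        '/var/select',
        '/var/select/X11/bin',
        '/var/select/X11/lib',
        '/var/select/X11/lib/dri',
        '/var/select/X11/lib/flat_namespace',
        '/var/select/X11/libexec'
      )
      AND file.path NOT IN (
        '/var/log/acroUpdaterTools.log',
        '/var/vm/sleepimage'
      )
      AND file.size > 10
      AND NOT (
        file.path LIKE '/var/folders/%/T/sp_update/%'
        AND file.gid = 20
        AND file.uid = 501
      )
      -- JetBrains (Delve)
      AND NOT (
        file.path LIKE '/var/folders/%/T/dlvLauncher%.sh'
        AND file.size < 1024
        AND file.mode = '0744'
      )
      AND NOT (
        file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'
        AND file.size < 40000
        AND file.uid = 501
      )
      AND NOT (
        file.path LIKE '/var/tmp/_bazel_%/%/install/%'
        AND file.uid = 501
      )
  )
  -- It's pretty rare, but some vendors install updates into /var. Spotify, I'm looking at you!
  -- COALESCE keeps unsigned files in the result: with no signature row the
  -- authority is NULL, and `NOT NULL IN (...)` is NULL, which WHERE would
  -- silently treat as false and drop exactly the files we most want to see.
  AND COALESCE(signature.authority, '') NOT IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: GitHub (VEKTX9H2N7)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    'Developer ID Application: Mozilla Corporation (43AQ936H96)',
    'Developer ID Application: Spotify (2FNC3A47ZF)',
    'Software Signing'
  )
  -- magic.data is NULL when no magic row matched; COALESCE makes the
  -- exclusion evaluate to false (file kept) instead of NULL (file dropped).
  AND NOT (
    file.path LIKE '/var/db/timezone/zoneinfo/%'
    AND COALESCE(magic.data, '') LIKE 'timezone%'
    AND file.size < 3000
    AND file.mode = '0755'
  )
  -- Epson
  AND NOT (
    file.path LIKE '/var/tmp/InstallLog/%.plist'
    AND COALESCE(magic.data, '') = 'Apple binary property list'
    AND file.size < 3000
    AND file.mode = '0777'
  )
-- Collapse to one row per path in case a joined table yields several rows
-- for the same file.
GROUP BY
  file.path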


Reference

https://github.com/chainguard-dev/osquery-defense-kit