diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql new file mode 100644 index 00000000..1d1a902f --- /dev/null +++ b/detection/evasion/hidden-cwd-events-linux.sql @@ -0,0 +1,76 @@ +-- Programs running with a hidden current working directory (event-based) +-- +-- false positives: +-- * Users rummaging through their configuration files +-- +-- NOTES: +-- * Disabled on macOS, as the cwd field as NULL there +-- +-- references: +-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories) +-- +-- tags: transient +-- platform: linux +-- interval: 600 +SELECT + COALESCE(REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*?)\/", 1), REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1)) AS hidden_base, + REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1) AS hidden_part, + COALESCE(REGEX_MATCH (TRIM(pe.cwd, '"'), '.*/(.*)', 1), pe.cwd) AS basename, + CONCAT ( + COALESCE(REGEX_MATCH (TRIM(pe.path, '"'), '.*/(.*)', 1), pe.path), + ',', + REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*?)\/", 1), REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1) + ) AS exception_key, + -- Child + pe.path AS p0_path, + COALESCE(REGEX_MATCH (pe.path, '.*/(.*)', 1), pe.path) AS p0_name, + TRIM(pe.cmdline) AS p0_cmd, + TRIM(pe.cwd, '"') AS p0_cwd, + pe.status AS p0_status, + pe.time AS p0_time, + pe.pid AS p0_pid, + pe.euid AS p0_euid, + -- Parent + pe.parent AS p1_pid, + TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd, + p1.cwd AS p1_cwd, + COALESCE(p1.path, pe1.path) AS p1_path, + COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash, + REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name +FROM + process_events pe + LEFT JOIN users u ON pe.uid = u.uid + LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths) + LEFT JOIN processes p1 ON pe.parent = p1.pid + LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path + LEFT JOIN process_events pe1 ON pe.parent = pe1.pid + AND pe1.time > (strftime('%s', 'now') -60660) + AND pe1.cmdline != '' + LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path +WHERE + pe.time > (strftime('%s', 'now') -60600) + AND pe.cwd LIKE '%/.%' + AND NOT ( + hidden_base IN ( + '.cache', + '.cargo', + '.gradle', + '.kotlin', + '.npm', + '.git', + '.gimme', + '.vscode', + '.vim', + '.config', + '.provisio', + '.terraform.d', + '.emacs.d', + '.gmailctl', + '.oh-my-zsh', + '.zsh' + ) + OR exception_key LIKE '%sh,~/.Trash' + ) +GROUP BY + p.cmdline, + p.cwd; \ No newline at end of file