osquery-defense-kit/detection/initial_access/unexpected-shell-parent-eve...

-- Unexpected process that spawns shell processes (event-based)
--
-- false positives:
--   * IDE's
--
-- references:
--   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
--   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
--
-- tags: process events
-- interval: 300
-- platform: posix
SELECT
  -- Child
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
  pe.parent AS p1_pid,
  p1.cgroup_path AS p1_cgroup,
  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
  COALESCE(p1.path, pe1.path) AS p1_path,
  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
  REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
  -- Grandparent
  COALESCE(p1.parent, pe1.parent) AS p2_pid,
  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
  TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
  COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
  REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name,
  -- Exception key
  REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS exception_key
FROM
  process_events pe
  LEFT JOIN processes p ON pe.pid = p.pid
  -- Parents (via two paths)
  LEFT JOIN processes p1 ON pe.parent = p1.pid
  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path

  -- Grandparents (via 3 paths)
  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE
  pe.time > (strftime('%s', 'now') -300)
  AND pe.cmdline != ''
  AND pe.parent > 0
  AND p0_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
  AND NOT (
    p1_name IN (
      'abrt-handle-eve',
      'alacritty',
      'at-spi-bus-launcher',
      'bash',
      'build-script-build',
      'chainctl',
      'chezmoi',
      'clang-11',
      'code',
      'Code Helper (Renderer)',
      'Code - Insiders Helper (Renderer)',
      'collect2',
      'com.docker.backend',
      'conmon',
      'containerd-shim',
      'cpptools',
      'dash',
      'demoit',
      'direnv',
      'doas',
      'docker-credential-desktop',
      'docker-credential-gcr',
      'Docker Desktop',
      'Emacs-arm64-11',
      'env',
      'erl_child_setup',
      'find',
      'FinderSyncExtension',
      'fish',
      'gatherheaderdoc',
      'gdm3',
      'gdm-session-worker',
      'gdm-x-session',
      'git',
      'gke-gcloud-auth-plugin',
      'gnome-session-binary',
      'gnome-shell',
      'gnome-terminal-server',
      'go',
      'goland',
      'gopls',
      'helm',
      'HP Diagnose & Fix',
      'i3bar',
      'i3blocks',
      'java',
      'kitty',
      'ko',
      'kubectl',
      'lightdm',
      'local-path-provisioner',
      'login',
      'make',
      'monorail',
      'my_print_defaults',
      'ninja',
      'nix',
      'nix-build',
      'nix-daemon',
      'nm-dispatcher',
      'node',
      'nvim',
      'package_script_service',
      'perl',
      'PK-Backend',
      'pulumi',
      -- 'python' - do not include this, or you won't detect supply-chain attacks.
      'roxterm',
      'sdk',
      'sdzoomplugin',
      'sh',
      'ShellLauncher',
      'skhd',
      'snyk',
      'sshd',
      'Stream Deck',
      'sudo',
      'swift',
      'systemd',
      'systemd-sleep',
      'terminator',
      'terraform-ls',
      'test2json',
      'tmux',
      'tmux:server',
      'update-notifier',
      'vi',
      'vim',
      'Vim',
      'watch',
      'wezterm-gui',
      'xargs',
      'xcrun',
      'xfce4-terminal',
      'Xorg',
      'yay',
      'yum',
      'zed'','
      'zellij',
      'zsh'
    )
    OR p1_name LIKE 'terraform-provider-%'
    -- Do not add shells to this list if you want your query to detect
    -- bad programs that were started from a shell.
    OR p2_name IN ('env', 'git')
    -- Homebrew, except we don't want to allow all of ruby
    OR p0_cmd IN (
      '/bin/bash /usr/bin/xdg-settings set default-url-scheme-handler slack Slack.desktop',
      '/bin/sh -c lsb_release -a --short',
      '/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
      '/bin/sh /usr/bin/lsb_release -a --short',
      '/bin/zsh -c ls',
      'sh -c /bin/stty size 2>/dev/null',
      "sh -c osascript -e 'user locale of (get system info)'",
      'sh -c python3.7 --version 2>&1',
      'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
    )
    OR (
      p1_name = 'WhatsApp'
      -- WhatsApp grabs the serial number from people's machines :(
      AND p0_cmd = '/bin/sh -c ioreg -c IOPlatformExpertDevice -d 2'
    )
    OR p1_cmd IN (
      '/usr/bin/python3 /usr/share/apport/apport-gtk',
      'php ./autodocs update images'
    )
    OR (
      p1_cmd LIKE '%Python% /opt/homebrew/bin/jupyter%'
      AND p0_cmd = '/bin/sh -c osascript'
    )
    OR (
      p1_name = 'osqueryd'
      AND p0_cmd LIKE '/bin/sh /etc/NetworkManager/dispatcher.d/%'
    )
    OR (
      p1_name = 'ssh'
      AND p0_cmd LIKE 'gcloud.py compute start-iap-tunnel%'
    )

    OR exception_key IN (
      'bash,0,pia-daemon,launchd',
      'zsh,500,python3.10,gnome-shell'
    )
    OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
    OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
    OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'
    OR p0_cmd LIKE '/bin/sh -c pkg-config %'
    OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
    OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
    OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'
    OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
    OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings set %'
    OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'
    OR p0_cmd LIKE '%gcloud config config-helper --format=json'
    OR p0_cmd LIKE '%gcloud config get-value%'
    OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
    OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
    OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'
  )
GROUP BY
  pe.pid
detection/initial_access/unexpected-shell-parent-events.sql new detector: unexpected shell parent events 2023-01-04 16:43:26 +00:00			`-- Unexpected process that spawns shell processes (event-based)`
			`--`
			`-- false positives:`
			`-- * IDE's`
			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)`
			`-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)`
			`--`
			`-- tags: process events`
			`-- interval: 300`
			`-- platform: posix`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`SELECT`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`-- Child`
			`pe.path AS p0_path,`
			`REGEX_MATCH (pe.path, './(.)', 1) AS p0_name,`
			`TRIM(pe.cmdline) AS p0_cmd,`
			`pe.pid AS p0_pid,`
			`p.cgroup_path AS p0_cgroup,`
			`-- Parent`
			`pe.parent AS p1_pid,`
			`p1.cgroup_path AS p1_cgroup,`
			`TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,`
			`COALESCE(p1.path, pe1.path) AS p1_path,`
			`COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,`
			`REGEX_MATCH(COALESCE(p1.path, pe1.path), './(.)', 1) AS p1_name,`
			`-- Grandparent`
			`COALESCE(p1.parent, pe1.parent) AS p2_pid,`
			`COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,`
			`TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,`
			`COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,`
			`COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,`
			`REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), './(.)', 1) AS p2_name,`
			`-- Exception key`
			`REGEX_MATCH (pe.path, './(.)', 1) \|\| ',' \|\| MIN(pe.euid, 500) \|\| ',' \|\| REGEX_MATCH(COALESCE(p1.path, pe1.path), './(.)', 1) \|\| ',' \|\| REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), './(.)', 1) AS exception_key`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`FROM`
			`process_events pe`
			`LEFT JOIN processes p ON pe.pid = p.pid`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`-- Parents (via two paths)`
			`LEFT JOIN processes p1 ON pe.parent = p1.pid`
			`LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path`
			`LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''`
			`LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path`

			`-- Grandparents (via 3 paths)`
			`LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes`
			`LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events`
			`LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events`
			`LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path`
			`LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path`
			`LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`WHERE`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`pe.time > (strftime('%s', 'now') -300)`
			`AND pe.cmdline != ''`
			`AND pe.parent > 0`
			`AND p0_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`AND NOT (`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`p1_name IN (`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'abrt-handle-eve',`
			`'alacritty',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'at-spi-bus-launcher',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'bash',`
			`'build-script-build',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'chainctl',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'chezmoi',`
			`'clang-11',`
			`'code',`
			`'Code Helper (Renderer)',`
			`'Code - Insiders Helper (Renderer)',`
			`'collect2',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'com.docker.backend',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'conmon',`
			`'containerd-shim',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'cpptools',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'dash',`
			`'demoit',`
			`'direnv',`
			`'doas',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'docker-credential-desktop',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'docker-credential-gcr',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'Docker Desktop',`
			`'Emacs-arm64-11',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'env',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'erl_child_setup',`
			`'find',`
			`'FinderSyncExtension',`
			`'fish',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'gatherheaderdoc',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'gdm3',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'gdm-session-worker',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'gdm-x-session',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'git',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'gke-gcloud-auth-plugin',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'gnome-session-binary',`
			`'gnome-shell',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'gnome-terminal-server',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'go',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'goland',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'gopls',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'helm',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'HP Diagnose & Fix',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'i3bar',`
			`'i3blocks',`
			`'java',`
			`'kitty',`
			`'ko',`
			`'kubectl',`
			`'lightdm',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'local-path-provisioner',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'login',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'make',`
			`'monorail',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'my_print_defaults',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'ninja',`
			`'nix',`
			`'nix-build',`
			`'nix-daemon',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'nm-dispatcher',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'node',`
			`'nvim',`
			`'package_script_service',`
			`'perl',`
			`'PK-Backend',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'pulumi',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`-- 'python' - do not include this, or you won't detect supply-chain attacks.`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'roxterm',`
			`'sdk',`
			`'sdzoomplugin',`
			`'sh',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'ShellLauncher',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'skhd',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'snyk',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'sshd',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'Stream Deck',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'sudo',`
			`'swift',`
			`'systemd',`
Flush out more false positives across the stack 2023-01-06 15:36:48 +00:00			`'systemd-sleep',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'terminator',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'terraform-ls',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'test2json',`
			`'tmux',`
			`'tmux:server',`
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 13:13:04 +00:00			`'update-notifier',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'vi',`
			`'vim',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'Vim',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'watch',`
			`'wezterm-gui',`
			`'xargs',`
			`'xcrun',`
			`'xfce4-terminal',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'Xorg',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'yay',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'yum',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'zed'','`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'zellij',`
			`'zsh'`
Add enough exceptions to make this useful 2023-01-04 16:58:54 +00:00			`)`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR p1_name LIKE 'terraform-provider-%'`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`-- Do not add shells to this list if you want your query to detect`
			`-- bad programs that were started from a shell.`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR p2_name IN ('env', 'git')`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`-- Homebrew, except we don't want to allow all of ruby`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR p0_cmd IN (`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'/bin/bash /usr/bin/xdg-settings set default-url-scheme-handler slack Slack.desktop',`
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-27 01:40:47 +00:00			`'/bin/sh -c lsb_release -a --short',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'/bin/sh /usr/bin/lsb_release -a --short',`
			`'/bin/zsh -c ls',`
			`'sh -c /bin/stty size 2>/dev/null',`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`"sh -c osascript -e 'user locale of (get system info)'",`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`'sh -c python3.7 --version 2>&1',`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'`
			`)`
Remove unused active fields, add WhatsApp ioreg exception 2023-01-27 13:46:48 +00:00			`OR (`
			`p1_name = 'WhatsApp'`
			`-- WhatsApp grabs the serial number from people's machines :(`
			`AND p0_cmd = '/bin/sh -c ioreg -c IOPlatformExpertDevice -d 2'`
			`)`
False positives: autodocs, jupyter, apko 2023-01-27 15:38:01 +00:00			`OR p1_cmd IN (`
			`'/usr/bin/python3 /usr/share/apport/apport-gtk',`
			`'php ./autodocs update images'`
			`)`
			`OR (`
			`p1_cmd LIKE '%Python% /opt/homebrew/bin/jupyter%'`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`AND p0_cmd = '/bin/sh -c osascript'`
			`)`
			`OR (`
			`p1_name = 'osqueryd'`
			`AND p0_cmd LIKE '/bin/sh /etc/NetworkManager/dispatcher.d/%'`
			`)`
			`OR (`
			`p1_name = 'ssh'`
			`AND p0_cmd LIKE 'gcloud.py compute start-iap-tunnel%'`
			`)`

			`OR exception_key IN (`
			`'bash,0,pia-daemon,launchd',`
			`'zsh,500,python3.10,gnome-shell'`
False positives: autodocs, jupyter, apko 2023-01-27 15:38:01 +00:00			`)`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'`
			`OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'`
			`OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR p0_cmd LIKE '/bin/sh -c pkg-config %'`
			`OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'`
Remove unused active fields, add WhatsApp ioreg exception 2023-01-27 13:46:48 +00:00			`OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings set %'`
			`OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'`
			`OR p0_cmd LIKE '%gcloud config config-helper --format=json'`
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 19:58:47 +00:00			`OR p0_cmd LIKE '%gcloud config get-value%'`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'`
			`OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'`
Fix more false positives, particularly in shell/fetcher parents 2023-01-06 15:18:19 +00:00			`)`
			`GROUP BY`
			`pe.pid`