osquery-defense-kit/detection/evasion/missing-from-disk-macos.sql

-- Processes that do not exist on disk
--
-- false positives:
--   * Self-updating programs that remain running
--
-- references:
--   * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)
--
-- platform: darwin
-- tags: persistent process state
SELECT
  p.pid,
  p.path,
  p.name,
  p.parent,
  p.state,
  p.cwd,
  p.gid,
  p.uid,
  p.euid,
  p.cmdline AS cmd,
  p.cwd,
  p.on_disk,
  p.state,
  pp.on_disk AS parent_on_disk,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  hash.sha256 AS parent_sha256
FROM
  processes p
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON pp.path = hash.path
WHERE
  p.on_disk != 1 -- false positives from recently spawned processes
  AND (strftime('%s', 'now') - p.start_time) > 15
  AND p.pid > 0
  AND p.parent != 2 -- kthreadd
  AND p.state != 'Z' -- The kernel no longer has enough tracking information for this alert to be useful
  AND NOT (
    p.parent = 1
    AND p.path = ''
  )
  AND NOT (
    p.gid = 20
    AND (
      -- NOTE: p.path is typically empty when on_disk != 1, so don't depend on it.
      cmd LIKE '/Library/Apple/System/%'
      OR cmd LIKE '/Applications/%/Contents/%'
      OR cmd LIKE '/Library/Apple/System/%'
      OR cmd LIKE '/Library/Application Support/Logitech.localized/%'
      OR cmd LIKE '/Library/Developer/CommandLineTools/%'
      OR p.path IN (
        '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
        '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)'
      )
      OR cmd LIKE '/opt/homebrew/Cellar/%'
      OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
      OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
      OR p.path LIKE '/Users/%/homebrew/Cellar/%'
      OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
      OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
      OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
      OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
      OR cmd LIKE '/opt/homebrew/opt/%'
      OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
      OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(
      OR cmd LIKE '%/go/src/github.com/%'
      OR cmd LIKE '%/.terraform/providers/%'
      OR parent_cmd LIKE '/Applications/Google Chrome.app/%'
    )
  )
  AND NOT (
    p.name = ''
    AND parent_cmd = '/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox -foreground'
  )
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- Processes that do not exist on disk`
			`--`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- false positives:`
			`-- * Self-updating programs that remain running`
			`--`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)`
			`--`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- platform: darwin`
Update interval tags, mostly for persistence 2022-10-14 18:26:49 +00:00			`-- tags: persistent process state`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`p.pid,`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`p.path,`
			`p.name,`
			`p.parent,`
			`p.state,`
			`p.cwd,`
			`p.gid,`
			`p.uid,`
			`p.euid,`
			`p.cmdline AS cmd,`
			`p.cwd,`
			`p.on_disk,`
			`p.state,`
			`pp.on_disk AS parent_on_disk,`
			`pp.path AS parent_path,`
			`pp.cmdline AS parent_cmd,`
			`pp.cwd AS parent_cwd,`
			`hash.sha256 AS parent_sha256`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`FROM`
			`processes p`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON pp.path = hash.path`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`WHERE`
			`p.on_disk != 1 -- false positives from recently spawned processes`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND (strftime('%s', 'now') - p.start_time) > 15`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`AND p.pid > 0`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`AND p.parent != 2 -- kthreadd`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND p.state != 'Z' -- The kernel no longer has enough tracking information for this alert to be useful`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`AND NOT (`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`p.parent = 1`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND p.path = ''`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`)`
			`AND NOT (`
			`p.gid = 20`
			`AND (`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- NOTE: p.path is typically empty when on_disk != 1, so don't depend on it.`
			`cmd LIKE '/Library/Apple/System/%'`
			`OR cmd LIKE '/Applications/%/Contents/%'`
			`OR cmd LIKE '/Library/Apple/System/%'`
			`OR cmd LIKE '/Library/Application Support/Logitech.localized/%'`
			`OR cmd LIKE '/Library/Developer/CommandLineTools/%'`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`OR p.path IN (`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',`
			`'/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)'`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR cmd LIKE '/opt/homebrew/Cellar/%'`
False positive reduction: Messenger, Chrome, Final Cut Pro, etc 2023-01-18 14:49:56 +00:00			`OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`OR p.path LIKE '/Users/%/homebrew/Cellar/%'`
Final KubeCon 2022 false-positive cleanup 2022-10-28 23:24:00 +00:00			`OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'`
Sort out more false positives 2022-12-16 22:37:32 +00:00			`OR p.path LIKE '/Users/%/node_modules/.pnpm/%'`
false positives: dots, ipn, apport-gtk, homebrew, hyperkey, contexts 2023-01-09 14:34:20 +00:00			`OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'`
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 15:46:30 +00:00			`OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR cmd LIKE '/opt/homebrew/opt/%'`
			`OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'`
			`OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`OR cmd LIKE '%/go/src/github.com/%'`
			`OR cmd LIKE '%/.terraform/providers/%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`OR parent_cmd LIKE '/Applications/Google Chrome.app/%'`
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`)`
Weekend false-positive removal 2022-09-24 15:07:34 +00:00			`)`
More false positive removal 2022-09-30 17:47:10 +00:00			`AND NOT (`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`p.name = ''`
			`AND parent_cmd = '/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox -foreground'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`)`