osquery-defense-kit/process/high-disk-bytes-written.sql

SELECT p.name,
    p.path,
    p.cmdline,
    p.on_disk,
    p.parent,
    p.start_time,
    hash.sha256,
    p.disk_bytes_written,
    p.cwd,
    (strftime('%s', 'now') - start_time) AS age,
    disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
FROM processes p
LEFT JOIN hash ON p.path = hash.path
WHERE bytes_per_second > 2000000
    AND age > 120
    AND p.path NOT IN (
        '/bin/bash',
        '/usr/bin/curl',
        '/usr/bin/bash',
        '/usr/bin/zsh',
        '/usr/bin/fish',
        '/usr/bin/gnome-shell',
        '/usr/lib/systemd/systemd-journald',
        '/usr/libexec/sharingd',
        '/usr/lib/systemd/systemd',
        '/usr/libexec/coreduetd',
        '/usr/libexec/coreduetd',
        '/usr/libexec/packagekitd',
        '/usr/lib/flatpak-system-helper',
        '/usr/libexec/rosetta/oahd',
        '/usr/libexec/secd',
        '/usr/bin/aptd',
        '/usr/bin/qemu-system-x86_64',
        '/usr/bin/bwrap',
        '/usr/sbin/screencapture',
        '/usr/lib64/thunderbird/thunderbird',
        '/usr/bin/yay'
    )
    AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)
    AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')
    AND NOT (name = 'btrfs-transaction' AND on_disk = -1)
    AND NOT (name = 'kernel_task' AND p.path = '' AND parent IN (0, 1) AND on_disk = -1)
    AND NOT (name = 'launchd' AND p.path = '/sbin/launchd' AND parent = 0)
    AND NOT (name = 'logd' AND cmdline = '/usr/libexec/logd' AND parent = 1)
    AND NOT name IN (
        'firefox',
        'gopls',
        'containerd',
        'slack',
        'chrome',
        'goland',
        'esbuild',
        'slack',
        'wineserver',
        'com.apple.MobileSoftwareUpdate.UpdateBrainService'
    )
    AND p.path NOT LIKE '/Applications/%.app/Contents/%'
    AND p.path NOT LIKE '/System/Applications/%'
    AND p.path NOT LIKE '/System/Library/%'
    AND p.path NOT LIKE '/home/%/.local/share/Steam'
    AND p.path NOT LIKE '/nix/store/%/bin/%sh'
    AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`SELECT p.name,`
			`p.path,`
			`p.cmdline,`
			`p.on_disk,`
			`p.parent,`
			`p.start_time,`
			`hash.sha256,`
			`p.disk_bytes_written,`
			`p.cwd,`
			`(strftime('%s', 'now') - start_time) AS age,`
More tuning 2022-09-02 14:56:04 +00:00			`disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`FROM processes p`
			`LEFT JOIN hash ON p.path = hash.path`
More updates 2022-09-02 16:56:31 +00:00			`WHERE bytes_per_second > 2000000`
More tuning 2022-09-02 14:56:04 +00:00			`AND age > 120`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`AND p.path NOT IN (`
More updates 2022-09-02 16:56:31 +00:00			`'/bin/bash',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/curl',`
More updates 2022-09-02 16:56:31 +00:00			`'/usr/bin/bash',`
More scripts 2022-09-09 14:16:28 +00:00			`'/usr/bin/zsh',`
More updates 2022-09-02 16:56:31 +00:00			`'/usr/bin/fish',`
			`'/usr/bin/gnome-shell',`
More tuning 2022-09-02 14:56:04 +00:00			`'/usr/lib/systemd/systemd-journald',`
More tuning 2022-09-07 02:08:17 +00:00			`'/usr/libexec/sharingd',`
More tuning 2022-09-02 14:56:04 +00:00			`'/usr/lib/systemd/systemd',`
More updates 2022-09-02 16:56:31 +00:00			`'/usr/libexec/coreduetd',`
			`'/usr/libexec/coreduetd',`
			`'/usr/libexec/packagekitd',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'/usr/lib/flatpak-system-helper',`
More updates 2022-09-02 16:56:31 +00:00			`'/usr/libexec/rosetta/oahd',`
More tuning 2022-09-07 02:08:17 +00:00			`'/usr/libexec/secd',`
			`'/usr/bin/aptd',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'/usr/bin/qemu-system-x86_64',`
			`'/usr/bin/bwrap',`
More scripts 2022-09-09 14:16:28 +00:00			`'/usr/sbin/screencapture',`
First weekend tuning 2022-09-10 11:24:17 +00:00			`'/usr/lib64/thunderbird/thunderbird',`
			`'/usr/bin/yay'`
More tuning 2022-09-02 14:56:04 +00:00			`)`
			`AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)`
			`AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')`
			`AND NOT (name = 'btrfs-transaction' AND on_disk = -1)`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`AND NOT (name = 'kernel_task' AND p.path = '' AND parent IN (0, 1) AND on_disk = -1)`
			`AND NOT (name = 'launchd' AND p.path = '/sbin/launchd' AND parent = 0)`
More updates 2022-09-02 16:56:31 +00:00			`AND NOT (name = 'logd' AND cmdline = '/usr/libexec/logd' AND parent = 1)`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`AND NOT name IN (`
			`'firefox',`
			`'gopls',`
			`'containerd',`
			`'slack',`
			`'chrome',`
			`'goland',`
			`'esbuild',`
			`'slack',`
			`'wineserver',`
			`'com.apple.MobileSoftwareUpdate.UpdateBrainService'`
			`)`
			`AND p.path NOT LIKE '/Applications/%.app/Contents/%'`
			`AND p.path NOT LIKE '/System/Applications/%'`
			`AND p.path NOT LIKE '/System/Library/%'`
			`AND p.path NOT LIKE '/home/%/.local/share/Steam'`
Launch day fixes 2022-09-22 17:18:16 +00:00			`AND p.path NOT LIKE '/nix/store/%/bin/%sh'`
			`AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'`