osquery-defense-kit/process/missing-from-disk-macos.sql

32 lines
1.3 KiB
MySQL
Raw Normal View History

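-- Processes whose executable is no longer present on disk (on_disk != 1).
-- Self-replacing updaters and app bundles produce routine noise here, which
-- the exclusions below suppress; anything else is worth a look.
--
-- Tuning caveats:
--   * p.path is typically empty when on_disk != 1 (see NOTE below), so the
--     exclusions key on cmdline instead. cmdline (argv) is supplied by
--     whatever called exec, so these patterns reduce noise; they are not a
--     trust boundary.
--   * String literals use single quotes: osquery runs on SQLite, where
--     double-quoted text is parsed as an identifier first and only falls back
--     to a literal when no such column exists.
SELECT
    p.pid,
    p.path,
    p.parent,
    p.state,
    p.cwd,
    p.gid,
    p.uid,
    p.euid,
    p.cmdline AS cmd,
    p.on_disk,
    pp.on_disk AS parent_on_disk,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmd,
    pp.cwd AS parent_cwd,
    hash.sha256 AS parent_sha256
FROM processes AS p
-- The parent may already have exited; parent_* columns are then NULL.
LEFT JOIN processes AS pp ON p.parent = pp.pid
-- Hash of the parent's binary; NULL when the parent path cannot be hashed.
LEFT JOIN hash ON pp.path = hash.path
WHERE p.on_disk != 1
    -- false positives from recently spawned processes
    AND (strftime('%s', 'now') - p.start_time) > 60
    AND p.pid > 0
    -- kthreadd is a Linux kernel thread; presumably carried over from the
    -- Linux variant of this query and harmless on macOS
    AND p.parent != 2
    -- exited (zombie) processes are not of interest here
    AND p.state != 'Z'
    AND NOT (
        -- gid 20 is the macOS 'staff' group; the exclusions apply only to it
        p.gid = 20
        AND (
            -- NOTE: p.path is typically empty when on_disk != 1, so don't depend on it.
            cmd LIKE '/Applications/%/Contents/%'
            OR cmd LIKE '/Library/Apple/System/%'
            OR cmd LIKE '/Library/Application Support/Logitech.localized/%'
            OR cmd LIKE '/Library/Developer/CommandLineTools/%'
            OR cmd LIKE '/opt/homebrew/Cellar/%'
            OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
            OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%'
            -- Sometimes cmd is empty also :(
            OR parent_cmd LIKE '/Applications/Google Chrome.app/%'
            -- The system has no idea who this is.
            -- Because p.path is usually empty for every row this query
            -- returns, this clause effectively excludes any staff-gid process
            -- whose parent is launchd (pid 1) -- a wide gap worth revisiting.
            OR (p.parent = 1 AND p.path = '')
        )
    )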