osquery-defense-kit/process/unexpected-shell-parents.sql

SELECT p.name,
    p.path AS path,
    p.cmdline AS cmdline,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    hash.sha256 AS parent_sha256
FROM processes p
    LEFT JOIN processes pp ON pp.pid = p.parent
    LEFT JOIN hash ON pp.path = hash.path
WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
    -- Editors & terminals mostly
    AND parent_name NOT IN (
        'alacritty',
        'bash',
        'Code - Insiders Helper (Renderer)',
        'Code Helper (Renderer)',
        'containerd-shim',
        'dash',
        'demoit',
        'fish',
        'go',
        'goland',
        'kubectl',
        'monorail',
        'nvim',
        'perl',
        'python',
        'roxterm',
        'sdzoomplugin',
        'systemd',
        'terminator',
        'tmux:server',
        'node',
        'tmux',
        'test2json',
        'vi',
        'vim',
        'wezterm-gui',
        'xfce4-terminal',
        'zsh'
    )
    AND parent_path NOT IN (
        '/bin/dash',
        '/bin/sh',
        '/opt/X11/libexec/launchd_startx',
        '/sbin/launchd',
        '/usr/bin/alacritty',
        '/usr/bin/bash',
        '/usr/bin/crond',
        '/usr/bin/login',
        '/usr/bin/man',
        '/usr/bin/zsh',
        '/usr/libexec/gnome-terminal-server'
    )

    -- npm run server
    AND NOT p.cmdline IN (
        'sh -c -- exec-bin node_modules/.bin/hugo/hugo server'
    )

    AND NOT parent_cmdline LIKE "/Applications/Warp.app/%"
    AND NOT parent_name LIKE "terraform-provider-%"
    AND NOT parent_name LIKE "Emacs%"
    AND NOT parent_name LIKE "%term%"
    AND NOT parent_name LIKE "%Term%"
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`SELECT p.name,`
			`p.path AS path,`
			`p.cmdline AS cmdline,`
			`pp.name AS parent_name,`
			`pp.path AS parent_path,`
More tuning 2022-09-14 14:51:56 +00:00			`pp.cmdline AS parent_cmdline,`
			`hash.sha256 AS parent_sha256`
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`FROM processes p`
More tuning 2022-09-14 14:51:56 +00:00			`LEFT JOIN processes pp ON pp.pid = p.parent`
			`LEFT JOIN hash ON pp.path = hash.path`
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')`
More tuning 2022-09-15 13:34:45 +00:00			`-- Editors & terminals mostly`
More tuning 2022-09-14 14:51:56 +00:00			`AND parent_name NOT IN (`
			`'alacritty',`
			`'bash',`
More tuning 2022-09-15 13:34:45 +00:00			`'Code - Insiders Helper (Renderer)',`
More tuning 2022-09-14 14:51:56 +00:00			`'Code Helper (Renderer)',`
More tuning 2022-09-15 13:34:45 +00:00			`'containerd-shim',`
More tuning 2022-09-14 14:51:56 +00:00			`'dash',`
			`'demoit',`
			`'fish',`
			`'go',`
			`'goland',`
More tuning 2022-09-15 13:34:45 +00:00			`'kubectl',`
More tuning 2022-09-14 14:51:56 +00:00			`'monorail',`
More tuning 2022-09-15 13:34:45 +00:00			`'nvim',`
			`'perl',`
			`'python',`
More tuning 2022-09-14 14:51:56 +00:00			`'roxterm',`
			`'sdzoomplugin',`
			`'systemd',`
			`'terminator',`
			`'tmux:server',`
More tuning 2022-09-15 13:34:45 +00:00			`'node',`
More tuning 2022-09-14 14:51:56 +00:00			`'tmux',`
More tuning 2022-09-15 13:34:45 +00:00			`'test2json',`
			`'vi',`
			`'vim',`
More tuning 2022-09-14 14:51:56 +00:00			`'wezterm-gui',`
			`'xfce4-terminal',`
			`'zsh'`
			`)`
			`AND parent_path NOT IN (`
More tuning 2022-09-15 13:34:45 +00:00			`'/bin/dash',`
			`'/bin/sh',`
More tuning 2022-09-14 14:51:56 +00:00			`'/opt/X11/libexec/launchd_startx',`
More tuning 2022-09-15 13:34:45 +00:00			`'/sbin/launchd',`
More tuning 2022-09-14 14:51:56 +00:00			`'/usr/bin/alacritty',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/bash',`
More tuning 2022-09-14 14:51:56 +00:00			`'/usr/bin/crond',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/login',`
			`'/usr/bin/man',`
			`'/usr/bin/zsh',`
			`'/usr/libexec/gnome-terminal-server'`
More tuning 2022-09-14 14:51:56 +00:00			`)`

			`-- npm run server`
			`AND NOT p.cmdline IN (`
			`'sh -c -- exec-bin node_modules/.bin/hugo/hugo server'`
			`)`

			`AND NOT parent_cmdline LIKE "/Applications/Warp.app/%"`
More tuning 2022-09-15 13:34:45 +00:00			`AND NOT parent_name LIKE "terraform-provider-%"`
More tuning 2022-09-14 14:51:56 +00:00			`AND NOT parent_name LIKE "Emacs%"`
			`AND NOT parent_name LIKE "%term%"`
			`AND NOT parent_name LIKE "%Term%"`