osquery-defense-kit/unexpected-hidden-system-fo...

SELECT *
FROM file
WHERE (
        path LIKE '/lib/.%'
        OR path LIKE '/tmp/.%'
        OR path LIKE '/usr/lib/.%'
        OR path LIKE '/usr/local/lib/.%'
        OR path LIKE '/var/lib/.%'
        OR path LIKE '/var/tmp/.%'
        OR path LIKE '/.%'
        OR path LIKE '/bin/%/.%'
        OR path LIKE '/lib/%/.%'
        OR path LIKE '/libexec/.%'
        OR path LIKE '/sbin/.%'
        OR path LIKE '/sbin/%/.%'
        OR path LIKE '/usr/bin/.%'
        OR path LIKE '/usr/lib/%/.%'
        OR path LIKE '/usr/libexec/.%'
        OR path LIKE '/usr/local/bin/.%'
        OR path LIKE '/usr/local/lib/.%'
        OR path LIKE '/usr/local/libexec/.%'
        OR path LIKE '/usr/local/sbin/.%'
        OR path LIKE '/usr/sbin/.%'
        OR path LIKE '/var/.%'
        OR path LIKE '/tmp/.%.gcode'
    )
    AND path NOT IN (
        '/.autorelabel',
        '/.file',
        '/.vol/',
        '/.VolumeIcon.icns',
        '/tmp/._contentbarrier_installed',
        '/tmp/../',
        '/tmp/./',
        '/tmp/.%.lock',
        '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
        '/tmp/.font-unix/',
        '/tmp/.ICE-unix/',
        '/tmp/.Test-unix/',
        '/tmp/.X0-lock',
        '/tmp/.X1-lock',
        '/tmp/.X11-unix/',
        '/tmp/.XIM-unix/',
        '/var/.Parallels_swap/'
    )
    AND path NOT LIKE '/tmp/.#%'
    AND path NOT LIKE '/tmp/.com.google.Chrome.%'
    AND path NOT LIKE '/tmp/.org.chromium.Chromium%'
    AND path NOT LIKE '/tmp/.X1%-lock'
    AND PATH NOT LIKE '/usr/local/%/.keepme'
    AND PATH NOT LIKE '%/../'
    AND PATH NOT LIKE '%/./'
    AND PATH NOT LIKE '%/.build-id/'
    AND PATH NOT LIKE '%/.dwz/'
    AND PATH NOT LIKE '%/.updated'
    AND PATH NOT LIKE '/%bin/bootstrapping/.default_components'
    AND (
        type != 'regular'
        OR size > 1
    )
Add osquery packs 2022-08-31 18:34:42 +00:00			`SELECT *`
			`FROM file`
			`WHERE (`
			`path LIKE '/lib/.%'`
			`OR path LIKE '/tmp/.%'`
			`OR path LIKE '/usr/lib/.%'`
			`OR path LIKE '/usr/local/lib/.%'`
			`OR path LIKE '/var/lib/.%'`
			`OR path LIKE '/var/tmp/.%'`
more updates 2022-09-01 18:47:27 +00:00			`OR path LIKE '/.%'`
			`OR path LIKE '/bin/%/.%'`
			`OR path LIKE '/lib/%/.%'`
			`OR path LIKE '/libexec/.%'`
			`OR path LIKE '/sbin/.%'`
			`OR path LIKE '/sbin/%/.%'`
			`OR path LIKE '/usr/bin/.%'`
			`OR path LIKE '/usr/lib/%/.%'`
			`OR path LIKE '/usr/libexec/.%'`
			`OR path LIKE '/usr/local/bin/.%'`
			`OR path LIKE '/usr/local/lib/.%'`
			`OR path LIKE '/usr/local/libexec/.%'`
			`OR path LIKE '/usr/local/sbin/.%'`
			`OR path LIKE '/usr/sbin/.%'`
			`OR path LIKE '/var/.%'`
			`OR path LIKE '/tmp/.%.gcode'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`)`
			`AND path NOT IN (`
more updates 2022-09-01 18:47:27 +00:00			`'/.autorelabel',`
			`'/.file',`
			`'/.vol/',`
			`'/.VolumeIcon.icns',`
			`'/tmp/._contentbarrier_installed',`
			`'/tmp/../',`
			`'/tmp/./',`
			`'/tmp/.%.lock',`
			`'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',`
			`'/tmp/.font-unix/',`
			`'/tmp/.ICE-unix/',`
			`'/tmp/.Test-unix/',`
			`'/tmp/.X0-lock',`
			`'/tmp/.X1-lock',`
			`'/tmp/.X11-unix/',`
			`'/tmp/.XIM-unix/',`
			`'/var/.Parallels_swap/'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`)`
more updates 2022-09-01 18:47:27 +00:00			`AND path NOT LIKE '/tmp/.#%'`
			`AND path NOT LIKE '/tmp/.com.google.Chrome.%'`
			`AND path NOT LIKE '/tmp/.org.chromium.Chromium%'`
			`AND path NOT LIKE '/tmp/.X1%-lock'`
			`AND PATH NOT LIKE '/usr/local/%/.keepme'`
			`AND PATH NOT LIKE '%/../'`
			`AND PATH NOT LIKE '%/./'`
			`AND PATH NOT LIKE '%/.build-id/'`
			`AND PATH NOT LIKE '%/.dwz/'`
			`AND PATH NOT LIKE '%/.updated'`
			`AND PATH NOT LIKE '/%bin/bootstrapping/.default_components'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`AND (`
more updates 2022-09-01 18:47:27 +00:00			`type != 'regular'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`OR size > 1`
			`)`