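-- Unexpected long-running processes running as root
--
-- false positives:
-- * new software requiring escalated privileges
--
-- references:
-- * https://attack.mitre.org/techniques/T1543/
--
-- tags: persistent process state
-- platform: darwin
--
-- Every file/signature/hash lookup below is a LEFT JOIN, so s.authority and
-- s.identifier are NULL whenever the signature table returns no row for the
-- executable path (this appears to include binaries that can no longer be read
-- from disk after launch -- confirm against the osquery signature table). In
-- three-valued logic `NOT NULL IN (...)` and `NOT (TRUE AND NULL)` are UNKNOWN,
-- which WHERE treats as false, so such rows were silently dropped instead of
-- being reported. The signature-based exclusions therefore wrap the nullable
-- columns in COALESCE(..., '') : a root process without a verifiable signature
-- must surface as a finding, never vanish.
SELECT
  -- Code signature of the child executable (NULL when no signature row matched)
  s.authority AS p0_auth,
  s.identifier AS p0_id,
  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
  -- Seconds the process has been alive (start_time is a unix epoch)
  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1_f.mode AS p1_mode,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  processes p0
  LEFT JOIN file f ON p0.path = f.path
  LEFT JOIN signature s ON p0.path = s.path
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN file p1_f ON p1.path = p1_f.path
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE -- Focus on longer-running programs
  p0.pid IN (
    SELECT
      pid
    FROM
      processes
    WHERE
      euid = 0
      -- 900 s: only processes that have been running for more than 15 minutes
      AND start_time < (strftime('%s', 'now') - 900)
      AND parent != 0 -- Assume STP
      -- Path-only allowlist. NOTE(review): entries such as '/bin/bash' and
      -- '/usr/bin/sudo' suppress any long-running root instance of that binary
      -- regardless of cmdline or parent; consider scoping those by cmdline.
      AND path NOT IN (
        '/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService',
        '/Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon',
        '/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim',
        '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
        '/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
        '/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
        '/bin/bash',
        '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
        '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService',
        '/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer',
        '/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon',
        '/Library/Application Support/Paragon Software/com.paragon-software.extfsd',
        '/Library/Application Support/Paragon Software/com.paragon-software.ntfsd',
        '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-bridge',
        '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-dhcpd',
        '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
        '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
        '/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/xrdd',
        '/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc',
        '/Library/Nessus/run/sbin/nessusd',
        '/Library/Nessus/run/sbin/nessus-service',
        '/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2',
        '/Library/PrivilegedHelperTools/com.docker.vmnetd',
        '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
        '/Library/PrivilegedHelperTools/keybase.Helper',
        '/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
        '/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
        '/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
        '/Library/SystemExtensions/4D1BF33A-9817-45D7-A242-8C39810C7F11/com.redcanary.agent.securityextension.systemextension/Contents/MacOS/com.redcanary.agent.securityextension',
        '/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
        '/opt/socket_vmnet/bin/socket_vmnet',
        '/sbin/launchd',
        '/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd',
        '/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper',
        '/System/Library/CoreServices/CrashReporterSupportHelper',
        '/System/Library/CoreServices/iconservicesagent',
        '/System/Library/CoreServices/launchservicesd',
        '/System/Library/CoreServices/logind',
        '/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow',
        '/System/Library/CoreServices/osanalyticshelper',
        '/System/Library/CoreServices/powerd.bundle/powerd',
        '/System/Library/CoreServices/ReportCrash',
        '/System/Library/CoreServices/sharedfilelistd',
        '/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd',
        '/System/Library/CoreServices/SubmitDiagInfo',
        '/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader',
        '/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle',
        '/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice',
        '/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar',
        '/System/Library/Frameworks/AudioToolbox.framework/XPCServices/CAReportingService.xpc/Contents/MacOS/CAReportingService',
        '/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper',
        '/System/Library/Frameworks/ColorSync.framework/Versions/A/XPCServices/com.apple.ColorSyncXPCAgent.xpc/Contents/MacOS/com.apple.ColorSyncXPCAgent',
        '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/com.apple.cmio.registerassistantservice',
        '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/XPCServices/csnameddatad.xpc/Contents/MacOS/csnameddatad',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores',
        '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync',
        '/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp',
        '/System/Library/Frameworks/GSS.framework/Helpers/GSSCred',
        '/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd',
        '/System/Library/Frameworks/Metal.framework/Versions/A/XPCServices/MTLCompilerService.xpc/Contents/MacOS/MTLCompilerService',
        '/System/Library/Frameworks/NetFS.framework/Versions/A/XPCServices/PlugInLibraryService.xpc/Contents/MacOS/PlugInLibraryService',
        '/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer',
        '/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd',
        '/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant',
        '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd',
        '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper',
        '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd',
        '/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper',
        '/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent',
        '/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon',
        '/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService',
        '/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer',
        '/System/Library/PrivateFrameworks/ApplePushService.framework/apsd',
        '/System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSODaemon',
        '/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService',
        '/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService',
        '/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService',
        '/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd',
        '/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd',
        '/System/Library/PrivateFrameworks/BridgeOSInstallReporting.framework/Versions/A/Resources/bosreporter',
        '/System/Library/PrivateFrameworks/CacheDelete.framework/deleted_helper',
        '/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd',
        '/System/Library/PrivateFrameworks/CoreAccessories.framework/Support/accessoryd',
        '/System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored',
        '/System/Library/PrivateFrameworks/CoreKDL.framework/Support/corekdld',
        '/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd',
        '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd',
        '/System/Library/PrivateFrameworks/FindMyMac.framework/Versions/A/Resources/FindMyMacd',
        '/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond',
        '/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod',
        '/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc',
        '/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagd',
        '/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagwatcher',
        '/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted',
        '/System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/Contents/MacOS/com.apple.MobileInstallationHelperService',
        '/System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Versions/A/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.CleanupPreparePathService',
        '/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated',
        '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd',
        '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd',
        '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service',
        '/System/Library/PrivateFrameworks/SiriInference.framework/Support/siriinferenced',
        '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer',
        '/System/Library/PrivateFrameworks/StorageKit.framework/Versions/A/Resources/storagekitd',
        '/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig',
        '/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd',
        '/System/Library/PrivateFrameworks/SystemStatusServer.framework/Support/systemstatusd',
        '/System/Library/PrivateFrameworks/TCC.framework/Support/tccd',
        '/System/Library/PrivateFrameworks/Uninstall.framework/Versions/A/Resources/uninstalld',
        '/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary',
        '/System/Library/PrivateFrameworks/WiFiPolicy.framework/XPCServices/WiFiCloudAssetsXPCService.xpc/Contents/MacOS/WiFiCloudAssetsXPCService',
        '/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd',
        '/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XProtectBehaviorService.xpc/Contents/MacOS/XProtectBehaviorService',
        '/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService',
        '/usr/bin/login',
        '/usr/bin/sudo',
        '/usr/bin/sysdiagnose',
        '/usr/libexec/AirPlayXPCHelper',
        '/usr/libexec/airportd',
        '/usr/libexec/amfid',
        '/usr/libexec/aned',
        '/usr/libexec/apfsd',
        '/usr/libexec/applessdstatistics',
        '/usr/libexec/ApplicationFirewall/socketfilterfw',
        '/usr/libexec/ASPCarryLog',
        '/usr/libexec/autofsd',
        '/usr/libexec/automountd',
        '/usr/libexec/batteryintelligenced',
        '/usr/libexec/biokitaggdd',
        '/usr/libexec/biometrickitd',
        '/usr/libexec/bootinstalld',
        '/usr/libexec/colorsyncd',
        '/usr/libexec/colorsync.displayservices',
        '/usr/libexec/configd',
        '/usr/libexec/containermanagerd',
        '/usr/libexec/corebrightnessd',
        '/usr/libexec/coreduetd',
        '/usr/libexec/corestoraged',
        '/usr/libexec/cryptexd',
        '/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
        '/usr/libexec/dasd',
        '/usr/libexec/dirhelper',
        '/usr/libexec/diskarbitrationd',
        '/usr/libexec/diskmanagementd',
        '/usr/libexec/dprivacyd',
        '/usr/libexec/endpointsecurityd',
        '/usr/libexec/findmydeviced',
        '/usr/libexec/firmwarecheckers/ethcheck/ethcheck',
        '/usr/libexec/InternetSharing',
        '/usr/libexec/IOMFB_bics_daemon',
        '/usr/libexec/ioupsd',
        '/usr/libexec/kernelmanagerd',
        '/usr/libexec/keybagd',
        '/usr/libexec/logd',
        '/usr/libexec/logd_helper',
        '/usr/libexec/lsd',
        '/usr/libexec/mdmclient',
        '/usr/libexec/memoryanalyticsd',
        '/usr/libexec/microstackshot',
        '/usr/libexec/misagent',
        '/usr/libexec/mobileactivationd',
        '/usr/libexec/mobileassetd',
        '/usr/libexec/multiversed',
        '/usr/libexec/nehelper',
        '/usr/libexec/nesessionmanager',
        '/usr/libexec/online-authd',
        '/usr/libexec/opendirectoryd',
        '/usr/libexec/PerfPowerServices',
        '/usr/libexec/periodic-wrapper',
        '/usr/libexec/powerdatad',
        '/usr/libexec/PowerUIAgent',
        '/usr/libexec/remoted',
        '/usr/libexec/rtcreportingd',
        '/usr/libexec/runningboardd',
        '/usr/libexec/sandboxd',
        '/usr/libexec/searchpartyd',
        '/usr/libexec/secinitd',
        '/usr/libexec/securityd_service',
        '/usr/libexec/smd',
        '/usr/libexec/storagekitd',
        '/usr/libexec/symptomsd-diag',
        '/usr/libexec/sysmond',
        '/usr/libexec/syspolicyd',
        '/usr/libexec/tailspind',
        '/usr/libexec/taskgated',
        '/usr/libexec/thermald',
        '/usr/libexec/thermalmonitord',
        '/usr/libexec/TouchBarServer',
        '/usr/libexec/trustdFileHelper',
        '/usr/libexec/tzd',
        '/usr/libexec/tzlinkd',
        '/usr/libexec/usbd',
        '/usr/libexec/UserEventAgent',
        '/usr/libexec/usermanagerd',
        '/usr/libexec/warmd',
        '/usr/libexec/watchdogd',
        '/usr/libexec/wifianalyticsd',
        '/usr/libexec/wifip2pd',
        '/usr/libexec/wifivelocityd',
        '/usr/local/kolide-k2/bin/osquery-extension.ext',
        '/usr/sbin/aslmanager',
        '/usr/sbin/audioclocksyncd',
        '/usr/sbin/auditd',
        '/usr/sbin/BlueTool',
        '/usr/sbin/bluetoothd',
        '/usr/sbin/BTLEServer',
        '/usr/sbin/cfprefsd',
        '/usr/sbin/distnoted',
        '/usr/sbin/filecoordinationd',
        '/usr/sbin/KernelEventAgent',
        '/usr/sbin/mDNSResponderHelper',
        '/usr/sbin/notifyd',
        '/usr/sbin/securityd',
        '/usr/sbin/spindump',
        '/usr/sbin/sshd',
        '/usr/sbin/syslogd',
        '/usr/sbin/systemsoundserverd',
        '/usr/sbin/systemstats',
        '/usr/sbin/WirelessRadioManagerd'
      )
      -- Versioned install locations that cannot be pinned to a single path
      AND NOT path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
      AND NOT path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
      AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
      -- One pid per distinct executable path (SQLite returns a bare column from
      -- an arbitrary row of the group), so repeated instances collapse to one.
    GROUP BY
      path
  )
  -- Known signing authorities. COALESCE keeps a missing/NULL authority in the
  -- result set rather than letting NOT IN evaluate to UNKNOWN and drop the row.
  AND COALESCE(s.authority, '') NOT IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
    'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
    'Developer ID Application: Foxit Corporation (8GN47HTP75)',
    'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
    'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
    'Developer ID Application: Keybase, Inc. (99229SGT5K)',
    'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
    'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
    'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
    'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
    'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
    'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
    'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
    'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
    'Software Signing'
  )
  -- Path-scoped exceptions. The first two pin only on the code-signing
  -- identifier, which is weaker than the DYMO rule below that also pins the
  -- signing authority; COALESCE keeps an unsigned binary at these paths visible.
  AND NOT (
    p0.path LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
    AND COALESCE(s.identifier, '') = 'socket_vmnet'
  )
  AND NOT (
    p0.path LIKE '/nix/store/%-nix-%/bin/nix'
    AND COALESCE(s.identifier, '') = 'nix'
  )
  AND NOT (
    p0.path = '/Library/Printers/DYMO/Utilities/pnpd'
    AND COALESCE(s.identifier, '') = 'pnpd'
    AND COALESCE(s.authority, '') = 'Developer ID Application: Sanford, L.P. (N3S6676K3E)'
  )
  -- One finding per executable path; the other selected columns come from an
  -- arbitrary row of that group.
GROUP BY
  p0.path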