osquery-defense-kit/process/unexpected-shell-parents.sql

SELECT p.name,
    p.path AS path,
    p.cmdline AS cmdline,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    hash.sha256 AS parent_sha256
FROM processes p
    LEFT JOIN processes pp ON pp.pid = p.parent
    LEFT JOIN hash ON pp.path = hash.path
WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
    -- Editors & terminals mostly
    AND parent_name NOT IN (
        'alacritty',
        'bash',
        'Code - Insiders Helper (Renderer)',
        'Code Helper (Renderer)',
        'containerd-shim',
        'dash',
        'FinderSyncExtension',
        'PK-Backend',
        'demoit',
        'fish',
        'go',
        'goland',
        'kubectl',
        'java',
        'swift',
        'make',
        'skhd',
        'monorail',
        'nvim',
        'perl',
        'python',
        'roxterm',
        'sdzoomplugin',
        'systemd',
        'terminator',
        'tmux:server',
        'node',
        'tmux',
        'test2json',
        'watch',
        'vi',
        'vim',
        'wezterm-gui',
        'xfce4-terminal',
        'zsh'
    )
    AND parent_path NOT IN (
        '/bin/dash',
        '/bin/sh',
        '/opt/X11/libexec/launchd_startx',
        '/sbin/launchd',
        '/usr/bin/alacritty',
        '/usr/bin/bash',
        '/usr/bin/crond',
        '/usr/bin/login',
        '/Applications/Docker.app/Contents/MacOS/Docker',
        '/usr/bin/man',
        '/usr/bin/bwrap',
        '/usr/bin/sudo',
        '/usr/libexec/periodic-wrapper',
        '/usr/bin/zsh',
        '/usr/libexec/gnome-terminal-server'
    )

    -- npm run server
    AND NOT p.cmdline IN (
        'sh -c -- exec-bin node_modules/.bin/hugo/hugo server'
    )
    AND NOT parent_cmdline LIKE "/Applications/Warp.app/%"
    AND NOT parent_cmdline LIKE "%Code Helper%"

    AND NOT parent_name LIKE "terraform-provider-%"
    AND NOT parent_name LIKE "Emacs%"
    AND NOT parent_name LIKE "%term%"
    AND NOT parent_name LIKE "%Term%"
    AND NOT p.cmdline LIKE "%gcloud config config-helper%"
    AND NOT p.cmdline LIKE "%/Library/Apple/System/Library/InstallerSandboxes%"
    AND NOT parent_cmdline LIKE "%gcloud.py config config-helper%"
    AND NOT (parent_name='sshd' AND p.cmdline LIKE "%askpass%")
    AND NOT parent_path LIKE "/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"

    -- Oh, NixOS.
    AND NOT parent_name LIKE "%/bin/bash"
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`SELECT p.name,`
			`p.path AS path,`
			`p.cmdline AS cmdline,`
			`pp.name AS parent_name,`
			`pp.path AS parent_path,`
More tuning 2022-09-14 14:51:56 +00:00			`pp.cmdline AS parent_cmdline,`
			`hash.sha256 AS parent_sha256`
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`FROM processes p`
More tuning 2022-09-14 14:51:56 +00:00			`LEFT JOIN processes pp ON pp.pid = p.parent`
			`LEFT JOIN hash ON pp.path = hash.path`
Add more queries: preload, setuid, shell parents 2022-09-07 02:08:41 +00:00			`WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')`
More tuning 2022-09-15 13:34:45 +00:00			`-- Editors & terminals mostly`
More tuning 2022-09-14 14:51:56 +00:00			`AND parent_name NOT IN (`
			`'alacritty',`
			`'bash',`
More tuning 2022-09-15 13:34:45 +00:00			`'Code - Insiders Helper (Renderer)',`
More tuning 2022-09-14 14:51:56 +00:00			`'Code Helper (Renderer)',`
More tuning 2022-09-15 13:34:45 +00:00			`'containerd-shim',`
More tuning 2022-09-14 14:51:56 +00:00			`'dash',`
Rewrite sketchy events, remove some false positives 2022-09-20 12:16:06 +00:00			`'FinderSyncExtension',`
			`'PK-Backend',`
More tuning 2022-09-14 14:51:56 +00:00			`'demoit',`
			`'fish',`
			`'go',`
			`'goland',`
More tuning 2022-09-15 13:34:45 +00:00			`'kubectl',`
More filtering of false positives 2022-09-15 15:28:50 +00:00			`'java',`
Rewrite sketchy events, remove some false positives 2022-09-20 12:16:06 +00:00			`'swift',`
More filtering of false positives 2022-09-15 15:28:50 +00:00			`'make',`
More tuning 2022-09-15 19:34:59 +00:00			`'skhd',`
More tuning 2022-09-14 14:51:56 +00:00			`'monorail',`
More tuning 2022-09-15 13:34:45 +00:00			`'nvim',`
			`'perl',`
			`'python',`
More tuning 2022-09-14 14:51:56 +00:00			`'roxterm',`
			`'sdzoomplugin',`
			`'systemd',`
			`'terminator',`
			`'tmux:server',`
More tuning 2022-09-15 13:34:45 +00:00			`'node',`
More tuning 2022-09-14 14:51:56 +00:00			`'tmux',`
More tuning 2022-09-15 13:34:45 +00:00			`'test2json',`
More filtering of false positives 2022-09-15 15:28:50 +00:00			`'watch',`
More tuning 2022-09-15 13:34:45 +00:00			`'vi',`
			`'vim',`
More tuning 2022-09-14 14:51:56 +00:00			`'wezterm-gui',`
			`'xfce4-terminal',`
			`'zsh'`
			`)`
			`AND parent_path NOT IN (`
More tuning 2022-09-15 13:34:45 +00:00			`'/bin/dash',`
			`'/bin/sh',`
More tuning 2022-09-14 14:51:56 +00:00			`'/opt/X11/libexec/launchd_startx',`
More tuning 2022-09-15 13:34:45 +00:00			`'/sbin/launchd',`
More tuning 2022-09-14 14:51:56 +00:00			`'/usr/bin/alacritty',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/bash',`
More tuning 2022-09-14 14:51:56 +00:00			`'/usr/bin/crond',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/login',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'/Applications/Docker.app/Contents/MacOS/Docker',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/man',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'/usr/bin/bwrap',`
Rewrite sketchy events, remove some false positives 2022-09-20 12:16:06 +00:00			`'/usr/bin/sudo',`
More tuning 2022-09-15 19:34:59 +00:00			`'/usr/libexec/periodic-wrapper',`
More tuning 2022-09-15 13:34:45 +00:00			`'/usr/bin/zsh',`
			`'/usr/libexec/gnome-terminal-server'`
More tuning 2022-09-14 14:51:56 +00:00			`)`

			`-- npm run server`
			`AND NOT p.cmdline IN (`
			`'sh -c -- exec-bin node_modules/.bin/hugo/hugo server'`
			`)`
			`AND NOT parent_cmdline LIKE "/Applications/Warp.app/%"`
Rewrite sketchy events, remove some false positives 2022-09-20 12:16:06 +00:00			`AND NOT parent_cmdline LIKE "%Code Helper%"`

More tuning 2022-09-15 13:34:45 +00:00			`AND NOT parent_name LIKE "terraform-provider-%"`
More tuning 2022-09-14 14:51:56 +00:00			`AND NOT parent_name LIKE "Emacs%"`
			`AND NOT parent_name LIKE "%term%"`
			`AND NOT parent_name LIKE "%Term%"`
More filtering 2022-09-16 15:22:50 +00:00			`AND NOT p.cmdline LIKE "%gcloud config config-helper%"`
			`AND NOT p.cmdline LIKE "%/Library/Apple/System/Library/InstallerSandboxes%"`
			`AND NOT parent_cmdline LIKE "%gcloud.py config config-helper%"`
More tuning 2022-09-15 19:34:59 +00:00			`AND NOT (parent_name='sshd' AND p.cmdline LIKE "%askpass%")`
More filtering 2022-09-16 15:22:50 +00:00			`AND NOT parent_path LIKE "/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"`
More filtering of false positives 2022-09-15 15:28:50 +00:00
			`-- Oh, NixOS.`
			`AND NOT parent_name LIKE "%/bin/bash"`