fpr: aws, java, arch, cody, google, wireshark, etc

Thomas Stromberg 2023-10-31 11:40:10 -04:00
parent 51baf32292
commit 0060bb087e
22 changed files with 77 additions and 28 deletions


@ -95,6 +95,7 @@ WHERE
AND p0.path NOT LIKE '/Users/%/src/%'
AND p0.path NOT LIKE '/Users/%/bin/%'
AND p0.path NOT LIKE '/System/%'
AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'
AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
AND p0.path NOT LIKE '/usr/libexec/%'
AND p0.path NOT LIKE '/usr/sbin/%'
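Review bot: The `'/opt/homebrew/Cellar/%/bin/%'` exclusion at L17 — either it or the GoLand entry at L16 is this hunk's single addition, the page does not say which — exempts every Homebrew-installed binary from the rule, and on Apple Silicon that prefix is owned by the installing user, so the carve-out is much wider than the one package that caused the false positive. If a single formula was the trigger, anchor on it, e.g. `AND p0.path NOT LIKE '/opt/homebrew/Cellar/<formula>/%/bin/%'` with `<formula>` filled in, and add a comment naming it. The WHERE clause this belongs to starts before the hunk.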


@ -89,6 +89,7 @@ WHERE
'/System/Volumes',
'/usr/libexec',
'/usr/local',
'/usr/bin',
'/usr/sbin',
'~/.provisio',
'~/Applications',
@ -100,11 +101,16 @@ WHERE
'~/src',
'~/work'
)
AND NOT homedir = '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS'
AND NOT homedir IN (
'~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS',
'/opt/spotify'
)
AND NOT exception_key IN (
'500,0,110,syncthing',
'500,0,1234,spotify',
'500,0,123,sntp',
'500,500,32768,Code Helper',
'500,0,443,Authy',
'500,0,20480,io.tailscale.ipn.macsys.network-extension',
'500,0,22,ssh',
'500,0,31488,sntp',
@ -119,6 +125,7 @@ WHERE
'500,0,443,chrome_crashpad_handler',
'500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,443,com.apple.NRD.UpdateBrainService',
'500,500,32768,Chromium Helper',
'500,0,443,com.google.one.NetworkExtension',
'500,0,443,curl',
'500,0,443,electron',
@ -126,6 +133,8 @@ WHERE
'500,0,443,fwupdmgr',
'500,0,443,git-remote-http',
'500,0,443,gnome-software',
'500,0,53,electron',
'500,0,443,kioslave5',
'500,0,443,http',
'500,0,443,io.tailscale.ipn.macsys.network-extension',
'500,0,443,ksfetch',
@ -136,6 +145,7 @@ WHERE
'500,0,443,OneDriveStandaloneUpdater',
'500,0,443,slack',
'500,0,443,snapd',
'500,500,32768,Code Helper',
'500,0,443,spotify',
'500,0,443,ssh',
'500,0,443,syncthing',
@ -147,6 +157,7 @@ WHERE
'500,0,53,launcher',
'500,0,53,NetworkManager',
'500,0,53,slack',
'500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
'500,0,53,spotify',
'500,0,53,wget',
'500,0,5632,ssh',
@ -161,6 +172,7 @@ WHERE
'500,500,13568,Code Helper',
'500,500,20480,Code Helper',
'500,500,20480,GoogleUpdater',
'500,0,4070,spotify',
'500,500,20480,ksfetch',
'500,500,22,ssh',
'500,500,2304,cloud_sql_proxy',
@ -188,6 +200,7 @@ WHERE
'500,500,443,git-remote-http',
'500,500,443,gitsign',
'500,500,443,GitX',
'500,500,32768,melange',
'500,500,443,go',
'500,500,443,Google Chrome Helper',
'500,500,443,GoogleUpdater',
@ -196,6 +209,7 @@ WHERE
'500,500,443,kubectl',
'500,500,443,minikube',
'500,500,443,node',
'500,500,2304,terraform-provider-google_v4.37.0_x5',
'500,500,443,old',
'500,500,443,Signal',
'500,500,443,Signal Helper (Renderer)',
@ -213,6 +227,10 @@ WHERE
AND NOT exception_key LIKE '500,500,443,terraform%'
AND NOT exception_key LIKE '500,0,%,syncthing'
AND NOT exception_key LIKE '500,0,%,chrome'
AND NOT p0_path LIKE '/Users/%/code/%'
AND NOT p0_path LIKE '/Users/%/go/%'
AND NOT p0_path LIKE '/Users/%/src/%'
AND NOT p0_path LIKE '/Users/%/dev/%'
AND NOT (
basename = "Python"
AND (
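Review bot: The four `NOT p0_path LIKE '/Users/%/code/%'`-style clauses at L110-L113 exempt any process launched from a user's code, go, src or dev directory regardless of name, signing identity or port, which is a wide carve-out for a rule keyed on `exception_key`. If the goal is to quiet locally built tools, consider combining the path with the uid pattern the existing keys already express, or at least record the trade-off in a comment such as `-- developer checkouts: anything running from here is excluded, including unsigned builds`. The version-pinned key `'500,500,2304,terraform-provider-google_v4.37.0_x5'` at L102 will go stale on the next provider release; the `LIKE '500,500,443,terraform%'` clause at L107 shows the durable form. The enclosing WHERE starts before the first hunk and the `basename = "Python"` condition at L115 continues past the last one.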


@ -221,8 +221,12 @@ WHERE
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',


@ -43,8 +43,7 @@ WHERE
'~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
'~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA/',
'~/Library/Preferences/.wrangler',
'~/Library/Mobile Documents/.Trash/2.0',
'~/Library/Mobile Documents/.Trash',
'~/Library/Mobile Documents/.Trash%',
'~/Library/Group Containers/.SiriTodayViewExtension/Library',
'~/Library/Group Containers/.SiriTodayViewExtension',
'~/Library/Saved Searches/.DockTags',
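Review bot: The replacement entry `'~/Library/Mobile Documents/.Trash%'` at L142 only does what the commit intends if this list is consumed by a LIKE; inside an `IN (...)` list the `%` is a literal character, so neither `.Trash` nor `.Trash/2.0` would be excluded any more and the false positive would return silently. The predicate that owns the list starts before the hunk, so I cannot confirm which it is from here. If it is `IN`, keep the two literal rows, or move the pattern out to its own `AND NOT path LIKE '~/Library/Mobile Documents/.Trash%'` clause.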


@ -75,6 +75,7 @@ WHERE
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',


@ -6,7 +6,10 @@
-- tags: persistent process
SELECT
COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS pname,
COALESCE(REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
COALESCE(
REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1),
""
) AS pext,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
@ -29,7 +32,7 @@ SELECT
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN signature s ON p0.path = s.path
@ -82,13 +85,14 @@ WHERE
OR REGEX_MATCH (pname, "^(\W)", 1) != ""
OR (
REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)"
AND pname NOT LIKE "%)"
)
AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
)
AND NOT pname IN (
'cpu',
'BetterTouchToolAppleScriptRunner',
'ThingsWidgetExtensionMacAppStore',
'BetterTouchToolShellScriptRunner',
'at.obdev.littlesnitch.networkextension',
'EcammLiveVideoOutAssistantXPCHelper'
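Review bot: The reformatted COALESCE fallback at L167 keeps the double-quoted empty string `""`, and the reflowed `AND pname NOT LIKE "%)"` at L186 keeps the same style. SQLite treats double quotes as identifier quotes and only falls back to a string literal when no column of that name exists, and builds compiled with `SQLITE_DQS=0` reject that fallback, so `''` and `'%)'` are the safe spelling and also match the single-quoted literals in the pname list at L190-L196. Since these lines were being touched anyway, this was the moment to switch them. The SELECT list and WHERE clause both extend beyond the hunks shown.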


@ -97,6 +97,7 @@ WHERE
AND NOT pname IN (
'cpu',
'com.microsoft.teams2.notificationcenter',
'at.obdev.littlesnitch.endpointsecurity',
'BetterTouchToolAppleScriptRunner',
'BetterTouchToolShellScriptRunner',
'TwitterNotificationServiceExtension',


@ -143,13 +143,12 @@ WHERE
'/Library/Application Support/GPGTools',
'/Library/Application Support/com.canonical.multipass',
'/Library/Application Support/org.pqrs',
'~/Library/Application Support/Steam',
'/Library/Developer/CommandLineTools',
'/Library/Screen Savers/XScreenSaverUpdater.app',
'/Library/Google/GoogleSoftwareUpdate',
'/Library/Java/JavaVirtualMachines',
'/Library/Plug-Ins/FxPlug',
'/Library/Printers/Canon',
'/Library/Screen Savers/XScreenSaverUpdater.app',
'/Volumes/Google Chrome/Google Chrome.app',
'/Volumes/Slack/Slack.app',
'/opt/homebrew/Caskroom',
@ -168,6 +167,8 @@ WHERE
'~/Library/Application Support/Foxit Software',
'~/Library/Application Support/JetBrains',
'~/Library/Application Support/LogMeInInc',
'~/Library/Application Support/OpenLens',
'~/Library/Application Support/Steam',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'~/Library/Application Support/minecraft',


@ -130,6 +130,7 @@ WHERE
'500,go,a.out,',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
@ -216,6 +217,7 @@ WHERE
AND NOT exception_key LIKE '500,copilot-agent-macos-%,copilot-agent-macos-%,'
AND NOT exception_key LIKE '500,samply,samply-%,'
AND NOT exception_key LIKE '500,gopls_%,a.out,'
AND NOT exception_key LIKE '500,terraform-provider-%,,'
AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
AND NOT exception_key LIKE '500,kubectl.%,a.out,'
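Review bot: The new `LIKE '500,terraform-provider-%,,'` at L250 exempts any uid-500 process whose name starts with `terraform-provider-` and whose remaining two key fields are empty — going by the neighbouring `'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing'` row, those are the bundle identifier and signing authority — so the match rests on the process name alone with no signing evidence. If the gap is unsigned provider plugins, consider anchoring on the directory they are installed under as well, or record the accepted risk next to the line: `-- unsigned terraform providers: matched on name prefix only`. The key layout and the WHERE clause are defined before this hunk.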


@ -101,6 +101,7 @@ WHERE
'sysctl -n hw.optional.arm64',
'sw_vers -productName',
'sysctl -n sysctl.proc_translated',
'/usr/sbin/system_profiler SPUSBDataType',
'/usr/sbin/sysctl kern.hv_support',
'/usr/sbin/sysctl -n hw.cputype',
'/usr/sbin/sysctl sysctl.proc_translated'


@ -55,6 +55,11 @@ WHERE
AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
AND p0.name NOT IN (
'GoogleSoftwareUpdateAgent',
'LogiFacecamService',
'Safari',
'UpdateBrainService',
'ZwiftAppMetal',
'baloo_file',
'baloo_file_extr',
'bash',
@ -79,7 +84,6 @@ WHERE
'gnome-software',
'go',
'golangci-lint',
'GoogleSoftwareUpdateAgent',
'gopls',
'grype',
'java',
@ -89,7 +93,6 @@ WHERE
'kube-scheduler',
'kue',
'launcher',
'LogiFacecamService',
'mediawriter',
'melange',
'nautilus',
@ -105,7 +108,6 @@ WHERE
'qemu-system-x86-64',
'rpi-imager',
'rsync',
'Safari',
'sh',
'slack',
'spotify',
@ -117,14 +119,13 @@ WHERE
'thunderbird',
'tilt',
'unattended-upgr',
'UpdateBrainService',
'vim',
'wineserver',
'wolfictl',
'yay',
'ykman-gui',
'yum',
'zsh',
'ZwiftAppMetal'
'zsh'
)
AND NOT p0.path IN (
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',


@ -72,11 +72,13 @@ WHERE
'crane',
'op',
'kubectl',
'yay',
'go',
'docker',
'lima-guestagent',
'containerd-star',
'gopls',
'ollama',
'launcher',
'tflint',
'cloud-sql-proxy',


@ -1,5 +1,4 @@
-- Rust Program that uses both HTTP and Exec
-- tags: persistent
-- interval: 7200
-- platform: posix
@ -52,6 +51,7 @@ WHERE
AND p0.name NOT IN (
'old',
'stable',
'nvim',
'Cody',
'fig-darwin-universal',
'wezterm-gui'


@ -41,5 +41,6 @@ WHERE
AND hostnames NOT LIKE '%.test'
AND hostnames NOT LIKE '%.internal'
AND hostnames NOT LIKE '%.local'
AND hostnames NOT LIKE "%.cloud"
AND hostnames NOT LIKE 'ip6-%'
AND hostnames NOT LIKE "%.example.com"


@ -97,27 +97,29 @@ WHERE
'openra.net',
'oracle.com',
'osuosl.org',
'perforce.com',
'pqrs.org',
'prusa3d.com',
'remarkable.com',
'rewind.ai',
's3.amazonaws.com',
'synaptics.com',
'securew2.com',
'signal.org',
'skype.com',
'slack-edge.com',
'slack.com',
'stclairsoft.com',
'steampowered.com',
'synaptics.com',
'tableplus.com',
'teams.cdn.office.net',
'techsmith.com',
'slack.com',
'ubuntu.com',
'umd.edu',
'usa.canon.com',
'uubyte.com',
'vc.logitech.com',
'vimcal.com',
'virtualbox.org',
'vmware.com',
'warp.dev',
@ -130,35 +132,36 @@ WHERE
)
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
AND host NOT IN (
'arc.net',
'presenting.app',
'adoptium.net',
'mimestream.com',
'arc.net',
'balsamiq.com',
'bearly.ai',
'brave.com',
'calibre-ebook.com',
'cron.com',
'opalcamera.com',
'discord.com',
'dl.discordapp.net',
'flipperzero.one',
'dl.google.com',
'duckduckgo.com',
'go.dev',
'dygma.com',
'emacsformacosx.com',
'flipperzero.one',
'getkap.co',
'github.com',
'go.dev',
'krisp.ai',
'mail.google.com',
'manual.canon',
'mimestream.com',
'mnvoip.mm.fcix.net',
'mutedeck.com',
'obdev.at',
'obsidian.md',
'obsproject.com',
'opalcamera.com',
'posit.co',
'presenting.app',
'proton.me',
'mnvoip.mm.fcix.net',
'rancherdesktop.io',
'rectangleapp.com',
'stclairsoft.s3.amazonaws.com',
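Review bot: `'s3.amazonaws.com'` at L376 — apparently one of the first hunk's two additions — is the generic S3 endpoint, and exempting it wholesale runs against the `NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here` comment at L401 that guards the second list. If the first list is matched by domain suffix, the entry covers every bucket on that endpoint; the bucket-qualified `'stclairsoft.s3.amazonaws.com'` at L442 is the existing precedent, so naming the bucket that caused the false positive would keep the rule's coverage. Which predicate consumes the first list is not visible in this hunk.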


@ -63,6 +63,7 @@ WHERE
'PK-Backend',
'Rancher Desktop',
'Runner.Listener',
'terraform-provi',
'Runner.Worker',
'abrt-action-per',
'abrt-handle-eve',
@ -91,6 +92,7 @@ WHERE
'fish',
'gephi',
'git',
'GoogleUpdater',
'git-remote-http',
'git-remote-https',
'gnome-session-b',
@ -246,7 +248,7 @@ WHERE
AND NOT p1.name LIKE '%term%'
AND NOT p1.name LIKE '%Term%'
AND NOT p1.name LIKE 'Emacs%'
AND NOT p1.name LIKE 'terraform-provider-%'
AND NOT p1.name LIKE 'terraform-prov%'
AND NOT p1.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
-- Oh, NixOS.
AND NOT p1.name LIKE '%/bin/bash'
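Review bot: Widening `LIKE 'terraform-provider-%'` to `LIKE 'terraform-prov%'` at L467 exempts any parent whose name starts with those fourteen characters, and if the name list at L447 is on the same column the new `'terraform-provi'` row at L450 is already covered by it. That row looks like a Linux comm-truncated name (15 characters), which is worth a comment so the next reader does not take it for a typo: `-- 'terraform-provi': Linux truncates process names to 15 chars`. The insertions at L450 and L458 also break the alphabetical order of their lists (`Runner.Listener`, `terraform-provi`, `Runner.Worker` and `git`, `GoogleUpdater`, `git-remote-http`). The WHERE clause continues beyond the last hunk.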


@ -33,6 +33,7 @@ WHERE
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',


@ -53,6 +53,7 @@ WHERE
-- port is capped at 49152 to represent transient ports
AND NOT exception_key IN (
'10011,6,0,launchd,Software Signing',
'10011,6,0,webfilterproxyd,Software Signing',
'1024,6,0,systemmigrationd,Software Signing',
'1313,6,500,hugo,',
'1338,6,500,registry,',
@ -65,7 +66,6 @@ WHERE
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'2112,6,500,fake,',
'2112,6,500,rekor-server,',
'3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'2112,6,500,timestamp-server,',
'22,6,0,launchd,Software Signing',
'22000,6,500,syncthing,',
@ -80,6 +80,8 @@ WHERE
'3080,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'3090,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'3180,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'3182,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'3306,6,500,mariadbd,',
'3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
@ -117,6 +119,8 @@ WHERE
'49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,node,',
'49152,6,500,qemu-system-aarch64,',
'33333,6,500,Ultimate,',
'49152,6,500,rapportd,Software Signing',
'49152,6,500,telepresence,',
'49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
@ -144,7 +148,6 @@ WHERE
'80,6,500,limactl,',
'8081,6,500,crane,',
'81,6,500,nginx,',
'49152,6,500,qemu-system-aarch64,',
'8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
'8770,6,500,sharingd,Software Signing',
'8771,6,500,sharingd,Software Signing',
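Review bot: `'33333,6,500,Ultimate,'` at L515 exempts a uid-500 listener on port 33333 with an empty signing field and a generic process name, and it is inserted in the middle of the 49152 block rather than in key order, so it reads like a leftover from local debugging. If it is intentional, a comment naming the product would justify the unsigned exception, e.g. `-- 33333: <product name> (unsigned)` with the placeholder filled in. The other edits in this section move `3181` and the `qemu-system-aarch64` row into sorted position, which suggests the list is meant to stay ordered. The WHERE clause starts before the first hunk.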


@ -35,6 +35,7 @@ WHERE
'/usr/lib/udev/rules.d/45-i2c-tools.rules',
'/usr/lib/udev/rules.d/50-apport.rules',
'/usr/lib/udev/rules.d/60-ddcutil.rules',
'/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
'/usr/lib/udev/rules.d/60-drm.rules',
'/usr/lib/udev/rules.d/60-net.rules',
'/usr/lib/udev/rules.d/60-rfkill.rules',


@ -97,6 +97,7 @@ WHERE
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
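Review bot: `'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755'` at L545 exempts a bash whose third key field is 0 — presumably the uid, going by the `agetty` rows around it — running inside `user-1000.slice`, which is the shape of an elevated shell inside an interactive user session, so it deserves a comment explaining the source of the false positive rather than a bare entry. It is also placed between two `agetty` rows instead of in sorted position with the other `b` entries. The key layout and the WHERE clause are defined before this hunk.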


@ -204,6 +204,7 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/colorsync.displayservices',
'/usr/libexec/colorsyncd',
'/usr/libexec/configd',
'/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater',
'/usr/libexec/containermanagerd',
'/usr/libexec/corebrightnessd',
'/usr/libexec/coreduetd',


@ -66,7 +66,7 @@ WHERE
$avahi = "avahi-daemon:"
$redhat4 = "Red Hat 4"
condition:
filesize < 25MB and 3 of them
filesize < 25MB and 4 of them
}'
AND yara.count > 0
AND p0.name NOT IN (
@ -83,6 +83,7 @@ WHERE
AND p0.path NOT LIKE '%/chrome_crashpad_handler'
AND p0.path NOT LIKE '/nix/store/%/bin/%'
AND p0.path NOT LIKE '/nix/store/%/libexec/%'
AND p0.path NOT LIKE '/usr/local/aws-cli/%/aws'
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
AND p0.path NOT IN (
'/bin/bash',