diff --git a/detection/impact/unexpected-etc-hosts.sql b/detection/impact/unexpected-etc-hosts.sql
index 3f30807..0b6a3cf 100644
--- a/detection/impact/unexpected-etc-hosts.sql
+++ b/detection/impact/unexpected-etc-hosts.sql
@@ -21,6 +21,7 @@ WHERE
 )
 AND hostnames NOT LIKE 'localhost.%'
 AND hostnames NOT LIKE '%.svc'
+ AND hostnames NOT LIKE '%.%-%.%.dev'
 AND hostnames NOT LIKE '%.test'
 AND hostnames NOT LIKE '%.internal'
 AND hostnames NOT LIKE '%.local'
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index b5f2d4e..6792247 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -1,5 +1,5 @@
 SELECT
- description AS "desc",
+ description AS 'desc',
 fragment_path AS path,
 hash.sha256,
 file.ctime,
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 8124ad1..5668db9 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -1,7 +1,7 @@
 SELECT
 name,
 profile,
- chrome_extensions.description AS "descr",
+ chrome_extensions.description AS 'descr',
 persistent AS persists,
 author,
 chrome_extensions.path,
@@ -9,7 +9,7 @@ SELECT
 file.ctime,
 from_webstore AS in_store,
 CAST(permissions AS text) AS perms,
- state AS "enabled",
+ state AS 'enabled',
 CONCAT (
 from_webstore,
 ',',
diff --git a/{}.conf b/{}.conf
new file mode 100644
index 0000000..bc32144
--- /dev/null
+++ b/{}.conf
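Review bot: The added `AND hostnames NOT LIKE '%.%-%.%.dev'` exempts a shape of hostname under `.dev`, which is a public gTLD, whereas the neighbouring exclusions (`.svc`, `.test`, `.internal`, `.local`) are cluster-internal or reserved suffixes; an /etc/hosts override for any public name of that shape is now silent in this detection. The hunk does not say which tooling produces these entries, so a comment naming the convention, along the lines of `-- <tool>-generated dev-environment hostnames` with the tool filled in, would keep the exclusion auditable, and anchoring the pattern to that tool's fixed label rather than bare `%` wildcards would narrow it. The enclosing WHERE clause starts before the hunk.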
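Review bot: `description AS 'desc'` puts a single-quoted string literal where an alias identifier is expected; SQLite tolerates this by reading the literal as an identifier, but that is engine-specific leniency rather than the standard double-quoted identifier the line replaces, and `desc` does need some quoting because it is a keyword. The diff does not say why the quoting was flipped, so if the single-quote form is the repository's chosen convention (a formatter's output, for instance), a short comment in the file stating that would stop the next reviewer reverting it; otherwise `description AS "desc"` is the portable spelling. The same applies to the `'descr'` and `'enabled'` aliases in both hunks of unexpected-chrome-extensions.sql.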
@@ -0,0 +1,5858 @@ +{ + "queries": { + "unexpected-dns-traffic": { + "query": "SELECT \ + s.family, \ + protocol, \ + s.local_port, \ + s.remote_port, \ + s.local_address, \ + s.remote_address, \ + p.name, \ + p.path, \ + p.cmdline AS child_cmd, \ + p.cwd, \ + s.pid, \ + p.parent AS parent_pid, \ + pp.cmdline AS parent_cmd, \ + hash.sha256, \ + GROUP_CONCAT( \ + ( \ + SELECT DISTINCT \ + address \ + FROM \ + dns_resolvers \ + WHERE \ + type = 'nameserver' \ + AND address != '' \ + ), \ + ',' \ + ) AS sys_resolvers, \ + CONCAT (p.name, ',', remote_address, ',', remote_port) AS exception_key \ + FROM \ + process_open_sockets s \ + LEFT JOIN processes p ON s.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + remote_port IN (53, 5353) \ + AND remote_address NOT LIKE '%:%' \ + AND s.remote_address NOT LIKE '172.1%' \ + AND s.remote_address NOT LIKE '172.2%' \ + AND s.remote_address NOT LIKE '172.30.%' \ + AND s.remote_address NOT LIKE '172.31.%' \ + AND s.remote_address NOT LIKE '10.%' \ + AND s.remote_address NOT LIKE '192.168.%' \ + AND s.remote_address NOT LIKE '127.%' \ + AND remote_address NOT IN ( \ + SELECT DISTINCT \ + address \ + FROM \ + dns_resolvers \ + WHERE \ + type = 'nameserver' \ + and address != '' \ + ) \ + AND NOT ( \ + s.pid = -1 \ + AND s.remote_port = 53 \ + and s.protocol = 17 \ + and p.parent = '' \ + ) \ + AND s.remote_address NOT IN ( \ + '1.1.1.1', \ + '1.1.1.2', \ + '8.8.8.8', \ + '8.8.4.4', \ + '208.67.222.222', \ + '75.75.75.75', \ + '68.105.28.13' \ + ) \ + AND exception_key NOT IN ( \ + 'coredns,0.0.0.0,53', \ + 'nessusd,50.16.123.71,53', \ + 'syncthing,46.162.192.181,53' \ + ) \ + AND p.path NOT IN ( \ + '/usr/lib/systemd/systemd-resolved', \ + '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', \ + '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper' \ + ) \ + AND p.path NOT LIKE 
'/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' \ + GROUP BY \ + s.remote_address, \ + s.remote_port \ + HAVING \ + remote_address != '';", + "interval": "10800", + "description": "Catch DNS traffic going to machines other than the host-configured DNS server (state-based)" + }, + "unexpected-dns-traffic-events": { + "query": "SELECT \ + protocol, \ + s.remote_port, \ + s.remote_address, \ + p.name, \ + p.path, \ + p.cmdline AS child_cmd, \ + p.cwd, \ + s.pid, \ + p.parent AS parent_pid, \ + pp.cmdline AS parent_cmd, \ + hash.sha256, \ + CONCAT (p.name, ',', remote_address, ',', remote_port) AS exception_key \ + FROM \ + socket_events s \ + LEFT JOIN processes p ON s.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + s.time > (strftime('%s', 'now') -120) \ + AND remote_port IN (53, 5353) \ + AND remote_address NOT LIKE '%:%' \ + AND s.remote_address NOT LIKE '172.1%' \ + AND s.remote_address NOT LIKE '172.2%' \ + AND s.remote_address NOT LIKE '172.30.%' \ + AND s.remote_address NOT LIKE '172.31.%' \ + AND s.remote_address NOT LIKE '10.%' \ + AND s.remote_address NOT LIKE '192.168.%' \ + AND s.remote_address NOT LIKE '127.%' \ + AND remote_address NOT IN ( \ + SELECT DISTINCT \ + address \ + FROM \ + dns_resolvers \ + WHERE \ + type = 'nameserver' \ + and address != '' \ + ) \ + AND NOT ( \ + s.pid = -1 \ + AND s.remote_port = 53 \ + and p.parent = '' \ + ) \ + AND s.remote_address NOT IN ( \ + '1.1.1.1', \ + '1.1.1.2', \ + '8.8.8.8', \ + '8.8.4.4', \ + '208.67.222.222', \ + '75.75.75.75', \ + '75.75.76.76', \ + '68.105.28.13' \ + ) \ + AND exception_key NOT IN ( \ + 'coredns,0.0.0.0,53', \ + 'syncthing,46.162.192.181,53' \ + ) \ + AND p.name != 'nessusd' \ + AND p.path NOT IN ( \ + '/usr/lib/systemd/systemd-resolved', \ + '/Library/Nessus/run/sbin/nessusd', \ + 
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', \ + '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper' \ + ) \ + AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' \ + GROUP BY \ + s.remote_address, \ + s.remote_port \ + HAVING \ + remote_address != '';", + "interval": "120", + "description": "Catch DNS traffic going to machines other than the host-configured DNS server (event-based)" + }, + "unexpected-icmp-socket": { + "query": "SELECT \ + pop.pid, \ + p.path, \ + p.cmdline \ + FROM \ + process_open_sockets pop \ + JOIN processes p ON pop.pid = p.pid \ + WHERE \ + family = 2 \ + AND protocol = 1 \ + AND p.name NOT IN ('ping');", + "interval": "10800", + "description": "Unexpected programs speaking over ICMP (state-based)" + }, + "unexpected-listening-port-linux": { + "query": "SELECT \ + lp.address, \ + lp.port, \ + lp.protocol, \ + p.uid, \ + p.pid, \ + p.name, \ + p.path, \ + p.cmdline, \ + p.cwd, \ + hash.sha256, \ + CONCAT ( \ + MIN(lp.port, 32768), \ + ',', \ + lp.protocol, \ + ',', \ + MIN(p.uid, 500), \ + ',', \ + p.name \ + ) AS exception_key \ + FROM \ + listening_ports lp \ + LEFT JOIN processes p ON lp.pid = p.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + port != 0 \ + AND lp.address NOT IN ('224.0.0.251', '::1') \ + AND lp.address NOT LIKE '127.0.0.%' \ + AND lp.address NOT LIKE '172.1%' \ + AND lp.address NOT LIKE 'fe80::%' \ + AND lp.address NOT LIKE '::ffff:127.0.0.%' \ + AND NOT ( \ + lp.protocol = 17 \ + AND lp.port > 1024 \ + ) \ + AND NOT ( \ + p.uid > 500 \ + AND lp.port IN (8000, 8080) \ + AND lp.protocol = 6 \ + ) \ + AND NOT (p.pid == '') \ + AND NOT CONCAT ( \ + MIN(lp.port, 32768), \ + ',', \ + lp.protocol, \ + ',', \ + MIN(p.uid, 500), \ + ',', \ + p.name \ + ) IN ( \ + '10250,6,0,kubelet', \ + 
'10256,6,0,kube-proxy', \ + '1716,6,500,kdeconnectd', \ + '17,255,0,dhcpcd', \ + '17,255,500,dhcpcd', \ + '22000,6,500,syncthing', \ + '22,6,0,sshd', \ + '3000,6,472,grafana-server', \ + '3000,6,500,grafana-server', \ + '32768,6,0,tailscaled', \ + '32768,6,0,.tailscaled-wra', \ + '32768,6,500,com.docker.backend', \ + '32768,6,500,dleyna-renderer', \ + '32768,6,500,spotify', \ + '3551,6,0,apcupsd', \ + '4143,6,500,linkerd2-proxy', \ + '4191,6,500,linkerd2-proxy', \ + '443,6,500,jcef_helper', \ + '4443,6,500,metrics-server', \ + '5000,6,500,ControlCenter', \ + '5001,6,0,registry', \ + '53,17,0,coredns', \ + '53,17,500,dnsmasq', \ + '5355,6,193,systemd-resolve', \ + '53,6,0,coredns', \ + '53,6,500,dnsmasq', \ + '5432,6,70,postgres', \ + '546,17,500,dhcpcd', \ + '58,255,0,dhcpcd', \ + '58,255,0,NetworkManager', \ + '58,255,500,dhcpcd', \ + '631,17,0,cups-browsed', \ + '6379,6,500,redis-server', \ + '6443,6,0,kube-apiserver', \ + '67,17,500,dnsmasq', \ + '68,17,500,dhcpcd', \ + '7000,6,500,ControlCenter', \ + '8008,6,500,controlplane', \ + '8009,6,0,java', \ + '80,6,60,nginx', \ + '8080,6,0,coredns', \ + '8080,6,0,java', \ + '8086,6,0,influxd', \ + '8086,6,500,controller', \ + '8086,6,500,influxd', \ + '8090,6,500,linkerd-policy-', \ + '8123,6,500,Brackets-node', \ + '8181,6,0,coredns', \ + '8443,6,0,kube-apiserver', \ + '8443,6,500,controller', \ + '8443,6,500,controlplane', \ + '9000,6,500,authentik-proxy', \ + '9090,6,500,controlplane', \ + '9153,6,0,coredns', \ + '9300,6,500,authentik-proxy' \ + ) \ + AND NOT ( \ + p.path LIKE ',ko-app,%' \ + AND lp.port > 1024 \ + and lp.protocol = 6 \ + ) \ + AND NOT ( \ + p.name IN ('hugo', 'docker-proxy', 'rootlessport') \ + AND lp.port > 1024 \ + and lp.protocol = 6 \ + ) \ + GROUP BY \ + exception_key;", + "interval": "10800", + "platform": "linux", + "description": "Unexpected programs listening on a TCP port (state-based)." 
+ }, + "unexpected-listening-port-macos": { + "query": "SELECT \ + lp.address, \ + lp.port, \ + lp.protocol, \ + p.uid, \ + p.pid, \ + p.name, \ + p.path, \ + p.cmdline, \ + p.cwd, \ + hash.sha256, \ + signature.authority AS program_authority, \ + CONCAT ( \ + MIN(lp.port, 49152), \ + ',', \ + lp.protocol, \ + ',', \ + MIN(p.uid, 500), \ + ',', \ + p.name, \ + ',', \ + signature.authority \ + ) AS exception_key \ + FROM \ + listening_ports lp \ + LEFT JOIN processes p ON lp.pid = p.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN signature ON p.path = signature.path \ + WHERE \ + port != 0 \ + AND lp.address NOT IN ('224.0.0.251', '::1') \ + AND lp.address NOT LIKE '127.0.0.%' \ + AND lp.address NOT LIKE '172.1%' \ + AND lp.address NOT LIKE 'fe80::%' \ + AND lp.address NOT LIKE '::ffff:127.0.0.%' \ + AND NOT ( \ + lp.protocol = 17 \ + AND lp.port > 1024 \ + ) \ + AND NOT ( \ + p.uid > 500 \ + AND lp.port IN (8000, 8080) \ + AND lp.protocol = 6 \ + ) \ + AND NOT (p.pid == '') \ + AND NOT exception_key IN ( \ + '10011,6,0,launchd,Software Signing', \ + '1313,6,500,hugo,', \ + '1338,6,500,registry,', \ + '137,17,0,launchd,Software Signing', \ + '137,17,222,netbiosd,Software Signing', \ + '138,17,0,launchd,Software Signing', \ + '138,17,222,netbiosd,Software Signing', \ + '16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)', \ + '17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', \ + '2112,6,500,fake,', \ + '2112,6,500,rekor-server,', \ + '88,17,0,kdc,Software Signing', \ + '22,6,0,launchd,Software Signing', \ + '22000,6,500,syncthing,', \ + '24678,6,500,node,', \ + '2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \ + '3306,6,500,mariadbd,', \ + '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + '3400,6,500,Sonos,Developer ID Application: Sonos, Inc. 
(2G4LW83Q3E)', \ + '41949,6,500,IPNExtension,Apple Mac OS Application Signing', \ + '43398,6,500,IPNExtension,Apple Mac OS Application Signing', \ + '443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \ + '45972,6,500,IPNExtension,Apple Mac OS Application Signing', \ + '49152,6,0,AirPlayXPCHelper,Software Signing', \ + '49152,6,0,AirPlayXPCHelper,Software Signing', \ + '49152,6,0,launchd,Software Signing', \ + '49152,6,0,remoted,Software Signing', \ + '49152,6,0,remotepairingdeviced,Software Signing', \ + '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \ + '49152,6,500,GarageBand,Apple Mac OS Application Signing', \ + '49152,6,500,IPNExtension,Apple Mac OS Application Signing', \ + '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + '49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)', \ + '49152,6,500,Music,Software Signing', \ + '49152,6,500,node,', \ + '49152,6,500,rapportd,Software Signing', \ + '49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)', \ + '49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)', \ + '49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)', \ + '49152,6,500,telepresence,', \ + '49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)', \ + '49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)', \ + '5000,6,500,ControlCenter,Software Signing', \ + '5060,6,500,CommCenter,Software Signing', \ + '546,17,0,configd,Software Signing', \ + '5900,6,0,launchd,Software Signing', \ + '5900,6,0,screensharingd,Software Signing', \ + '6000,6,500,X11.bin,Developer ID Application: Apple Inc. 
- XQuartz (NA574AWV7E)', \ + '631,6,0,cupsd,Software Signing', \ + '68,17,0,configd,Software Signing', \ + '7000,6,500,ControlCenter,Software Signing', \ + '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \ + '8770,6,500,sharingd,Software Signing', \ + '88,6,0,kdc,Software Signing', \ + '8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8831,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8832,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)', \ + '9101,6,500,github_actions_exporter,', \ + '8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)' \ + ) \ + AND NOT ( \ + p.path LIKE ',ko-app,%' \ + AND lp.port > 1024 \ + and lp.protocol = 6 \ + ) \ + AND NOT ( \ + p.name IN ('hugo', 'node', 'com.docker.backend') \ + AND lp.port > 1024 \ + and lp.protocol = 6 \ + ) \ + AND NOT ( \ + p.path LIKE '/private/var/folders/%/go-build%/exe/%' \ + AND lp.port > 1024 \ + AND lp.protocol = 6 \ + ) \ + AND NOT ( \ + p.cwd LIKE '/Users/%/src/%' \ + AND p.cmdline LIKE './%' \ + AND lp.port > 1024 \ + AND lp.protocol = 6 \ + ) \ + GROUP BY \ + exception_key;", + "interval": "10800", + "platform": "darwin", + "description": "Unexpected programs listening on a TCP port." 
+ }, + "unexpected-talkers-linux": { + "query": "SELECT \ + s.family, \ + protocol, \ + s.local_port, \ + s.remote_port, \ + s.local_address, \ + s.remote_address, \ + p.name, \ + p.path, \ + p.cmdline AS child_cmd, \ + p.cwd, \ + s.pid, \ + s.net_namespace, \ + pp.path AS parent_path, \ + p.parent AS parent_pid, \ + pp.cmdline AS parent_cmd, \ + hash.sha256, \ + CONCAT ( \ + MIN(s.remote_port, 32768), \ + ',', \ + protocol, \ + ',', \ + MIN(p.uid, 500), \ + ',', \ + p.name \ + ) AS exception_key \ + FROM \ + process_open_sockets s \ + LEFT JOIN processes p ON s.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + protocol > 0 \ + AND s.remote_port > 0 \ + AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1') \ + AND s.remote_address NOT LIKE 'fe80:%' \ + AND s.remote_address NOT LIKE '127.%' \ + AND s.remote_address NOT LIKE '192.168.%' \ + AND s.remote_address NOT LIKE '172.1%' \ + AND s.remote_address NOT LIKE '172.2%' \ + AND s.remote_address NOT LIKE '172.30.%' \ + AND s.remote_address NOT LIKE '172.31.%' \ + AND s.remote_address NOT LIKE '::ffff:172.%' \ + AND s.remote_address NOT LIKE '10.%' \ + AND s.remote_address NOT LIKE '::ffff:10.%' \ + AND s.remote_address NOT LIKE 'fc00:%' \ + AND s.state != 'LISTEN' \ + AND NOT ( \ + remote_port = 53 \ + AND protocol IN (6, 17) \ + AND p.name IN ( \ + '1password', \ + 'apt', \ + 'apt-get', \ + 'Brackets', \ + 'chainctl', \ + 'chrome', \ + 'chronyd', \ + 'cloud_sql_proxy', \ + 'code', \ + 'containerd', \ + 'controlplane', \ + 'crc', \ + 'curl', \ + 'dig', \ + 'dnf', \ + 'electron', \ + 'firefox', \ + '.firefox-wrappe', \ + 'flameshot', \ + 'gh', \ + 'git-remote-http', \ + 'gitsign', \ + 'gnome-software', \ + 'go', \ + 'grafana-server', \ + 'grype', \ + 'host', \ + 'htop', \ + 'istioctl', \ + 'jcef_helper', \ + 'k6', \ + 'k9s', \ + 'ko', \ + 'kolide-pipeline', \ + 'launcher', \ + 'NetworkManager', \ + 'ngrok', \ + 'nix', \ + 'node', \ + 
'nscd', \ + 'obs', \ + 'obs-browser-page', \ + 'obs-ffmpeg-mux', \ + 'obsidian', \ + 'opera', \ + 'pacman', \ + 'ping', \ + 'podman', \ + 'prometheus', \ + 'rootlessport', \ + 'signal-desktop', \ + 'slack', \ + 'slirp4netns', \ + 'snapd', \ + 'snap-store', \ + 'Socket Process', \ + 'spotify', \ + 'ssh', \ + 'steam', \ + 'steamwebhelper', \ + 'syncthing', \ + 'systemd-resolve', \ + 'tailscaled', \ + '.tailscaled-wra', \ + 'terraform', \ + 'terraform-provi', \ + 'tkn', \ + 'traceroute', \ + 'vcluster', \ + 'wget', \ + 'whois', \ + 'xmobar', \ + 'yay', \ + 'zoom' \ + ) \ + ) \ + AND NOT exception_key IN ( \ + '123,17,,', \ + '123,17,500,chronyd', \ + '22067,6,500,syncthing', \ + '22,6,,', \ + '22,6,500,ssh', \ + '27024,6,500,steam', \ + '3100,6,500,firefox', \ + '3100,6,500,k6', \ + '32768,6,0,tailscaled', \ + '3307,6,500,cloud_sql_proxy', \ + '4070,6,500,spotify', \ + '443,17,500,chrome', \ + '443,17,500,electron', \ + '443,17,500,jcef_helper', \ + '443,17,500,slack', \ + '443,17,500,spotify', \ + '443,6,0,apk', \ + '443,6,0,containerd', \ + '443,6,0,depmod', \ + '443,6,0,dirmngr', \ + '443,6,0,dnf', \ + '443,6,0,dockerd', \ + '443,6,0,influxd', \ + '443,6,0,launcher', \ + '443,6,0,nix', \ + '443,6,0,nix-daemon', \ + '443,6,0,packagekitd', \ + '443,6,0,pacman', \ + '443,6,0,snapd', \ + '443,6,0,systemctl', \ + '443,6,0,tailscaled', \ + '443,6,0,.tailscaled-wra', \ + '443,6,0,yum', \ + '443,6,105,https', \ + '443,6,472,grafana-server', \ + '443,6,500,1password', \ + '443,6,500,authentik-proxy', \ + '443,6,500,aws', \ + '443,6,500,Brackets', \ + '443,6,500,celery', \ + '443,6,500,chainctl', \ + '443,6,500,chrome', \ + '443,6,500,cloud_sql_proxy', \ + '443,6,500,code', \ + '443,6,500,containerd', \ + '443,6,500,controlplane', \ + '443,6,500,cosign', \ + '443,6,500,crane', \ + '443,6,500,CrBrowserMain', \ + '443,6,500,crc', \ + '443,6,500,CrUtilityMain', \ + '443,6,500,curl', \ + '443,6,500,Discord', \ + '443,6,500,electron', \ + '443,6,500,emacs', \ + 
'443,6,500,firefox', \ + '443,6,500,.firefox-wrappe', \ + '443,6,500,flameshot', \ + '443,6,500,geoclue', \ + '443,6,500,gh', \ + '443,6,500,git-remote-http', \ + '443,6,500,gitsign', \ + '443,6,500,gnome-shell', \ + '443,6,500,gnome-software', \ + '443,6,500,go', \ + '443,6,500,___go_build_github_com_anchore_grype,a.out,', \ + '443,6,500,grafana-server', \ + '443,6,500,grype', \ + '443,6,500,gunicorn', \ + '443,6,500,gvfsd-http', \ + '443,6,500,htop', \ + '443,6,500,influxd', \ + '443,6,500,istioctl', \ + '443,6,500,java', \ + '443,6,500,jcef_helper', \ + '443,6,500,jetbrains-toolb', \ + '443,6,500,k6', \ + '443,6,500,k9s', \ + '443,6,500,ko', \ + '443,6,500,kolide-pipeline', \ + '443,6,500,kubectl', \ + '443,6,500,minicli', \ + '443,6,500,ngrok', \ + '443,6,500,nix', \ + '443,6,500,node', \ + '443,6,500,obs', \ + '443,6,500,obs-browser-page', \ + '443,6,500,obs-ffmpeg-mux', \ + '443,6,500,obsidian', \ + '443,6,500,pingsender', \ + '443,6,500,pip', \ + '443,6,500,podman', \ + '443,6,500,signal-desktop', \ + '443,6,500,slack', \ + '443,6,500,slirp4netns', \ + '443,6,500,snap-store', \ + '443,6,500,Socket Process', \ + '443,6,500,spotify', \ + '443,6,500,steamwebhelper', \ + '443,6,500,teams', \ + '443,6,500,terraform', \ + '443,6,500,terraform-provi', \ + '443,6,500,tkn', \ + '443,6,500,.tox-wrapped', \ + '443,6,500,trivy', \ + '443,6,500,vcluster', \ + '443,6,500,vim', \ + '443,6,500,WebKitNetworkPr', \ + '443,6,500,wget', \ + '443,6,500,wineserver', \ + '443,6,500,x11-ssh-askpass', \ + '443,6,500,xmobar', \ + '443,6,500,yay', \ + '443,6,500,zoom', \ + '5228,6,500,chrome', \ + '6000,6,500,ssh', \ + '80,6,0,mkinitcpio', \ + '67,17,0,NetworkManager', \ + '7903,6,500,syncthing', \ + '8006,6,500,chrome', \ + '80,6,0,dnf', \ + '80,6,0,gdk-pixbuf-quer', \ + '80,6,0,NetworkManager', \ + '80,6,0,pacman', \ + '80,6,0,tailscaled', \ + '80,6,0,.tailscaled-wra', \ + '443,6,0,yay', \ + '80,6,0,yum', \ + '443,6,500,rustup', \ + '443,6,500,cargo', \ + '80,6,500,thunderbird', \ + 
'80,6,105,http', \ + '80,6,500,curl', \ + '80,6,500,firefox', \ + '80,6,500,.firefox-wrappe', \ + '80,6,500,gitsign', \ + '80,6,500,slack', \ + '80,6,500,spotify', \ + '80,6,500,steam', \ + '80,6,500,steamwebhelper', \ + '80,6,500,syncthing', \ + '8801,17,500,zoom', \ + '9090,6,500,firefox', \ + '9090,6,500,k6', \ + '9090,6,500,prometheus', \ + '9090,6,500,rootlessport' \ + ) \ + AND NOT ( \ + ( \ + remote_address LIKE '151.101.%' \ + OR remote_address LIKE '140.82.%' \ + ) \ + AND remote_port = 443 \ + AND protocol = 6 \ + AND ( \ + parent_path LIKE '/nix/%/bin/bash' \ + OR parent_path LIKE '/nix/%/bin/zsh' \ + OR parent_path LIKE '%/bin/nix' \ + OR p.path LIKE '/nix/store/%' \ + ) \ + ) \ + AND NOT p.cmdline LIKE 'bash --rcfile /tmp/nix-shell.%' -- Other more complicated situations \ + AND NOT ( \ + p.name = 'rootlessport' \ + AND remote_port > 1024 \ + ) \ + AND NOT ( \ + p.name = 'syncthing' \ + AND ( \ + remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451) \ + OR remote_port > 1024 \ + ) \ + ) \ + AND NOT ( \ + p.name IN ( \ + 'chrome', \ + 'Google Chrome Helper', \ + 'Brave Browser Helper', \ + 'Chromium Helper', \ + 'Opera Helper' \ + ) \ + AND remote_port IN ( \ + 53, \ + 3100, \ + 443, \ + 80, \ + 8006, \ + 9000, \ + 5004, \ + 8009, \ + 8080, \ + 8888, \ + 8443, \ + 5228, \ + 32211, \ + 53, \ + 10001, \ + 3478, \ + 19305, \ + 19306, \ + 19307, \ + 19308, \ + 19309 \ + ) \ + ) \ + AND NOT ( \ + p.name IN ('thunderbird') \ + AND remote_port IN (53, 143, 443, 587, 465, 585, 993) \ + ) \ + AND NOT ( \ + p.name IN ('spotify', 'Spotify Helper', 'Spotify') \ + AND remote_port IN (53, 443, 8009, 4070, 32211) \ + ) \ + AND NOT ( \ + remote_port IN (443, 53) \ + AND p.name LIKE 'terraform-provider-%' \ + ) \ + AND NOT ( \ + remote_port IN (443, 53) \ + AND p.name LIKE 'npm exec %' \ + ) \ + AND NOT ( \ + remote_port iN (443, 53) \ + AND p.name LIKE 'kubectl.%' \ + ) \ + AND NOT ( \ + p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' \ + AND remote_port IN 
(80, 53, 443) \ + ) \ + GROUP BY \ + p.cmdline;", + "interval": "10800", + "platform": "linux", + "description": "Programs communicating over the network in unexpected ways (state-based)" + }, + "unexpected-talkers-macos": { + "query": "SELECT \ + protocol, \ + s.local_port, \ + s.remote_port, \ + s.remote_address, \ + p.name, \ + p.path, \ + p.cmdline AS child_cmd, \ + p.cwd, \ + s.pid, \ + p.parent AS parent_pid, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + hash.sha256, \ + CONCAT ( \ + MIN(s.remote_port, 32768), \ + ',', \ + protocol, \ + ',', \ + MIN(p.uid, 500), \ + ',', \ + p.name, \ + ',', \ + signature.identifier, \ + ',', \ + signature.authority \ + ) AS exception_key \ + FROM \ + process_open_sockets s \ + LEFT JOIN processes p ON s.pid = p.pid \ + LEFT JOIN processes pp ON pp.pid = p.parent \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN signature ON p.path = signature.path \ + WHERE \ + protocol > 0 \ + AND s.remote_port > 0 \ + AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1') \ + AND s.remote_address NOT LIKE 'fe80:%' \ + AND s.remote_address NOT LIKE '127.%' \ + AND s.remote_address NOT LIKE '192.168.%' \ + AND s.remote_address NOT LIKE '172.1%' \ + AND s.remote_address NOT LIKE '172.2%' \ + AND s.remote_address NOT LIKE '172.30.%' \ + AND s.remote_address NOT LIKE '172.31.%' \ + AND s.remote_address NOT LIKE '::ffff:172.%' \ + AND s.remote_address NOT LIKE '10.%' \ + AND s.remote_address NOT LIKE '::ffff:10.%' \ + AND s.remote_address NOT LIKE 'fc00:%' \ + AND s.state != 'LISTEN' \ + AND p.path NOT LIKE '/Applications/%.app/Contents/%' \ + AND p.path NOT LIKE '/Library/Apple/System/Library/%' \ + AND p.path NOT LIKE '/Library/Application Support/%/Contents/%' \ + AND p.path NOT LIKE '/System/Applications/%' \ + AND p.path NOT LIKE '/System/Library/%' \ + AND p.path NOT LIKE '/Users/%/Library/%.app/Contents/MacOS/%' \ + AND p.path NOT LIKE '/System/%' \ + AND p.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%' \ 
+ AND p.path NOT LIKE '/usr/libexec/%' \ + AND p.path NOT LIKE '/usr/sbin/%' \ + AND p.path NOT LIKE '/private/var/folders/%/go-build%/%' \ + AND NOT ( \ + remote_port = 53 \ + AND protocol IN (6, 17) \ + AND p.name IN ( \ + '1password', \ + 'Acrobat Update Helper', \ + 'chainctl', \ + 'cloud_sql_proxy', \ + 'Code Helper', \ + 'com.apple.MobileSoftwareUpdate.UpdateBrainService', \ + 'cosign', \ + 'crc', \ + 'curl', \ + 'dig', \ + 'Evernote Helper', \ + 'figma_agent', \ + 'gh', \ + 'git-remote-http', \ + 'gitsign', \ + 'go', \ + 'grafana-server', \ + 'grype', \ + 'host', \ + 'htop', \ + 'istioctl', \ + 'k6', \ + 'k9s', \ + 'ko', \ + 'launcher', \ + 'ngrok', \ + 'nix', \ + 'node', \ + 'obs', \ + 'obs-browser-page', \ + 'obs-ffmpeg-mux', \ + 'obsidian', \ + 'opera', \ + 'ping', \ + 'Python', \ + 'python3.10', \ + 'Reflect', \ + 'Reflect Helper', \ + 'ruby', \ + 'sample', \ + 'ssh', \ + 'steam_osx', \ + 'syncthing', \ + 'tailscaled', \ + 'terraform', \ + 'tkn', \ + 'traceroute', \ + 'vcluster', \ + 'wget', \ + 'whois', \ + 'zoom' \ + ) \ + ) \ + AND NOT exception_key IN ( \ + '22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)', \ + '22,6,500,ssh,,', \ + '22,6,500,ssh,com.apple.openssh,Software Signing', \ + '22,6,500,ssh,ssh,', \ + '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,', \ + '30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + '3307,6,500,cloud_sql_proxy,a.out,', \ + '43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. 
(G7HH3F8CAK)', \ + '443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', \ + '443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \ + '443,17,500,Slack Helper,,', \ + '443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', \ + '443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + '443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)', \ + '443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)', \ + '443,6,0,nix,nix,', \ + '443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + '443,6,500,,,', \ + '443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. 
(JQ525L2MZD)', \ + '443,6,500,bash,bash,', \ + '443,6,500,chainctl,,', \ + '443,6,500,chainctl,a.out,', \ + '443,6,500,chainctl_Darwin_arm64,a.out,', \ + '443,6,500,civo,a.out,', \ + '443,6,500,cloud_sql_proxy,a.out,', \ + '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,500,cosign,,', \ + '443,6,500,cosign,a.out,', \ + '443,6,500,crane,,', \ + '443,6,500,crane,a.out,', \ + '443,6,500,ctclient,a.out,', \ + '443,6,500,curl,com.apple.curl,Software Signing', \ + '443,6,500,docker-credential-gcr,a.out,', \ + '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,500,emacs-28.2,emacs-28.2,', \ + '443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', \ + '443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. 
(T8RA8NE3B7)', \ + '443,6,500,gh,a.out,', \ + '443,6,500,gh,gh,', \ + '443,6,500,git,com.apple.git,Software Signing', \ + '443,6,500,git,git,', \ + '443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing', \ + '443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,', \ + '443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,', \ + '443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,', \ + '443,6,500,gitsign,,', \ + '443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing', \ + '443,6,500,gitsign,a.out,', \ + '443,6,500,gitsign,gitsign,', \ + '443,6,500,go,a.out,', \ + '443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + '443,6,500,helm,a.out,', \ + '443,6,500,istioctl,a.out,', \ + '443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. 
(VB5E2TV963)', \ + '443,6,500,ko,a.out,', \ + '443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + '443,6,500,kubectl,,', \ + '443,6,500,kubectl,a.out,', \ + '443,6,500,limactl,,', \ + '443,6,500,main,a.out,', \ + '443,6,500,melange,a.out,', \ + '443,6,500,minikube,,', \ + '443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)', \ + '443,6,500,nix,nix,', \ + '443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)', \ + '443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + '443,6,500,prober,a.out,', \ + '443,6,500,pulumi-resource-gcp,a.out,', \ + '443,6,500,pulumi-resource-github,a.out,', \ + '443,6,500,python2.7,python2.7,', \ + '443,6,500,python3.10,python3.10,', \ + '443,6,500,Python,com.apple.python3,Software Signing', \ + '443,6,500,Python,org.python.python,', \ + '443,6,500,Python,Python,', \ + '443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \ + '443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \ + '443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing', \ + '443,6,500,scorecard-darwin-amd64,,', \ + '443,6,500,Slack Helper,,', \ + '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', \ + '443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', \ + '443,6,500,step,step,', \ + '443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)', \ + '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \ + '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \ + '443,6,500,vegeta,a.out,', \ + '443,6,500,vim,vim,', \ + '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. 
(BJ4HAAB9B3)', \ + '443,6,500,zsh,com.apple.zsh,Software Signing', \ + '53,17,500,docker-credential-gcr,a.out,', \ + '6000,6,500,ssh,,', \ + '6000,6,500,ssh,com.apple.openssh,Software Signing', \ + '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,', \ + '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', \ + '80,6,500,curl,com.apple.curl,Software Signing', \ + '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', \ + '80,6,500,webhook.test,a.out,' \ + ) \ + AND NOT ( \ + parent_cmd LIKE '%/tmp/nix-shell%' \ + AND remote_port = 443 \ + AND protocol = 6 \ + ) \ + AND NOT ( \ + ( \ + remote_address LIKE '151.101.%' \ + OR remote_address LIKE '140.82.%' \ + ) \ + AND remote_port = 443 \ + AND protocol = 6 \ + AND parent_path LIKE '/nix/%/bash' \ + ) \ + AND NOT ( \ + p.name = 'syncthing' \ + AND ( \ + remote_port IN (53, 80, 88, 110, 443, 587, 993) \ + OR remote_port > 1024 \ + ) \ + ) \ + AND NOT ( \ + p.name IN ( \ + 'Google Chrome Helper', \ + 'Brave Browser Helper', \ + 'Chromium Helper', \ + 'Opera Helper' \ + ) \ + AND remote_port IN ( \ + 53, \ + 443, \ + 80, \ + 8009, \ + 8080, \ + 8888, \ + 8443, \ + 5228, \ + 32211, \ + 53, \ + 10001, \ + 3478, \ + 19305, \ + 19306, \ + 5004, \ + 9000, \ + 19307, \ + 19308, \ + 19309 \ + ) \ + ) \ + AND NOT ( \ + p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') \ + AND remote_port IN (53, 143, 443, 587, 465, 585, 993) \ + ) \ + AND NOT ( \ + parent_path = '/Applications/Minecraft.app/Contents/MacOS/launcher' \ + AND remote_port > 30000 \ + ) \ + AND NOT ( \ + p.name IN ('Spotify Helper', 'Spotify') \ + AND remote_port IN (53, 443, 8009, 4070, 32211) \ + ) \ + AND NOT ( \ + remote_port IN (53, 443) \ + AND p.name LIKE 'terraform-provider-%' \ + ) \ + AND NOT ( \ + remote_port IN (53, 443) \ + AND p.name LIKE 
'kubectl.%' \ + ) \ + AND NOT ( \ + p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' \ + AND remote_port IN (80, 443, 53) \ + ) \ + AND NOT ( \ + p.path = '' \ + AND pp.cmdline LIKE '%/Slack' \ + ) \ + AND NOT ( \ + p.cmdline = '/Applications/Craft.app/Contents/MacOS/Craft' \ + AND remote_port = 443 \ + AND protocol = 6 \ + ) \ + AND NOT ( \ + remote_port IN (53, 443) \ + AND p.path LIKE '/private/var/folders/%/T/GoLand/%' \ + ) \ + GROUP BY \ + s.pid;", + "interval": "10800", + "platform": "macos", + "description": "Programs communicating over the network in unexpected ways (state-based)" + } + } +} +{ + "queries": { + "macos_keyboard_sniffer": { + "query": "SELECT \ + et.enabled, \ + et.process_being_tapped, \ + et.tapping_process, \ + p.path, \ + s.authority, \ + s.identifier, \ + h.sha256, \ + CONCAT ( \ + REPLACE( \ + p.path, \ + RTRIM(p.path, REPLACE(p.path, '/', '')), \ + '' \ + ), \ + ',', \ + identifier, \ + ',', \ + authority \ + ) AS exception_key \ + FROM \ + event_taps et \ + LEFT JOIN processes p ON et.tapping_process = p.pid \ + LEFT JOIN signature s ON s.path = p.path \ + LEFT JOIN hash h ON h.path = p.path \ + WHERE \ + event_tapped IN ('EventKeyDown', 'EventKeyUp') \ + AND authority != 'Software Signing' \ + AND NOT exception_key IN ( \ + 'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \ + 'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)', \ + 'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. 
(QED4VVPZWA)', \ + 'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)', \ + 'skhd,skhd,' \ + ) \ + GROUP BY \ + p.path;", + "interval": "10800", + "platform": "darwin", + "description": "Find programs that are sniffing keyboard events on macOS" + }, + "unexpected-dev-opener-linux": { + "query": "SELECT \ + pof.pid, \ + pof.path AS device, \ + p.path AS program, \ + p.name AS program_name, \ + p.cmdline AS cmdline, \ + hash.sha256, \ + CONCAT ( \ + IIF( \ + REGEX_MATCH ( \ + REPLACE(pof.path, ' (deleted)', ''), \ + '(/dev/.*)[\\d ]+$', \ + 1 \ + ) != '', \ + REGEX_MATCH ( \ + REPLACE(pof.path, ' (deleted)', ''), \ + '(/dev/.*)[\\d ]+$', \ + 1 \ + ), \ + REPLACE(pof.path, ' (deleted)', '') \ + ), \ + ',', \ + REPLACE( \ + p.path, \ + RTRIM(p.path, REPLACE(p.path, '/', '')), \ + '' \ + ) \ + ) AS path_exception, \ + CONCAT ( \ + TRIM( \ + REPLACE( \ + pof.path, \ + CONCAT ( \ + '/', \ + REPLACE( \ + pof.path, \ + RTRIM(pof.path, REPLACE(pof.path, '/', '')), \ + '' \ + ) \ + ), \ + '' \ + ) \ + ), \ + ',', \ + REPLACE( \ + p.path, \ + RTRIM(p.path, REPLACE(p.path, '/', '')), \ + '' \ + ) \ + ) AS dir_exception \ + FROM \ + process_open_files pof \ + LEFT JOIN processes p ON pof.pid = p.pid \ + LEFT JOIN hash ON hash.path = p.path \ + WHERE \ + pof.path LIKE '/dev/%' \ + AND pof.path NOT IN ( \ + '/dev/dri/card0', \ + '/dev/dri/card1', \ + '/dev/dri/renderD128', \ + '/dev/dri/renderD129', \ + '/dev/fuse', \ + '/dev/io8log', \ + '/dev/io8logmt', \ + '/dev/io8logtemp', \ + '/dev/null', \ + '/dev/nvidia-modeset', \ + '/dev/nvidia-uvm', \ + '/dev/nvidia0', \ + '/dev/nvidiactl', \ + '/dev/ptmx', \ + '/dev/pts/ptmx', \ + '/dev/random', \ + '/dev/rfkill', \ + '/dev/snd/seq', \ + '/dev/urandom', \ + '/dev/vga_arbiter', \ + '/dev/video10' \ + ) \ + AND pof.path NOT LIKE '/dev/pts/%' \ + AND pof.path NOT LIKE '/dev/snd/%' \ + AND pof.path NOT LIKE '/dev/tty%' \ + AND pof.path NOT LIKE '/dev/hidraw%' \ + AND pof.path NOT LIKE 
'/dev/shm/.com.google.Chrome.%' \ + AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%' \ + AND pof.path NOT LIKE '/dev/shm/authentik_%' \ + AND NOT dir_exception IN ( \ + '/dev/bus/usb,pcscd', \ + '/dev/bus/usb/001,pcscd', \ + '/dev/bus/usb/005,python3.10', \ + '/dev/input,acpid', \ + '/dev/kmsg,systemd-coredump', \ + '/dev/input,gnome-shell', \ + '/dev/input,systemd-logind', \ + '/dev/input,systemd', \ + '/dev/input,upowerd', \ + '/dev/input,Xorg', \ + '/dev/net,.tailscaled-wrapped', \ + '/dev/net,tailscaled', \ + '/dev/shm,1password', \ + '/dev/shm,chrome', \ + '/dev/shm,code', \ + '/dev/shm,electron', \ + '/dev/shm,Brackets', \ + '/dev/shm,firefox', \ + '/dev/shm,gopls', \ + '/dev/shm,java', \ + '/dev/shm,jcef_helper', \ + '/dev/shm,slack', \ + '/dev/shm,spotify', \ + '/dev/shm,steam', \ + '/dev/shm,steamwebhelper', \ + '/dev/shm,wine64-preloader', \ + '/dev/shm,winedevice.exe', \ + '/dev/snd,.pulseaudio-wrapped', \ + '/dev/snd,alsactl', \ + '/dev/net/tun,qemu-system-x86_64', \ + '/dev/snd,pipewire', \ + '/dev/snd,pulseaudio', \ + '/dev/snd,wireplumber' \ + ) \ + AND NOT path_exception IN ( \ + '/dev/autofs,systemd', \ + '/dev/hidraw,chrome', \ + '/dev/input/event,thermald', \ + '/dev/input/event,Xorg', \ + '/dev/kmsg,kubelet', \ + '/dev/kmsg,systemd', \ + '/dev/kmsg,systemd-journald', \ + '/dev/kvm,qemu-system-x86_64', \ + '/dev/mapper/control,dockerd', \ + '/dev/mcelog,mcelog', \ + '/dev/media,pipewire', \ + '/dev/media,wireplumber', \ + '/dev/net/tun,slirp4netns', \ + '/dev/tty,agetty', \ + '/dev/tty,gdm-wayland-session', \ + '/dev/tty,gdm-x-session', \ + '/dev/tty,systemd-logind', \ + '/dev/tty,Xorg', \ + '/dev/uinput,bluetoothd', \ + '/dev/usb/hiddev,apcupsd', \ + '/dev/usb/hiddev,upowerd', \ + '/dev/video,chrome', \ + '/dev/video,ffmpeg', \ + '/dev/video,firefox', \ + '/dev/video,obs', \ + '/dev/video,pipewire', \ + '/dev/video,zoom', \ + '/dev/video,obs-ffmpeg-mux', \ + '/dev/video,vlc', \ + '/dev/video,wireplumber', \ + '/dev/zfs,zed', \ + 
'/dev/zfs,zfs', \ + '/dev/zfs,zpool' \ + ) \ + AND NOT ( \ + device LIKE '/dev/bus/usb/%' \ + AND program_name IN ( \ + 'streamdeck', \ + 'gphoto2', \ + 'fwupd', \ + 'pcscd', \ + 'gvfs-gphoto2-vo', \ + 'gvfs-gphoto2-volume-monitor' \ + ) \ + ) \ + GROUP BY \ + pof.pid;", + "interval": "10800", + "platform": "linux", + "description": "Detects unexpected programs opening files in /dev on Linux" + }, + "unexpected-dev-opener-macos": { + "query": "SELECT \ + pof.pid, \ + pof.path AS device, \ + p.path AS program, \ + p.name AS program_name, \ + p.cmdline AS cmdline, \ + hash.sha256, \ + s.authority, \ + s.identifier, \ + CONCAT ( \ + IIF( \ + REGEX_MATCH (pof.path, '(/dev/.*)\\d+$', 1) != '', \ + REGEX_MATCH (pof.path, '(/dev/.*)\\d+', 1), \ + pof.path \ + ), \ + ',', \ + REPLACE( \ + p.path, \ + RTRIM(p.path, REPLACE(p.path, '/', '')), \ + '' \ + ), \ + ',', \ + s.authority, \ + ',', \ + s.identifier \ + ) AS exception_key \ + FROM \ + process_open_files pof \ + LEFT JOIN processes p ON pof.pid = p.pid \ + LEFT JOIN hash ON hash.path = p.path \ + LEFT JOIN signature s ON p.path = s.path \ + WHERE \ + pof.path LIKE '/dev/%' \ + AND pof.path NOT IN ( \ + '/dev/null', \ + '/dev/ptmx', \ + '/dev/random', \ + '/dev/tty', \ + '/dev/urandom' \ + ) \ + AND pof.path NOT LIKE '/dev/ttys%' \ + AND p.path NOT LIKE '/System/%' \ + AND p.path NOT LIKE '/usr/libexec/%' \ + AND p.path NOT LIKE '/usr/sbin/%' \ + AND exception_key NOT IN ( \ + '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond', \ + '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd', \ + '/dev/auditsessions,authd,Software Signing,com.apple.authd', \ + '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred', \ + '/dev/auditsessions,securityd,Software Signing,com.apple.securityd', \ + '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver', \ + '/dev/autofs,automountd,Software Signing,com.apple.automountd', \ + 
'/dev/bpf,airportd,Software Signing,com.apple.airport.airportd', \ + '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd', \ + '/dev/console,launchd,Software Signing,com.apple.xpc.launchd', \ + '/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd', \ + '/dev/io8log,airportd,Software Signing,com.apple.airport.airportd', \ + '/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter', \ + '/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd', \ + '/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \ + '/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd', \ + '/dev/io8logtemp,airportd,Software Signing,com.apple.airport.airportd', \ + '/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter', \ + '/dev/io8logtemp,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \ + '/dev/io8logtemp,symptomsd,Software Signing,com.apple.symptomsd', \ + '/dev/io8logtemp,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \ + '/dev/io8logtemp,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \ + '/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \ + '/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \ + '/dev/io,airportd,Software Signing,com.apple.airport.airportd', \ + '/dev/io,ControlCenter,Software Signing,com.apple.controlcenter', \ + '/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \ + '/dev/io,symptomsd,Software Signing,com.apple.symptomsd', \ + '/dev/io,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \ + '/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \ + '/dev/klog,syslogd,Software Signing,com.apple.syslogd', \ + '/dev/oslog,logd,Software Signing,com.apple.logd', \ + '/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \ + '/dev/xcpm,systemstats,Software Signing,com.apple.systemstats', \ + 
'/dev/xcpm,thermald,Software Signing,com.apple.thermald' \ + ) \ + GROUP BY \ + pof.pid;", + "interval": "10800", + "platform": "darwin", + "description": "Detects unexpected programs opening files in /dev on Linux" + }, + "unexpected-sensitive-file-access-linux": { + "query": "SELECT \ + pof.pid, \ + pof.fd, \ + pof.path, \ + f.uid AS file_uid, \ + p.cwd AS cwd, \ + p.euid, \ + p.uid AS process_uid, \ + p.name AS program_name, \ + p.cmdline AS cmdline, \ + pp.name AS parent_name, \ + pp.cwd AS parent_cwd, \ + pp.path AS parent_path, \ + hp.sha256 AS parent_sha256, \ + pf.filename AS program_base, \ + hash.sha256, \ + REPLACE(f.directory, u.directory, '~') AS dir, \ + CONCAT ( \ + pf.filename, \ + ',', \ + p.name, \ + ',', \ + IIF( \ + REGEX_MATCH ( \ + REPLACE(f.directory, u.directory, '~'), \ + '([/~].*?/.*?/.*?)/', \ + 1 \ + ) != '', \ + REGEX_MATCH ( \ + REPLACE(f.directory, u.directory, '~'), \ + '([/~].*?/.*?/.*?)/', \ + 1 \ + ), \ + REPLACE(f.directory, u.directory, '~') \ + ) \ + ) AS exception_key \ + FROM \ + process_open_files pof \ + LEFT JOIN processes p ON pof.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN file f ON pof.path = f.path \ + LEFT JOIN file pf ON p.path = pf.path \ + LEFT JOIN users u ON p.uid = u.uid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN hash hp ON pp.path = hp.path \ + WHERE \ + f.uid != '' \ + AND pf.filename != '' \ + AND ( \ + pof.path LIKE '/home/%/.ssh/%' \ + OR pof.path LIKE '/home/%/.mozilla/firefox/%' \ + OR pof.path LIKE '/home/%/.config/google-chrome/%' \ + OR pof.path LIKE '/root/.ssh/%' \ + OR pof.path LIKE '/root/.bash_history' \ + OR pof.path LIKE '/home/%/.config/gcloud/%' \ + OR pof.path LIKE '/home/%/.config/Slack/%' \ + OR pof.path LIKE '/home/%/.bash_history' \ + OR pof.path LIKE '/home/%/.cache/mozilla/firefox%' \ + OR pof.path LIKE '/home/%/.config/mozilla/firefox%' \ + OR pof.path LIKE '/home/%/.aws%' \ + ) \ + AND NOT ( \ + file_uid == process_uid \ + AND exception_key IN 
( \ + 'aws,aws,~/.aws', \ + 'chrome_crashpad_handler,chrome_crashpad,', \ + 'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome', \ + 'chrome,chrome,~/.config/google-chrome', \ + 'firefox,.firefox-wrappe,~/.cache/mozilla', \ + 'firefox,.firefox-wrappe,~/.mozilla/firefox', \ + 'firefox,file:// Content,~/.mozilla/firefox', \ + 'firefox,firefox,~/.cache/mozilla', \ + 'firefox,firefox,~/.mozilla/firefox', \ + 'firefox,file:// Content,~/.cache/mozilla', \ + 'firefox,firefox,~/snap/firefox', \ + 'firefox,Isolated Servic,~/.cache/mozilla', \ + 'firefox,Isolated Servic,~/snap/firefox', \ + 'firefox,Isolated Web Co,~/.cache/mozilla', \ + 'firefox,Isolated Web Co,~/.mozilla/firefox', \ + 'firefox,Isolated Web Co,~/snap/firefox', \ + 'firefox,Privileged Cont,~/.cache/mozilla', \ + 'firefox,Privileged Cont,~/.mozilla/firefox', \ + 'firefox,Privileged Cont,~/snap/firefox', \ + 'firefox,Web Content,~/.cache/mozilla', \ + 'firefox,Web Content,~/snap/firefox', \ + 'firefox,WebExtensions,~/.cache/mozilla', \ + 'firefox,WebExtensions,~/.mozilla/firefox', \ + 'firefox,WebExtensions,~/snap/firefox', \ + 'plugin-container,MainThread,~/.mozilla/firefox', \ + 'slack,slack,~/.config/Slack', \ + 'slack,slack,~/snap/slack' \ + ) \ + ) \ + GROUP BY \ + pof.pid, \ + pof.path;", + "interval": "10800", + "platform": "linux", + "description": "This query looks for exotic open file/process combinations" + } + } +} +{ + "queries": { + "unexpected-bpf-user": { + "query": "SELECT \ + SELECT \ + pmm.pid, \ + pmm.path AS lib_path, \ + p.path, \ + p.name, \ + p.cmdline, \ + p.cwd, \ + p.euid, \ + p.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + hash.sha256 AS child_sha256, \ + phash.sha256 AS parent_sha256 \ + FROM \ + process_memory_map pmm \ + LEFT JOIN processes p ON pmm.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT 
JOIN hash AS phash ON pp.path = phash.path \ + WHERE \ + ( \ + lib_path LIKE '%:bpf%' \ + OR lib_path LIKE '%libbpf%' \ + ) \ + AND p.path NOT IN ( \ + '/usr/bin/qemu-system-x86_64', \ + '/usr/lib/systemd/systemd' \ + ) \ + AND p.path NOT LIKE '/nix/store/%/lib/systemd/systemd' \ + GROUP BY \ + pmm.pid;", + "interval": "10800", + "platform": "darwin", + "description": "Find root-run processes which link against libpf" + }, + "unexpected-pcap-user-linux": { + "query": "SELECT \ + pmm.pid, \ + p.uid, \ + p.gid, \ + pmm.path AS lib_path, \ + p.path AS child_path, \ + p.name AS child_name, \ + p.cmdline AS child_cmd, \ + p.cwd AS child_cwd, \ + h.sha256 AS child_sha256, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + ph.sha256 AS parent_sha256 \ + FROM \ + process_memory_map pmm \ + LEFT JOIN processes p ON pmm.pid = p.pid \ + LEFT JOIN hash h ON p.path = h.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash AS ph ON pp.path = ph.path \ + WHERE \ + pmm.path LIKE '%libpcap%' \ + AND p.euid = 0 \ + AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + AND child_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%' \ + AND child_path NOT LIKE '/nix/store/%-systemd-%/bin/udevadm' \ + AND child_path NOT LIKE '/System/Library/%' \ + AND child_path NOT LIKE '/nix/store/%/bin/nix' \ + AND child_path NOT IN ( \ + '/usr/libexec/UserEventAgent', \ + '/usr/sbin/systemstats', \ + '/usr/bin/libvirtd', \ + '/usr/sbin/cupsd', \ + '/run/current-system/systemd/lib/systemd/systemd' \ + ) \ + AND child_cmd NOT IN ( \ + '/nix/var/nix/profiles/default/bin/nix-daemon', \ + '/run/current-system/systemd/lib/systemd/systemd', \ + '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid' \ + ) \ + GROUP BY \ + pmm.pid;", + "interval": "10800", + "platform": "linux", + "description": "Find root-run processes which link against libpcap" + }, + 
"unexpected-pcap-user-macos": { + "query": "SELECT \ + SELECT \ + pmm.pid, \ + p.uid, \ + p.gid, \ + pmm.path AS lib_path, \ + p.path AS child_path, \ + p.name AS child_name, \ + p.cmdline AS child_cmd, \ + p.cwd AS child_cwd, \ + h.sha256 AS child_sha256, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + ph.sha256 AS parent_sha256, \ + s.authority, \ + s.identifier \ + FROM \ + process_memory_map pmm \ + LEFT JOIN processes p ON pmm.pid = p.pid \ + LEFT JOIN hash h ON p.path = h.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash AS ph ON pp.path = ph.path \ + LEFT JOIN signature s ON p.path = s.path \ + WHERE \ + pmm.path LIKE '%libpcap%' \ + AND p.euid = 0 \ + AND child_path NOT LIKE '/System/%' \ + AND child_path NOT LIKE '/usr/libexec/%' \ + AND child_path NOT LIKE '/usr/sbin/%' \ + AND child_path NOT LIKE '/usr/bin/%' \ + AND child_path NOT LIKE '/nix/store/%/bin/nix' \ + AND child_path NOT LIKE '/opt/homebrew/Cellar/vim/%/bin/vim' \ + AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + AND NOT s.authority IN ( \ + 'Software Signing', \ + 'Apple Mac OS Application Signing', \ + 'Developer ID Application: Kolide Inc (YZ3EM74M78)', \ + 'Developer ID Application: Docker Inc (9BNSXJN65R)' \ + ) \ + GROUP BY \ + pmm.pid;", + "interval": "10800", + "platform": "darwin", + "description": "Find root-run processes which link against libpcap" + } + } +} +{ + "queries": { + "empty_environ": { + "query": "SELECT \ + COUNT(*) AS count, \ + p.pid, \ + p.path, \ + p.cmdline \ + FROM \ + process_envs pe \ + JOIN processes p ON pe.pid = p.pid \ + GROUP BY \ + p.pid \ + HAVING \ + count == 0;", + "interval": "10800", + "description": "Inspired by BPFdoor" + }, + "executables-from-the-future": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.cmdline, \ + p.cwd, \ + p.euid, \ + p.parent, \ + f.ctime, \ + f.btime, \ + 
f.mtime, \ + p.start_time, \ + f.mtime > strftime('%s', 'now') AS mtime_newer, \ + f.ctime > strftime('%s', 'now') AS ctime_newer, \ + f.btime > strftime('%s', 'now') AS btime_newer, \ + hash.sha256 AS child_hash256, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + mtime_newer == 1 \ + OR ctime_newer == 1 \ + OR btime_newer == 1;", + "interval": "10800", + "description": "Programs which claim to be from the future, based on (btime,ctime,mtime)" + }, + "hidden-cwd": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.cmdline, \ + p.cwd, \ + p.euid, \ + p.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + hash.sha256, \ + REPLACE(p.cwd, u.directory, '~') AS dir, \ + CONCAT ( \ + p.name, \ + ',', \ + IIF( \ + REGEX_MATCH ( \ + REPLACE(p.cwd, u.directory, '~'), \ + '([/~].*?/.*?/.*?)/', \ + 1 \ + ) != '', \ + REGEX_MATCH ( \ + REPLACE(p.cwd, u.directory, '~'), \ + '([/~].*?/.*?/.*?)/', \ + 1 \ + ), \ + REPLACE(p.cwd, u.directory, '~') \ + ) \ + ) AS exception_key \ + FROM \ + processes p \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN users u ON p.uid = u.uid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + dir LIKE '%/.%' \ + AND NOT ( \ + exception_key IN ( \ + 'bash,~/.local/share', \ + 'bash,~/go/src', \ + 'Electron,~/.vscode/extensions', \ + 'fish,~/.local/share', \ + 'git,~/.local/share', \ + 'makepkg,~/.cache/yay', \ + 'make,~/.cache/yay', \ + 'java,~/.gradle/daemon', \ + 'java,~/.local/share', \ + 'rust-analyzer-p,~/.cargo/registry', \ + 'as,~/.cache/yay', \ + 'c++,~/.cache/yay', \ + 'cc1plus,~/.cache/yay', \ + 'mysqld,~/.local/share' \ + ) \ + OR dir IN ( \ + '~/.vim', \ + '~/.cache/yay', \ + 
'~/.local/share/chezmoi', \ + '~/.local/share/nvim', \ + '~/.gmailctl' \ + ) \ + OR p.name IN ( \ + 'bindfs', \ + 'vim', \ + 'nvim', \ + 'code', \ + 'updatedb', \ + 'git', \ + 'gitsign', \ + 'Code Helper' \ + ) \ + OR dir LIKE '~/.dotfiles/%' \ + OR dir LIKE '~/.gradle/%' \ + OR dir LIKE '~/.local/share/kotlin/%' \ + OR dir LIKE '~/go/src/%' \ + OR dir LIKE '~/.local/share/nvim/%' \ + OR dir LIKE '~/.vscode/extensions/%' \ + OR dir LIKE '~/.local/share/fish/%' \ + OR dir LIKE '~/.cache/yay/%' \ + OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%' \ + OR dir LIKE '~/src/%' \ + OR dir LIKE '~/%/.github%' \ + OR dir LIKE '~/.cargo/%' \ + OR dir LIKE '~/.local/share/JetBrains/%' \ + OR dir LIKE '~/code/%' \ + );", + "interval": "10800", + "description": "Programs running with a hidden current working directory" + }, + "hidden-launchd-files-macos": { + "query": "SELECT file.path, \ + file.type, \ + file.filename, \ + file.size, \ + file.mtime, \ + file.uid, \ + file.ctime, \ + file.gid, \ + hash.sha256, \ + signature.identifier, \ + signature.authority \ + FROM file \ + LEFT JOIN signature ON file.path = signature.path \ + LEFT JOIN hash ON file.path = hash.path \ + WHERE ( \ + file.path LIKE '/Library/LaunchAgents/.%' \ + OR file.path LIKE '/Users/%/Library/LaunchAgents/.%' \ + OR file.path LIKE '/Users/%/Library/LaunchDaemons/.%' \ + ) \ + AND file.filename NOT IN ('.', '..', '.DS_Store') \ + AND NOT ( \ + file.filename = '.DS_Store' \ + AND hash.sha256 = 'd65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3' \ + );", + "interval": "10800", + "platform": "darwin", + "description": "osquery can't see hidden launch agents/daemons" + }, + "hidden-parent-pid": { + "query": "SELECT \ + pp.* \ + FROM \ + processes \ + JOIN processes pp ON processes.parent = pp.pid \ + WHERE \ + processes.parent NOT IN ( \ + SELECT \ + pid \ + FROM \ + processes \ + ) \ + AND processes.parent != 0;", + "interval": "10800", + 
"description": "Works well for revealing boopkit, so long as boopkit has a child process." + }, + "missing-from-disk-linux": { + "query": "SELECT \ + p.pid, \ + p.uid, \ + p.cmdline, \ + p.path, \ + mnt_namespace, \ + p.cwd, \ + p.on_disk, \ + p.state, \ + file.inode, \ + pp.on_disk AS parent_on_disk, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmdline, \ + pp.cwd AS parent_cwd, \ + ph.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ph ON pp.path = ph.path \ + WHERE \ + p.on_disk != 1 \ + AND p.path != '' \ + AND mnt_namespace IN ( \ + SELECT DISTINCT \ + (mnt_namespace) \ + FROM \ + process_namespaces \ + JOIN processes ON processes.pid = process_namespaces.pid \ + WHERE \ + processes.name IN ('osqueryi', 'osqueryd') \ + ) \ + AND file.inode IS NULL \ + AND p.path NOT LIKE '/tmp/.mount_%';", + "interval": "10800", + "platform": "linux", + "description": "Processes that do not exist on disk" + }, + "missing-from-disk-macos": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.parent, \ + p.state, \ + p.cwd, \ + p.gid, \ + p.uid, \ + p.euid, \ + p.cmdline AS cmd, \ + p.cwd, \ + p.on_disk, \ + p.state, \ + pp.on_disk AS parent_on_disk, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + p.on_disk != 1 \ + AND (strftime('%s', 'now') - p.start_time) > 15 \ + AND p.pid > 0 \ + AND p.parent != 2 \ + AND p.state != 'Z' \ + AND NOT ( \ + p.parent = 1 \ + AND p.path = '' \ + ) \ + AND NOT ( \ + p.gid = 20 \ + AND ( \ + cmd LIKE '/Library/Apple/System/%' \ + OR cmd LIKE '/Applications/%/Contents/%' \ + OR cmd LIKE '/Library/Apple/System/%' \ + OR cmd LIKE '/Library/Application 
Support/Logitech.localized/%' \ + OR cmd LIKE '/Library/Developer/CommandLineTools/%' \ + OR p.path IN ( \ + '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper' \ + ) \ + OR cmd LIKE '/opt/homebrew/Cellar/%' \ + OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' \ + OR cmd LIKE '/opt/homebrew/opt/%' \ + OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' \ + OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' \ + OR parent_cmd LIKE '/Applications/Google Chrome.app/%' \ + ) \ + ) \ + AND NOT ( \ + p.name = '' \ + AND parent_cmd = '/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox -foreground' \ + );", + "interval": "10800", + "platform": "darwin", + "description": "Processes that do not exist on disk" + }, + "name_path_mismatch": { + "query": "SELECT \ + p.name, \ + TRIM(SUBSTR(SPLIT (p.name, ':./ ', 0), 0, 15)) AS short_name, \ + TRIM(SUBSTR(SPLIT (f.filename, ':./ ', 0), 0, 15)) AS short_filename, \ + f.filename, \ + p.path, \ + p.cwd, \ + p.cmdline AS cmd, \ + p.parent AS parent_pid, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + hash.sha256 AS child_sha256, \ + phash.sha256 AS parent_sha256, \ + CONCAT ( \ + 'name=', \ + TRIM(SUBSTR(SPLIT (p.name, ':./ ', 0), 0, 15)), \ + ',file=', \ + TRIM(SUBSTR(SPLIT (f.filename, ':./ ', 0), 0, 15)), \ + ',', \ + MIN(p.uid, 500) \ + ) AS exception_key \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN hash AS phash ON pp.path = phash.path \ + WHERE \ + short_filename != short_name \ + AND NOT cmd LIKE '/nix/store/%/bin/bash%' \ + AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3') \ + AND exception_key NOT IN ( \ + 'name=blueman-applet,file=python3,500', \ + 'name=blueman-tray,file=python3,500', \ + 'name=cat,file=coreutils,500', \ + 
'name=chrome-gnome-s,file=python3,500', \ + 'name=Chroot,file=firefox,500', \ + 'name=code-oss,file=electron,500', \ + 'name=exe,file=rootlessport,500', \ + 'name=file,file=firefox,500', \ + 'name=firefox-wrappe,file=firefox,500', \ + 'name=Web,file=thunderbird,500', \ + 'name=Isolated,file=thunderbird,500', \ + 'name=firewalld,file=python3,0', \ + 'name=gjs,file=gjs-console,120', \ + 'name=gjs,file=gjs-console,500', \ + 'name=gnome-characte,file=gjs-console,500', \ + 'name=gnome-character,file=gjs-console,500', \ + 'name=gnome-tweak-to,file=python3,500', \ + 'name=gsettings-hel,file=gsettings-help,500', \ + 'name=Isolated,file=firefox,500', \ + 'name=MainThread,file=plugin-contain,500', \ + 'name=mysqld,file=mariadbd,500', \ + 'name=networkd-dispa,file=python3,0', \ + 'name=Web,file=thunderbird,500', \ + 'name=nix-daemon,file=nix,0', \ + 'name=sessionclean,file=dash,0', \ + 'name=npm,file=node,500', \ + 'name=pidof,file=killall5,0', \ + 'name=osqueryi,file=osqueryd,0', \ + 'name=osqueryi,file=osqueryd,500', \ + 'name=phpstorm,file=dash,500', \ + 'name=Privileged,file=firefox,500', \ + 'name=RDD,file=firefox,500', \ + 'name=sd_espeak-ng-m,file=sd_espeak-ng,500', \ + 'name=sh,file=dash,0', \ + 'name=sh,file=dash,500', \ + 'name=slic3r_main,file=prusa-slicer,500', \ + 'name=Socket,file=firefox,500', \ + 'name=streamdeck,file=python3,500', \ + 'name=systemd-udevd,file=udevadm,0', \ + 'name=terminator,file=python3,500', \ + 'name=Thunar,file=thunar,500', \ + 'name=unattended-upg,file=python3,0', \ + 'name=Utility,file=firefox,500', \ + 'name=vi,file=nvim,500', \ + 'name=vi,file=vim,500', \ + 'name=WebExtensions,file=firefox,500', \ + 'name=Web,file=firefox,500', \ + 'name=X,file=Xorg,0', \ + 'name=zfs-auto-snaps,file=ruby,0', \ + 'name=zoom,file=ZoomLauncher,500' \ + ) \ + AND NOT ( \ + short_filename = 'systemd' \ + AND short_name LIKE '(sd%' \ + ) \ + AND NOT ( \ + short_filename LIKE 'emacs%' \ + AND short_name = 'emacs' \ + ) \ + AND NOT (p.path LIKE 
'/nix/store/%/bin/coreutils') \ + GROUP by \ + short_name, \ + short_filename;", + "interval": "10800", + "description": "Processes that do not exist on disk" + }, + "old-binaries-running": { + "query": "SELECT \ + p.path, \ + p.cmdline, \ + p.cwd, \ + ((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days, \ + ((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days, \ + ((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days, \ + h.sha256, \ + f.uid, \ + f.gid \ + FROM \ + processes p \ + JOIN file f ON p.path = f.path \ + JOIN hash h ON p.path = h.path \ + WHERE \ + ( \ + ctime_age_days > 1050 \ + OR mtime_age_days > 1050 \ + ) \ + AND p.path NOT LIKE '%/opt/brackets/Brackets%' \ + AND h.sha256 NOT IN ( \ + 'f61dcfce6f0c04263780700e0e9a8ff2363edefc344c08bd792fd401ddaa160f' \ + );", + "interval": "10800", + "description": "Alert on programs running that are unusually old (poor timestomping)" + }, + "parent-missing-from-disk": { + "query": "SELECT \ + p.name AS child_name, \ + p.pid AS child_pid, \ + p.path AS child_path, \ + p.cmdline AS child_cmd, \ + p.uid AS child_uid, \ + p.gid AS child_gid, \ + hash.path, \ + p.on_disk AS child_on_disk, \ + pp.pid AS parent_pid, \ + pp.name AS parent_name, \ + pp.path AS parent_path, \ + pp.cmdline AS cmd, \ + pp.on_disk AS parent_on_disk, \ + pp.uid AS parent_uid, \ + pp.gid AS parent_gid \ + FROM \ + processes p \ + JOIN processes pp ON pp.pid = p.parent \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + parent_on_disk != 1 \ + AND child_on_disk = 1 \ + AND NOT child_pid IN (1, 2) \ + AND NOT parent_pid IN (1, 2) \ + AND NOT parent_path IN ( \ + '/opt/google/chrome/chrome', \ + '/usr/bin/gnome-shell' \ + ) \ + AND NOT parent_name IN ( \ + 'lightdm', \ + 'nvim', \ + 'gnome-shell', \ + 'slack', \ + 'kube-proxy', \ + 'kubelet' \ + ) \ + AND NOT ( \ + parent_path = '' \ + AND p.uid > 500 \ + ) \ + AND parent_path NOT LIKE '/app/extra/%' \ + AND parent_path NOT LIKE '/opt/homebrew/Cellar/%' \ + AND NOT ( \ 
+ parent_name LIKE 'kworker/%+events_unbound' \ + AND child_name IN ('modprobe') \ + );", + "interval": "10800", + "description": "Parent PID is not on disk" + }, + "ssh-notty": { + "query": "SELECT * FROM ( \ + SELECT p.pid,p.name,p.cmdline,GROUP_CONCAT(DISTINCT pof.path) AS open_files \ + FROM processes p \ + LEFT JOIN process_open_files pof ON p.pid = pof.pid \ + WHERE p.name = 'sshd' \ + GROUP BY p.pid \ + ) \ + WHERE INSTR(cmdline, '@notty') > 0 \ + OR \ + INSTR(open_files, '/dev/ptmx') = 0;", + "interval": "10800", + "description": "Find ssh sessions that are hiding from 'w'/'who'" + }, + "touched-executable-linux": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.cmdline, \ + p.cwd, \ + p.euid, \ + p.parent, \ + f.ctime, \ + f.btime, \ + f.mtime, \ + p.start_time, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + hash.sha256 AS sha256 \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + f.ctime = f.mtime \ + AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%' \ + AND f.path NOT LIKE '/snap/%' \ + AND f.path NOT LIKE '/home/%/go/bin/%' \ + AND f.path NOT LIKE '/home/%/.rustup/%' \ + AND f.path NOT LIKE '/home/eddiezane/.local/share/JetBrains/Toolbox/bin/%' \ + AND f.path NOT LIKE '/home/%/.cache/cloud-code/bin/%' \ + GROUP by \ + p.pid;", + "interval": "10800", + "platform": "linux", + "description": "Programs which were spawned by an executable containing a matching ctime & mtime, which" + }, + "touched-executable-macos": { + "query": "SELECT \ + p.path, \ + p.name, \ + p.cmdline, \ + p.euid, \ + DATETIME(p.start_time, 'unixepoch') AS started, \ + DATETIME(f.ctime, 'unixepoch') AS changed, \ + DATETIME(f.btime, 'unixepoch') AS birthed, \ + DATETIME(f.mtime, 'unixepoch') AS modified, \ + DATETIME(f.atime, 'unixepoch') AS accessed, \ + (f.btime - f.ctime) / 86400 AS btime_ctime_days_diff, \ 
+ (p.start_time - f.atime) / 86400 AS start_atime_days_diff, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + pp.cwd AS parent_cwd, \ + hash.sha256 AS sha256, \ + signature.identifier, \ + signature.authority \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN signature ON p.path = signature.path \ + WHERE \ + f.btime == f.mtime \ + AND ( \ + btime_ctime_days_diff > 0 \ + OR ( \ + (btime_ctime_days_diff < -365) \ + AND (btime_ctime_days_diff < -1000) \ + ) \ + OR start_atime_days_diff > 90 \ + OR start_atime_days_diff < -10 \ + ) \ + AND NOT signature.authority IN ( \ + 'Apple Mac OS Application Signing', \ + 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)', \ + 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)', \ + 'Developer ID Application: Bryan Jones (49EYHPJ4Q3)', \ + 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)', \ + 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', \ + 'Developer ID Application: Docker Inc (9BNSXJN65R)', \ + 'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)', \ + 'Developer ID Application: Galvanix (5BRAQAFB8B)', \ + 'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)', \ + 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \ + 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)', \ + 'Developer ID Application: GitHub (VEKTX9H2N7)', \ + 'Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + 'Developer ID Application: Logitech Inc. 
(QED4VVPZWA)', \ + 'Developer ID Application: Michael Jones (YD6LEYT6WZ)', \ + 'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', \ + 'Developer ID Application: RescueTime, Inc (FSY4RB8H39)', \ + 'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \ + 'Developer ID Application: Yubico Limited (LQA3CS5MM7)', \ + 'Software Signing' \ + ) \ + AND NOT ( \ + p.euid > 500 \ + AND ( \ + p.path IN ( \ + '/Applications/Divvy.app/Contents/MacOS/Divvy', \ + '/Applications/Sourcetree.app/Contents/MacOS/Sourcetree', \ + '/Library/CoreMediaIO/Plug-Ins/DAL/LogiCapture.plugin/Contents/MacOS/Assistant', \ + '/Applications/Canon Utilities/IJ Scan Utility/Canon IJ Scan Utility Lite.app/Contents/Library/LoginItems/CIJSULAgent.app/Contents/MacOS/CIJSULAgent', \ + '/Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/MacOS/ESPController.app/Contents/Library/LoginItems/CanonIJExtendedSurveyLaunchAgent.app/Contents/MacOS/CanonIJExtendedSurveyLaunchAgent' \ + ) \ + OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%' \ + OR p.path LIKE '/Applications/%.app/Contents/MacOS/%' \ + OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' \ + OR p.path LIKE '/nix/store/%' \ + ) \ + ) \ + AND NOT ( \ + p.euid = 0 \ + AND ( \ + p.path LIKE '/nix/store/%/bin/nix' \ + OR p.path LIKE '/nix/store/%/bin/nix-daemon' \ + ) \ + ) \ + GROUP by \ + p.pid;", + "interval": "10800", + "platform": "darwin", + "description": "Programs which appear to have been touched on macOS" + }, + "unexpected-alf-exceptions-macos": { + "query": "SELECT \ + ae.path, \ + ae.state, \ + file.mtime, \ + file.ctime, \ + file.uid, \ + file.directory, \ + file.size, \ + file.type, \ + hash.sha256, \ + signature.identifier, \ + signature.authority, \ + CONCAT ( \ + signature.authority, \ + ',', \ + signature.identifier, \ + ',', \ + ae.path, \ + ',', \ + MIN(file.uid, 501) \ + ) AS exception_key \ + FROM \ + 
alf_exceptions ae \ + LEFT JOIN file ON ae.path = file.path \ + LEFT JOIN hash ON ae.path = hash.path \ + LEFT JOIN signature ON ae.path = signature.path \ + WHERE \ + exception_key NOT IN ( \ + ',,/Applications/Google%20Chrome.app/,', \ + ',,/Applications/IntelliJ%20IDEA.app/,', \ + ',,/Applications/ProtonMail%20Bridge.app/,', \ + ',,/Applications/Visual%20Studio%20Code.app/,', \ + ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,', \ + ',,/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig,', \ + ',,/usr/bin/nmblookup,', \ + ',,/usr/libexec/discoveryd,', \ + ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', \ + ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501', \ + 'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0', \ + 'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0', \ + 'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0', \ + 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501', \ + 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501', \ + 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0', \ + 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501', \ + 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501', \ + 'Developer ID Application: Opentest, Inc. 
(QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', \ + 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0', \ + 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501', \ + 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501', \ + 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501', \ + 'Software Signing,com.apple.bootpd,/usr/libexec/bootpd,0', \ + 'Software Signing,com.apple.configd,/usr/libexec/configd,0', \ + 'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0', \ + 'Software Signing,com.apple.EmbeddedOSInstallService,/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/,0', \ + 'Software Signing,com.apple.mDNSResponder,/usr/sbin/mDNSResponder,0', \ + 'Software Signing,com.apple.Music,/System/Applications/Music.app/,0', \ + 'Software Signing,com.apple.nc,/usr/bin/nc,0', \ + 'Software Signing,com.apple.racoon,/usr/sbin/racoon,0', \ + 'Software Signing,com.apple.universalcontrol,/System/Library/CoreServices/UniversalControl.app/,0', \ + 'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0', \ + 'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0' \ + ) \ + AND NOT ( \ + signature.identifier LIKE 'cargo-%' \ + AND ae.path LIKE '/Users/%/.rustup/%' \ + ) \ + AND NOT ( \ + signature.identifier LIKE 'fake-%' \ + AND ae.path LIKE '%/exe/fake' \ + ) \ + AND NOT ( \ + signature.identifier LIKE 'mariadbd-%' \ + AND ae.path LIKE '/opt/homebrew/%/mariadbd' \ + ) \ + AND NOT ( \ + signature.identifier = 'netcat' \ + AND ae.path LIKE '/Users/%/homebrew/Cellar/netcat/%/bin/netcat' \ + ) \ + AND NOT ( \ + signature.identifier = 'syncthing' \ + 
AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing' \ + ) \ + AND NOT ( \ + ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/' \ + ) \ + AND NOT ( \ + ( \ + signature.identifier = 'a.out' \ + OR signature.identifier LIKE '%-%' \ + ) \ + AND file.uid > 500 \ + AND ( \ + file.directory LIKE '/opt/homebrew/Cellar/%/bin' \ + OR file.directory LIKE '/Users/%/bin' \ + OR file.directory LIKE '/Users/%/code/%' \ + OR file.directory LIKE '/Users/%/src/%' \ + OR file.directory LIKE '/Users/%/node_modules/.bin/%' \ + OR file.directory LIKE '/Users/%/git/%' \ + OR file.directory LIKE '/Users/%/%-cli' \ + OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe' \ + ) \ + ) \ + GROUP BY \ + exception_key;", + "interval": "10800", + "platform": "darwin", + "description": "macOS application layer firewall (ALF) service exceptions." + }, + "unexpected-dev-entries": { + "query": "SELECT \ + file.path, \ + file.type, \ + file.size, \ + file.mtime, \ + file.uid, \ + file.ctime, \ + file.gid, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash ON file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + ( \ + file.path LIKE '/dev/shm/%%' \ + OR file.path LIKE '/dev/%/.%' \ + OR file.path LIKE '/dev/.%' \ + OR file.path LIKE '/dev/.%/%' \ + OR file.path LIKE '/dev/%%/.%/%' \ + OR file.path LIKE '/dev/mqueue/%%' \ + ) \ + AND NOT ( \ + file.uid > 499 \ + AND ( \ + file.path NOT LIKE '/dev/shm/.com.google.%' \ + OR file.path LIKE '/dev/shm/.org.chromium.%' \ + OR file.path LIKE '/dev/shm/wayland.mozilla.%' \ + OR file.path LIKE '/dev/shm/shm-%-%-%' \ + OR file.path LIKE 'pulse-shm-%' \ + OR file.path LIKE 'u1000-Shm%' \ + OR file.path LIKE 'u1000-Valve%' \ + OR file.path LIKE '/dev/shm/jack_db%' \ + ) \ + ) \ + AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%' \ + AND file.path NOT LIKE '/dev/shm/flatpak-%' \ + AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%' \ + AND file.path NOT LIKE '%/../%' 
\ + AND file.path NOT LIKE '%/./%' \ + AND filename NOT IN ('..') \ + AND file.path NOT IN ('/dev/.mdadm/');", + "interval": "10800", + "description": "Inspired by BPFdoor" + }, + "unexpected-dev-executables-linux": { + "query": "SELECT \ + file.path, \ + file.directory, \ + uid, \ + gid, \ + mode, \ + file.mtime, \ + file.size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + ( \ + file.path LIKE '/dev/%%' \ + OR file.path LIKE '/dev/%%/%%' \ + ) \ + AND file.type = 'regular' \ + AND ( \ + file.mode LIKE '%7%' \ + or file.mode LIKE '%5%' \ + or file.mode LIKE '%1%' \ + );", + "interval": "10800", + "platform": "linux", + "description": "Find unexpected executables in /dev" + }, + "unexpected-etc-executables-linux": { + "query": "SELECT \ + file.path, \ + file.directory, \ + uid, \ + gid, \ + mode, \ + file.mtime, \ + file.size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + (file.path LIKE '/etc/%%') \ + AND file.type = 'regular' \ + AND ( \ + file.mode LIKE '%7%' \ + or file.mode LIKE '%5%' \ + or file.mode LIKE '%1%' \ + ) \ + AND file.directory NOT IN ( \ + '/etc/X11/xinit/xinitrc.d', \ + '/etc/apcupsd', \ + '/etc/menu-methods', \ + '/etc/avahi', \ + '/etc/chromium/native-messaging-hosts', \ + '/etc/cifs-utils', \ + '/etc/cron.hourly', \ + '/etc/flatpak/remotes.d', \ + '/etc/gdm/Init', \ + '/etc/gdm/PostLogin', \ + '/etc/gdm/PostSession', \ + '/etc/gdm/PreSession', \ + '/etc/gdm', \ + '/etc/grub.d', \ + '/etc/httpd/modules', \ + '/etc/ifplugd', \ + '/etc/init.d', \ + '/etc/lightdm', \ + '/etc/pinentry', \ + '/etc/ppp', \ + '/etc/ppp/ip-down.d', \ + '/etc/ppp/ip-up.d', \ + '/etc/ppp/ipv6-up.d', \ + '/etc/profile.d', \ + '/etc/rdnssd', \ + '/etc/security', \ + '/etc/skel', \ + '/etc/ssl/misc', \ + '/etc/systemd/system', \ + 
'/etc/systemd/system/graphical.target.wants', \ + '/etc/vpnc', \ + '/etc/xdg/Xwayland-session.d', \ + '/etc/NetworkManager/dispatcher.d', \ + '/etc/X11', \ + '/etc/X11/xinit', \ + '/etc/acpi', \ + '/etc/alternatives', \ + '/etc/apm/resume.d', \ + '/etc/apm/scripts.d', \ + '/etc/apm/suspend.d', \ + '/etc/brltty/Contraction', \ + '/etc/console-setup', \ + '/etc/cron.daily', \ + '/etc/cron.monthly', \ + '/etc/cron.weekly', \ + '/etc/dhcp/dhclient-enter-hooks.d', \ + '/etc/dhcp/dhclient-exit-hooks.d', \ + '/etc/dkms', \ + '/etc/gdm3/Init', \ + '/etc/gdm3/PostLogin', \ + '/etc/gdm3/PostSession', \ + '/etc/gdm3/PreSession', \ + '/etc/gdm3/Prime', \ + '/etc/gdm3/PrimeOff', \ + '/etc/gdm3', \ + '/etc/ifplugd/action.d', \ + '/etc/kernel/header_postinst.d', \ + '/etc/kernel/install.d', \ + '/etc/kernel/postinst.d', \ + '/etc/kernel/postrm.d', \ + '/etc/kernel/preinst.d', \ + '/etc/kernel/prerm.d', \ + '/etc/network/if-down.d', \ + '/etc/network/if-post-down.d', \ + '/etc/network/if-pre-up.d', \ + '/etc/network/if-up.d', \ + '/etc/openvpn', \ + '/etc/pm/sleep.d', \ + '/etc/rc0.d', \ + '/etc/rc1.d', \ + '/etc/rc2.d', \ + '/etc/rc3.d', \ + '/etc/rc4.d', \ + '/etc/rc5.d', \ + '/etc/rc6.d', \ + '/etc/rcS.d', \ + '/etc/update-motd.d', \ + '/etc/wpa_supplicant', \ + '/etc/zfs/zed.d', \ + '/etc/zfs/zpool.d', \ + '/etc/bash_completion.d', \ + '/etc/dhcp/dhclient.d', \ + '/etc/mcelog/triggers', \ + '/etc/qemu-ga', \ + '/etc/rc.d/init.d', \ + '/etc/rc.d/rc0.d', \ + '/etc/rc.d/rc1.d', \ + '/etc/rc.d/rc2.d', \ + '/etc/rc.d/rc3.d', \ + '/etc/rc.d/rc4.d', \ + '/etc/rc.d/rc5.d', \ + '/etc/rc.d/rc6.d', \ + '/etc/vmware-tools', \ + '/etc/zfs-fuse', \ + '/etc/ssl/certs', \ + '/etc/ssl/trust-source', \ + '/etc/systemd/system-shutdown' \ + ) \ + AND file.path NOT IN ( \ + '/etc/nftables.conf', \ + '/etc/rmt', \ + '/etc/qemu-ifdown', \ + '/etc/qemu-ifup', \ + '/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json' \ + );", + "interval": "10800", + "platform": 
"linux", + "description": "Find unexpected executables in /etc" + }, + "unexpected-hidden-system-folders": { + "query": "SELECT \ + file.path, \ + uid, \ + gid, \ + mode, \ + mtime, \ + ctime, \ + type, \ + size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash ON file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + ( \ + file.path LIKE '/lib/.%' \ + OR file.path LIKE '/.%' \ + OR file.path LIKE '/bin/%/.%' \ + OR file.path LIKE '/lib/%/.%' \ + OR file.path LIKE '/libexec/.%' \ + OR file.path LIKE '/Library/.%' \ + OR file.path LIKE '/sbin/.%' \ + OR file.path LIKE '/sbin/%/.%' \ + OR file.path LIKE '/tmp/.%' \ + OR file.path LIKE '/usr/bin/.%' \ + OR file.path LIKE '/usr/lib/.%' \ + OR file.path LIKE '/usr/lib/%/.%' \ + OR file.path LIKE '/usr/libexec/.%' \ + OR file.path LIKE '/usr/local/bin/.%' \ + OR file.path LIKE '/usr/local/lib/.%' \ + OR file.path LIKE '/usr/local/lib/.%' \ + OR file.path LIKE '/usr/local/libexec/.%' \ + OR file.path LIKE '/usr/local/sbin/.%' \ + OR file.path LIKE '/usr/sbin/.%' \ + OR file.path LIKE '/var/.%' \ + OR file.path LIKE '/var/lib/.%' \ + OR file.path LIKE '/var/tmp/.%' \ + OR file.path LIKE '/dev/.%' \ + ) \ + AND strftime('%s', 'now') - file.ctime > 20 \ + AND file.path NOT IN ( \ + '/.autorelabel', \ + '/.file', \ + '/.vol/', \ + '/.VolumeIcon.icns', \ + '/dev/.mdadm/', \ + '/tmp/._contentbarrier_installed', \ + '/tmp/../', \ + '/tmp/./', \ + '/tmp/.%.lock', \ + '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress', \ + '/tmp/.dracula-tmux-weather.lock', \ + '/tmp/.dracula-tmux-data', \ + '/tmp/.dotnet/', \ + '/tmp/.vbox-t-ipc/', \ + '/tmp/.font-unix/', \ + '/tmp/.ICE-unix/', \ + '/tmp/.Test-unix/', \ + '/tmp/.X0-lock', \ + '/tmp/.X1-lock', \ + '/tmp/.X11-unix/', \ + '/tmp/.XIM-unix/', \ + '/var/.ntw_cache', \ + '/var/.Parallels_swap/', \ + '/var/.pwd_cache' \ + ) \ + AND file.path NOT LIKE '/tmp/.#%' \ + AND file.path NOT LIKE '/tmp/.com.google.Chrome.%' \ + AND 
file.path NOT LIKE '/tmp/.org.chromium.Chromium%' \ + AND file.path NOT LIKE '/tmp/.X1%-lock' \ + AND file.path NOT LIKE '/usr/local/%/.keepme' \ + AND file.path NOT LIKE '%/../' \ + AND file.path NOT LIKE '%/./' \ + AND file.path NOT LIKE '%/.build-id/' \ + AND file.path NOT LIKE '%/.dwz/' \ + AND file.path NOT LIKE '%/.updated' \ + AND file.path NOT LIKE '/%bin/bootstrapping/.default_components' \ + AND file.path NOT LIKE '%/google-cloud-sdk/.install/' \ + AND file.path NOT LIKE '/tmp/.%.gcode' \ + AND NOT ( \ + type = 'regular' \ + AND ( \ + filename LIKE '%.swp' \ + OR size < 2 \ + ) \ + ) \ + AND NOT ( \ + file.path = '/.cache/' \ + AND file.uid = 0 \ + AND file.gid = 0 \ + AND file.mode = '0755' \ + AND file.size = 3 \ + ) \ + AND NOT ( \ + file.path = '/.config/' \ + AND file.uid = 0 \ + AND file.gid = 0 \ + AND file.mode IN ('0755', '0700') \ + AND file.size = 4 \ + );", + "interval": "10800" + }, + "unexpected-ld-so-files-linux": { + "query": "SELECT \ + file.path, \ + uid, \ + gid, \ + mode, \ + file.mtime, \ + file.size, \ + hash.sha256, \ + CONCAT (file.path, ',', mode, ',', size, ',', sha256) AS exception_key \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + ( \ + file.path IN ('/etc/ld.so.conf', '/etc/ld.so.preload') \ + OR file.path LIKE '/etc/ld.so.conf.d/%' \ + OR file.path LIKE '/etc/ld.so.conf.d/.%' \ + ) \ + AND file.filename NOT IN ('.', '..') \ + AND exception_key NOT IN ( \ + '/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5', \ + '/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f', \ + '/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8', \ + '/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28', \ + 
'/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50', \ + '/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181', \ + '/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee', \ + '/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a', \ + '/etc/ld.so.conf.d/lib32-glibc.conf,0644,11,c27424154a6096ae32c0824b785e05de6acef33d9224fd6147d1936be9b4962b', \ + '/etc/ld.so.conf.d/libc.conf,0644,44,90d4c7e43e7661cd116010eb9f50ad5817e43162df344bd1ad10898851b15d41', \ + '/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3', \ + '/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0', \ + '/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f', \ + '/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221', \ + '/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a', \ + '/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98' \ + );", + "interval": "10800", + "platform": "linux", + "description": "If you have Augeas available, you may want to use that in conjunction with this more limited check." 
+ }, + "unexpected-var-executables-linux": { + "query": "SELECT \ + file.path, \ + file.directory, \ + uid, \ + gid, \ + mode, \ + file.mtime, \ + file.size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + (file.path LIKE '/var/%%') \ + AND file.type = 'regular' \ + AND ( \ + file.mode LIKE '%7%' \ + or file.mode LIKE '%5%' \ + or file.mode LIKE '%1%' \ + ) \ + AND file.directory NOT IN ( \ + '/var/lib/colord', \ + '/var/ossec/agentless', \ + '/var/ossec/bin', \ + '/var/ossec/wodles', \ + '/var/run/booted-system', \ + '/var/run/current-system' \ + );", + "interval": "10800", + "platform": "linux", + "description": "Find unexpected executables in /var" + } + } +} +{ + "queries": { + "recently-created-executables": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.cmdline, \ + p.cwd, \ + p.euid, \ + p.parent, \ + f.directory, \ + f.ctime, \ + f.btime, \ + f.mtime, \ + p.start_time, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.cwd AS parent_cwd, \ + pp.euid AS parent_euid, \ + ch.sha256 AS child_sha256, \ + ph.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash AS ch ON p.path = ch.path \ + LEFT JOIN hash AS ph ON pp.path = ph.path \ + WHERE \ + p.start_time > 0 \ + AND f.ctime > 0 \ + AND (p.start_time - MAX(f.ctime, f.btime)) < 180 \ + AND p.start_time >= MAX(f.ctime, f.ctime) \ + AND NOT f.directory IN ( \ + '/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS', \ + '/Applications/Grammarly Desktop.app/Contents/MacOS', \ + '/Applications/Opal.app/Contents/Library/LaunchServices', \ + '/Applications/Opal.app/Contents/MacOS', \ + '/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS', \ + '/Applications/Signal.app/Contents/Frameworks/Signal 
Helper.app/Contents/MacOS', \ + '/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS', \ + '/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS', \ + '/Applications/Signal.app/Contents/MacOS', \ + '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS', \ + '/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS', \ + '/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS', \ + '/Applications/Slack.app/Contents/MacOS', \ + '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS', \ + '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (GPU).app/Contents/MacOS', \ + '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (Renderer).app/Contents/MacOS', \ + '/Applications/Spotify.app/Contents/MacOS', \ + '/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS', \ + '/Applications/Stream Deck.app/Contents/MacOS', \ + '/Applications/Tailscale.app/Contents/MacOS', \ + '/usr/lib/firefox', \ + '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS', \ + '/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS', \ + '/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS', \ + '/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (Renderer).app/Contents/MacOS', \ + '/Applications/Todoist.app/Contents/MacOS', \ + '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS', \ + '/Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources', \ + '/Library/Application Support/Adobe/AdobeGCClient', \ + '/Library/CoreMediaIO/Plug-Ins/DAL/OpalVirtualCamera.plugin/Contents/Resources', \ + '/Library/Developer/CommandLineTools/usr/bin', \ + 
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS', \ + '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS', \ + '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS', \ + '/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS', \ + '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS', \ + '/usr/local/kolide-k2/bin' \ + ) \ + AND NOT p.path IN ( \ + '', \ + '/Library/DropboxHelperTools/Dropbox_u501/dbkextd', \ + '/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \ + '/Library/PrivilegedHelperTools/com.docker.vmnetd', \ + '/opt/google/chrome/chrome', \ + '/usr/bin/containerd', \ + '/usr/bin/dockerd', \ + '/usr/bin/obs', \ + '/usr/bin/udevadm', \ + '/usr/bin/pipewire', \ + '/usr/lib/at-spi2-registryd', \ + '/usr/lib/at-spi-bus-launcher', \ + '/usr/libexec/fwupd/fwupd', \ + '/usr/libexec/sssd/sssd_kcm', \ + '/usr/lib/fwupd/fwupd', \ + '/usr/lib/slack/chrome_crashpad_handler', \ + '/usr/lib/slack/slack', \ + '/usr/lib/systemd/systemd-journald', \ + '/usr/lib/systemd/systemd-oomd', \ + '/usr/lib/systemd/systemd-resolved', \ + '/usr/lib/systemd/systemd-timesyncd', \ + '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page', \ + '/usr/lib/xf86-video-intel-backlight-helper', \ + '/usr/sbin/cupsd', \ + '/usr/sbin/tailscaled' \ + ) \ + AND NOT p.path LIKE '/Applications/%.app/%' \ + AND NOT p.path LIKE '%-go-build%' \ + AND NOT p.path LIKE '/home/%/bin/%' \ + AND NOT p.path LIKE '/home/%/terraform-provider-%' \ + AND NOT p.path LIKE '/home/%/%.test' \ + AND NOT p.path LIKE '/Library/Apple/System/%' \ + AND NOT p.path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%' \ + AND NOT p.path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' \ + AND NOT p.path LIKE '/Library/Application Support/Logitech.localized/%' \ + AND NOT p.path LIKE '/nix/store/%/bin/%' \ + AND NOT p.path LIKE '/opt/homebrew/bin/%' \ + AND NOT p.path LIKE 
'/opt/homebrew/Cellar/%' \ + AND NOT p.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install' \ + AND NOT p.path LIKE '/private/tmp/go-build%' \ + AND NOT p.path LIKE '/private/tmp/nix-build-%' \ + AND NOT p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%' \ + AND NOT p.path LIKE '/private/var/folders/%/bin/%' \ + AND NOT p.path LIKE '/private/var/folders/%/go-build%' \ + AND NOT p.path LIKE '/private/var/folders/%/GoLand/%' \ + AND NOT p.path LIKE '/private/var/folders/%/T/pulumi-go.%' \ + AND NOT p.path LIKE '/Users/%/bin/%' \ + AND NOT p.path LIKE '/Users/%/code/%' \ + AND NOT p.path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%' \ + AND NOT p.path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%' \ + AND NOT p.path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%' \ + AND NOT p.path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%' \ + AND NOT p.path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%' \ + AND NOT p.path LIKE '/Users/%/terraform-provider-%' \ + AND NOT p.path LIKE '/Users/%/%.test' \ + AND NOT p.path LIKE '/usr/local/bin/%' \ + AND NOT p.path LIKE '/usr/local/Cellar/%' \ + AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + AND NOT p.path LIKE '%/.vscode/extensions/%' \ + AND NOT pp.path IN ('/usr/bin/gnome-shell') \ + AND NOT ( \ + ( \ + p.path LIKE '/Users/%' \ + OR p.path LIKE '/home/%' \ + ) \ + AND p.uid > 499 \ + AND f.ctime = f.mtime \ + AND f.uid = p.uid \ + AND p.cmdline LIKE './%' \ + ) \ + GROUP BY \ + p.pid;", + "interval": "10800", + "description": "Programs who were recently written to disk, based on btime (macOS) or ctime (Linux)" + }, + "reverse-shell-socket": { + "query": "SELECT DISTINCT \ + (p.pid), \ + p.parent, \ + p.name, \ + p.path, \ + p.cmdline, \ + p.cwd, \ + p.root, \ + p.uid, \ + p.gid, \ + p.start_time, \ + pos.remote_address, \ + pos.remote_port, \ + pp.cmdline, \ + pp.path \ + FROM \ + 
process_open_files pof \ + JOIN process_open_sockets pos USING (pid) \ + LEFT JOIN processes p ON pof.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid \ + WHERE \ + p.name IN ('sh', 'bash', 'perl', 'python') \ + AND pof.pid IS NULL \ + AND pos.remote_port > 0 \ + AND NOT ( \ + p.path = '/usr/bin/bash' \ + AND pp.cmdline LIKE 'pacman -S%' \ + );", + "interval": "10800", + "description": "An alternate way to discover reverse shells, inspired by the osxattack pack" + }, + "sketchy-fetcher": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.name, \ + p.cmdline, \ + REGEX_MATCH (p.cmdline, '/(\\d+\\.\\d+\\.\\d+\\.\\d+)[:/]', 1) AS remote_address, \ + REGEX_MATCH (p.cmdline, '/(:\\d+\\/)/', 1) AS remote_port, \ + p.cwd, \ + p.euid, \ + p.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + ( \ + INSTR(p.cmdline, 'wget ') > 0 \ + OR INSTR(p.cmdline, 'curl ') > 0 \ + ) \ + AND ( \ + remote_address NOT IN ('', '127.0.0.1', '::1') \ + OR remote_port != '' \ + OR p.cmdline LIKE '%.onion%' \ + OR p.cmdline LIKE '%tor2web%' \ + OR p.cmdline LIKE '%aliyun%' \ + OR p.cmdline LIKE '%pastebin%' \ + OR p.cmdline LIKE '%curl %--user-agent%' \ + OR p.cmdline LIKE '%curl -k%' \ + OR p.cmdline LIKE '%curl -sL%' \ + OR p.cmdline LIKE '%curl%--insecure%' \ + OR p.cmdline LIKE '%wget %--user-agent%' \ + OR p.cmdline LIKE '%wget %--no-check-certificate%' \ + OR p.cmdline LIKE '%curl%--connect-timeout%' \ + OR p.cmdline LIKE '%wget -nc%' \ + OR p.cmdline LIKE '%wget -t%' \ + OR ( \ + p.cmdline LIKE '%wget %' \ + AND p.euid < 500 \ + ) \ + OR ( \ + p.cmdline LIKE '%curl %' \ + AND p.euid < 500 \ + ) \ + ) \ + AND pp.name NOT IN ('makepkg') \ + AND NOT ( \ + p.euid > 500 \ + AND ( 
\ + p.cmdline LIKE '%--dump-header%' \ + OR p.cmdline LIKE '%/api/v%' \ + OR p.cmdline LIKE '%curl -X %' \ + OR p.cmdline LIKE '%go mod %' \ + OR p.cmdline LIKE '%application/json%' \ + OR p.cmdline LIKE '%grpcurl%' \ + OR p.cmdline LIKE '%Homebrew%' \ + OR p.cmdline LIKE '%Nixpkgs/%' \ + OR p.cmdline LIKE '%If-None-Match%' \ + OR p.cmdline LIKE '%ctlog%' \ + OR p.cmdline LIKE '%.well-known/openid-configuration%' \ + OR p.cmdline LIKE '%/openid/v1/jwks%' \ + OR p.cmdline LIKE '%--progress-bar%' \ + OR parent_cmdline LIKE '%brew.rb%' \ + OR parent_cmdline LIKE '%brew.sh%' \ + OR parent_cmdline LIKE '/nix/store/%-builder.sh' \ + OR p.cmdline LIKE 'git %' \ + OR p.cmdline LIKE '%LICENSES/vendor/%' \ + OR p.cmdline LIKE '%localhost:%' \ + OR p.cmdline LIKE '%127.0.0.1:%' \ + OR p.name IN ('apko') \ + ) \ + );", + "interval": "60", + "platform": "posix", + "description": "Suspicious URL requests by built-in fetching tools" + }, + "sketchy-fetcher-events": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.cmdline, \ + REGEX_MATCH (p.cmdline, '/(\\d+\\.\\d+\\.\\d+\\.\\d+)[:/]', 1) AS remote_address, \ + REGEX_MATCH (p.cmdline, '/(:\\d+\\/)/', 1) AS remote_port, \ + p.mode, \ + p.cwd, \ + p.euid, \ + p.parent, \ + p.syscall, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + process_events p \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + p.time > (strftime('%s', 'now') -60) \ + AND ( \ + INSTR(p.cmdline, 'wget ') > 0 \ + OR INSTR(p.cmdline, 'curl ') > 0 \ + ) \ + AND ( \ + remote_address NOT IN ('', '127.0.0.1', '::1') \ + OR remote_port != '' \ + OR p.cmdline LIKE '%.onion%' \ + OR p.cmdline LIKE '%tor2web%' \ + OR p.cmdline LIKE '%aliyun%' \ + OR p.cmdline LIKE '%pastebin%' \ + OR p.cmdline LIKE '%curl.*—write-out%' \ + OR p.cmdline LIKE '%curl.*—write-out%' \ + OR p.cmdline LIKE '%curl %--user-agent%' \ 
+ OR p.cmdline LIKE '%curl -k%' \ + OR p.cmdline LIKE '%curl -sL%' \ + OR p.cmdline LIKE '%curl%--connect-timeout%' \ + OR p.cmdline LIKE '%curl%--output /dev/null%' \ + OR p.cmdline LIKE '%curl%--O /dev/null%' \ + OR p.cmdline LIKE '%curl%--insecure%' \ + OR p.cmdline LIKE '%wget %--user-agent%' \ + OR p.cmdline LIKE '%wget %--no-check-certificate%' \ + OR p.cmdline LIKE '%wget -nc%' \ + OR p.cmdline LIKE '%wget -t%' \ + OR ( \ + p.cmdline LIKE '%wget %' \ + AND p.euid < 500 \ + ) \ + OR ( \ + p.cmdline LIKE '%curl %' \ + AND p.euid < 500 \ + ) \ + ) \ + AND pp.name NOT IN ('makepkg', 'apko') \ + AND NOT ( \ + p.euid > 500 \ + AND ( \ + p.cmdline LIKE '%--dump-header%' \ + OR p.cmdline LIKE '%/api/v%' \ + OR p.cmdline LIKE '%curl -X %' \ + OR p.cmdline LIKE '%go mod %' \ + OR p.cmdline LIKE '%application/json%' \ + OR p.cmdline LIKE '%grpcurl%' \ + OR p.cmdline LIKE '%Homebrew%' \ + OR p.cmdline LIKE '%If-None-Match%' \ + OR p.cmdline LIKE '%ctlog%' \ + OR p.cmdline LIKE '%.well-known/openid-configuration%' \ + OR p.cmdline LIKE '%/openid/v1/jwks%' \ + OR p.cmdline LIKE '%--progress-bar%' \ + OR parent_cmdline LIKE '%brew.rb%' \ + OR parent_cmdline LIKE '%brew.sh%' \ + OR p.cmdline LIKE 'git %' \ + OR p.cmdline LIKE '%LICENSES/vendor/%' \ + OR p.cmdline LIKE '%localhost:%' \ + OR p.cmdline LIKE '%127.0.0.1:%' \ + OR p.cmdline LIKE '%/192.168.%:%' \ + OR p.cmdline LIKE '%/chainctl_%' \ + ) \ + );", + "interval": "10800", + "description": "Events version of sketchy-fetchers" + }, + "tiny-executable": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.cmdline, \ + file.size, \ + file.mode, \ + p.cwd, \ + p.euid, \ + p.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + file.size > 0 \ + AND 
file.size < 10000;", + "interval": "10800", + "description": "Discover tiny dropper binaries, such as Shikitega:" + }, + "tiny-executable-events": { + "query": "SELECT \ + p.pid, \ + p.path, \ + p.cmdline, \ + file.size, \ + p.mode, \ + p.cwd, \ + p.euid, \ + p.parent, \ + p.syscall, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + process_events p \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + p.time > (strftime('%s', 'now') -30) \ + AND file.size > 0 \ + AND file.size < 10000;", + "interval": "10800", + "description": "Discover tiny dropper binaries, such as Shikitega:" + }, + "unexpected-env-values": { + "query": "SELECT \ + key, \ + value, \ + p.pid, \ + p.path, \ + p.cmdline, \ + p.parent AS parent_pid, \ + pp.cmdline AS parent_cmd, \ + hash.sha256 \ + FROM \ + process_envs pe \ + LEFT JOIN processes p ON pe.pid = p.pid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + ( \ + key = 'HISTFILE' \ + AND NOT VALUE LIKE '/Users/%/.%_history' \ + AND NOT VALUE LIKE '/home/%/.%_history' \ + ) \ + OR ( \ + key = 'LD_PRELOAD' \ + AND NOT p.path LIKE '%/firefox' \ + AND NOT pe.value = 'libfakeroot.so' \ + AND NOT pe.value LIKE ':/home/%/.local/share/Steam' \ + AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%' \ + AND NOT pe.value LIKE ':/snap/%' \ + AND NOT pe.value LIKE '/app/bin/%' \ + AND NOT pe.value LIKE 'libmozsandbox.so%' \ + ) \ + OR ( \ + key = 'DYLD_INSERT_LIBRARIES' \ + ) \ + OR ( \ + key = 'DYLD_FRAMEWORK_PATH' \ + );", + "interval": "10800", + "description": "Inpsired by BPFdoor and other intrusions" + }, + "unexpected-execdir-events-linux": { + "query": "SELECT \ + pe.pid, \ + pe.path, \ + REGEX_MATCH (pe.path, '(.*)/', 1) AS dirname, \ + pe.mode, \ + pe.cwd, \ + pe.euid, \ + 
pe.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmd, \ + pp.euid AS parent_euid, \ + phash.sha256 AS parent_sha256, \ + hash.sha256 AS sha256 \ + FROM \ + process_events pe \ + LEFT JOIN processes p ON pe.pid = pe.pid \ + LEFT JOIN processes pp ON pe.parent = p.pid \ + LEFT JOIN hash ON pe.path = hash.path \ + LEFT JOIN hash phash ON pp.path = hash.path \ + WHERE \ + pe.time > (strftime('%s', 'now') -15) \ + AND dirname NOT LIKE '/home/%' \ + AND dirname NOT LIKE '/nix/store/%/bin' \ + AND dirname NOT LIKE '/nix/store/%/lib/%' \ + AND dirname NOT LIKE '/nix/store/%/libexec' \ + AND dirname NOT LIKE '/nix/store/%/libexec/%' \ + AND dirname NOT LIKE '/nix/store/%/share/%' \ + AND dirname NOT LIKE '/opt/%' \ + AND dirname NOT LIKE '/tmp/go-build%' \ + AND dirname NOT LIKE '/snap/%' \ + AND dirname NOT LIKE '/usr/libexec/%' \ + AND dirname NOT LIKE '/usr/local/%/bin/%' \ + AND dirname NOT LIKE '/usr/local/%bin' \ + AND dirname NOT LIKE '/usr/local/%libexec' \ + and dirname NOT LIKE '/usr/local/Cellar/%' \ + AND dirname NOT LIKE '/usr/lib/%' \ + AND dirname NOT LIKE '/usr/lib64/%' \ + AND dirname NOT LIKE '/tmp/%/bin' \ + AND dirname NOT LIKE '/usr/local/go/pkg/tool/%' \ + AND dirname NOT IN ( \ + '/', \ + '/app', \ + '/bin', \ + '/ko-app', \ + '/sbin', \ + '/usr/bin', \ + '/usr/lib', \ + '/usr/lib64/firefox', \ + '/usr/lib/bluetooth', \ + '/usr/lib/cups/notifier', \ + '/usr/lib/evolution-data-server', \ + '/usr/libexec', \ + '/usr/libexec/ApplicationFirewall', \ + '/usr/libexec/rosetta', \ + '/usr/lib/firefox', \ + '/usr/lib/fwupd', \ + '/usr/lib/ibus', \ + '/usr/lib/libreoffice/program', \ + '/usr/lib/polkit-1', \ + '/usr/lib/slack', \ + '/usr/lib/snapd', \ + '/usr/lib/systemd', \ + '/usr/lib/telepathy', \ + '/usr/lib/udisks2', \ + '/usr/lib/xorg', \ + '/usr/sbin', \ + '/usr/share/code', \ + '/usr/share/teams', \ + '/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin' \ + ) \ + AND NOT pe.path IN 
('/usr/lib32/ld-linux.so.2') \ + AND NOT ( \ + dirname = '' \ + AND p.name LIKE 'runc%' \ + ) \ + AND NOT ( \ + dirname = '' \ + AND parent_name IN ('dockerd') \ + ) \ + AND NOT (pe.euid = 65532) \ + GROUP BY \ + pe.pid;", + "interval": "10800", + "platform": "linux", + "description": "Events version of unexpected-executable-directory" + }, + "unexpected-execdir-events-macos": { + "query": "SELECT \ + p.pid, \ + p.path, \ + REGEX_MATCH (p.path, '(.*)/', 1) AS dirname, \ + REPLACE(file.directory, u.directory, '~') AS homedir, \ + p.cmdline, \ + p.mode, \ + p.cwd, \ + p.euid, \ + p.parent, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmd, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + process_events p \ + LEFT JOIN processes ON p.pid = processes.pid \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN users u ON p.uid = u.uid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + p.time > (strftime('%s', 'now') -60) \ + AND dirname LIKE '/%' \ + AND file.size > 0 \ + AND dirname NOT IN ( \ + '/bin', \ + '/Library/DropboxHelperTools/Dropbox_u501', \ + '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS', \ + '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS', \ + '/Library/Printers/DYMO/Utilities', \ + '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources', \ + '/usr/lib/system', \ + '/Library/PrivilegedHelperTools', \ + '/sbin', \ + '/nix/store', \ + '/usr/bin', \ + '/usr/lib', \ + '/Library/TeX/texbin', \ + '/usr/lib/bluetooth', \ + '/usr/lib/cups/notifier', \ + '/Library/Frameworks/Python.framework/Versions/3.10/bin', \ + '/usr/libexec', \ + '/usr/libexec/ApplicationFirewall', \ + '/usr/libexec/rosetta', \ + '/node_modules/.bin', \ + 
'/nix/var/nix/profiles/default/bin', \ + '/run/current-system/sw/bin', \ + '/usr/libexec/firmwarecheckers/eficheck', \ + '/usr/sbin', \ + '/usr/share/code' \ + ) \ + AND dirname NOT LIKE '/Applications/%.app/%' \ + AND dirname NOT LIKE '/etc/profiles/per-user/%/bin' \ + AND dirname NOT LIKE '/home/%' \ + AND dirname NOT LIKE '/Library/%/%.bundle/Contents/Helpers' \ + AND dirname NOT LIKE '/Library/%/Resources/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/%/sbin' \ + AND dirname NOT LIKE '/Library/Apple/System/%' \ + AND dirname NOT LIKE '/Library/Application Support/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/Application Support/Adobe/%' \ + AND dirname NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%' \ + AND dirname NOT LIKE '/Library/Developer/%' \ + AND dirname NOT LIKE '/Library/Developer/CommandLineTools/Library/%' \ + AND dirname NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/Java/JavaVirtualMachines/%' \ + AND dirname NOT LIKE '/Library/SystemExtensions/%' \ + AND dirname NOT LIKE '/nix/store/%' \ + AND dirname NOT LIKE '/opt/%' \ + AND dirname NOT LIKE '/private/tmp/go-build%/exe' \ + AND dirname NOT LIKE '/private/tmp/nix-build-%' \ + AND dirname NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS' \ + AND dirname NOT LIKE '/private/var/folders/%/bin' \ + AND dirname NOT LIKE '/private/var/folders/%/Contents/%' \ + AND dirname NOT LIKE '/private/var/folders/%/go-build%' \ + AND dirname NOT LIKE '/private/var/folders/%/GoLand' \ + AND dirname NOT LIKE '/snap/%' \ + AND dirname NOT LIKE '/store/%/bin' \ + AND dirname NOT LIKE '/System/%' \ + AND dirname NOT LIKE '/Users/%' \ + AND dirname NOT LIKE '/usr/libexec/%' \ + AND dirname NOT LIKE '/usr/local/%' \ + AND dirname NOT LIKE '/Volumes/com.getdropbox.dropbox-%' \ + AND dirname NOT LIKE '../%' \ + AND p.path NOT IN ( \ + 
'/Applications/Stats.app/Contents/MacOS/Stats', \ + '/usr/libexec/AssetCache/AssetCache', \ + '_build/krew/bin/git', \ + '/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \ + '/Library/DropboxHelperTools/DropboxHelperInstaller', \ + '/Library/PrivilegedHelperTools/com.adobe.ARMDC.Communicator', \ + '/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper', \ + '/Library/PrivilegedHelperTools/com.docker.vmnetd', \ + '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent', \ + '/Library/PrivilegedHelperTools/keybase.Helper' \ + ) \ + AND parent_path NOT LIKE '/nix/store/%' \ + AND parent_cmd NOT LIKE '%./configure%' \ + AND NOT ( \ + dirname LIKE '/private/var/%' \ + AND processes.name LIKE 'pulumi-go.%' \ + ) \ + AND NOT ( \ + dirname LIKE '/private/tmp/%' \ + AND processes.name = 'goobspatch' \ + ) \ + GROUP BY \ + p.cmdline, \ + p.cwd, \ + p.euid;", + "interval": "10800", + "platform": "darwin", + "description": "Events version of unexpected-executable-directory" + }, + "unexpected-executable-directory-linux": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + p.euid, \ + p.gid, \ + f.ctime, \ + f.directory AS dirname, \ + p.cmdline, \ + hash.sha256, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN hash ON hash.path = p.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + WHERE \ + dirname NOT IN ( \ + '/bin', \ + '/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin', \ + '/sbin', \ + '/usr/bin', \ + '/usr/lib', \ + '/usr/lib/bluetooth', \ + '/usr/lib/cups/notifier', \ + '/usr/share/teams', \ + '/usr/lib/evolution-data-server', \ + '/usr/lib/firefox', \ + '/usr/lib/fwupd', \ + '/usr/lib/ibus', \ + '/usr/lib/libreoffice/program', \ + '/usr/lib/polkit-1', \ + '/usr/lib/slack', \ + '/usr/lib/snapd', \ + '/usr/lib/systemd', \ + 
'/usr/lib/telepathy', \ + '/usr/lib/udisks2', \ + '/usr/lib/xorg', \ + '/usr/lib64/firefox', \ + '/usr/libexec', \ + '/usr/sbin', \ + '/usr/share/code' \ + ) \ + AND dirname NOT LIKE '/home/%' \ + AND dirname NOT LIKE '/nix/store/%' \ + AND dirname NOT LIKE '/opt/%' \ + AND dirname NOT LIKE '/snap/%' \ + AND dirname NOT LIKE '/tmp/%/bin' \ + AND dirname NOT LIKE '/tmp/go-build%' \ + AND dirname NOT LIKE '/usr/lib/%' \ + AND dirname NOT LIKE '/usr/lib64/%' \ + AND dirname NOT LIKE '/usr/libexec/%' \ + AND dirname NOT LIKE '/usr/local/%' \ + AND p.path NOT IN ( \ + '/usr/lib/firefox/firefox', \ + '/usr/lib64/firefox/firefox' \ + ) \ + AND NOT ( \ + dirname = '' \ + AND p.name LIKE 'runc%' \ + );", + "interval": "10800", + "platform": "linux", + "description": "Programs running out of unexpected directories, such as /tmp" + }, + "unexpected-executable-directory-macos": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + p.euid, \ + p.gid, \ + f.ctime, \ + f.directory AS dirname, \ + REPLACE(f.directory, u.directory, '~') AS dirname, \ + p.cmdline, \ + hash.sha256, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + hash.sha256 AS parent_sha256, \ + signature.identifier, \ + signature.authority \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN hash ON hash.path = p.path \ + LEFT JOIN users u ON p.uid = u.uid \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN signature ON p.path = signature.path \ + WHERE \ + dirname NOT IN ( \ + '/bin', \ + '/Library/DropboxHelperTools/Dropbox_u501', \ + '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS', \ + '/Library/Printers/DYMO/Utilities', \ + '/Library/PrivilegedHelperTools', \ + '/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin', \ + '/opt/usr/bin', \ + '/opt/X11/bin', \ + '/opt/X11/libexec', \ 
+ '/sbin', \ + '/usr/bin', \ + '/usr/lib', \ + '/usr/lib/bluetooth', \ + '/usr/lib/cups/notifier', \ + '/usr/lib/fwupd', \ + '/usr/lib/ibus', \ + '/usr/libexec', \ + '/usr/libexec/ApplicationFirewall', \ + '/usr/libexec/AssetCache', \ + '/usr/libexec/rosetta', \ + '/usr/sbin', \ + '/usr/share/code', \ + '/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin' \ + ) \ + AND homedir NOT IN ( \ + '~/bin', \ + '~/go/bin', \ + '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin', \ + '~/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin', \ + '~/Library/Application Support/com.elgato.StreamDeck/Plugins/com.lostdomain.zoom.sdPlugin' \ + ) \ + AND signature.authority NOT IN ( \ + 'Apple Mac OS Application Signing', \ + 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', \ + 'Developer ID Application: Docker Inc (9BNSXJN65R)', \ + 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', \ + 'Developer ID Application: Figma, Inc. (T8RA8NE3B7)', \ + 'Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)', \ + 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \ + 'Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \ + 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \ + 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \ + 'Developer ID Application: Objective-See, LLC (VBG97UB4TA)', \ + 'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)', \ + 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + 'Developer ID Application: Tenable, Inc. (4B8J598M7U)', \ + 'Developer ID Application: Valve Corporation (MXGJJ98X76)', \ + 'Developer ID Application: Wireshark Foundation, Inc. 
(7Z6EMTD2C6)', \ + 'Apple iPhone OS Application Signing', \ + 'Developer ID Application: Node.js Foundation (HX7739G8FX)', \ + 'Software Signing' \ + ) \ + AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin' \ + AND dirname NOT LIKE '/private/var/folders/%/d/Wrapper/%.app' \ + AND dirname NOT LIKE '/Applications/%.app/%' \ + AND dirname NOT LIKE '/Applications/Utilities/Adobe Creative Cloud/%' \ + AND dirname NOT LIKE '/Library/%/%.bundle/Contents/Helpers' \ + AND dirname NOT LIKE '/Library/%/Resources/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/%/sbin' \ + AND dirname NOT LIKE '/Library/Apple/System/Library%' \ + AND dirname NOT LIKE '/Library/Application Support/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/Application Support/Adobe/%' \ + AND dirname NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%' \ + AND dirname NOT LIKE '/Library/Developer/%' \ + AND dirname NOT LIKE '/Library/Developer/CommandLineTools/Library/%' \ + AND dirname NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/Java/JavaVirtualMachines/%' \ + AND dirname NOT LIKE '/Library/Printers/%.app/Contents/MacOS' \ + AND dirname NOT LIKE '/Library/PrivilegedHelperTools/com.%' \ + AND dirname NOT LIKE '/nix/store/%' \ + AND dirname NOT LIKE '/opt/homebrew/Cellar/%/bin' \ + AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec' \ + AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec/%' \ + AND dirname NOT LIKE '/opt/homebrew/Cellar/%/Contents/MacOS' \ + AND dirname NOT LIKE '/opt/homebrew/Caskroom/%/bin' \ + AND dirname NOT LIKE '/private/tmp/%.app/Contents/MacOS' \ + AND dirname NOT LIKE '/private/tmp/go-build%/exe' \ + AND dirname NOT LIKE '/private/tmp/nix-build-%' \ + AND dirname NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%' \ + AND dirname NOT LIKE 
'/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS' \ + AND dirname NOT LIKE '/private/var/folders/%/bin' \ + AND dirname NOT LIKE '/private/var/folders/%/Contents/%' \ + AND dirname NOT LIKE '/private/var/folders/%/go-build%' \ + AND dirname NOT LIKE '/private/var/folders/%/GoLand' \ + AND dirname NOT LIKE '/System/%' \ + AND dirname NOT LIKE '/Users/%/bin/%' \ + AND dirname NOT LIKE '/Users/%/src/%' \ + AND dirname NOT LIKE '/usr/libexec/%' \ + AND dirname NOT LIKE '/usr/local/%' \ + AND NOT ( \ + dirname LIKE '/private/var/%' \ + AND p.name LIKE 'pulumi-go.%' \ + ) \ + AND NOT ( \ + dirname LIKE '/private/tmp/%' \ + AND p.name = 'goobspatch' \ + ) \ + AND NOT ( \ + homedir = '~' \ + AND p.name = 'cloud_sql_proxy' \ + );", + "interval": "10800", + "platform": "darwin", + "description": "Planning on running something in an unexpected place without a signature?" + }, + "unexpected-executable-permissions": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + f.mode, \ + f.uid, \ + f.gid, \ + hash.sha256, \ + pp.name AS parent_name, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + JOIN file f ON p.path = f.path \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN processes pp ON pp.pid = p.parent \ + WHERE \ + f.mode NOT IN ( \ + '0500', \ + '0544', \ + '0555', \ + '0711', \ + '0755', \ + '0775', \ + '6755', \ + '0700', \ + '2755', \ + '4511', \ + '4555', \ + '4755' \ + ) \ + AND NOT ( \ + f.path IN ( \ + '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService', \ + '/Applications/Camera Settings.app/Contents/MacOS/LogitechCamera' \ + ) \ + AND f.mode = '0777' \ + AND f.uid > 500 \ + ) \ + AND NOT ( \ + f.path LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin/jsonnet-language-server' \ + AND f.mode = '0777' \ + AND f.uid > 500 \ + ) \ + AND NOT ( \ + 
f.path = '/usr/bin/sudo' \ + AND f.mode = '0411' \ + AND f.uid = 0 \ + ) \ + AND NOT ( \ + f.path LIKE '/home/%/.local/share/JetBrains/Toolbox/bin/jetbrains-toolbox' \ + AND f.mode = '0744' \ + AND f.uid = 0 \ + );", + "interval": "10800", + "description": "Find processes running that are tied to binaries with unsual permissions. Namely, 0777." + }, + "unexpected-gatekeeper-approvals-macos": { + "query": "SELECT \ + gap.ctime, \ + gap.mtime, \ + gap.path, \ + file.mtime, \ + file.uid, \ + file.ctime, \ + file.gid, \ + hash.sha256, \ + signature.identifier, \ + signature.authority \ + FROM \ + gatekeeper_approved_apps AS gap \ + LEFT JOIN file ON gap.path = file.path \ + LEFT JOIN hash ON gap.path = hash.path \ + LEFT JOIN signature ON gap.path = signature.path \ + WHERE \ + gap.path NOT LIKE '/Users/%/bin/%' \ + AND gap.path NOT LIKE '/Users/%/rekor-cli' \ + AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64' \ + AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64' \ + AND gap.path NOT LIKE '/Users/%/configure' \ + GROUP BY \ + gap.requirement;", + "interval": "10800", + "platform": "darwin", + "description": "Gatekeeper exceptions are exceptions for downloaded binaries" + }, + "unexpected-mounts": { + "query": "SELECT * FROM mounts WHERE device = '/dev/disk0s1' AND type = 'msdos';", + "interval": "10800", + "description": "Detect weird mounts, like mounting the EFI partition" + }, + "unexpected-osascript-calls": { + "query": "SELECT \ + p.pid, \ + p.path, \ + TRIM(p.cmdline) AS cmd, \ + p.mode, \ + p.cwd, \ + p.euid, \ + p.parent, \ + p.syscall, \ + hash.sha256, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + TRIM(p.cmdline) AS parent_cmd, \ + pp.euid AS parent_euid, \ + phash.sha256 AS parent_sha256 \ + FROM \ + uptime, \ + process_events p \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN hash AS phash ON pp.path = hash.path \ + WHERE \ + p.path = '/usr/bin/osascript' \ + AND p.time > 
(strftime('%s', 'now') -60);", + "interval": "10800", + "description": "Detect unusual calls to osascript" + }, + "unexpected-raw-socket": { + "query": "SELECT \ + pop.pid, \ + p.path, \ + p.cmdline, \ + p.name, \ + hash.sha256 \ + FROM \ + process_open_sockets pop \ + JOIN processes p ON pop.pid = p.pid \ + JOIN hash ON p.path = hash.path \ + WHERE \ + family = 17 \ + AND name NOT IN ( \ + 'wpa_supplicant', \ + 'NetworkManager', \ + 'dhcpcd', \ + 'tcpdump' \ + );", + "interval": "10800" + }, + "unexpected-setuid-binaries": { + "query": "SELECT \ + file.path, \ + gid, \ + uid, \ + mode, \ + type, \ + size, \ + sha256 \ + FROM \ + file \ + JOIN hash ON file.path = hash.path \ + WHERE \ + ( \ + file.path LIKE '/bin/%' \ + OR file.path LIKE '/home/%/bin/%' \ + OR file.path LIKE '/opt/%/bin/%' \ + OR file.path LIKE '/opt/%/sbin/%' \ + OR file.path LIKE '/sbin/%' \ + OR file.path LIKE '/tmp/%' \ + OR file.path LIKE '/Users/%/bin/%' \ + OR file.path LIKE '/usr/bin/%' \ + OR file.path LIKE '/usr/lib/%' \ + OR file.path LIKE '/usr/lib64/%' \ + OR file.path LIKE '/usr/libexec/%' \ + OR file.path LIKE '/usr/local/bin/%' \ + OR file.path LIKE '/usr/local/lib/%' \ + OR file.path LIKE '/usr/local/lib64/%' \ + OR file.path LIKE '/usr/local/libexec/%' \ + OR file.path LIKE '/usr/local/sbin/%' \ + OR file.path LIKE '/usr/sbin/%' \ + OR file.path LIKE '/var/lib/%' \ + OR file.path LIKE '/var/tmp/%' \ + ) \ + AND type = 'regular' \ + AND mode NOT LIKE '0%' \ + AND mode NOT LIKE '1%' \ + AND mode NOT LIKE '2%' \ + AND NOT ( \ + mode LIKE '4%11' \ + AND uid = 0 \ + AND gid = 0 \ + AND file.path IN ( \ + '/bin/cdda2wav', \ + '/bin/cdrecord', \ + '/bin/icedax', \ + '/bin/mount.nfs', \ + '/bin/mount.nfs4', \ + '/bin/readcd', \ + '/bin/readom', \ + '/bin/rscsi', \ + '/bin/staprun', \ + '/bin/sudo', \ + '/bin/sudoedit', \ + '/bin/umount.nfs', \ + '/bin/umount.nfs4', \ + '/bin/wodim', \ + '/sbin/cdda2wav', \ + '/sbin/cdrecord', \ + '/sbin/icedax', \ + '/sbin/mount.nfs', \ + 
'/sbin/mount.nfs4', \ + '/sbin/readcd', \ + '/sbin/readom', \ + '/sbin/rscsi', \ + '/sbin/umount.nfs', \ + '/sbin/umount.nfs4', \ + '/sbin/userhelper', \ + '/sbin/wodim', \ + '/usr/bin/cdda2wav', \ + '/usr/bin/cdrecord', \ + '/usr/bin/icedax', \ + '/usr/bin/mount.nfs', \ + '/usr/bin/mount.nfs4', \ + '/usr/bin/readcd', \ + '/usr/bin/readom', \ + '/usr/bin/rscsi', \ + '/usr/bin/staprun', \ + '/usr/bin/sudo', \ + '/usr/bin/sudoedit', \ + '/usr/bin/umount.nfs', \ + '/usr/bin/umount.nfs4', \ + '/usr/bin/wodim', \ + '/usr/libexec/security_authtrampoline', \ + '/usr/sbin/cdda2wav', \ + '/usr/sbin/cdrecord', \ + '/usr/sbin/icedax', \ + '/usr/sbin/mount.nfs', \ + '/usr/sbin/mount.nfs4', \ + '/usr/sbin/readcd', \ + '/usr/sbin/readom', \ + '/usr/sbin/rscsi', \ + '/usr/sbin/umount.nfs', \ + '/usr/sbin/umount.nfs4', \ + '/usr/sbin/userhelper', \ + '/usr/sbin/wodim' \ + ) \ + ) \ + AND NOT ( \ + mode LIKE '4%55' \ + AND uid = 0 \ + AND gid = 0 \ + AND file.path IN ( \ + '/bin/chage', \ + '/bin/chfn', \ + '/bin/chsh', \ + '/bin/crontab', \ + '/bin/doas', \ + '/bin/expiry', \ + '/bin/fusermount-glusterfs', \ + '/bin/fusermount', \ + '/bin/fusermount3', \ + '/bin/gpasswd', \ + '/bin/ksu', \ + '/bin/mount', \ + '/bin/ndisc6', \ + '/bin/newgidmap', \ + '/bin/newgrp', \ + '/bin/newuidmap', \ + '/usr/bin/newgidmap', \ + '/bin/nvidia-modprobe', \ + '/bin/passwd', \ + '/bin/pkexec', \ + '/bin/ps', \ + '/bin/rdisc6', \ + '/bin/rltraceroute6', \ + '/bin/sg', \ + '/bin/su', \ + '/bin/sudo', \ + '/bin/sudoedit', \ + '/bin/suexec', \ + '/bin/ubuntu-core-launcher', \ + '/bin/umount', \ + '/bin/vmware-user-suid-wrapper', \ + '/bin/vmware-user', \ + '/sbin/chage', \ + '/sbin/chfn', \ + '/sbin/chsh', \ + '/sbin/crontab', \ + '/sbin/doas', \ + '/sbin/expiry', \ + '/sbin/fusermount', \ + '/sbin/fusermount3', \ + '/sbin/gpasswd', \ + '/sbin/grub2-set-bootflag', \ + '/sbin/ksu', \ + '/sbin/mount.nfs', \ + '/sbin/mount.nfs4', \ + '/sbin/mount', \ + '/sbin/ndisc6', \ + '/sbin/newgrp', \ + 
'/sbin/nvidia-modprobe', \ + '/sbin/pam_timestamp_check', \ + '/sbin/passwd', \ + '/sbin/pkexec', \ + '/sbin/rdisc6', \ + '/sbin/rltraceroute6', \ + '/sbin/sg', \ + '/sbin/su', \ + '/sbin/sudo', \ + '/sbin/sudoedit', \ + '/sbin/suexec', \ + '/sbin/umount.nfs', \ + '/sbin/umount.nfs4', \ + '/sbin/umount', \ + '/sbin/unix_chkpwd', \ + '/usr/bin/at', \ + '/usr/bin/atq', \ + '/usr/bin/atrm', \ + '/usr/bin/batch', \ + '/usr/bin/chage', \ + '/usr/bin/chfn', \ + '/usr/bin/chsh', \ + '/usr/bin/crontab', \ + '/usr/bin/doas', \ + '/usr/bin/expiry', \ + '/usr/bin/fusermount-glusterfs', \ + '/usr/bin/fusermount', \ + '/usr/bin/fusermount3', \ + '/usr/bin/gpasswd', \ + '/usr/bin/ksu', \ + '/usr/bin/login', \ + '/usr/bin/mount', \ + '/usr/bin/ndisc6', \ + '/usr/bin/newgrp', \ + '/usr/bin/newuidmap', \ + '/usr/bin/nvidia-modprobe', \ + '/usr/bin/passwd', \ + '/usr/bin/pkexec', \ + '/usr/bin/quota', \ + '/usr/bin/mullvad-exclude', \ + '/usr/sbin/mullvad-exclude', \ + '/usr/bin/rdisc6', \ + '/usr/bin/rltraceroute6', \ + '/usr/bin/sg', \ + '/sbin/mullvad-exclude', \ + '/bin/mullvad-exclude', \ + '/usr/bin/su', \ + '/usr/bin/sudo', \ + '/usr/bin/sudoedit', \ + '/usr/bin/suexec', \ + '/usr/bin/top', \ + '/usr/bin/ubuntu-core-launcher', \ + '/usr/bin/umount', \ + '/usr/bin/vmware-user-suid-wrapper', \ + '/usr/bin/vmware-user', \ + '/usr/lib/mail-dotlock', \ + '/usr/lib/xf86-video-intel-backlight-helper', \ + '/usr/lib/Xorg.wrap', \ + '/usr/lib64/mail-dotlock', \ + '/usr/lib64/xf86-video-intel-backlight-helper', \ + '/usr/lib64/Xorg.wrap', \ + '/usr/libexec/authopen', \ + '/usr/libexec/polkit-agent-helper-1', \ + '/usr/libexec/qemu-bridge-helper', \ + '/usr/libexec/Xorg.wrap', \ + '/usr/sbin/chage', \ + '/usr/sbin/chfn', \ + '/usr/sbin/chsh', \ + '/usr/sbin/crontab', \ + '/usr/sbin/doas', \ + '/usr/sbin/expiry', \ + '/usr/sbin/fusermount', \ + '/usr/sbin/fusermount3', \ + '/usr/sbin/gpasswd', \ + '/usr/sbin/grub2-set-bootflag', \ + '/usr/sbin/ksu', \ + '/usr/sbin/mount.nfs', \ + 
'/usr/sbin/mount.nfs4', \ + '/usr/sbin/mount', \ + '/usr/sbin/ndisc6', \ + '/usr/sbin/newgrp', \ + '/usr/sbin/nvidia-modprobe', \ + '/usr/sbin/pam_timestamp_check', \ + '/usr/sbin/passwd', \ + '/usr/sbin/pkexec', \ + '/usr/sbin/rdisc6', \ + '/usr/sbin/rltraceroute6', \ + '/usr/sbin/sg', \ + '/usr/sbin/su', \ + '/usr/sbin/sudo', \ + '/usr/sbin/sudoedit', \ + '/usr/sbin/suexec', \ + '/usr/sbin/traceroute', \ + '/usr/sbin/traceroute6', \ + '/usr/sbin/umount.nfs', \ + '/usr/sbin/umount.nfs4', \ + '/usr/sbin/umount', \ + '/usr/sbin/unix_chkpwd' \ + ) \ + ) \ + AND NOT ( \ + mode = '4754' \ + AND uid = 0 \ + AND gid = 30 \ + AND file.path IN ('/usr/sbin/pppd', '/sbin/pppd') \ + ) \ + AND NOT ( \ + mode = '6755' \ + AND uid = 0 \ + AND gid = 0 \ + AND file.path IN ( \ + '/bin/mount.cifs', \ + '/bin/mount.smb3', \ + '/bin/unix_chkpwd', \ + '/sbin/mount.cifs', \ + '/sbin/mount.smb3', \ + '/sbin/unix_chkpwd', \ + '/usr/bin/mount.cifs', \ + '/usr/bin/mount.smb3', \ + '/usr/bin/unix_chkpwd', \ + '/usr/lib/xtest', \ + '/usr/lib64/xtest', \ + '/usr/sbin/mount.cifs', \ + '/usr/sbin/mount.smb3', \ + '/usr/sbin/unix_chkpwd' \ + ) \ + ) \ + AND NOT ( \ + mode = '4110' \ + AND uid = 0 \ + AND gid = 156 \ + AND file.path IN ('/bin/staprun', '/usr/bin/staprun') \ + );", + "interval": "10800" + }, + "unexpected-tmp-executables": { + "query": "SELECT \ + file.path, \ + uid, \ + gid, \ + mode, \ + file.mtime, \ + file.size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + WHERE \ + ( \ + file.path LIKE '/tmp/%%' \ + OR file.path LIKE '/tmp/.%/%%' \ + OR file.path LIKE '/tmp/%/%%' \ + OR file.path LIKE '/tmp/%/%/.%' \ + OR file.path LIKE '/tmp/%/.%/%%' \ + OR file.path LIKE '/var/tmp/%%' \ + OR file.path LIKE '/var/tmp/.%/%%' \ + OR file.path LIKE '/var/tmp/%/%%' \ + OR file.path LIKE '/var/tmp/%/%/.%' \ + OR file.path LIKE '/var/tmp/%/.%/%%' \ + OR file.path LIKE '/var/spool/%%' \ + OR file.path 
LIKE '/var/spool/.%/%%' \ + OR file.path LIKE '/var/spool/%/%%' \ + OR file.path LIKE '/var/spool/%/%/.%' \ + OR file.path LIKE '/var/spool/%/.%/%%' \ + OR file.path LIKE '/dev/mqueue/%%' \ + OR file.path LIKE '/dev/mqueue/.%/%%' \ + OR file.path LIKE '/dev/mqueue/%/%%' \ + OR file.path LIKE '/dev/mqueue/%/%/.%' \ + OR file.path LIKE '/dev/mqueue/%/.%/%%' \ + OR file.path LIKE '/dev/shm/%%' \ + OR file.path LIKE '/dev/shm/.%/%%' \ + OR file.path LIKE '/dev/shm/%/%%' \ + OR file.path LIKE '/dev/shm/%/%/.%' \ + OR file.path LIKE '/dev/shm/%/.%/%%' \ + ) \ + AND file.type = 'regular' \ + AND file.path NOT LIKE '%/../%' \ + AND file.path NOT LIKE '%/./%' \ + AND ( \ + file.mode LIKE '%7%' \ + or file.mode LIKE '%5%' \ + or file.mode LIKE '%1%' \ + ) \ + AND NOT ( \ + uid > 500 \ + AND ( \ + file.path LIKE '%/go-build%' \ + OR file.path LIKE '/tmp/checkout/%' \ + OR file.path LIKE '/tmp/com.apple.installer%' \ + OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%' \ + OR file.path LIKE '/tmp/go.%.sum' \ + OR file.path LIKE '/tmp/guile-%/guile-%' \ + OR file.path LIKE '/tmp/terraformer/%' \ + OR file.path LIKE '/tmp/tmp.%' \ + OR file.path LIKE '%/bin/%-gen' \ + OR file.path LIKE '%/bin/%' \ + OR file.path LIKE '%/CCLBS/%' \ + OR file.path LIKE '%/ko/%' \ + OR file.path LIKE '%/pdf-tools/%' \ + OR file.path LIKE '%/tmp/epdf%' \ + OR \ + ( \ + file.size < 4000 \ + AND file.path LIKE '/tmp/%.sh' \ + ) \ + OR ( \ + file.size < 4000 \ + AND file.path LIKE '/tmp/%.py' \ + ) \ + ) \ + ) \ + AND NOT ( \ + file.directory LIKE '/tmp/tmp%' \ + AND gid = 0 \ + AND uid > 300 \ + AND uid < 350 \ + ) \ + AND NOT magic.data LIKE '%nix-shell script%' \ + AND NOT ( \ + file.directory LIKE '/tmp/%' \ + AND (strftime('%s', 'now') - ctime) < 60 \ + ) \ + AND NOT file.directory LIKE '/tmp/msu-target-%' \ + AND NOT ( \ + file.path LIKE('/tmp/%compressed') \ + AND size < 4000 \ + AND uid > 500 \ + ) \ + AND NOT ( \ + file.type = 'regular' \ + AND size < 10 \ + );", + "interval": 
"10800", + "description": "Find unexpected executables in temp directories" + }, + "xprotect-reports": { + "query": "SELECT * FROM xprotect_reports;", + "interval": "1200", + "platform": "darwin", + "description": "Returns a list of malware matches from macOS XProtect" + } + } +} +{ + "queries": { + "high-disk-bytes-written": { + "query": "SELECT \ + p.name, \ + p.path, \ + p.pid, \ + p.cmdline, \ + p.on_disk, \ + p.parent, \ + p.start_time, \ + hash.sha256, \ + p.disk_bytes_written, \ + p.cwd, \ + (strftime('%s', 'now') - start_time) AS age, \ + disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second \ + FROM \ + processes p \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + bytes_per_second > 2000000 \ + AND age > 120 \ + AND pid > 2 \ + AND p.path NOT IN ( \ + '/bin/bash', \ + '/usr/bin/aptd', \ + '/usr/bin/bash', \ + '/usr/bin/bwrap', \ + '/usr/bin/curl', \ + '/usr/bin/fish', \ + '/usr/bin/gnome-shell', \ + '/usr/bin/qemu-system-x86_64', \ + '/usr/bin/yay', \ + '/usr/bin/zsh', \ + '/usr/lib/flatpak-system-helper', \ + '/usr/lib/systemd/systemd-journald', \ + '/usr/lib/systemd/systemd', \ + '/usr/lib64/thunderbird/thunderbird', \ + '/usr/libexec/coreduetd', \ + '/usr/libexec/coreduetd', \ + '/usr/libexec/packagekitd', \ + '/usr/libexec/rosetta/oahd', \ + '/usr/libexec/secd', \ + '/usr/libexec/sharingd', \ + '/usr/sbin/screencapture' \ + ) \ + AND NOT ( \ + name LIKE 'jbd%/dm-%' \ + AND on_disk = -1 \ + ) \ + AND NOT ( \ + name = 'bindfs' \ + AND cmdline LIKE 'bindfs -f -o fsname=%' \ + ) \ + AND NOT ( \ + name = 'btrfs-transaction' \ + AND on_disk = -1 \ + ) \ + AND NOT ( \ + name = 'kernel_task' \ + AND p.path = '' \ + AND parent IN (0, 1) \ + AND on_disk = -1 \ + ) \ + AND NOT ( \ + name = 'launchd' \ + AND p.path = '/sbin/launchd' \ + AND parent = 0 \ + ) \ + AND NOT ( \ + name = 'logd' \ + AND cmdline = '/usr/libexec/logd' \ + AND parent = 1 \ + ) \ + AND NOT ( \ + name = 'aptd' \ + AND cmdline = '/usr/bin/python3 /usr/sbin/aptd' \ 
+ ) \ + AND NOT name IN ( \ + 'chrome', \ + 'com.apple.MobileSoftwareUpdate.UpdateBrainService', \ + 'containerd', \ + 'esbuild', \ + 'firefox', \ + 'go', \ + 'goland', \ + 'java', \ + 'launcher', \ + 'gopls', \ + 'jetbrains-toolb', \ + 'slack', \ + 'slack', \ + 'wineserver' \ + ) \ + AND p.path NOT LIKE '/Applications/%.app/Contents/%' \ + AND p.path NOT LIKE '/home/%/.local/share/Steam' \ + AND p.path NOT LIKE '/nix/store/%/bin/%sh' \ + AND p.path NOT LIKE '/nix/store/%/bin/nix' \ + AND p.path NOT LIKE '/System/Applications/%' \ + AND p.path NOT LIKE '/System/Library/%' \ + AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher';", + "interval": "10800" + }, + "high_disk_bytes_read": { + "query": "SELECT \ + p.name, \ + p.path, \ + p.cmdline, \ + p.on_disk, \ + p.parent, \ + p.start_time, \ + hash.sha256, \ + p.disk_bytes_read, \ + p.cwd, \ + (strftime('%s', 'now') - start_time) AS age, \ + disk_bytes_read / (strftime('%s', 'now') - start_time) AS bytes_per_second \ + FROM \ + processes p \ + LEFT JOIN hash ON p.path = hash.path \ + WHERE \ + bytes_per_second > 2000000 \ + AND age > 180 \ + AND p.path NOT LIKE '/Applications/%.app/Contents/%' \ + AND p.path NOT LIKE '/System/Library/%' \ + AND p.path NOT LIKE '/System/Applications/%' \ + AND p.path NOT LIKE '/Library/Apple/System/Library/%' \ + AND name NOT IN ( \ + 'bash', \ + 'emacs', \ + 'firefox', \ + 'fish', \ + 'gopls', \ + 'GoogleSoftwareUpdateAgent', \ + 'nautilus', \ + 'qemu-system-x86-64', \ + 'qemu-system-x86', \ + 'slack', \ + 'java', \ + 'wineserver', \ + 'nix', \ + 'ykman-gui', \ + 'osqueryd', \ + 'zsh' \ + ) \ + AND NOT ( \ + name = 'aned' \ + AND cmdline = '/usr/libexec/aned' \ + AND parent = 1 \ + ) \ + AND NOT ( \ + name = 'bindfs' \ + AND cmdline LIKE 'bindfs -f -o fsname=%' \ + ) \ + AND NOT ( \ + name = 'jetbrains-toolb' \ + AND p.path LIKE '/tmp/.mount_jet%/jetbrains-toolbox' \ + ) \ + AND NOT ( \ + name 
= 'chrome' \ + AND p.path = '/opt/google/chrome/chrome' \ + ) \ + AND NOT ( \ + name = 'com.apple.MobileSoftwareUpdate.UpdateBrainService' \ + AND p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.MobileSoftwareUpdate.UpdateBrainService.%.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.UpdateBrainService' \ + ) \ + AND NOT ( \ + name = 'FindMy' \ + AND p.path = '/System/Applications/FindMy.app/Contents/MacOS/FindMy' \ + ) \ + AND NOT ( \ + name = 'go' \ + AND cmdline LIKE 'go run %' \ + ) \ + AND NOT ( \ + name = 'gopls' \ + AND p.path LIKE '/home/%/bin/gopls' \ + ) \ + AND NOT ( \ + name = 'gopls' \ + AND p.path LIKE '/home/%/gopls/gopls' \ + ) \ + AND NOT ( \ + name = 'gopls' \ + AND p.path LIKE '/Users/%/bin/gopls' \ + ) \ + AND NOT ( \ + name = 'gopls' \ + AND p.path LIKE '/Users/%/gopls/gopls' \ + ) \ + AND NOT ( \ + name = 'kernel_task' \ + AND p.path = '' \ + AND parent IN (0, 1) \ + AND on_disk = -1 \ + ) \ + AND NOT ( \ + name = 'launcher' \ + AND p.path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher' \ + ) \ + AND NOT ( \ + name = 'logd' \ + AND cmdline = '/usr/libexec/logd' \ + AND parent = 1 \ + ) \ + AND NOT (name = 'LogiFacecamService') \ + AND NOT ( \ + name = 'node' \ + AND cwd LIKE '%/console-ui/app' \ + ) \ + AND NOT ( \ + name = 'osqueryd' \ + AND p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + ) \ + AND NOT ( \ + name = 'packagekitd' \ + AND p.path = '/usr/libexec/packagekitd' \ + ) \ + AND NOT ( \ + name = 'PerfPowerServices' \ + AND p.path = '/usr/libexec/PerfPowerServices' \ + ) \ + AND NOT ( \ + name = 'ruby' \ + AND cmdline LIKE '%brew.rb upgrade' \ + ) \ + AND NOT ( \ + name = 'signpost_reporter' \ + AND cmdline = '/usr/libexec/signpost_reporter' \ + AND parent = 1 \ + ) \ + AND NOT ( \ + name = 'snapd' \ + AND p.path = '/usr/lib/snaptd/snaptd' \ + ) \ + AND NOT ( \ + name = 'spindump' \ + AND p.path = '/usr/sbin/spindump' \ + ) \ + AND NOT ( \ + name = 'syspolicyd' \ + AND 
p.path = '/usr/libexec/syspolicyd' \ + AND parent = 1 \ + ) \ + AND NOT ( \ + name = 'systemd-udevd' \ + AND p.path = '/usr/bin/udevadm' \ + ) \ + AND NOT ( \ + name = 'systemd' \ + AND p.path = '/usr/lib/systemd/systemd' \ + ) \ + AND NOT ( \ + name = 'systemstats' \ + AND p.path = '/usr/sbin/systemstats' \ + ) \ + AND NOT (p.path = '/usr/bin/gnome-shell') \ + AND NOT ( \ + name = 'terraform-ls' \ + AND cmdline LIKE 'terraform-ls serve%' \ + ) \ + AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java');", + "interval": "10800" + }, + "spotlight-database-export-macos": { + "query": "SELECT \ + f.path, \ + f.size, \ + datetime(f.btime, 'unixepoch') AS file_created, \ + magic.data \ + FROM \ + file f \ + JOIN mdfind ON mdfind.path = f.path \ + LEFT JOIN magic ON f.path = magic.path \ + WHERE \ + ( \ + ( \ + mdfind.query = 'kMDItemFSName == '*enforce*' && kMDItemTextContent == 'CREATE TABLE'' \ + ) \ + OR ( \ + mdfind.query = 'kMDItemFSName == '*iam*' && kMDItemTextContent == 'CREATE TABLE'' \ + ) \ + OR ( \ + mdfind.query = 'kMDItemFSName == '*tenant*' && kMDItemTextContent == 'CREATE TABLE'' \ + ) \ + ) \ + AND f.path NOT LIKE '%.json' \ + AND f.path NOT LIKE '%.log' \ + AND f.size > 32768;", + "interval": "10800", + "platform": "darwin", + "description": "Find database exports. Will need tuning based on your table names." 
+ } + } +} +{ + "queries": { + "unexpected-etc-hosts": { + "query": "SELECT \ + * \ + FROM \ + etc_hosts \ + WHERE \ + hostnames NOT IN ( \ + 'localhost', \ + 'localhost ip6-localhost ip6-loopback', \ + 'ip6-allnodes', \ + 'ip6-allrouters', \ + 'kubernetes' \ + ) \ + AND address NOT IN ( \ + '127.0.1.1', \ + '::1', \ + 'ff02::1', \ + 'ff02::2', \ + '255.255.255.255', \ + 'fe00::0', \ + 'ff00::0' \ + ) \ + AND hostnames NOT LIKE 'localhost.%' \ + AND hostnames NOT LIKE '%.svc' \ + AND hostnames NOT LIKE '%.test' \ + AND hostnames NOT LIKE '%.internal' \ + AND hostnames NOT LIKE '%.local' \ + AND hostnames NOT LIKE 'ip6-%';", + "interval": "10800" + } + } +} +{ + "queries": { + "unexpected-shell-parents": { + "query": "SELECT \ + p.name, \ + p.path AS path, \ + p.cmdline AS cmd, \ + p.pid, \ + p.parent, \ + pp.name AS parent_name, \ + pp.path AS parent_path, \ + pp.cmdline AS parent_cmd, \ + hash.sha256 AS parent_sha256 \ + FROM \ + processes p \ + LEFT JOIN processes pp ON pp.pid = p.parent \ + LEFT JOIN hash ON pp.path = hash.path \ + WHERE \ + p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'osascript') \ + AND parent_path != '' \ + AND pp.name NOT IN ( \ + 'abrt-handle-eve', \ + 'alacritty', \ + 'bash', \ + 'build-script-build', \ + 'clang-11', \ + 'Code - Insiders Helper (Renderer)', \ + 'Code Helper (Renderer)', \ + 'collect2', \ + 'conmon', \ + 'containerd-shim', \ + 'dash', \ + 'demoit', \ + 'direnv', \ + 'chezmoi', \ + 'find', \ + 'FinderSyncExtension', \ + 'fish', \ + 'go', \ + 'goland', \ + 'java', \ + 'ko', \ + 'kubectl', \ + 'doas', \ + 'make', \ + 'monorail', \ + 'nix-daemon', \ + 'nix', \ + 'nix-build', \ + 'package_script_service', \ + 'node', \ + 'nvim', \ + 'perl', \ + 'PK-Backend', \ + 'python', \ + 'roxterm', \ + 'sdzoomplugin', \ + 'sh', \ + 'skhd', \ + 'swift', \ + 'systemd', \ + 'helm', \ + 'terminator', \ + 'test2json', \ + 'tmux:server', \ + 'tmux', \ + 'vi', \ + 'vim', \ + 'watch', \ + 'wezterm-gui', \ + 'sshd', \ + 'xargs', \ + 'xcrun', \ + 
'xfce4-terminal', \ + 'yum', \ + 'zsh' \ + ) \ + AND parent_path NOT IN ( \ + '/Applications/Docker.app/Contents/MacOS/Docker', \ + '/bin/dash', \ + '/bin/sh', \ + '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon', \ + '/opt/X11/libexec/launchd_startx', \ + '/sbin/launchd', \ + '/usr/lib/xorg/Xorg', \ + '/usr/bin/alacritty', \ + '/usr/bin/apt-get', \ + '/usr/bin/bash', \ + '/usr/bin/bwrap', \ + '/usr/bin/sysdiagnose', \ + '/usr/bin/crond', \ + '/usr/bin/login', \ + '/Applications/IntelliJ IDEA.app/Contents/MacOS/idea', \ + '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli', \ + '/usr/bin/man', \ + '/usr/bin/sudo', \ + '/usr/bin/xargs', \ + '/usr/bin/zsh', \ + '/usr/libexec/gnome-terminal-server', \ + '/usr/libexec/periodic-wrapper', \ + '/usr/bin/su' \ + ) \ + AND NOT p.cmdline IN ( \ + 'sh -c -- exec-bin node_modules/.bin/hugo/hugo server', \ + 'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null' \ + ) \ + AND NOT ( \ + pp.name = 'sshd' \ + AND p.cmdline LIKE '%askpass%' \ + ) \ + AND NOT ( \ + pp.name = 'bash' \ + AND p.cmdline LIKE 'sh -s _hostname %' \ + ) \ + AND NOT ( \ + pp.cmdline LIKE 'perl%/help2man%' \ + AND p.cmdline LIKE 'sh -c man/%' \ + ) \ + AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%' \ + AND NOT p.cmdline LIKE '%gcloud config config-helper%' \ + AND NOT pp.cmdline LIKE '/Applications/Warp.app/%' \ + AND NOT pp.cmdline LIKE '%brew.rb%' \ + AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%' \ + AND NOT pp.cmdline LIKE '%Code Helper%' \ + AND NOT pp.cmdline LIKE '%gcloud.py config config-helper%' \ + AND NOT pp.name LIKE '%term%' \ + AND NOT pp.name LIKE '%Term%' \ + AND NOT pp.name LIKE 'Emacs%' \ + AND NOT pp.name LIKE 'terraform-provider-%' \ + AND NOT pp.path LIKE 
'/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent' \ + AND NOT pp.name LIKE '%/bin/bash' \ + AND NOT pp.name LIKE '%/bin/direnv' \ + AND NOT parent_path LIKE '/nix/store/%sh' \ + AND NOT parent_path LIKE '/opt/homebrew/%';", + "interval": "10800" + }, + "unexpected-volume-contents": { + "query": "SELECT \ + RTRIM(file.path, '/') AS trimpath, \ + uid, \ + filename, \ + gid, \ + mode, \ + REGEX_MATCH (file.path, '(.*)/', 1) AS dirname, \ + REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS basename, \ + REGEX_MATCH (RTRIM(file.path, '/'), '.*\\.(.*?)$', 1) AS extension, \ + mtime, \ + ctime, \ + symlink, \ + type, \ + size, \ + hash.sha256, \ + magic.data, \ + signature.identifier, \ + signature.authority \ + FROM \ + file \ + LEFT JOIN hash on file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ + LEFT JOIN signature ON file.path = signature.path \ + WHERE \ + ( \ + file.path LIKE '/Volumes/%/%' \ + OR file.path LIKE '/Volumes/%/.%' \ + ) \ + AND file.path NOT LIKE '/Volumes/Macintosh HD%' \ + AND file.path NOT LIKE '/Volumes/%/.com.apple.timemachine%' \ + AND ( \ + extension IN ( \ + 'command', \ + 'lnk', \ + 'mpkg', \ + 'scpt', \ + 'dmg', \ + 'iso', \ + 'gz', \ + 'sh', \ + 'sql' \ + ) \ + OR file.symlink != 0 \ + OR basename LIKE '.%' \ + OR basename LIKE '%.sql%' \ + OR basename LIKE '%Chrome%' \ + OR basename LIKE '%Extension%' \ + OR basename LIKE '%enforce%' \ + OR basename LIKE '%hidden%' \ + OR basename LIKE '%Installer%' \ + OR basename LIKE '%mono%' \ + OR basename LIKE '%secret%' \ + OR basename LIKE '%sql%' \ + OR basename LIKE '%guard%' \ + OR basename LIKE 'cg%' \ + ) \ + AND basename NOT IN ( \ + '..', \ + '.', \ + '.background', \ + '.disk_label_2x', \ + '.disk_label', \ + '.DS_Store', \ + '.iotest', \ + '.file-revisions-by-id', \ + '.file', \ + '.metadata_never_index_unless_rootfs', \ + '.shortcut-targets-by-id', \ + 
'.TemporaryItems', \ + '.Trashes', \ + '._Id.txt', \ + '.vol', \ + '.apdisk', \ + '._.Trashes', \ + '._.TemporaryItems', \ + '._.apdisk', \ + '.VolumeIcon.icns' \ + ) \ + AND authority NOT IN ( \ + 'Developer ID Application: Google LLC (EQHXZ8M8AV)' \ + ) \ + AND trimpath NOT IN ( \ + '/Volumes/Google Chrome/.keystone_install', \ + '/Volumes/Google Chrome Canary/.keystone_install', \ + '/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg' \ + );", + "interval": "10800", + "platform": "darwin", + "description": "Scan removable volumes for sketchy files" + } + } +} +{ + "queries": { + "fake-apple-launchd": { + "query": "select \ + * \ + FROM \ + signature s \ + JOIN launchd d ON d.program_arguments = s.path \ + WHERE \ + d.name LIKE 'com.apple.%' \ + AND ( \ + signed = 0 \ + OR authority != 'Software Signing' \ + ) \ + AND d.run_at_load = 1;", + "interval": "10800", + "platform": "darwin", + "description": "Find launchd entries which purport to be by Apple, but are not signed by Apple." + }, + "unexpected-cron-entries": { + "query": "SELECT \ + * \ + FROM \ + crontab \ + WHERE \ + command NOT LIKE 'root%run-parts%' \ + AND command NOT LIKE '%freshclam%' \ + AND command NOT LIKE '%clamscan%' \ + AND command NOT LIKE '%e2scrub%' \ + AND command NOT LIKE '%zfs-linux%' \ + AND command NOT LIKE '%anacron start%' \ + AND command NOT LIKE '%/usr/lib/php/sessionclean%';", + "interval": "10800" + }, + "unexpected-kernel-extensions": { + "query": "SELECT \ + * \ + FROM \ + kernel_extensions \ + WHERE \ + path NOT LIKE '/System/Library/Extensions/%' \ + AND NOT ( \ + idx = 0 \ + AND name = '__kernel__' \ + );", + "interval": "10800", + "platform": "darwin", + "description": "Display a list of non-Apple kernel extensions, which are exceedingly rare." 
+ }, + "unexpected-launchd-program": { + "query": "SELECT \ + l.label, \ + l.name, \ + l.path, \ + l.program, \ + l.program_arguments, \ + l.keep_alive, \ + signature.authority AS program_authority, \ + signature.identifier AS program_identifier, \ + hash.sha256 \ + FROM \ + launchd l \ + LEFT JOIN signature ON l.program = signature.path \ + LEFT JOIN hash ON l.path = hash.path \ + WHERE \ + ( \ + run_at_load = 1 \ + OR keep_alive = 1 \ + ) \ + AND l.path NOT LIKE '/System/%' \ + AND program IS NOT NULL \ + AND program_authority NOT IN ( \ + 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + 'Developer ID Application: Docker Inc (9BNSXJN65R)', \ + 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \ + 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \ + 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \ + 'Developer ID Application: Valve Corporation (MXGJJ98X76)', \ + 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)' \ + ) \ + AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent');", + "interval": "10800", + "platform": "darwin", + "description": "Unexpected launchd scripts that use the 'program' field" + }, + "unexpected-launchd-program-arguments": { + "query": "SELECT \ + l.label, \ + l.name, \ + l.path, \ + TRIM(REGEX_SPLIT (l.program_arguments, ' -', 0)) AS program_path, \ + l.program_arguments, \ + l.keep_alive, \ + signature.authority AS program_authority, \ + hash.sha256 \ + FROM \ + launchd l \ + LEFT JOIN signature ON program_path = signature.path \ + LEFT JOIN hash ON program_path = hash.path \ + WHERE \ + ( \ + run_at_load = 1 \ + OR keep_alive = 1 \ + ) \ + AND ( \ + program IS NULL \ + OR program = '' \ + ) \ + AND l.path NOT LIKE '/System/%' \ + AND program_authority NOT IN ( \ + 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + 'Developer ID Application: Corsair Memory, Inc. 
(Y93VXCB8Q5)', \ + 'Developer ID Application: Foxit Corporation (8GN47HTP75)', \ + 'Developer ID Application: Google LLC (EQHXZ8M8AV)', \ + 'Developer ID Application: Google, Inc. (EQHXZ8M8AV)', \ + 'Developer ID Application: Keybase, Inc. (99229SGT5K)', \ + 'Developer ID Application: Kolide Inc (YZ3EM74M78)', \ + 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \ + 'Developer ID Application: MacPaw Inc. (S8EX82NJP6)', \ + 'Developer ID Application: Mersive Technologies (63B5A5WDNG)', \ + 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + 'Developer ID Application: Proton Technologies AG (6UN54H93QT)', \ + 'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \ + 'Developer ID Application: Sanford, L.P. (N3S6676K3E)', \ + 'Developer ID Application: Canva Pty Ltd (5HD2ARTBFS)', \ + 'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)', \ + 'Developer ID Application: Tenable, Inc. (4B8J598M7U)', \ + 'Software Signing', \ + 'yabai-cert' \ + ) \ + AND program_arguments NOT IN ( \ + '/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk', \ + '/opt/homebrew/opt/mariadb/bin/mysqld_safe', \ + '/opt/homebrew/opt/skhd/bin/skhd', \ + '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080', \ + '/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock', \ + '/usr/local/MacGPG2/libexec/fixGpgHome' \ + ) \ + AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh' \ + AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%';", + "interval": "10800", + "platform": "darwin", + "description": "Unexpected launchd scripts that use the 'program_arguments' field" + }, + "unexpected-modules": { + "query": "SELECT \ + * \ + FROM \ + kernel_modules \ + WHERE \ + name NOT IN ( \ + '8021q', \ + 'ac97_bus', \ + 'acpi_cpufreq', \ + 'acpi_pad', \ + 'acpi_tad', \ + 'acpi_thermal_rel', \ + 
'aesni_intel', \ + 'af_alg', \ + 'af_packet', \ + 'agpgart', \ + 'ahci', \ + 'algif_aead', \ + 'algif_hash', \ + 'algif_skcipher', \ + 'amd_pmc', \ + 'amdgpu', \ + 'apple_mfi_fastcharge', \ + 'asn1_encoder', \ + 'asus_wmi', \ + 'atkbd', \ + 'authenc', \ + 'autofs4', \ + 'backlight', \ + 'battery', \ + 'binfmt_misc', \ + 'bluetooth', \ + 'bnep', \ + 'bpf_preload', \ + 'br_netfilter', \ + 'bridge', \ + 'btbcm', \ + 'btintel', \ + 'btmtk', \ + 'btrtl', \ + 'btusb', \ + 'button', \ + 'cbc', \ + 'ccm', \ + 'ccp', \ + 'cdc_ether', \ + 'cec', \ + 'cfg80211', \ + 'cmac', \ + 'configfs', \ + 'coretemp', \ + 'cqhci', \ + 'crc_t10dif', \ + 'crc16', \ + 'crc32_pclmul', \ + 'crc32c_generic', \ + 'crc32c_intel', \ + 'crct10dif_common', \ + 'crct10dif_generic', \ + 'crct10dif_pclmul', \ + 'cros_ec_chardev', \ + 'cros_ec_debugfs', \ + 'cros_ec_dev', \ + 'cros_ec_lpcs', \ + 'cros_ec_sysfs', \ + 'cros_ec', \ + 'cros_usbpd_charger', \ + 'cros_usbpd_logger', \ + 'cros_usbpd_notify', \ + 'cryptd', \ + 'crypto_simd', \ + 'crypto_user', \ + 'dca', \ + 'deflate', \ + 'des_generic', \ + 'dm_crypt', \ + 'dm_mod', \ + 'dm_multipath', \ + 'drm_buddy', \ + 'drm_display_helper', \ + 'drm_dp_helper', \ + 'drm_kms_helper', \ + 'drm_ttm_helper', \ + 'drm', \ + 'ecb', \ + 'ecc', \ + 'ecdh_generic', \ + 'edac_core', \ + 'edac_mce_amd', \ + 'ee1004', \ + 'eeepc_wmi', \ + 'efi_pstore', \ + 'efivarfs', \ + 'encrypted_keys', \ + 'essiv', \ + 'evdev', \ + 'ext4', \ + 'fat', \ + 'fb_sys_fops', \ + 'firmware_attributes_class', \ + 'fuse', \ + 'ghash_clmulni_intel', \ + 'gigabyte_wmi', \ + 'gpio_amdpt', \ + 'gpio_generic', \ + 'gpu_sched', \ + 'hid_apple', \ + 'hid_generic', \ + 'hid_jabra', \ + 'hid_logitech_dj', \ + 'hid_logitech_hidpp', \ + 'hid_multitouch', \ + 'hid_sensor_als', \ + 'hid_sensor_custom', \ + 'hid_sensor_hub', \ + 'hid_sensor_iio_common', \ + 'hid_sensor_trigger', \ + 'hid', \ + 'i2c_algo_bit', \ + 'i2c_core', \ + 'i2c_designware_core', \ + 'i2c_designware_platform', \ + 'i2c_hid_acpi', \ 
+ 'i2c_hid', \ + 'i2c_i801', \ + 'i2c_piix4', \ + 'i2c_scmi', \ + 'i2c_smbus', \ + 'i8042', \ + 'i915', \ + 'icp', \ + 'idma64', \ + 'igb', \ + 'igc', \ + 'igen6_edac', \ + 'industrialio_triggered_buffer', \ + 'industrialio', \ + 'input_leds', \ + 'int3400_thermal', \ + 'int3403_thermal', \ + 'int340x_thermal_zone', \ + 'intel_cstate', \ + 'intel_gtt', \ + 'intel_ish_ipc', \ + 'intel_ishtp_hid', \ + 'intel_ishtp', \ + 'intel_lpss_pci', \ + 'intel_lpss', \ + 'intel_pmc_bxt', \ + 'intel_powerclamp', \ + 'intel_rapl_common', \ + 'intel_rapl_msr', \ + 'intel_soc_dts_iosf', \ + 'intel_tcc_cooling', \ + 'intel_uncore', \ + 'intel_vsec', \ + 'iommu_v2', \ + 'ip_set', \ + 'ip_tables', \ + 'ip_vs_rr', \ + 'ip_vs_sh', \ + 'ip_vs_wrr', \ + 'ip_vs', \ + 'ip6_tables', \ + 'ip6t_REJECT', \ + 'ip6t_rpfilter', \ + 'ip6t_rt', \ + 'ip6table_nat', \ + 'ipmi_devintf', \ + 'ipmi_msghandler', \ + 'ipt_REJECT', \ + 'ipt_rpfilter', \ + 'iptable_filter', \ + 'iptable_nat', \ + 'irqbypass', \ + 'iTCO_vendor_support', \ + 'iTCO_wdt', \ + 'iwlmei', \ + 'iwlmvm', \ + 'iwlwifi', \ + 'jbd2', \ + 'joydev', \ + 'k10temp', \ + 'kfifo_buf', \ + 'kvm_amd', \ + 'kvm_intel', \ + 'kvm', \ + 'led_class', \ + 'ledtrig_audio', \ + 'libaes', \ + 'libahci', \ + 'libarc4', \ + 'libata', \ + 'libcrc32c', \ + 'libdes', \ + 'libps2', \ + 'llc', \ + 'loop', \ + 'lp', \ + 'mac_hid', \ + 'mac80211', \ + 'macvlan', \ + 'mbcache', \ + 'mc', \ + 'md4', \ + 'mei_hdcp', \ + 'mei_me', \ + 'mei_pxp', \ + 'mei_wdt', \ + 'mei', \ + 'mii', \ + 'mmc_core', \ + 'mousedev', \ + 'msr', \ + 'mtd', \ + 'mxm_wmi', \ + 'nf_conntrack_broadcast', \ + 'nf_conntrack_netbios_ns', \ + 'nf_conntrack_netlink', \ + 'nf_conntrack', \ + 'nf_defrag_ipv4', \ + 'nf_defrag_ipv6', \ + 'nf_log_syslog', \ + 'nf_nat', \ + 'nf_reject_ipv4', \ + 'nf_reject_ipv6', \ + 'nf_tables', \ + 'nfnetlink', \ + 'nft_chain_nat', \ + 'nft_compat', \ + 'nft_counter', \ + 'nft_ct', \ + 'nft_fib_inet', \ + 'nft_fib_ipv4', \ + 'nft_fib_ipv6', \ + 'nft_fib', \ + 
'nft_limit', \ + 'nft_objref', \ + 'nft_reject_inet', \ + 'nft_reject', \ + 'nls_cp437', \ + 'nls_iso8859_1', \ + 'nvidia_drm', \ + 'nvidia_modeset', \ + 'nvidia_uvm', \ + 'nvidia', \ + 'nvme_core', \ + 'nvme', \ + 'nvram', \ + 'overlay', \ + 'parport_pc', \ + 'parport', \ + 'pcspkr', \ + 'pinctrl_amd', \ + 'pinctrl_tigerlake', \ + 'pkcs8_key_parser', \ + 'platform_profile', \ + 'pmt_class', \ + 'pmt_telemetry', \ + 'ppdev', \ + 'pps_core', \ + 'processor_thermal_device_pci_legacy', \ + 'processor_thermal_device', \ + 'processor_thermal_mbox', \ + 'processor_thermal_rapl', \ + 'processor_thermal_rfim', \ + 'psmouse', \ + 'pstore_blk', \ + 'pstore_zone', \ + 'pstore', \ + 'ptp', \ + 'qrtr', \ + 'r8152', \ + 'r8153_ecm', \ + 'r8169', \ + 'ramoops', \ + 'rapl', \ + 'raydium_i2c_ts', \ + 'rc_core', \ + 'reed_solomon', \ + 'rfcomm', \ + 'rfkill', \ + 'rndis_host', \ + 'rndis_wlan', \ + 'rng_core', \ + 'roles', \ + 'rtc_cmos', \ + 'rtsx_pci_sdmmc', \ + 'rtsx_pci', \ + 'rtw89_8852a', \ + 'rtw89_8852ae', \ + 'rtw89_core', \ + 'rtw89_pci', \ + 'sch_fq_codel', \ + 'scsi_common', \ + 'scsi_mod', \ + 'sdhci_pci', \ + 'sdhci', \ + 'serio_raw', \ + 'serio', \ + 'sg', \ + 'snd_acp_config', \ + 'snd_acp3x_pdm_dma', \ + 'snd_acp3x_rn', \ + 'snd_compress', \ + 'snd_ctl_led', \ + 'snd_hda_codec_generic', \ + 'snd_hda_codec_hdmi', \ + 'snd_hda_codec_idt', \ + 'snd_hda_codec_realtek', \ + 'snd_hda_codec', \ + 'snd_hda_core', \ + 'snd_hda_ext_core', \ + 'snd_hda_intel', \ + 'snd_hrtimer', \ + 'snd_hwdep', \ + 'snd_intel_dspcfg', \ + 'snd_intel_sdw_acpi', \ + 'snd_pci_acp3x', \ + 'snd_pci_acp5x', \ + 'snd_pci_acp6x', \ + 'snd_pcm_dmaengine', \ + 'snd_pcm', \ + 'snd_rawmidi', \ + 'snd_rn_pci_acp3x', \ + 'snd_seq_device', \ + 'snd_seq_dummy', \ + 'snd_seq_midi_event', \ + 'snd_seq_midi', \ + 'snd_seq', \ + 'snd_soc_acpi_intel_match', \ + 'snd_soc_acpi', \ + 'snd_soc_core', \ + 'snd_soc_dmic', \ + 'snd_soc_hdac_hda', \ + 'snd_soc_hdac_hdmi', \ + 'snd_soc_intel_hda_dsp_common', \ + 
'snd_soc_skl_hda_dsp', \ + 'snd_sof_amd_acp', \ + 'snd_sof_amd_renoir', \ + 'snd_sof_intel_hda_common', \ + 'snd_sof_intel_hda', \ + 'snd_sof_pci_intel_tgl', \ + 'snd_sof_pci', \ + 'snd_sof_utils', \ + 'snd_sof_xtensa_dsp', \ + 'snd_sof', \ + 'snd_timer', \ + 'snd_usb_audio', \ + 'snd_usbmidi_lib', \ + 'snd', \ + 'soundcore', \ + 'soundwire_bus', \ + 'soundwire_cadence', \ + 'soundwire_generic_allocation', \ + 'soundwire_intel', \ + 'sp5100_tco', \ + 'sparse_keymap', \ + 'spi_intel_pci', \ + 'spi_intel', \ + 'spi_nor', \ + 'spl', \ + 'squashfs', \ + 'stp', \ + 'sunrpc', \ + 'syscopyarea', \ + 'sysfillrect', \ + 'sysimgblt', \ + 't10_pi', \ + 'tap', \ + 'tee', \ + 'think_lmi', \ + 'thinkpad_acpi', \ + 'thunderbolt', \ + 'tiny_power_button', \ + 'tls', \ + 'tpm_crb', \ + 'tpm_tis_core', \ + 'tpm_tis', \ + 'tpm', \ + 'trusted', \ + 'ttm', \ + 'tun', \ + 'typec_ucsi', \ + 'typec', \ + 'uas', \ + 'ucsi_acpi', \ + 'uinput', \ + 'usb_common', \ + 'usb_storage', \ + 'usbcore', \ + 'usbhid', \ + 'usbnet', \ + 'uvcvideo', \ + 'veth', \ + 'vfat', \ + 'video', \ + 'videobuf2_common', \ + 'videobuf2_memops', \ + 'videobuf2_v4l2', \ + 'videobuf2_vmalloc', \ + 'videodev', \ + 'vivaldi_fmap', \ + 'watchdog', \ + 'wmi_bmof', \ + 'wmi', \ + 'x_tables', \ + 'x86_pkg_temp_thermal', \ + 'xfrm_algo', \ + 'xfrm_user', \ + 'xhci_hcd', \ + 'xhci_pci_renesas', \ + 'xhci_pci', \ + 'xt_addrtype', \ + 'xt_comment', \ + 'xt_conntrack', \ + 'xt_hl', \ + 'xt_limit', \ + 'xt_LOG', \ + 'xt_mark', \ + 'xt_MASQUERADE', \ + 'xt_nat', \ + 'xt_pkttype', \ + 'xt_statistic', \ + 'xt_tcpudp', \ + 'zavl', \ + 'zcommon', \ + 'zfs', \ + 'zlua', \ + 'znvpair', \ + 'zram', \ + 'zunicode', \ + 'zzstd' \ + );", + "interval": "10800" + }, + "unexpected-small-udev-entry": { + "query": "SELECT \ + file.path, \ + uid, \ + gid, \ + mode, \ + mtime, \ + ctime, \ + type, \ + size, \ + hash.sha256, \ + magic.data \ + FROM \ + file \ + LEFT JOIN hash ON file.path = hash.path \ + LEFT JOIN magic ON file.path = magic.path \ 
+ WHERE \ + file.path LIKE '/usr/lib/udev/rules.d/%' \ + AND file.size < 180 \ + AND file.path NOT IN ( \ + '/usr/lib/udev/rules.d/60-rfkill.rules', \ + '/usr/lib/udev/rules.d/50-apport.rules', \ + '/usr/lib/udev/rules.d/60-net.rules', \ + '/usr/lib/udev/rules.d/61-mutter.rules', \ + '/usr/lib/udev/rules.d/66-saned.rules', \ + '/usr/lib/udev/rules.d/70-hypervfcopy.rules', \ + '/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules', \ + '/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules', \ + '/usr/lib/udev/rules.d/70-hypervkvp.rules', \ + '/usr/lib/udev/rules.d/70-hypervvss.rules', \ + '/usr/lib/udev/rules.d/70-spice-vdagentd.rules', \ + '/usr/lib/udev/rules.d/70-spice-webdavd.rules', \ + '/usr/lib/udev/rules.d/71-nacon-controllers.rules', \ + '/usr/lib/udev/rules.d/75-probe_mtd.rules', \ + '/usr/lib/udev/rules.d/71-sony-vr.rules', \ + '/usr/lib/udev/rules.d/71-betop-controllers.rules', \ + '/usr/lib/udev/rules.d/85-hdparm.rules', \ + '/usr/lib/udev/rules.d/85-regulatory.rules', \ + '/usr/lib/udev/rules.d/90-daxctl-device.rules', \ + '/usr/lib/udev/rules.d/91-drm-modeset.rules', \ + '/usr/lib/udev/rules.d/96-e2scrub.rules', \ + '/usr/lib/udev/rules.d/99-fuse.rules', \ + '/usr/lib/udev/rules.d/99-fuse3.rules', \ + '/usr/lib/udev/rules.d/99-libsane1.rules', \ + '/usr/lib/udev/rules.d/99-nfs.rules', \ + '/usr/lib/udev/rules.d/99-qemu-guest-agent.rules' \ + );", + "interval": "10800", + "description": "Inspired by Operation Earth Berberoka" + }, + "unexpected-uid0-daemon-linux": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + p.euid, \ + p.gid, \ + f.ctime, \ + f.directory AS dirname, \ + p.cmdline, \ + mnt_namespace, \ + hash.sha256, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + WHERE \ + p.uid = 0 \ + AND 
(strftime('%s', 'now') - p.start_time) > 15 \ + AND mnt_namespace IN ( \ + SELECT DISTINCT \ + (mnt_namespace) \ + FROM \ + process_namespaces \ + JOIN processes ON processes.pid = process_namespaces.pid \ + WHERE \ + processes.name IN ('osqueryi', 'osqueryd') \ + ) \ + AND p.path NOT IN ( \ + '', \ + '/sbin/apcupsd', \ + '/snap/snapd/17029/usr/lib/snapd/snapd', \ + '/usr/bin/abrt-dump-journal-core', \ + '/usr/bin/abrt-dump-journal-oops', \ + '/usr/bin/abrt-dump-journal-xorg', \ + '/usr/bin/pacman', \ + '/usr/bin/fish', \ + '/usr/bin/anacron', \ + '/usr/bin/apcupsd', \ + '/usr/bin/containerd-shim-runc-v2', \ + '/usr/bin/containerd', \ + '/usr/bin/crond', \ + '/usr/bin/docker-proxy', \ + '/usr/bin/dockerd', \ + '/usr/bin/gdm', \ + '/usr/bin/gpg-agent', \ + '/usr/bin/journalctl', \ + '/usr/bin/lightdm', \ + '/usr/bin/osqueryd', \ + '/usr/bin/sshd', \ + '/usr/bin/tailscaled', \ + '/usr/bin/wpa_supplicant', \ + '/usr/lib/gdm-session-worker', \ + '/usr/lib/software-properties/software-properties-dbus', \ + '/usr/lib/systemd/systemd-homed', \ + '/usr/lib/systemd/systemd-journald', \ + '/usr/lib/systemd/systemd-machined', \ + '/usr/lib/systemd/systemd', \ + '/usr/lib/udisks2/udisksd', \ + '/usr/lib/Xorg', \ + '/usr/libexec/accounts-daemon', \ + '/usr/libexec/docker/docker-proxy', \ + '/usr/libexec/flatpak-system-helper', \ + '/usr/lib/flatpak-system-helper', \ + '/usr/libexec/gdm-session-worker', \ + '/usr/libexec/packagekitd', \ + '/usr/libexec/polkitd', \ + '/usr/libexec/scdaemon', \ + '/usr/libexec/snapd/snapd', \ + '/usr/libexec/sssd/sssd_kcm', \ + '/usr/libexec/udisks2/udisksd', \ + '/usr/sbin/abrt-dbus', \ + '/usr/sbin/abrtd', \ + '/usr/sbin/acpid', \ + '/usr/sbin/alsactl', \ + '/usr/sbin/anacron', \ + '/usr/sbin/cron', \ + '/usr/sbin/cups-browsed', \ + '/usr/sbin/cupsd', \ + '/usr/sbin/gdm', \ + '/usr/sbin/gdm3', \ + '/usr/sbin/gssproxy', \ + '/usr/sbin/pcscd', \ + '/usr/sbin/tailscaled', \ + '/usr/sbin/wpa_supplicant', \ + '/usr/sbin/zed' \ + ) \ + AND p.cmdline 
NOT IN ( \ + '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid', \ + '/usr/bin/python /usr/bin/firewalld --nofork --nopid', \ + '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal', \ + '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers' \ + ) \ + AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \ + AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher' \ + AND p.path NOT LIKE '/nix/store/%/bin/%' \ + AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%' \ + AND p.path NOT LIKE '/nix/store/%/libexec/%' \ + AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd';", + "interval": "10800", + "platform": "linux" + }, + "unexpected-uid0-daemon-macos": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + p.euid, \ + p.gid, \ + f.ctime, \ + f.directory AS dirname, \ + p.cmdline, \ + hash.sha256, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + signature.identifier, \ + signature.authority \ + FROM \ + processes p \ + LEFT JOIN file f ON p.path = f.path \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN signature ON p.path = signature.path \ + WHERE \ + p.uid = 0 \ + AND (strftime('%s', 'now') - p.start_time) > 15 \ + AND p.path NOT IN ( \ + '/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService', \ + '/Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon', \ + '/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim', \ + '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service', \ + '/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd', \ + '/bin/bash', \ + '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect', \ + 
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService', \ + '/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer', \ + '/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon', \ + '/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc', \ + '/Library/Nessus/run/sbin/nessusd', \ + '/Library/Nessus/run/sbin/nessus-service', \ + '/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \ + '/Library/PrivilegedHelperTools/com.docker.vmnetd', \ + '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent', \ + '/Library/PrivilegedHelperTools/keybase.Helper', \ + '/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension', \ + '/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence', \ + '/sbin/launchd', \ + '/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd', \ + '/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper', \ + '/System/Library/CoreServices/CrashReporterSupportHelper', \ + '/System/Library/CoreServices/iconservicesagent', \ + '/System/Library/CoreServices/launchservicesd', \ + '/System/Library/CoreServices/logind', \ + '/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow', \ + '/System/Library/CoreServices/osanalyticshelper', \ + '/System/Library/CoreServices/powerd.bundle/powerd', \ + '/System/Library/CoreServices/ReportCrash', \ + '/System/Library/CoreServices/sharedfilelistd', \ + '/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd', \ + '/System/Library/CoreServices/SubmitDiagInfo', \ + 
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader', \ + '/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle', \ + '/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice', \ + '/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar', \ + '/System/Library/Frameworks/AudioToolbox.framework/XPCServices/CAReportingService.xpc/Contents/MacOS/CAReportingService', \ + '/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper', \ + '/System/Library/Frameworks/ColorSync.framework/Versions/A/XPCServices/com.apple.ColorSyncXPCAgent.xpc/Contents/MacOS/com.apple.ColorSyncXPCAgent', \ + '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/com.apple.cmio.registerassistantservice', \ + '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant', \ + '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd', \ + '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/XPCServices/csnameddatad.xpc/Contents/MacOS/csnameddatad', \ + '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd', \ + '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds', \ + '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores', \ + 
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync', \ + '/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp', \ + '/System/Library/Frameworks/GSS.framework/Helpers/GSSCred', \ + '/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd', \ + '/System/Library/Frameworks/Metal.framework/Versions/A/XPCServices/MTLCompilerService.xpc/Contents/MacOS/MTLCompilerService', \ + '/System/Library/Frameworks/NetFS.framework/Versions/A/XPCServices/PlugInLibraryService.xpc/Contents/MacOS/PlugInLibraryService', \ + '/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer', \ + '/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd', \ + '/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant', \ + '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd', \ + '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper', \ + '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd', \ + '/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper', \ + '/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent', \ + '/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon', \ + '/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService', \ + 
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer', \ + '/System/Library/PrivateFrameworks/ApplePushService.framework/apsd', \ + '/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService', \ + '/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService', \ + '/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService', \ + '/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd', \ + '/System/Library/PrivateFrameworks/CacheDelete.framework/deleted_helper', \ + '/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd', \ + '/System/Library/PrivateFrameworks/CoreAccessories.framework/Support/accessoryd', \ + '/System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored', \ + '/System/Library/PrivateFrameworks/CoreKDL.framework/Support/corekdld', \ + '/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd', \ + '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd', \ + '/System/Library/PrivateFrameworks/FindMyMac.framework/Versions/A/Resources/FindMyMacd', \ + '/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond', \ + '/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod', \ + '/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted', \ + 
'/System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/Contents/MacOS/com.apple.MobileInstallationHelperService', \ + '/System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Versions/A/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.CleanupPreparePathService', \ + '/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated', \ + '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd', \ + '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd', \ + '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service', \ + '/System/Library/PrivateFrameworks/SiriInference.framework/Support/siriinferenced', \ + '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer', \ + '/System/Library/PrivateFrameworks/StorageKit.framework/Versions/A/Resources/storagekitd', \ + '/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig', \ + '/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd', \ + '/System/Library/PrivateFrameworks/SystemStatusServer.framework/Support/systemstatusd', \ + '/System/Library/PrivateFrameworks/TCC.framework/Support/tccd', \ + '/System/Library/PrivateFrameworks/Uninstall.framework/Versions/A/Resources/uninstalld', \ + '/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary', \ + '/System/Library/PrivateFrameworks/WiFiPolicy.framework/XPCServices/WiFiCloudAssetsXPCService.xpc/Contents/MacOS/WiFiCloudAssetsXPCService', \ + '/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd', \ + 
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService', \ + '/usr/bin/sudo', \ + '/usr/bin/sysdiagnose', \ + '/usr/libexec/AirPlayXPCHelper', \ + '/usr/libexec/airportd', \ + '/usr/libexec/amfid', \ + '/usr/libexec/aned', \ + '/usr/libexec/apfsd', \ + '/usr/libexec/applessdstatistics', \ + '/usr/libexec/ApplicationFirewall/socketfilterfw', \ + '/usr/libexec/ASPCarryLog', \ + '/usr/libexec/autofsd', \ + '/usr/libexec/automountd', \ + '/usr/libexec/batteryintelligenced', \ + '/usr/libexec/biokitaggdd', \ + '/usr/libexec/biometrickitd', \ + '/usr/libexec/bootinstalld', \ + '/usr/libexec/colorsyncd', \ + '/usr/libexec/colorsync.displayservices', \ + '/usr/libexec/configd', \ + '/usr/libexec/containermanagerd', \ + '/usr/libexec/corebrightnessd', \ + '/usr/libexec/coreduetd', \ + '/usr/libexec/corestoraged', \ + '/usr/libexec/dasd', \ + '/usr/libexec/diskarbitrationd', \ + '/usr/libexec/diskmanagementd', \ + '/usr/libexec/dprivacyd', \ + '/usr/libexec/endpointsecurityd', \ + '/usr/libexec/findmydeviced', \ + '/usr/libexec/InternetSharing', \ + '/usr/libexec/IOMFB_bics_daemon', \ + '/usr/libexec/ioupsd', \ + '/usr/libexec/kernelmanagerd', \ + '/usr/libexec/keybagd', \ + '/usr/libexec/logd', \ + '/usr/libexec/logd_helper', \ + '/usr/libexec/lsd', \ + '/usr/libexec/memoryanalyticsd', \ + '/usr/libexec/microstackshot', \ + '/usr/libexec/misagent', \ + '/usr/libexec/mobileactivationd', \ + '/usr/libexec/mobileassetd', \ + '/usr/libexec/nehelper', \ + '/usr/libexec/nesessionmanager', \ + '/usr/libexec/online-authd', \ + '/usr/libexec/opendirectoryd', \ + '/usr/libexec/PerfPowerServices', \ + '/usr/libexec/periodic-wrapper', \ + '/usr/libexec/powerdatad', \ + '/usr/libexec/PowerUIAgent', \ + '/usr/libexec/remoted', \ + '/usr/libexec/rtcreportingd', \ + '/usr/libexec/runningboardd', \ + '/usr/libexec/sandboxd', \ + '/usr/libexec/searchpartyd', \ + '/usr/libexec/secinitd', \ + 
'/usr/libexec/securityd_service', \ + '/usr/libexec/smd', \ + '/usr/libexec/symptomsd-diag', \ + '/usr/libexec/sysmond', \ + '/usr/libexec/syspolicyd', \ + '/usr/libexec/tailspind', \ + '/usr/libexec/taskgated', \ + '/usr/libexec/thermalmonitord', \ + '/usr/libexec/TouchBarServer', \ + '/usr/libexec/tzd', \ + '/usr/libexec/tzlinkd', \ + '/usr/libexec/usbd', \ + '/usr/libexec/UserEventAgent', \ + '/usr/libexec/warmd', \ + '/usr/libexec/watchdogd', \ + '/usr/libexec/wifianalyticsd', \ + '/usr/libexec/wifip2pd', \ + '/usr/libexec/wifivelocityd', \ + '/usr/local/kolide-k2/bin/osquery-extension.ext', \ + '/usr/sbin/aslmanager', \ + '/usr/sbin/auditd', \ + '/usr/sbin/BlueTool', \ + '/usr/sbin/bluetoothd', \ + '/usr/sbin/BTLEServer', \ + '/usr/sbin/cfprefsd', \ + '/usr/sbin/distnoted', \ + '/usr/sbin/filecoordinationd', \ + '/usr/sbin/KernelEventAgent', \ + '/usr/sbin/mDNSResponderHelper', \ + '/usr/sbin/notifyd', \ + '/usr/sbin/securityd', \ + '/usr/sbin/spindump', \ + '/usr/sbin/syslogd', \ + '/usr/sbin/systemsoundserverd', \ + '/usr/sbin/systemstats', \ + '/usr/sbin/WirelessRadioManagerd' \ + ) \ + AND signature.identifier IN ( \ + 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \ + 'Developer ID Application: Docker Inc (9BNSXJN65R)', \ + 'Developer ID Application: Foxit Corporation (8GN47HTP75)', \ + 'Developer ID Application: Keybase, Inc. (99229SGT5K)', \ + 'Developer ID Application: Kolide Inc (YZ3EM74M78)', \ + 'Developer ID Application: MacPaw Inc. (S8EX82NJP6)', \ + 'Developer ID Application: Mersive Technologies (63B5A5WDNG)', \ + 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \ + 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \ + 'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)', \ + 'Developer ID Application: Parallels International GmbH (4C6364ACXT)', \ + 'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)', \ + 'Developer ID Application: Tenable, Inc. 
(4B8J598M7U)', \ + 'Software Signing' \ + ) \ + GROUP BY \ + p.path;", + "interval": "10800", + "platform": "darwin" + } + } +} +{ + "queries": { + "unexpected-privilege-escalation": { + "query": "SELECT \ + p.pid AS child_pid, \ + p.path AS child_path, \ + p.name AS child_name, \ + p.cmdline AS child_cmdline, \ + p.euid AS child_euid, \ + p.state AS child_state, \ + file.mode AS child_mode, \ + hash.sha256 AS child_hash, \ + p.parent AS parent_pid, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + pfile.mode AS parent_mode, \ + hash.sha256 AS parent_hash \ + FROM \ + processes p \ + JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN file AS pfile ON pp.path = file.path \ + LEFT JOIN hash AS phash ON pp.path = hash.path \ + WHERE \ + p.euid < pp.euid \ + AND p.path NOT IN ( \ + '/usr/bin/fusermount', \ + '/usr/bin/fusermount3', \ + '/usr/bin/login', \ + '/usr/bin/sudo', \ + '/usr/bin/doas', \ + '/bin/ps', \ + '/usr/bin/top' \ + ) \ + AND p.path NOT LIKE '/nix/store/%/bin/sudo' \ + AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd' \ + AND NOT ( \ + p.name = 'polkit-agent-he' \ + AND parent_path = '/usr/bin/gnome-shell' \ + ) \ + AND NOT ( \ + p.name = 'fusermount3' \ + AND parent_path = '/usr/lib/xdg-document-portal' \ + );", + "interval": "30", + "description": "Find processes that run with a lower effective UID than their parent" + }, + "unexpected-privilege-escalation-events": { + "query": "SELECT \ + p.pid AS child_pid, \ + p.path AS child_path, \ + REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name, \ + p.cmdline AS child_cmdline, \ + p.euid AS child_euid, \ + file.mode AS child_mode, \ + hash.sha256 AS child_hash, \ + p.parent AS parent_pid, \ + pp.path AS parent_path, \ + pp.name AS parent_name, \ + pp.cmdline AS parent_cmdline, \ + pp.euid AS parent_euid, \ + pfile.mode AS parent_mode, \ + 
hash.sha256 AS parent_hash \ + FROM \ + process_events p \ + JOIN processes pp ON p.parent = pp.pid \ + LEFT JOIN file ON p.path = file.path \ + LEFT JOIN hash ON p.path = hash.path \ + LEFT JOIN file AS pfile ON pp.path = file.path \ + LEFT JOIN hash AS phash ON pp.path = hash.path \ + WHERE \ + p.time > (strftime('%s', 'now') -30) \ + AND p.euid < pp.euid \ + AND p.path NOT IN ( \ + '/usr/bin/fusermount', \ + '/usr/bin/fusermount3', \ + '/usr/bin/login', \ + '/usr/bin/sudo', \ + '/usr/bin/doas', \ + '/bin/ps', \ + '/usr/bin/top' \ + ) \ + AND p.path NOT LIKE '/nix/store/%/bin/sudo' \ + AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd' \ + AND NOT ( \ + child_name = 'polkit-agent-helper-1' \ + AND parent_path = '/usr/bin/gnome-shell' \ + ) \ + AND NOT ( \ + child_name = 'fusermount3' \ + AND parent_path = '/usr/lib/xdg-document-portal' \ + );", + "interval": "10800", + "description": "Designed for execution every 30 seconds (where the parent may still be around)" + }, + "unexpected-privileged-containers": { + "query": "SELECT * FROM docker_containers WHERE privileged = 1 AND image NOT LIKE 'kindest/node:%';", + "interval": "10800" + }, + "unexpected-setxid-process": { + "query": "SELECT \ + p.pid, \ + p.name, \ + p.path, \ + p.cmdline, \ + f.ctime, \ + p.cwd, \ + p.uid, \ + f.mode, \ + hash.sha256 \ + FROM \ + processes p \ + JOIN file f ON p.path = f.path \ + JOIN hash ON p.path = hash.path \ + WHERE \ + f.mode NOT LIKE '0%' \ + AND f.path NOT IN ( \ + '/bin/ps', \ + '/Library/DropboxHelperTools/Dropbox_u501/dbkextd', \ + '/opt/1Password/1Password-BrowserSupport', \ + '/opt/1Password/1Password-KeyringHelper', \ + '/usr/bin/doas', \ + '/usr/lib/xf86-video-intel-backlight-helper', \ + '/usr/bin/mount', \ + '/usr/bin/fusermount', \ + '/usr/bin/fusermount3', \ + '/usr/sbin/traceroute', \ + '/usr/bin/login', \ + '/usr/bin/ssh-agent', \ + '/usr/bin/su', \ + '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service', \ + '/usr/bin/sudo', \ + '/usr/bin/top', \ + 
'/usr/lib/Xorg.wrap' \ + );", + "interval": "10800", + "description": "Processes running that originate from setuid/setgid programs" + } + } +}