From 12a5507907976d9c1c0d7bbb13f080133f31f750 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 24 Feb 2023 17:24:09 -0500
Subject: [PATCH] Optimize recently-created-executables-macos
---
 .../recently-created-executables-macos.sql | 32 ++++++++-----------
 1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql
index b3d0558..6ef6d35 100644
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@@ -52,26 +52,26 @@ WHERE
  start_time > 0
  AND start_time > (strftime('%s', 'now') - 7200)
  AND pid > 0
- AND REGEX_MATCH (
- path,
- "^(/System|/usr/libexec/|/usr/sbin/|/usr/local/Cellar/|/opt/homebrew/|/nix/store/|/usr/bin/|/usr/lib/|/bin/|/Applications|/Library/Apple/|/sbin/|/usr/local/kolide-k2)",
- 1
- ) IS NULL
  AND path != ""
- AND NOT path LIKE '/Applications/%.app/%'
+ AND NOT path LIKE '/Applications/%'
  AND NOT path LIKE '%-go-build%'
+ AND NOT path LIKE '/Library/Apple/%'
  AND NOT path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%'
- AND NOT path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' -- Known parent processes, typically GUI shells and updaters
+ AND NOT path LIKE '%/Library/Application Support/com.elgato.StreamDeck%'
  AND NOT path LIKE '/Library/Application Support/Logitech.localized/%'
+ AND NOT path LIKE '/nix/store/%'
+ AND NOT path LIKE '/opt/homebrew/%'
  AND NOT path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
  AND NOT path LIKE '/private/tmp/go-%'
  AND NOT path LIKE '/private/tmp/nix-build-%'
  AND NOT path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
  AND NOT path LIKE '/private/var/folders/%/bin/%'
+ AND NOT path LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
  AND NOT path LIKE '/private/var/folders/%/go-build%'
  AND NOT path LIKE '/private/var/folders/%/GoLand/%'
  AND NOT path LIKE '/private/var/folders/%/T/download/ARMDCHammer'
  AND NOT path LIKE '/private/var/folders/%/T/pulumi-go.%'
+ AND NOT path LIKE '/System/%'
  AND NOT path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper'
  AND NOT path LIKE '/Users/%/bin/%'
  AND NOT path LIKE '/Users/%/code/%'
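Review bot: The new unconditional `AND NOT path LIKE '/private/var/folders/%/d/Wrapper/%.app/%'` replaces the second hunk's `NOT (path LIKE ... AND s.authority = 'TestFlight Beta Distribution')`, so executables under that path are now suppressed regardless of signing authority rather than only when signed for TestFlight; if the second hunk's `GROUP BY path` made `s.authority` unusable inside the subquery, the authority condition belongs in the outer WHERE instead of being dropped. Separately, the removed REGEX_MATCH prefix list covered `/usr/libexec/`, `/usr/sbin/`, `/usr/bin/`, `/usr/lib/`, `/bin/` and `/sbin/`, and no LIKE replacement is added for them (the second hunk also removes `/usr/sbin/%`), so recently created executables under those system prefixes now surface; if that is deliberate because those locations are not expected to gain new files, a one-line `-- system prefixes intentionally not excluded: new files there are themselves suspicious` comment would stop the next reader from re-adding them. The rewritten StreamDeck line also drops its trailing `-- Known parent processes ...` comment, which appears unrelated to that line and is probably safe to lose. The enclosing WHERE starts before this hunk.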
@@ -80,27 +80,23 @@ WHERE
  AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
  AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
  AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
+ AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
  AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
  AND NOT path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%'
+ AND NOT path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
+ AND NOT path LIKE '/Users/%/node_modules/.bin/%'
+ AND NOT path LIKE '/Users/%/node_modules/.pnpm/%'
  AND NOT path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper'
  AND NOT path LIKE '/Users/%/src/%'
  AND NOT path LIKE '/Users/%/terraform-provider-%'
  AND NOT path LIKE '/Users/%/%.test'
- AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
- AND NOT path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
- AND NOT path LIKE '/Users/%/node_modules/.pnpm/%'
- AND NOT path LIKE '/Users/%/node_modules/.bin/%'
  AND NOT path LIKE '/usr/local/Cellar/%'
- AND NOT path LIKE '/usr/sbin/%'
+ AND NOT path LIKE '/usr/local/kolide-k2/%'
  AND NOT path LIKE '%/.vscode/extensions/%'
- AND NOT (
- path LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
- AND s.authority = 'TestFlight Beta Distribution'
- )
+ GROUP BY path
  )
+ AND (p0.start_time - MAX(f.ctime, f.btime)) < 120
  AND f.ctime > 0
- AND (p0.start_time - MAX(f.ctime, f.btime)) < 180
- AND p0.start_time >= MAX(f.ctime, f.ctime)
  AND s.authority NOT IN (
  'Apple Mac OS Application Signing',
  'Apple iPhone OS Application Signing',
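Review bot: Removing `AND p0.start_time >= MAX(f.ctime, f.ctime)` takes away the lower bound of the age window, so the surviving `AND (p0.start_time - MAX(f.ctime, f.btime)) < 120` now also accepts every negative delta, i.e. a process whose on-disk binary was rewritten after it launched; that is a different signal from "created and then executed within two minutes" and will likely match long-running processes whose updater replaced the binary in place. If the bound is still wanted, `AND p0.start_time >= MAX(f.ctime, f.btime)` restores it and also fixes the old line's `f.ctime, f.ctime` typo. The `GROUP BY path` added inside the subquery collapses all processes sharing a path into one row; in SQLite the other selected columns then come from an arbitrary row of the group, so if pid or start_time is in that SELECT list the 120-second test is applied to a single representative process per path, which deserves a comment such as `-- one row per path: a second instance of the same binary is not re-evaluated`. The subquery's SELECT list and the enclosing WHERE lie outside this hunk.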