Update detections for Jan 2025

Thomas Stromberg 2025-01-06 13:18:47 -05:00
parent a3312d60c0
commit 21b48b1677
15 changed files with 2566 additions and 2545 deletions


@ -9,311 +9,312 @@
-- tags: transient state net rapid
-- platform: linux
SELECT
s.remote_address,
s.remote_port,
s.local_port,
s.local_address,
p.name,
p.path,
p.cmdline AS child_cmd,
p.cwd,
p.euid,
pp.path AS parent_path,
p.parent AS parent_pid,
pp.cmdline AS parent_cmd,
p.cgroup_path,
s.state,
hash.sha256,
-- This intentionally avoids file.path, as it won't join across mount namespaces
CONCAT (
MIN(s.remote_port, 32768),
',',
s.protocol,
',',
MIN(p.euid, 500),
',',
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
',',
MIN(f.uid, 500),
'u,',
MIN(f.gid, 500),
'g,',
p.name
) AS exception_key
s.remote_address,
s.remote_port,
s.local_port,
s.local_address,
p.name,
p.path,
p.cmdline AS child_cmd,
p.cwd,
p.euid,
pp.path AS parent_path,
p.parent AS parent_pid,
pp.cmdline AS parent_cmd,
p.cgroup_path,
s.state,
hash.sha256,
-- This intentionally avoids file.path, as it won't join across mount namespaces
CONCAT (
MIN(s.remote_port, 32768),
',',
s.protocol,
',',
MIN(p.euid, 500),
',',
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
',',
MIN(f.uid, 500),
'u,',
MIN(f.gid, 500),
'g,',
p.name
) AS exception_key
FROM
process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash ON p.path = hash.path
process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash ON p.path = hash.path
WHERE
protocol > 0
AND s.remote_port > 0 -- See unexpected-https-client
AND NOT (
s.remote_port = 443
AND protocol IN (6, 17)
) -- See unexpected-dns-traffic
AND NOT (
s.remote_port = 53
AND protocol IN (6, 17)
)
AND s.remote_address NOT IN (
'127.0.0.1',
'::ffff:127.0.0.1',
'::1',
'::',
'0.0.0.0'
)
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '100.7%'
AND s.remote_address NOT LIKE '169.254.%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
AND s.remote_address NOT LIKE '172.31.%'
AND s.remote_address NOT LIKE '::ffff:172.%'
AND s.remote_address NOT LIKE '10.%'
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE '::ffff:192.168.%'
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT (
s.remote_address LIKE '100.%'
AND s.local_address LIKE '100.%'
AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
)
AND NOT exception_key IN (
'123,17,500,chronyd,0u,0g,chronyd',
'123,17,473,chronyd,0u,0g,chronyd',
'19305,6,500,msedge,0u,0g,msedge',
'21,6,0,rpm-ostree,0u,0g,rpm-ostree',
'27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
'32768,6,500,slirp4netns,0u,0g,slirp4netns',
'4070,6,500,spotify,u,g,spotify',
'4070,6,500,spotify,0u,0g,spotify',
'49152,6,500,ContinuityCaptureAgent,Software Signing',
'587,6,500,perl,0u,0g,git-send-email',
'67,17,0,NetworkManager,0u,0g,NetworkManager',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'80,6,500,vlc,0u,0g,vlc',
'80,6,500,telegram-desktop,u,g,telegram-deskto',
'80,6,0,dnf5,0u,0g,dnf',
'80,6,0,grep,0u,0g,grep',
'80,6,0,incusd,0u,0g,incusd',
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,packagekit-dnf-refresh-repo,0u,0g,packagekit-dnf-',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,pdftex,0u,0g,pdftex',
'80,6,0,python2.7,500u,500g,yum',
'80,6,0,python3.10,0u,0g,dnf',
'80,6,0,python3.10,0u,0g,dnf-automatic',
'80,6,0,python3.12,500u,500g,dnf-automatic',
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
'123,17,106,chronyd,0u,0g,chronyd',
'5222,6,500,msedge,0u,0g,msedge',
'80,6,0,python3.11,0u,0g,dnf-automatic',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf',
'80,6,0,python3.12,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'89,6,500,chrome,0u,0g,chrome',
'80,6,0,python3.9,u,g,yum',
'80,6,0,rpm-ostree,0u,0g,rpm-ostree',
'80,6,0,sort,0u,0g,sort',
'80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
'80,6,0,tailscaled,0u,0g,tailscaled',
'80,6,0,wget,0u,0g,wget',
'80,6,0,zstd,0u,0g,zstd',
'80,6,100,http,0u,0g,http',
'80,6,105,http,0u,0g,http',
'80,6,42,http,0u,0g,http',
'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
'80,6,500,brave,0u,0g,brave',
'80,6,500,chrome,0u,0g,chrome',
'80,6,500,chrome,u,g,chrome',
'80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'80,6,500,code,0u,0g,code',
'80,6,500,code-oss,u,g,code-oss',
'80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
'80,6,500,curl,0u,0g,curl',
'80,6,500,dotnet,u,g,dotnet',
'80,6,500,electron,0u,0g,electron',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,firefox-bin,0u,0g,firefox-bin',
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'80,6,500,firefox-bin,u,g,firefox-bin',
'80,6,500,flatpak,0u,0g,flatpak',
'80,6,500,git-remote-http,0u,0g,git-remote-http',
'80,6,500,gnome-software,0u,0g,gnome-software',
'80,6,500,http,0u,0g,http',
'80,6,500,http,u,g,http',
'80,6,500,java,0u,0g,java',
'80,6,500,java,u,g,java',
'80,6,500,main,500u,500g,main',
'80,6,500,mconvert,500u,500g,mconvert',
'80,6,500,mediawriter,u,g,mediawriter',
'80,6,500,melange,500u,500g,melange',
'80,6,500,msedge,0u,0g,msedge',
'80,6,500,obs-browser-page,u,g,obs-browser-pag',
'80,6,500,pacman,0u,0g,pacman',
'80,6,500,python3.10,0u,0g,aws',
'80,6,500,python3.10,0u,0g,yum',
'80,6,500,python3.11,0u,0g,abrt-action-ins',
'80,6,500,python3.11,0u,0g,dnf',
'80,6,500,python3.11,0u,0g,yum',
'80,6,500,python3.12,0u,0g,pull-lp-source',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
'80,6,500,rpi-imager,0u,0g,rpi-imager',
'80,6,500,signal-desktop,0u,0g,signal-desktop',
'80,6,500,signal-desktop,u,g,signal-desktop',
'80,6,500,slack,0u,0g,slack',
'80,6,500,slirp4netns,500u,500g,slirp4netns',
'80,6,500,spotify,0u,0g,spotify',
'80,6,500,spotify,500u,500g,spotify',
'80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,500,spotify,u,g,spotify',
'80,6,0,dnf5,0u,0g,dnf5',
'80,6,500,steam,500u,100g,steam',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,terraform,0u,0g,terraform',
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird-bin,u,g,thunderbird-bin',
'80,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,wget,0u,0g,wget',
'80,6,500,wine64-preloader,0u,0g,control.exe',
'80,6,500,zen,u,g,zen',
'80,6,500,zoom,0u,0g,zoom',
'80,6,500,zoom.real,u,g,zoom.real',
'80,6,0,zypper,0u,0g,Zypp-main',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
'8080,6,500,goland,500u,500g,goland',
'8080,6,500,idea,0u,0g,idea',
'8080,6,500,java,u,g,java',
'8080,6,500,pycharm,500u,500g,pycharm',
'32768,6,500,mumble,0u,0g,mumble',
'8080,6,500,python3.11,0u,0g,speedtest-cli',
'8080,6,500,python3.12,u,g,hass',
'8080,6,500,speedtest,500u,500g,speedtest',
'8080,6,500,bambu-studio,u,g,bambustu_main',
'8080,6,500,goland,500u,500g,goland',
'8443,6,500,chrome,0u,0g,chrome',
'8443,6,500,firefox,0u,0g,firefox',
'8801,17,500,zoom,0u,0g,zoom',
'8801,17,500,zoom.real,u,g,zoom.real',
'8883,6,500,bambu-studio,u,g,bambustu_main',
'88,6,500,syncthing,0u,0g,syncthing',
'8987,6,500,whois,0u,0g,whois',
'9,17,0,launcher,0u,0g,launcher',
'9418,6,500,git,0u,0g,git',
'993,6,500,evolution,0u,0g,evolution',
'993,6,500,thunderbird,0u,0g,thunderbird',
'993,6,500,thunderbird,u,g,thunderbird',
'80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
'8883,6,500,WebKitWebProcess,u,g,WebKitWebProces',
'9999,6,500,firefox,0u,0g,firefox'
)
AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'
AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh'
AND NOT (
s.remote_port = 80
AND s.protocol = 6
AND p.euid > 500
AND (
p.path LIKE '%/bin/%'
OR p.path LIKE '/app/%'
OR p.path LIKE '/opt/%'
protocol > 0
AND s.remote_port > 0 -- See unexpected-https-client
AND NOT (
s.remote_port = 443
AND protocol IN (6, 17)
) -- See unexpected-dns-traffic
AND NOT (
s.remote_port = 53
AND protocol IN (6, 17)
)
)
AND NOT (
p.name = 'java'
AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'
AND s.remote_port > 1024
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'ruby'
AND p.cmdline LIKE '%fluentd%'
AND s.remote_port > 1024
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name IN ('java', 'jcef_helper')
AND p.cmdline LIKE '/home/%/PhpStorm%'
AND s.remote_port > 79
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'syncthing'
AND f.filename = 'syncthing'
AND s.remote_port > 900
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'chrome'
AND f.filename = 'chrome'
AND s.remote_port > 1024
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'steam'
AND f.filename = 'steam'
AND s.remote_port > 27000
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'brave'
AND f.filename = 'brave'
AND s.remote_port > 3000
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name IN ('firefox', 'firefox-bin')
AND f.filename IN ('firefox', 'firefox-bin')
AND s.remote_port > 3000
AND s.protocol IN (6, 17)
AND p.euid > 500
) -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
AND NOT (
exception_key = '32768,6,500,ssh,0u,0g,ssh'
AND s.remote_port = 40022
) -- Qualys
AND NOT (
exception_key = '80,6,0,curl,0u,0g,curl'
AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'
AND child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'
)
AND NOT (
s.remote_port = 80
AND (
p.cgroup_path LIKE '/system.slice/docker-%'
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
AND s.remote_address NOT IN (
'127.0.0.1',
'::ffff:127.0.0.1',
'::1',
'::',
'0.0.0.0'
)
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '100.7%'
AND s.remote_address NOT LIKE '169.254.%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
AND s.remote_address NOT LIKE '172.31.%'
AND s.remote_address NOT LIKE '::ffff:172.%'
AND s.remote_address NOT LIKE '10.%'
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE '::ffff:192.168.%'
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT (
s.remote_address LIKE '100.%'
AND s.local_address LIKE '100.%'
AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
)
AND NOT exception_key IN (
'123,17,500,chronyd,0u,0g,chronyd',
'123,17,473,chronyd,0u,0g,chronyd',
'19305,6,500,msedge,0u,0g,msedge',
'21,6,0,rpm-ostree,0u,0g,rpm-ostree',
'27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
'32768,6,500,slirp4netns,0u,0g,slirp4netns',
'4070,6,500,spotify,u,g,spotify',
'4070,6,500,spotify,0u,0g,spotify',
'49152,6,500,ContinuityCaptureAgent,Software Signing',
'587,6,500,perl,0u,0g,git-send-email',
'67,17,0,NetworkManager,0u,0g,NetworkManager',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'80,6,500,vlc,0u,0g,vlc',
'80,6,500,telegram-desktop,u,g,telegram-deskto',
'80,6,0,dnf5,0u,0g,dnf',
'80,6,0,grep,0u,0g,grep',
'80,6,0,incusd,0u,0g,incusd',
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,packagekit-dnf-refresh-repo,0u,0g,packagekit-dnf-',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,pdftex,0u,0g,pdftex',
'80,6,0,python2.7,500u,500g,yum',
'80,6,0,python3.10,0u,0g,dnf',
'80,6,0,python3.10,0u,0g,dnf-automatic',
'80,6,0,python3.12,500u,500g,dnf-automatic',
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
'123,17,106,chronyd,0u,0g,chronyd',
'5222,6,500,msedge,0u,0g,msedge',
'80,6,0,python3.11,0u,0g,dnf-automatic',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf',
'80,6,0,python3.12,0u,0g,yum',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'89,6,500,chrome,0u,0g,chrome',
'80,6,0,python3.9,u,g,yum',
'80,6,0,rpm-ostree,0u,0g,rpm-ostree',
'80,6,0,sort,0u,0g,sort',
'80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
'80,6,0,tailscaled,0u,0g,tailscaled',
'80,6,0,wget,0u,0g,wget',
'80,6,0,zstd,0u,0g,zstd',
'80,6,100,http,0u,0g,http',
'80,6,105,http,0u,0g,http',
'80,6,42,http,0u,0g,http',
'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
'80,6,500,brave,0u,0g,brave',
'80,6,500,chrome,0u,0g,chrome',
'80,6,500,chrome,u,g,chrome',
'80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'80,6,500,code,0u,0g,code',
'80,6,500,code-oss,u,g,code-oss',
'80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
'80,6,500,curl,0u,0g,curl',
'80,6,500,dotnet,u,g,dotnet',
'80,6,500,electron,0u,0g,electron',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,firefox-bin,0u,0g,firefox-bin',
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'80,6,500,firefox-bin,u,g,firefox-bin',
'80,6,500,flatpak,0u,0g,flatpak',
'80,6,500,git-remote-http,0u,0g,git-remote-http',
'80,6,500,gnome-software,0u,0g,gnome-software',
'80,6,500,http,0u,0g,http',
'80,6,500,http,u,g,http',
'80,6,500,java,0u,0g,java',
'80,6,500,java,u,g,java',
'80,6,500,main,500u,500g,main',
'80,6,500,mconvert,500u,500g,mconvert',
'80,6,500,mediawriter,u,g,mediawriter',
'80,6,500,melange,500u,500g,melange',
'80,6,500,msedge,0u,0g,msedge',
'80,6,500,obs-browser-page,u,g,obs-browser-pag',
'80,6,500,pacman,0u,0g,pacman',
'80,6,500,python3.10,0u,0g,aws',
'80,6,500,python3.10,0u,0g,yum',
'80,6,500,python3.11,0u,0g,abrt-action-ins',
'80,6,500,python3.11,0u,0g,dnf',
'80,6,500,python3.11,0u,0g,yum',
'80,6,500,python3.12,0u,0g,pull-lp-source',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
'80,6,500,rpi-imager,0u,0g,rpi-imager',
'80,6,500,signal-desktop,0u,0g,signal-desktop',
'80,6,500,signal-desktop,u,g,signal-desktop',
'80,6,500,slack,0u,0g,slack',
'80,6,500,slirp4netns,500u,500g,slirp4netns',
'80,6,500,spotify,0u,0g,spotify',
'80,6,500,spotify,500u,500g,spotify',
'80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,500,spotify,u,g,spotify',
'80,6,0,dnf5,0u,0g,dnf5',
'80,6,500,steam,500u,100g,steam',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,terraform,0u,0g,terraform',
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird-bin,u,g,thunderbird-bin',
'80,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,wget,0u,0g,wget',
'80,6,500,wine64-preloader,0u,0g,control.exe',
'80,6,500,zen,u,g,zen',
'80,6,500,zoom,0u,0g,zoom',
'80,6,500,zoom.real,u,g,zoom.real',
'80,6,0,zypper,0u,0g,Zypp-main',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
'8080,6,500,goland,500u,500g,goland',
'8080,6,500,idea,0u,0g,idea',
'8080,6,500,java,u,g,java',
'8080,6,500,pycharm,500u,500g,pycharm',
'32768,6,500,mumble,0u,0g,mumble',
'8080,6,500,python3.11,0u,0g,speedtest-cli',
'8080,6,500,python3.12,u,g,hass',
'8080,6,500,speedtest,500u,500g,speedtest',
'8080,6,500,bambu-studio,u,g,bambustu_main',
'8080,6,500,goland,500u,500g,goland',
'8443,6,500,chrome,0u,0g,chrome',
'8443,6,500,firefox,0u,0g,firefox',
'8801,17,500,zoom,0u,0g,zoom',
'8801,17,500,zoom.real,u,g,zoom.real',
'8883,6,500,bambu-studio,u,g,bambustu_main',
'88,6,500,syncthing,0u,0g,syncthing',
'8987,6,500,whois,0u,0g,whois',
'9,17,0,launcher,0u,0g,launcher',
'9418,6,500,git,0u,0g,git',
'993,6,500,evolution,0u,0g,evolution',
'993,6,500,thunderbird,0u,0g,thunderbird',
'993,6,500,thunderbird,u,g,thunderbird',
'993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
'80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
'8883,6,500,WebKitWebProcess,u,g,WebKitWebProces',
'9999,6,500,firefox,0u,0g,firefox'
)
AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'
AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh'
AND NOT (
s.remote_port = 80
AND s.protocol = 6
AND p.euid > 500
AND (
p.path LIKE '%/bin/%'
OR p.path LIKE '/app/%'
OR p.path LIKE '/opt/%'
)
)
AND NOT (
p.name = 'java'
AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'
AND s.remote_port > 1024
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'ruby'
AND p.cmdline LIKE '%fluentd%'
AND s.remote_port > 1024
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name IN ('java', 'jcef_helper')
AND p.cmdline LIKE '/home/%/PhpStorm%'
AND s.remote_port > 79
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'syncthing'
AND f.filename = 'syncthing'
AND s.remote_port > 900
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
p.name = 'chrome'
AND f.filename = 'chrome'
AND s.remote_port > 1024
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'steam'
AND f.filename = 'steam'
AND s.remote_port > 27000
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'brave'
AND f.filename = 'brave'
AND s.remote_port > 3000
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name IN ('firefox', 'firefox-bin')
AND f.filename IN ('firefox', 'firefox-bin')
AND s.remote_port > 3000
AND s.protocol IN (6, 17)
AND p.euid > 500
) -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
AND NOT (
exception_key = '32768,6,500,ssh,0u,0g,ssh'
AND s.remote_port = 40022
) -- Qualys
AND NOT (
exception_key = '80,6,0,curl,0u,0g,curl'
AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'
AND child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'
)
AND NOT (
s.remote_port = 80
AND (
p.cgroup_path LIKE '/system.slice/docker-%'
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
)
)
)
GROUP BY
p.cmdline
p.cmdline
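Review bot: The sshd carve-out inside the `s.remote_address LIKE '100.%' AND s.local_address LIKE '100.%'` block compares with `=` against a wildcard key, `AND exception_key = '32768,6,%,sshd,0u,0g,sshd'`, so the `%` is a literal character and the predicate can never be true; that `NOT (...)` therefore excludes nothing, and both printings of the hunk carry the same line. The sibling wildcard exceptions a few lines below already use `LIKE`, so this should read `AND exception_key LIKE '32768,6,%,sshd,0u,0g,sshd'`, if the exclusion is still wanted. Separately, the `NOT exception_key IN (...)` list contains duplicate entries (`'80,6,0,python3.12,0u,0g,dnf-automatic'` and `'8080,6,500,goland,500u,500g,goland'` each appear twice); this is harmless at runtime but a sorted list would make such drift, and accidental over-broad additions, visible in review.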


@ -9,270 +9,271 @@
-- platform: linux
-- tags: persistent state sniffer
SELECT
pof.path AS device,
CONCAT (
IIF(
REGEX_MATCH (
TRIM(REPLACE(pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
1
) != '',
REGEX_MATCH (
TRIM(REPLACE(pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
1
),
TRIM(REPLACE(pof.path, ' (deleted)', ''))
),
',',
REPLACE(
p0.path,
RTRIM(p0.path, REPLACE(p0.path, '/', '')),
''
)
) AS path_exception,
CONCAT (
TRIM(
REPLACE(
pof.path,
CONCAT (
'/',
REPLACE(
pof.path,
RTRIM(pof.path, REPLACE(pof.path, '/', '')),
''
)
pof.path AS device,
CONCAT (
IIF (
REGEX_MATCH (
TRIM(REPLACE (pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
1
) != '',
REGEX_MATCH (
TRIM(REPLACE (pof.path, ' (deleted)', '')),
'(/dev/.*)[\d ]+$',
1
),
TRIM(REPLACE (pof.path, ' (deleted)', ''))
),
''
)
),
',',
REPLACE(
p0.path,
RTRIM(p0.path, REPLACE(p0.path, '/', '')),
''
)
) AS dir_exception,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
',',
REPLACE (
p0.path,
RTRIM (p0.path, REPLACE (p0.path, '/', '')),
''
)
) AS path_exception,
CONCAT (
TRIM(
REPLACE (
pof.path,
CONCAT (
'/',
REPLACE (
pof.path,
RTRIM (pof.path, REPLACE (pof.path, '/', '')),
''
)
),
''
)
),
',',
REPLACE (
p0.path,
RTRIM (p0.path, REPLACE (p0.path, '/', '')),
''
)
) AS dir_exception,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
process_open_files pof
LEFT JOIN processes p0 ON pof.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
process_open_files pof
LEFT JOIN processes p0 ON pof.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
pof.path LIKE '/dev/%'
AND pof.path NOT IN (
'/dev/dri/card0',
'/dev/dri/card1',
'/dev/dri/card2',
'/dev/dri/renderD128',
'/dev/dri/renderD129',
'/dev/fuse',
'/dev/io8log',
'/dev/io8logmt',
'/dev/io8logtemp',
'/dev/null',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia0',
'/dev/nvidiactl',
'/dev/ptmx',
'/dev/pts/ptmx',
'/dev/shm/u1000-ValveIPCSharedObj-Steam',
'/dev/random',
'/dev/rfkill',
'/dev/snd/seq',
'/dev/urandom',
'/dev/vga_arbiter',
'/dev/udmabuf',
'/dev/video10' -- workaround for poor regex management (ffmpeg)
)
AND pof.path NOT LIKE '/dev/pts/%'
AND pof.path NOT LIKE '/dev/snd/%'
AND pof.path NOT LIKE '/dev/tty%'
AND pof.path NOT LIKE '/dev/hidraw%'
AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
-- Zoom
AND pof.path NOT LIKE '/dev/shm/aomshm.%'
AND pof.path NOT LIKE '/dev/shm/authentik_%'
AND NOT dir_exception IN (
'/dev/bus/usb,pcscd',
'/dev/input,acpid',
'/dev/input,gnome-shell',
'/dev/input,Hyprland',
'/dev/input,kwin_wayland',
'/dev/input,systemd',
'/dev/input,systemd-logind',
'/dev/input,thermald',
'/dev/input,touchegg',
'/dev/input,upowerd',
'/dev/input,Xorg',
'/dev/net,tailscaled',
'/dev/net,.tailscaled-wrapped',
'/dev/net/tun,qemu-system-x86_64',
'/dev/shm,1password',
'/dev/shm,Brackets',
'/dev/shm,chrome',
'/dev/shm,code',
'/dev/shm,electron',
'/dev/shm,firefox',
'/dev/shm,gameoverlayui',
'/dev/shm,gopls',
'/dev/shm,hl2_linux',
'/dev/shm,Hyprland',
'/dev/shm,java',
'/dev/shm,jcef_helper',
'/dev/shm,Melvor Idle',
'/dev/shm,msedge',
'/dev/shm,osqueryd',
'/dev/shm,reaper',
'/dev/shm,slack',
'/dev/shm,spotify',
'/dev/shm,steam',
'/dev/shm,steamwebhelper',
'/dev/shm,Tabletop Simulator.x86_64',
'/dev/shm,wine64-preloader',
'/dev/shm,winedevice.exe',
'/dev/shm,xdg-desktop-portal-hyprland',
'/dev/snd,alsactl',
'/dev/snd,pipewire',
'/dev/snd,pulseaudio',
'/dev/snd,.pulseaudio-wrapped',
'/dev/snd,wireplumber',
'/dev/usb,apcupsd',
'/dev/usb,upowerd'
)
AND NOT path_exception IN (
'/dev/autofs,systemd',
'/dev/console,agetty',
'/dev/console,busybox',
'/dev/cpu/0/msr,nvidia-powerd',
'/dev/drm_dp_aux,fwupd',
'/dev/fb,Xorg',
'/dev/hidraw,chrome',
'/dev/hvc,agetty',
'/dev/hwrng,rngd',
'/dev/input/event,thermald',
'/dev/input/event,touchegg',
'/dev/input/event,Xorg',
'/dev/kmsg,bpfilter_umh',
'/dev/kmsg,dmesg',
'/dev/kmsg,k3s',
'/dev/kmsg,_k3s-inner',
'/dev/kmsg,kubelet',
'/dev/kmsg,systemd',
'/dev/kmsg,systemd-coredump',
'/dev/kmsg,systemd-journald',
'/dev/kvm,qemu-system-x86_64',
'/dev/mapper/control,dockerd',
'/dev/mapper/control,gpartedbin',
'/dev/mapper/control,multipathd',
'/dev/mcelog,mcelog',
'/dev/media0,pipewire',
'/dev/media0,wireplumber',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/net/tun,openvpn',
'/dev/net/tun,qemu-system-x86_64',
'/dev/net/tun,slirp4netns',
'/dev/pts,incusd',
'/dev/sda,ntfs-3g',
'/dev/shm/envoy_shared_memory_1,envoy',
'/dev/tpmrm,launcher',
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
'/dev/tty,systemd-logind',
'/dev/tty,Xorg',
'/dev/udmabuf,gnome-shell-portal-helper',
'/dev/uhid,bluetoothd',
'/dev/uinput,bluetoothd',
'/dev/usb/hiddev,apcupsd',
'/dev/usb/hiddev,upowerd',
'/dev/vhost-net,qemu-system-x86_64',
'/dev/vhost-vsock,qemu-system-x86_64',
'/dev/video0,chrome',
'/dev/video,brave',
'/dev/video,cheese',
'/dev/video,chrome',
'/dev/video,ffmpeg',
'/dev/video,firefox',
'/dev/video,firefox-bin',
'/dev/video,guvcview',
'/dev/video,msedge',
'/dev/video,obs',
'/dev/video,obs-ffmpeg-mux',
'/dev/video,pipewire',
'/dev/net/tun,pasta.avx2',
'/dev/video,signal-desktop',
'/dev/video,slack',
'/dev/video,v4l2-relayd',
'/dev/video,vlc',
'/dev/video,wireplumber',
'/dev/video,zoom',
'/dev/video,zoom.real',
'/dev/wwan0mbim,mbim-proxy',
'/dev/udmabuf,xdg-desktop-portal-gnome',
'/dev/udmabuf,nautilus',
'/dev/zfs,',
'/dev/zfs,zed',
'/dev/zfs,zfs',
'/dev/zfs,zpool'
)
AND path_exception NOT LIKE '/dev/shm/%'
AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
AND NOT (
pof.path = "/dev/uinput"
AND p0.name LIKE "solaar%"
AND p0.path LIKE '/usr/bin/python%'
)
AND NOT (
pof.path LIKE "/dev/input/event%"
AND p0.name = "openrazer-daemo"
)
AND NOT (
pof.path LIKE '/dev/bus/usb/%'
AND p0.name IN (
'adb',
'fprintd',
'fwupd',
'gphoto2',
'gvfsd-gphoto2',
'gvfsd-mtp',
'gvfs-gphoto2-vo',
'gvfs-gphoto2-volume-monitor',
'pcscd',
'streamdeck',
'usbmuxd'
pof.path LIKE '/dev/%'
AND pof.path NOT IN (
'/dev/dri/card0',
'/dev/dri/card1',
'/dev/dri/card2',
'/dev/dri/renderD128',
'/dev/dri/renderD129',
'/dev/fuse',
'/dev/io8log',
'/dev/io8logmt',
'/dev/io8logtemp',
'/dev/null',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia0',
'/dev/nvidiactl',
'/dev/ptmx',
'/dev/pts/ptmx',
'/dev/shm/u1000-ValveIPCSharedObj-Steam',
'/dev/random',
'/dev/rfkill',
'/dev/snd/seq',
'/dev/urandom',
'/dev/vga_arbiter',
'/dev/udmabuf',
'/dev/video10' -- workaround for poor regex management (ffmpeg)
)
AND pof.path NOT LIKE '/dev/pts/%'
AND pof.path NOT LIKE '/dev/snd/%'
AND pof.path NOT LIKE '/dev/tty%'
AND pof.path NOT LIKE '/dev/hidraw%'
AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
-- Zoom
AND pof.path NOT LIKE '/dev/shm/aomshm.%'
AND pof.path NOT LIKE '/dev/shm/authentik_%'
AND NOT dir_exception IN (
'/dev/bus/usb,pcscd',
'/dev/input,acpid',
'/dev/input,gnome-shell',
'/dev/input,Hyprland',
'/dev/input,kwin_wayland',
'/dev/input,systemd',
'/dev/input,systemd-logind',
'/dev/input,thermald',
'/dev/input,touchegg',
'/dev/input,upowerd',
'/dev/input,Xorg',
'/dev/net,tailscaled',
'/dev/net,.tailscaled-wrapped',
'/dev/net/tun,qemu-system-x86_64',
'/dev/shm,1password',
'/dev/shm,Brackets',
'/dev/shm,chrome',
'/dev/shm,code',
'/dev/shm,electron',
'/dev/shm,firefox',
'/dev/input/event,keyd',
'/dev/shm,gameoverlayui',
'/dev/shm,gopls',
'/dev/shm,hl2_linux',
'/dev/shm,Hyprland',
'/dev/shm,java',
'/dev/shm,jcef_helper',
'/dev/shm,Melvor Idle',
'/dev/shm,msedge',
'/dev/shm,osqueryd',
'/dev/shm,reaper',
'/dev/shm,slack',
'/dev/shm,spotify',
'/dev/shm,steam',
'/dev/shm,steamwebhelper',
'/dev/shm,Tabletop Simulator.x86_64',
'/dev/shm,wine64-preloader',
'/dev/shm,winedevice.exe',
'/dev/shm,xdg-desktop-portal-hyprland',
'/dev/snd,alsactl',
'/dev/snd,pipewire',
'/dev/snd,pulseaudio',
'/dev/snd,.pulseaudio-wrapped',
'/dev/snd,wireplumber',
'/dev/usb,apcupsd',
'/dev/usb,upowerd'
)
AND NOT path_exception IN (
'/dev/autofs,systemd',
'/dev/console,agetty',
'/dev/console,busybox',
'/dev/cpu/0/msr,nvidia-powerd',
'/dev/drm_dp_aux,fwupd',
'/dev/fb,Xorg',
'/dev/hidraw,chrome',
'/dev/hvc,agetty',
'/dev/hwrng,rngd',
'/dev/input/event,thermald',
'/dev/input/event,touchegg',
'/dev/input/event,Xorg',
'/dev/kmsg,bpfilter_umh',
'/dev/kmsg,dmesg',
'/dev/kmsg,k3s',
'/dev/kmsg,_k3s-inner',
'/dev/kmsg,kubelet',
'/dev/kmsg,systemd',
'/dev/kmsg,systemd-coredump',
'/dev/kmsg,systemd-journald',
'/dev/kvm,qemu-system-x86_64',
'/dev/mapper/control,dockerd',
'/dev/mapper/control,gpartedbin',
'/dev/mapper/control,multipathd',
'/dev/mcelog,mcelog',
'/dev/media0,pipewire',
'/dev/media0,wireplumber',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/net/tun,openvpn',
'/dev/net/tun,qemu-system-x86_64',
'/dev/net/tun,slirp4netns',
'/dev/pts,incusd',
'/dev/sda,ntfs-3g',
'/dev/shm/envoy_shared_memory_1,envoy',
'/dev/tpmrm,launcher',
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
'/dev/tty,systemd-logind',
'/dev/tty,Xorg',
'/dev/udmabuf,gnome-shell-portal-helper',
'/dev/uhid,bluetoothd',
'/dev/uinput,bluetoothd',
'/dev/usb/hiddev,apcupsd',
'/dev/usb/hiddev,upowerd',
'/dev/vhost-net,qemu-system-x86_64',
'/dev/vhost-vsock,qemu-system-x86_64',
'/dev/video0,chrome',
'/dev/video,brave',
'/dev/video,cheese',
'/dev/video,chrome',
'/dev/video,ffmpeg',
'/dev/video,firefox',
'/dev/video,firefox-bin',
'/dev/video,guvcview',
'/dev/video,msedge',
'/dev/video,obs',
'/dev/video,obs-ffmpeg-mux',
'/dev/video,pipewire',
'/dev/net/tun,pasta.avx2',
'/dev/video,signal-desktop',
'/dev/video,slack',
'/dev/video,v4l2-relayd',
'/dev/video,vlc',
'/dev/video,wireplumber',
'/dev/video,zoom',
'/dev/video,zoom.real',
'/dev/wwan0mbim,mbim-proxy',
'/dev/udmabuf,xdg-desktop-portal-gnome',
'/dev/udmabuf,nautilus',
'/dev/zfs,',
'/dev/zfs,zed',
'/dev/zfs,zfs',
'/dev/zfs,zpool'
)
AND path_exception NOT LIKE '/dev/shm/%'
AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
AND NOT (
pof.path = "/dev/uinput"
AND p0.name LIKE "solaar%"
AND p0.path LIKE '/usr/bin/python%'
)
AND NOT (
pof.path LIKE "/dev/input/event%"
AND p0.name = "openrazer-daemo"
)
AND NOT (
pof.path LIKE '/dev/bus/usb/%'
AND p0.name IN (
'adb',
'fprintd',
'fwupd',
'gphoto2',
'gvfsd-gphoto2',
'gvfsd-mtp',
'gvfs-gphoto2-vo',
'gvfs-gphoto2-volume-monitor',
'pcscd',
'streamdeck',
'usbmuxd'
)
)
)
GROUP BY
pof.pid
pof.pid
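Review bot: The entry `'/dev/input/event,keyd'`, which appears to be the one line this hunk adds, sits in the `dir_exception` list where it cannot match: `dir_exception` strips the last path component, so an open `/dev/input/eventN` yields `/dev/input,keyd`, whereas the `/dev/input/event,<name>` form (trailing digits removed by the `REGEX_MATCH`) is what `path_exception` produces — compare the existing `'/dev/input/event,thermald'` in the `path_exception` list. Move it to the `path_exception` list as `'/dev/input/event,keyd'`, or rewrite it as `'/dev/input,keyd'` if the broader directory-level exclusion is intended; as written the detection still fires for keyd. As a point of style, the uinput/openrazer carve-outs mix `"/dev/uinput"`-style double quotes with the single quotes used everywhere else; SQLite treats a double-quoted token as an identifier first and only falls back to a string literal, so single quotes are the safer, consistent choice.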


@ -8,86 +8,88 @@
--
-- tags: transient process state
SELECT
p.path,
p.cmdline,
p.cwd,
p.pid,
p.name,
f.mtime,
f.ctime,
p.cgroup_path,
((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
((strftime('%s', 'now') - f.mtime) / 86400) AS mtime_age_days,
((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days,
h.sha256,
f.uid,
m.data,
f.gid
p.path,
p.cmdline,
p.cwd,
p.pid,
p.name,
f.mtime,
f.ctime,
p.cgroup_path,
((strftime ('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
((strftime ('%s', 'now') - f.mtime) / 86400) AS mtime_age_days,
((strftime ('%s', 'now') - f.btime) / 86400) AS btime_age_days,
h.sha256,
f.uid,
m.data,
f.gid
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN magic m ON p.path = m.path
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN magic m ON p.path = m.path
WHERE
(
ctime_age_days > 1050
OR mtime_age_days > 1050
)
-- Jan 1st, 1980 (the source of many false positives)
AND f.mtime > 315561600
AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
AND f.directory NOT LIKE '/Applications/%.app/Contents/MacOS'
AND f.directory NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Resources'
AND f.directory NOT LIKE '/opt/homebrew/Cellar/%/bin'
AND f.path NOT IN (
'/Applications/Gitter.app/Contents/Library/LoginItems/GitterHelperApp.app/Contents/MacOS/GitterHelperApp',
'/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
'/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
'/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
'/Library/Application Support/Razer/RzUpdater.app/Contents/MacOS/RzUpdater',
'/Library/Application Support/LogiFacecam.bundle/Contents/MacOS/LogiFacecamService',
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS/rastertobrother2300',
'/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
'/Library/Application Support/EPSON/Scanner/ScannerMonitor/Epson Scanner Monitor.app/Contents/MacOS/Epson Scanner Monitor',
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
'/snap/brackets/138/opt/brackets/Brackets',
'/snap/brackets/138/opt/brackets/Brackets-node',
'/usr/bin/i3blocks',
'/usr/bin/sshfs',
'/usr/bin/mono-sgen',
'/usr/bin/xclip',
'/usr/bin/xsel',
'/usr/bin/pavucontrol',
'/usr/bin/espeak',
'/usr/bin/unpigz',
'/usr/bin/xsettingsd',
'/usr/bin/xss-lock',
'/usr/bin/i3lock',
'/usr/bin/xbindkeys',
'/usr/local/bin/dive'
)
AND p.name NOT IN (
'buildkitd',
'Flycut',
'kail',
'SetupWizard',
'Vimari Extension',
'Android File Transfer Agent',
'BluejeansHelper',
'J8RPQ294UB.com.skitch.SkitchHelper',
'Pandora',
'Pandora Helper',
'dlv'
)
AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%'
AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
(
ctime_age_days > 1050
OR mtime_age_days > 1050
)
-- Jan 1st, 1980 (the source of many false positives)
AND f.mtime > 315561600
AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
AND f.directory NOT LIKE '/Applications/%.app/Contents/MacOS'
AND f.directory NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Resources'
AND f.directory NOT LIKE '/opt/homebrew/Cellar/%/bin'
AND f.path NOT IN (
'/Applications/Gitter.app/Contents/Library/LoginItems/GitterHelperApp.app/Contents/MacOS/GitterHelperApp',
'/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
'/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
'/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
'/Library/Application Support/Razer/RzUpdater.app/Contents/MacOS/RzUpdater',
'/Library/Application Support/LogiFacecam.bundle/Contents/MacOS/LogiFacecamService',
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS/rastertobrother2300',
'/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
'/Library/Application Support/EPSON/Scanner/ScannerMonitor/Epson Scanner Monitor.app/Contents/MacOS/Epson Scanner Monitor',
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
'/snap/brackets/138/opt/brackets/Brackets',
'/snap/brackets/138/opt/brackets/Brackets-node',
'/usr/bin/i3blocks',
'/usr/bin/sshfs',
'/usr/bin/mono-sgen',
'/usr/bin/xclip',
'/usr/bin/xsel',
'/usr/bin/pavucontrol',
'/usr/bin/espeak',
'/usr/bin/unpigz',
'/usr/bin/xsettingsd',
'/usr/bin/xss-lock',
'/usr/bin/dbus-broker-launch',
'/usr/bin/i3lock',
'/usr/bin/xbindkeys',
'/usr/local/bin/dive'
)
AND p.name NOT IN (
'buildkitd',
'gitstatusd-darwin-arm64',
'Flycut',
'kail',
'SetupWizard',
'Vimari Extension',
'Android File Transfer Agent',
'BluejeansHelper',
'J8RPQ294UB.com.skitch.SkitchHelper',
'Pandora',
'Pandora Helper',
'dlv'
)
AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%'
AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
GROUP BY
p.pid,
p.path
p.pid,
p.path
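Review bot: The new `'gitstatusd-darwin-arm64'` entry in `p.name NOT IN (...)` excludes by process name alone, and a process name is chosen by whoever launches the binary, so the exception is trivially claimable; the other addition in this file, `'/usr/bin/dbus-broker-launch'`, keys on `f.path` and is the better model. Consider pairing the name with its install location instead, e.g. `AND NOT (p.name = 'gitstatusd-darwin-arm64' AND p.path LIKE '<PLACEHOLDER: confirmed install directory>/%')`. The same concern applies to `'zed-editor'` added to the `p1.name NOT IN (...)` list in the next file section. Separately, the existing comment `-- Jan 1st, 1980` above `f.mtime > 315561600` is approximate: 315561600 is 1980-01-01 08:00 UTC (midnight is 315532800), which is harmless but worth stating so nobody "corrects" the constant later.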


@ -14,87 +14,88 @@
--
-- tags: persistent daemon
SELECT -- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
p1.path AS p1_path,
REGEX_MATCH (p1.path, '(.*)/', 1) AS p1_dirname,
p1.name AS p1_name,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
p1.path AS p1_path,
REGEX_MATCH (p1.path, '(.*)/', 1) AS p1_dirname,
p1.name AS p1_name,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p1.on_disk != 1
AND p0.on_disk = 1
AND NOT p0.pid IN (1, 2)
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
-- Probably a software upgrade
AND NOT p1_dirname IN (
'/usr/lib/electron22',
'/usr/bin',
'/opt/google/chrome',
'/opt/microsoft/msedge',
'/usr/libexec',
'/usr/lib/systemd',
'/usr/lib',
'/usr/lib/go/bin',
'/usr/share/code'
) -- long-running launchers
AND NOT p1.name IN (
'bash',
'dnf',
'chrome',
'ninja',
'make',
'electron',
'gnome-terminal',
'fish',
'gnome-shell',
'kubelet',
'kube-proxy',
'Docker Desktop',
'lightdm',
'nvim',
'sh',
'slack'
)
AND NOT (
p1.path LIKE '/app/%'
AND p1.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
)
AND NOT p2.name = 'bwrap'
AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p1.cgroup_path NOT IN (
'/system.slice/docker.service',
'/system.slice/containerd.service'
)
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
AND p1.cgroup_path NOT LIKE '/lxc.monitor.n%'
AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
AND p1.path NOT LIKE '/tmp/.mount_%/%'
AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
AND NOT (
p1.name LIKE 'kworker/%+events_unbound'
AND p0.name IN ('modprobe')
)
p1.on_disk != 1
AND p0.on_disk = 1
AND NOT p0.pid IN (1, 2)
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
-- Probably a software upgrade
AND NOT p1_dirname IN (
'/usr/lib/electron22',
'/usr/bin',
'/opt/google/chrome',
'/opt/microsoft/msedge',
'/usr/libexec',
'/usr/lib/systemd',
'/usr/lib',
'/usr/lib/go/bin',
'/usr/share/code'
) -- long-running launchers
AND NOT p1.name IN (
'bash',
'dnf',
'chrome',
'ninja',
'make',
'electron',
'gnome-terminal',
'fish',
'gnome-shell',
'kubelet',
'kube-proxy',
'Docker Desktop',
'lightdm',
'nvim',
'sh',
'slack',
'zed-editor'
)
AND NOT (
p1.path LIKE '/app/%'
AND p1.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
)
AND NOT p2.name = 'bwrap'
AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p1.cgroup_path NOT IN (
'/system.slice/docker.service',
'/system.slice/containerd.service'
)
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
AND p1.cgroup_path NOT LIKE '/lxc.monitor.n%'
AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
AND p1.path NOT LIKE '/tmp/.mount_%/%'
AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
AND NOT (
p1.name LIKE 'kworker/%+events_unbound'
AND p0.name IN ('modprobe')
)
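Review bot: `AND NOT p2.name = 'bwrap'` silently drops every row where the grandparent is missing, because `p2` comes from a `LEFT JOIN` and `NOT (NULL = 'bwrap')` evaluates to NULL, which `WHERE` treats as false; a deleted-binary parent whose own parent is no longer in the `processes` table (exited between reads, or a pid osquery could not resolve) therefore never surfaces. Null-safe forms keep those rows: `AND (p2.name IS NULL OR p2.name != 'bwrap')` or `AND COALESCE(p2.name, '') != 'bwrap'`. The `p1.on_disk != 1` predicate has the same shape but is intentional there, since a missing `p1` row cannot satisfy the rule anyway; a one-line comment saying so, `-- p1 must exist: a NULL parent row is filtered here by design`, would stop the next reader from "fixing" it.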


@ -6,191 +6,192 @@
-- tags: persistent
-- platform: posix
SELECT
file.path,
file.directory,
uid,
gid,
mode,
file.mtime,
file.size,
hash.sha256,
magic.data
file.path,
file.directory,
uid,
gid,
mode,
file.mtime,
file.size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(file.path LIKE '/etc/%%')
AND file.type = 'regular'
AND (
file.mode LIKE '%7%'
or file.mode LIKE '%5%'
or file.mode LIKE '%1%'
)
AND file.directory NOT IN (
'/etc/acpi',
'/etc/acpi/actions',
'/etc/alternatives',
'/etc/apcupsd',
'/etc/apm/resume.d',
'/etc/apm/scripts.d',
'/etc/apm/suspend.d',
'/etc/avahi',
'/etc/bash_completion.d',
'/etc/brltty/Contraction',
'/etc/ca-certificates/update.d',
'/etc/chromium/native-messaging-hosts',
'/etc/cifs-utils',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/console-setup',
'/etc/cron.daily',
'/etc/cron.hourly',
'/etc/cron.monthly',
'/etc/cron.weekly',
'/etc/dhcp/dhclient.d',
'/etc/dhcp/dhclient-enter-hooks.d',
'/etc/dhcp/dhclient-exit-hooks.d',
'/etc/dkms',
'/etc/flatpak/remotes.d',
'/etc/gdm',
'/etc/gdm3',
'/etc/gdm3/Init',
'/etc/gdm3/PostLogin',
'/etc/gdm3/PostSession',
'/etc/gdm3/PreSession',
'/etc/gdm3/Prime',
'/etc/gdm3/PrimeOff',
'/etc/gdm/Init',
'/etc/gdm/PostLogin',
'/etc/gdm/PostSession',
'/etc/gdm/PreSession',
'/etc/grub.d',
'/etc/httpd/modules',
'/etc/ifplugd',
'/etc/ifplugd/action.d',
'/etc/init.d',
'/etc/initramfs/post-update.d',
'/etc/kde/shutdown',
'/etc/kernel/header_postinst.d',
'/etc/kernel/install.d',
'/etc/kernel/postinst.d',
'/etc/kernel/postrm.d',
'/etc/kernel/preinst.d',
'/etc/kernel/prerm.d',
'/etc/lightdm',
'/etc/localtime',
'/etc/mc',
'/etc/mcelog/triggers',
'/etc/menu-methods',
'/etc/needrestart/hook.d',
'/etc/needrestart/notify.d',
'/etc/needrestart/restart.d',
'/etc/network',
'/etc/network/if-down.d',
'/etc/network/if-post-down.d',
'/etc/network/if-pre-up.d',
'/etc/network/if-up.d',
'/etc/NetworkManager/dispatcher.d',
'/etc/nix/result',
'/etc/nix/result/sw/bin',
'/etc/openvpn',
'/etc/periodic/daily',
'/etc/periodic/monthly',
'/etc/periodic/weekly',
'/etc/pinentry',
'/etc/pki/tls/misc',
'/etc/pm/sleep.d',
'/etc/pop-os/update-motd.d',
'/etc/ppp',
'/etc/ppp/ip-down.d',
'/etc/ppp/ip-up.d',
'/etc/ppp/ipv6-up.d',
'/etc/profile.d',
'/etc/qemu-ga',
'/etc/rc0.d',
'/etc/rc1.d',
'/etc/rc2.d',
'/etc/rc3.d',
'/etc/rc4.d',
'/etc/rc5.d',
'/etc/rc6.d',
'/etc/rc.d/init.d',
'/etc/rc.d/rc0.d',
'/etc/rc.d/rc1.d',
'/etc/rc.d/rc2.d',
'/etc/rc.d/rc3.d',
'/etc/rc.d/rc4.d',
'/etc/rc.d/rc5.d',
'/etc/rc.d/rc6.d',
'/etc/rcS.d',
'/etc/rdnssd',
'/etc/redhat-lsb',
'/etc/resolvconf/update.d',
'/etc/resolvconf/update-libc.d',
'/etc/schroot/setup.d',
'/etc/security',
'/etc/skel',
'/etc/smartmontools',
'/etc/smartmontools/run.d',
'/etc/ssl/certs',
'/etc/ssl/misc',
'/etc/ssl/trust-source',
'/etc/sysconfig/network-scripts',
'/etc/systemd/system',
'/etc/systemd/system/graphical.target.wants',
'/etc/systemd/system-shutdown',
'/etc/udev/rules.d',
'/etc/update-motd.d',
'/etc/vmware-tools',
'/etc/vmware-tools/scripts/vmware',
'/etc/vpnc',
'/etc/wpa_supplicant',
'/etc/X11',
'/etc/X11/xinit',
'/etc/X11/xinit/xinitrc.d',
'/etc/xdg/Xwayland-session.d',
'/etc/zfs-fuse',
'/etc/zfs/zed.d',
'/etc/zfs/zpool.d'
)
AND file.path NOT IN (
'/etc/auto.net',
'/etc/auto.smb',
'/etc/cloud/clean.d/99-installer',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/grub2.cfg',
'/etc/grub2-efi.cfg',
'/etc/hibernate.sh',
'/etc/libpaper.d/texlive-base',
'/etc/modulefiles/vpl',
'/etc/nftables.conf',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
'/etc/paths.d/100-rvictl',
'/etc/pcp/pmcd/rc.local',
'/etc/pcp/pmie/rc',
'/etc/pcp/pmlogger/rc',
'/etc/pcp/pmproxy/rc',
'/etc/pki/tls/certs/make-dummy-cert',
'/etc/pki/tls/certs/renew-dummy-cert',
'/etc/postfix/postfix-script',
'/etc/postfix/post-install',
'/etc/profile',
'/etc/pwrstatd.conf',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/rmt',
'/etc/sddm/wayland-session',
'/etc/sddm/Xsession',
'/etc/sddm/Xsetup',
'/etc/sddm/Xstop',
'/etc/shutdown.sh',
'/etc/sudoers.d/lima',
'/etc/sv/ssh/finish',
'/etc/sv/ssh/run',
'/etc/udev/powersave.sh',
'/etc/vpl/vars.sh'
)
-- Nix (on macOS) -- actually a symbolic link
AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%'
AND file.path NOT LIKE '/etc/pwrstatd-%.sh'
AND file.path NOT LIKE '/etc/pwrstatd-%.sh'
(file.path LIKE '/etc/%%')
AND file.type = 'regular'
AND (
file.mode LIKE '%7%'
or file.mode LIKE '%5%'
or file.mode LIKE '%1%'
)
AND file.directory NOT IN (
'/etc/acpi',
'/etc/acpi/actions',
'/etc/alternatives',
'/etc/apcupsd',
'/etc/apm/resume.d',
'/etc/apm/scripts.d',
'/etc/apm/suspend.d',
'/etc/avahi',
'/etc/bash_completion.d',
'/etc/brltty/Contraction',
'/etc/ca-certificates/update.d',
'/etc/chromium/native-messaging-hosts',
'/etc/cifs-utils',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/console-setup',
'/etc/cron.daily',
'/etc/cron.hourly',
'/etc/cron.monthly',
'/etc/cron.weekly',
'/etc/dhcp/dhclient.d',
'/etc/dhcp/dhclient-enter-hooks.d',
'/etc/dhcp/dhclient-exit-hooks.d',
'/etc/dkms',
'/etc/flatpak/remotes.d',
'/etc/gdm',
'/etc/gdm3',
'/etc/gdm3/Init',
'/etc/gdm3/PostLogin',
'/etc/gdm3/PostSession',
'/etc/gdm3/PreSession',
'/etc/gdm3/Prime',
'/etc/gdm3/PrimeOff',
'/etc/gdm/Init',
'/etc/gdm/PostLogin',
'/etc/gdm/PostSession',
'/etc/gdm/PreSession',
'/etc/grub.d',
'/etc/httpd/modules',
'/etc/ifplugd',
'/etc/ifplugd/action.d',
'/etc/init.d',
'/etc/initramfs/post-update.d',
'/etc/kde/shutdown',
'/etc/kernel/header_postinst.d',
'/etc/kernel/install.d',
'/etc/kernel/postinst.d',
'/etc/kernel/postrm.d',
'/etc/kernel/preinst.d',
'/etc/kernel/prerm.d',
'/etc/lightdm',
'/etc/localtime',
'/etc/mc',
'/etc/ansible/facts.d/etckeeper.fact',
'/etc/mcelog/triggers',
'/etc/menu-methods',
'/etc/needrestart/hook.d',
'/etc/needrestart/notify.d',
'/etc/needrestart/restart.d',
'/etc/network',
'/etc/network/if-down.d',
'/etc/network/if-post-down.d',
'/etc/network/if-pre-up.d',
'/etc/network/if-up.d',
'/etc/NetworkManager/dispatcher.d',
'/etc/nix/result',
'/etc/nix/result/sw/bin',
'/etc/openvpn',
'/etc/periodic/daily',
'/etc/periodic/monthly',
'/etc/periodic/weekly',
'/etc/pinentry',
'/etc/pki/tls/misc',
'/etc/pm/sleep.d',
'/etc/pop-os/update-motd.d',
'/etc/ppp',
'/etc/ppp/ip-down.d',
'/etc/ppp/ip-up.d',
'/etc/ppp/ipv6-up.d',
'/etc/profile.d',
'/etc/qemu-ga',
'/etc/rc0.d',
'/etc/rc1.d',
'/etc/rc2.d',
'/etc/rc3.d',
'/etc/rc4.d',
'/etc/rc5.d',
'/etc/rc6.d',
'/etc/rc.d/init.d',
'/etc/rc.d/rc0.d',
'/etc/rc.d/rc1.d',
'/etc/rc.d/rc2.d',
'/etc/rc.d/rc3.d',
'/etc/rc.d/rc4.d',
'/etc/rc.d/rc5.d',
'/etc/rc.d/rc6.d',
'/etc/rcS.d',
'/etc/rdnssd',
'/etc/redhat-lsb',
'/etc/resolvconf/update.d',
'/etc/resolvconf/update-libc.d',
'/etc/schroot/setup.d',
'/etc/security',
'/etc/skel',
'/etc/smartmontools',
'/etc/smartmontools/run.d',
'/etc/ssl/certs',
'/etc/ssl/misc',
'/etc/ssl/trust-source',
'/etc/sysconfig/network-scripts',
'/etc/systemd/system',
'/etc/systemd/system/graphical.target.wants',
'/etc/systemd/system-shutdown',
'/etc/udev/rules.d',
'/etc/update-motd.d',
'/etc/vmware-tools',
'/etc/vmware-tools/scripts/vmware',
'/etc/vpnc',
'/etc/wpa_supplicant',
'/etc/X11',
'/etc/X11/xinit',
'/etc/X11/xinit/xinitrc.d',
'/etc/xdg/Xwayland-session.d',
'/etc/zfs-fuse',
'/etc/zfs/zed.d',
'/etc/zfs/zpool.d'
)
AND file.path NOT IN (
'/etc/auto.net',
'/etc/auto.smb',
'/etc/cloud/clean.d/99-installer',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/grub2.cfg',
'/etc/grub2-efi.cfg',
'/etc/hibernate.sh',
'/etc/libpaper.d/texlive-base',
'/etc/modulefiles/vpl',
'/etc/nftables.conf',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
'/etc/paths.d/100-rvictl',
'/etc/pcp/pmcd/rc.local',
'/etc/pcp/pmie/rc',
'/etc/pcp/pmlogger/rc',
'/etc/pcp/pmproxy/rc',
'/etc/pki/tls/certs/make-dummy-cert',
'/etc/pki/tls/certs/renew-dummy-cert',
'/etc/postfix/postfix-script',
'/etc/postfix/post-install',
'/etc/profile',
'/etc/pwrstatd.conf',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/rmt',
'/etc/sddm/wayland-session',
'/etc/sddm/Xsession',
'/etc/sddm/Xsetup',
'/etc/sddm/Xstop',
'/etc/shutdown.sh',
'/etc/sudoers.d/lima',
'/etc/sv/ssh/finish',
'/etc/sv/ssh/run',
'/etc/udev/powersave.sh',
'/etc/vpl/vars.sh'
)
-- Nix (on macOS) -- actually a symbolic link
AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%'
AND file.path NOT LIKE '/etc/pwrstatd-%.sh'
AND file.path NOT LIKE '/etc/pwrstatd-%.sh'
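Review bot: The new `'/etc/ansible/facts.d/etckeeper.fact'` entry is placed in the `file.directory NOT IN (...)` list, but it is a file path, not a directory, so it can never equal `file.directory` (which would be `/etc/ansible/facts.d`) and the exception is ineffective; the fact script will keep firing. Move the line into the `file.path NOT IN (...)` list below, or, if the intent is to exempt everything Ansible drops there, add `'/etc/ansible/facts.d'` to the directory list instead. It is also out of alphabetical order between `'/etc/mc'` and `'/etc/mcelog/triggers'`, which is how it was easy to miss. Unrelated but in the same hunk, the trailing `AND file.path NOT LIKE '/etc/pwrstatd-%.sh'` appears twice on the new side; one copy can go.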


@ -9,288 +9,293 @@
-- platform: posix
-- tags: persistent filesystem state
SELECT
file.path,
file.inode,
file.directory,
uid,
gid,
mode,
atime,
btime,
mtime,
ctime,
type,
size,
hash.sha256,
magic.data
file.path,
file.inode,
file.directory,
uid,
gid,
mode,
atime,
btime,
mtime,
ctime,
type,
size,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'
OR file.path LIKE '/dev/.%'
OR file.path LIKE '/etc/.%'
OR file.path LIKE '/etc/%/.%'
OR file.path LIKE '/lib/%/.%'
OR file.path LIKE '/libexec/.%'
OR file.path LIKE '/Library/.%'
OR file.path LIKE '/sbin/.%'
OR file.path LIKE '/sbin/%/.%'
OR file.path LIKE '/tmp/.%'
OR file.path LIKE '/usr/bin/.%'
OR file.path LIKE '/usr/lib/.%'
OR file.path LIKE '/usr/lib/%/.%'
OR file.path LIKE '/usr/libexec/.%'
OR file.path LIKE '/usr/local/bin/.%'
OR file.path LIKE '/usr/local/lib/.%'
OR file.path LIKE '/usr/local/lib/.%'
OR file.path LIKE '/usr/local/libexec/.%'
OR file.path LIKE '/usr/local/sbin/.%'
OR file.path LIKE '/usr/sbin/.%'
OR file.path LIKE '/var/.%'
OR file.path LIKE '/var/%/.%'
OR file.path LIKE '/var/lib/.%'
OR file.path LIKE '/var/tmp/.%'
)
AND file.path NOT LIKE '%/../'
AND file.path NOT LIKE '%/./' -- Avoid mentioning extremely temporary files
AND strftime ('%s', 'now') - file.ctime > 20
AND file.path NOT IN (
'/.autorelabel',
'/.cache/',
'/dev/.blkid.tab',
'/dev/.mdadm/',
'/.equarantine/',
'/etc/.bootcount',
'/etc/.clean',
'/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',
'/etc/selinux/.config_backup',
'/etc/skel/.local/',
'/etc/skel/.mozilla/',
'/etc/skel/.var/',
'/etc/.#sudoers',
'/.file',
'/.lesshst',
'/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
'/.mozilla/',
'/.nofollow/',
'/.resolve/',
'/tmp/.accounts-agent/',
'/tmp/.audio-agent/',
'/tmp/.bazelci/',
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F', -- Xcode
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/.content-agent/',
'/tmp/._contentbarrier_installed',
'/tmp/.dl.log',
'/tmp/.docker/',
'/tmp/.docker-tmp/',
'/tmp/.dotnet/',
'/tmp/.dracula-tmux-data',
'/tmp/.dracula-tmux-weather.lock',
'/tmp/.DS_Store',
'/tmp/.eos-update-notifier.log',
'/tmp/.featureflags-agent/',
'/tmp/.font-unix/',
'/tmp/.git/',
'/tmp/.go-version',
'/tmp/.helmrepo',
'/tmp/.ICE-unix/',
'/tmp/.last_survey_prompt.yaml',
'/tmp/.last_update_check.json',
'/tmp/.metrics-agent/',
'/tmp/.PKGINFO',
'/tmp/.searcher.tmp/',
'/tmp/.ses',
'/tmp/.settings-agent/',
'/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
'/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
'/tmp/.SIGN.RSA..local-melange.rsa.pub',
'/tmp/.SIGN.RSA.local-melange.rsa.pub',
'/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
'/tmp/.s.PGSQL.5432',
'/tmp/.s.PGSQL.5432.lock',
'/tmp/.terraform/',
'/tmp/.terraform.lock.hcl',
'/tmp/.Test-unix/',
'/tmp/.touchpaddefaults',
'/tmp/.ui-agent/',
'/tmp/.updater-agent/',
'/tmp/.vbox-t-ipc/',
'/tmp/.vscode.dmypy_status/',
'/tmp/.wsdl/',
'/tmp/.X0-lock',
'/tmp/.X11-unix/',
'/tmp/.X1-lock',
'/tmp/.X2-lock',
'/tmp/.XIM-unix/',
'/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
'/usr/local/bin/.swtpm',
'/usr/local/libexec/.ksysguard/',
'/var/db/.AppleInstallType.plist',
'/var/db/.AppleUpgrade',
'/var/db/.com.apple.iokit.graphics',
'/var/db/.com.intego.netupdate.serviceId',
'/var/db/.EntReg',
'/var/db/.GKRearmTimer',
'/var/db/.InstallerTMExcludes.plist',
'/var/db/.intl8859cache.db',
'/var/db/.LastGKApp',
'/var/db/.LastGKReject',
'/var/db/.lvm_setupdone',
'/var/db/.MASManifest',
'/var/db/.RunLanguageChooserToo',
'/var/db/.SoftwareUpdateOptions',
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/home/.duperemove.hash',
'/var/home/.snapshots',
'/var/mail/.cache/',
'/var/.ntw_cache',
'/var/.Parallels_swap/',
'/var/.pwd_cache',
'/var/discourse/.git/',
'/var/discourse/.github/',
'/var/root/.bash_history',
'/var/root/.bash_profile',
'/var/root/.cache/',
'/var/root/.CFUserTextEncoding',
'/var/root/.config/',
'/var/root/.docker/',
'/var/root/.forward',
'/var/roothome/.bash_history',
'/var/roothome/.bash_logout',
'/var/roothome/.bash_profile',
'/var/roothome/.bashrc',
'/var/roothome/.cache/',
'/var/roothome/.config/',
'/var/roothome/.dbus/',
'/var/roothome/.justfile',
'/var/roothome/.local/',
'/var/roothome/.osquery/',
'/var/roothome/.ssh/',
'/var/roothome/.var/',
'/var/home/.snapshots/',
'/var/roothome/.lesshst',
'/var/roothome/.viminfo',
'/var/root/.lesshst',
'/var/root/.nix-channels',
'/var/root/.nix-defexpr/',
'/var/root/.nix-profile/',
'/var/root/.nx/',
'/var/root/.osquery/',
'/var/root/.PenTablet/',
'/var/root/.provisio',
'/var/root/.ssh/',
'/var/root/.Trash/',
'/var/root/.viminfo',
'/var/root/.zsh_history',
'/var/run/.heim_org.h5l.kcm-socket',
'/var/run/.sim_diagnosticd_socket',
'/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
'/var/setup/.AppleSetupUser',
'/var/setup/.TemporaryItems',
'/var/setup/.TemporaryItems/',
'/var/tmp/.ses',
'/var/tmp/.ses.bak',
'/.vol/',
'/.VolumeIcon.icns'
)
AND file.directory NOT IN (
'/etc/skel',
'/etc/skel/.config',
'/var/root/.provisio'
)
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
AND file.path NOT LIKE '/tmp/.#%'
AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo'
AND file.path NOT LIKE '%/lib/.lib%.hmac'
AND file.path NOT LIKE '/tmp/.lark_cache_%'
AND file.path NOT LIKE '/tmp/.cdx.json%'
AND file.path NOT LIKE '/var/roothome/.xauth%'
AND file.path NOT LIKE '/tmp/.wine-%'
AND file.path NOT LIKE '/tmp/.%.gcode'
AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
AND file.path NOT LIKE '/tmp/.io.nwjs.%'
AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
AND file.path NOT LIKe '/tmp/.com.microsoft.Edge.%'
AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/'
AND file.path NOT LIKE '/tmp/.X1%-lock'
AND file.path NOT LIKE '/usr/local/%/.keepme'
AND file.path NOT LIKE '%/.build-id/'
AND file.path NOT LIKE '%/.dwz/'
AND file.path NOT LIKE '%/.updated'
AND file.path NOT LIKE '/tmp/.dropbox-dist-%'
AND file.filename NOT LIKE '.%.swo'
AND file.filename NOT LIKE '.%.swp'
AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
AND file.path NOT LIKE '/usr/lib/jvm/.java-%-openjdk-%.jinfo'
AND NOT (
type = 'regular'
AND (
filename LIKE '%.swp'
OR filename LIKE '%.swo'
OR filename LIKE '%.swn'
OR size < 2
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'
OR file.path LIKE '/dev/.%'
OR file.path LIKE '/etc/.%'
OR file.path LIKE '/etc/%/.%'
OR file.path LIKE '/lib/%/.%'
OR file.path LIKE '/libexec/.%'
OR file.path LIKE '/Library/.%'
OR file.path LIKE '/sbin/.%'
OR file.path LIKE '/sbin/%/.%'
OR file.path LIKE '/tmp/.%'
OR file.path LIKE '/usr/bin/.%'
OR file.path LIKE '/usr/lib/.%'
OR file.path LIKE '/usr/lib/%/.%'
OR file.path LIKE '/usr/libexec/.%'
OR file.path LIKE '/usr/local/bin/.%'
OR file.path LIKE '/usr/local/lib/.%'
OR file.path LIKE '/usr/local/lib/.%'
OR file.path LIKE '/usr/local/libexec/.%'
OR file.path LIKE '/usr/local/sbin/.%'
OR file.path LIKE '/usr/sbin/.%'
OR file.path LIKE '/var/.%'
OR file.path LIKE '/var/%/.%'
OR file.path LIKE '/var/lib/.%'
OR file.path LIKE '/var/tmp/.%'
)
AND file.path NOT LIKE '%/../'
AND file.path NOT LIKE '%/./' -- Avoid mentioning extremely temporary files
AND strftime ('%s', 'now') - file.ctime > 20
AND file.path NOT IN (
'/.autorelabel',
'/.cache/',
'/dev/.blkid.tab',
'/dev/.mdadm/',
'/.equarantine/',
'/etc/.bootcount',
'/etc/.clean',
'/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',
'/etc/selinux/.config_backup',
'/etc/skel/.local/',
'/etc/skel/.mozilla/',
'/etc/skel/.var/',
'/etc/.#sudoers',
'/etc/.gitattributes',
'/etc/.git/',
'/etc/.etckeeper',
'/.file',
'/.lesshst',
'/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
'/.mozilla/',
'/.nofollow/',
'/.resolve/',
'/tmp/.accounts-agent/',
'/tmp/.audio-agent/',
'/tmp/.bazelci/',
'/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F', -- Xcode
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/.content-agent/',
'/tmp/._contentbarrier_installed',
'/tmp/.dl.log',
'/tmp/.docker/',
'/tmp/.docker-tmp/',
'/tmp/.dotnet/',
'/tmp/.dracula-tmux-data',
'/tmp/.dracula-tmux-weather.lock',
'/tmp/.DS_Store',
'/tmp/.eos-update-notifier.log',
'/tmp/.featureflags-agent/',
'/tmp/.font-unix/',
'/tmp/.git/',
'/tmp/.go-version',
'/tmp/.helmrepo',
'/tmp/.ICE-unix/',
'/tmp/.last_survey_prompt.yaml',
'/tmp/.last_update_check.json',
'/tmp/.metrics-agent/',
'/tmp/.PKGINFO',
'/tmp/.searcher.tmp/',
'/tmp/.ses',
'/tmp/.settings-agent/',
'/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
'/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
'/tmp/.SIGN.RSA..local-melange.rsa.pub',
'/tmp/.SIGN.RSA.local-melange.rsa.pub',
'/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
'/tmp/.s.PGSQL.5432',
'/tmp/.s.PGSQL.5432.lock',
'/tmp/.terraform/',
'/tmp/.terraform.lock.hcl',
'/tmp/.Test-unix/',
'/tmp/.touchpaddefaults',
'/tmp/.ui-agent/',
'/tmp/.updater-agent/',
'/tmp/.vbox-t-ipc/',
'/tmp/.vscode.dmypy_status/',
'/tmp/.wsdl/',
'/tmp/.X0-lock',
'/tmp/.X11-unix/',
'/tmp/.X1-lock',
'/tmp/.X2-lock',
'/tmp/.XIM-unix/',
'/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
'/usr/local/bin/.swtpm',
'/usr/local/libexec/.ksysguard/',
'/var/db/.AppleInstallType.plist',
'/var/db/.AppleUpgrade',
'/var/db/.com.apple.iokit.graphics',
'/var/db/.com.intego.netupdate.serviceId',
'/var/db/.EntReg',
'/var/db/.GKRearmTimer',
'/var/db/.InstallerTMExcludes.plist',
'/var/db/.intl8859cache.db',
'/var/db/.LastGKApp',
'/var/db/.LastGKReject',
'/var/db/.lvm_setupdone',
'/var/db/.MASManifest',
'/var/db/.RunLanguageChooserToo',
'/var/db/.SoftwareUpdateOptions',
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/home/.duperemove.hash',
'/var/home/.snapshots',
'/var/mail/.cache/',
'/var/.ntw_cache',
'/var/.Parallels_swap/',
'/var/.pwd_cache',
'/var/discourse/.git/',
'/var/discourse/.github/',
'/var/root/.bash_history',
'/var/root/.bash_profile',
'/var/root/.cache/',
'/var/root/.CFUserTextEncoding',
'/var/root/.config/',
'/var/root/.docker/',
'/var/root/.forward',
'/var/roothome/.bash_history',
'/var/roothome/.bash_logout',
'/var/roothome/.bash_profile',
'/var/roothome/.bashrc',
'/var/roothome/.cache/',
'/var/roothome/.config/',
'/var/roothome/.dbus/',
'/var/roothome/.justfile',
'/var/roothome/.local/',
'/var/roothome/.osquery/',
'/var/roothome/.ssh/',
'/var/roothome/.var/',
'/var/home/.snapshots/',
'/var/roothome/.lesshst',
'/var/roothome/.viminfo',
'/var/root/.lesshst',
'/var/root/.nix-channels',
'/var/root/.nix-defexpr/',
'/var/root/.nix-profile/',
'/var/root/.nx/',
'/var/root/.osquery/',
'/var/root/.PenTablet/',
'/var/root/.provisio',
'/var/root/.ssh/',
'/var/root/.Trash/',
'/var/root/.viminfo',
'/var/root/.zsh_history',
'/var/run/.heim_org.h5l.kcm-socket',
'/var/run/.sim_diagnosticd_socket',
'/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
'/var/setup/.AppleSetupUser',
'/var/setup/.TemporaryItems',
'/var/setup/.TemporaryItems/',
'/var/tmp/.ses',
'/var/setup/.fseventsd/',
'/var/tmp/.ses.bak',
'/.vol/',
'/.VolumeIcon.icns'
)
AND file.directory NOT IN (
'/etc/skel',
'/etc/skel/.config',
'/etc/etckeeper/commit.d',
'/var/root/.provisio'
)
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
AND file.path NOT LIKE '/tmp/.#%'
AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo'
AND file.path NOT LIKE '%/lib/.lib%.hmac'
AND file.path NOT LIKE '/tmp/.lark_cache_%'
AND file.path NOT LIKE '/tmp/.cdx.json%'
AND file.path NOT LIKE '/var/roothome/.xauth%'
AND file.path NOT LIKE '/tmp/.wine-%'
AND file.path NOT LIKE '/tmp/.%.gcode'
AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
AND file.path NOT LIKE '/tmp/.io.nwjs.%'
AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
AND file.path NOT LIKe '/tmp/.com.microsoft.Edge.%'
AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/'
AND file.path NOT LIKE '/tmp/.X1%-lock'
AND file.path NOT LIKE '/usr/local/%/.keepme'
AND file.path NOT LIKE '%/.build-id/'
AND file.path NOT LIKE '%/.dwz/'
AND file.path NOT LIKE '%/.updated'
AND file.path NOT LIKE '/tmp/.dropbox-dist-%'
AND file.filename NOT LIKE '.%.swo'
AND file.filename NOT LIKE '.%.swp'
AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
AND file.path NOT LIKE '/usr/lib/jvm/.java-%-openjdk-%.jinfo'
AND NOT (
type = 'regular'
AND (
filename LIKE '%.swp'
OR filename LIKE '%.swo'
OR filename LIKE '%.swn'
OR size < 2
)
)
AND NOT (
type = 'regular'
AND filename IN ('.placeholder', '.abignore', '.gitignore')
) -- A curious addition seen on NixOS and Fedora machines
AND NOT (
file.path = '/.cache/'
AND file.uid = 0
AND file.gid = 0
AND file.mode IN ('0755', '0700')
AND file.size < 4
) -- Ecamm Live
AND NOT (
file.path LIKE "/tmp/.elive%"
AND file.size < 7
)
AND NOT (
file.path = '/.config/'
AND file.uid = 0
AND file.gid = 0
AND file.mode IN ('0755', '0700')
AND file.size = 4
)
AND NOT (
file.path LIKE '/tmp/.java_pid%'
AND file.type = 'socket'
AND file.size = 0
)
AND NOT (
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
AND NOT (
file.path LIKE '/tmp/.ssh-%'
AND file.type = "socket"
AND file.mode = '0600'
)
-- still not sure what the hell this is
AND NOT (
file.path LIKE '/tmp/.%3D'
AND file.size < 35000
AND file.size > 20000
AND file.mode = '0644'
AND uid = 501
AND gid = 0
)
-- RX100
AND NOT (
file.path LIKE '/var/db/.%'
AND file.gid = 0
AND file.uid = 0
AND file.size = 28
AND file.mode = '0666'
)
)
AND NOT (
type = 'regular'
AND filename IN ('.placeholder', '.abignore', '.gitignore')
) -- A curious addition seen on NixOS and Fedora machines
AND NOT (
file.path = '/.cache/'
AND file.uid = 0
AND file.gid = 0
AND file.mode IN ('0755', '0700')
AND file.size < 4
) -- Ecamm Live
AND NOT (
file.path LIKE "/tmp/.elive%"
AND file.size < 7
)
AND NOT (
file.path = '/.config/'
AND file.uid = 0
AND file.gid = 0
AND file.mode IN ('0755', '0700')
AND file.size = 4
)
AND NOT (
file.path LIKE '/tmp/.java_pid%'
AND file.type = 'socket'
AND file.size = 0
)
AND NOT (
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
AND NOT (
file.path LIKE '/tmp/.ssh-%'
AND file.type = "socket"
AND file.mode = '0600'
)
-- still not sure what the hell this is
AND NOT (
file.path LIKE '/tmp/.%3D'
AND file.size < 35000
AND file.size > 20000
AND file.mode = '0644'
AND uid = 501
AND gid = 0
)
-- RX100
AND NOT (
file.path LIKE '/var/db/.%'
AND file.gid = 0
AND file.uid = 0
AND file.size = 28
AND file.mode = '0666'
)


@ -6,28 +6,30 @@
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
linked_against,
name,
path,
size,
version,
path || ',' || name || ',' || version || ',' || linked_against AS exception_key
linked_against,
name,
path,
size,
version,
hash.sha256,
path || ',' || name || ',' || version || ',' || linked_against AS exception_key
FROM
kernel_extensions
kernel_extensions
LEFT JOIN hash ON kernel_extensions.path = hash.path
WHERE
path NOT LIKE '/System/Library/Extensions/%'
AND NOT (
idx = 0
AND name = '__kernel__'
)
AND exception_key NOT IN (
'/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>',
'/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/14/macfuse.kext,io.macfuse.filesystems.macfuse,2128.20,<1 3 4 5 7>',
'/Library/StagedExtensions/Library/Filesystems/kbfuse.fs/Contents/Extensions/13/kbfuse.kext,com.github.kbfuse.filesystems.kbfuse,2113.21,<1 3 4 5 7>',
'/usr/appleinternal/standalone/platform,com.apple.txm,24.2.0,'
)
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/UAD2System.kext,com.uaudio.driver.UAD2System,%'
AND exception_key NOT LIKE '/usr/appleinternal/standalone/platform,com.apple.sptm,24.2.0,'
path NOT LIKE '/System/Library/Extensions/%'
AND NOT (
idx = 0
AND name = '__kernel__'
)
AND exception_key NOT IN (
'/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>',
'/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/14/macfuse.kext,io.macfuse.filesystems.macfuse,2128.20,<1 3 4 5 7>',
'/Library/StagedExtensions/Library/Filesystems/kbfuse.fs/Contents/Extensions/13/kbfuse.kext,com.github.kbfuse.filesystems.kbfuse,2113.21,<1 3 4 5 7>'
)
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/UAD2System.kext,com.uaudio.driver.UAD2System,%'
AND exception_key NOT LIKE '/usr/appleinternal/standalone/platform,com.apple.txm,24.%'
AND exception_key NOT LIKE '/usr/appleinternal/standalone/platform,com.apple.sptm,24.%'
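Review bot: `exception_key` is a `||` concatenation of `path`, `name`, `version` and `linked_against`, so if any of those is NULL the whole key is NULL, the `NOT IN` list and every `NOT LIKE` evaluate to UNKNOWN, and that extension silently drops out of the results instead of being reported. Building the key with `COALESCE(version, '')` and `COALESCE(linked_against, '')` keeps an unexpected kext with missing metadata visible. Separately, the two `/usr/appleinternal/standalone/platform` entries were relaxed from an exact `24.2.0` pin to `24.%`; a short comment such as `-- any 24.x build of com.apple.txm / com.apple.sptm is expected here` would record that the broadening is deliberate.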


@ -9,88 +9,89 @@
-- tags: persistent process state
-- platform: linux
SELECT
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
REGEX_MATCH (p0.path, '.*\/(.*?)$', 1) AS basename,
REGEX_MATCH (p0.path, '.*\.(\w+)$', 1) AS extension,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
REGEX_MATCH (p0.path, '.*\/(.*?)$', 1) AS basename,
REGEX_MATCH (p0.path, '.*\.(\w+)$', 1) AS extension,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
extension IS NOT NULL
AND extension NOT IN (
'1',
'2',
'3',
'4',
'5',
'10',
'11',
'12',
'13',
'14',
'15',
'16',
'17',
'18',
'19',
'20',
'21',
'22',
'23',
'24',
'25',
'26',
'27',
'28',
'29',
'30',
'31',
'32',
'33',
'34',
'backend',
'emacs',
'build',
'bin',
'nox',
'basic',
'real',
'test',
'AppImage',
'ext'
)
AND NOT basename LIKE 'python3.%'
AND NOT basename LIKE 'python2.%'
AND NOT basename LIKE 'kubectl-%'
AND NOT basename LIKE 'terraform-provider%'
AND NOT basename LIKE 'ld-%.so'
AND NOT basename LIKE 'unison-%'
AND NOT basename IN ('io.elementary.appcenter')
extension IS NOT NULL
AND extension NOT IN (
'1',
'2',
'3',
'4',
'5',
'10',
'11',
'12',
'13',
'14',
'15',
'16',
'17',
'18',
'19',
'20',
'21',
'22',
'23',
'24',
'25',
'26',
'27',
'28',
'29',
'30',
'31',
'32',
'33',
'34',
'backend',
'emacs',
'build',
'bin',
'nox',
'basic',
'real',
'test',
'tiny',
'AppImage',
'ext'
)
AND NOT basename LIKE 'python3.%'
AND NOT basename LIKE 'python2.%'
AND NOT basename LIKE 'kubectl-%'
AND NOT basename LIKE 'terraform-provider%'
AND NOT basename LIKE 'ld-%.so'
AND NOT basename LIKE 'unison-%'
AND NOT basename IN ('io.elementary.appcenter')
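Review bot: The new `'tiny'` entry in the `extension NOT IN` allowlist has no comment saying which program it exempts, and because `extension` is derived from `p0.path` with `'.*\.(\w+)$'` it exempts every running executable whose path ends in `.tiny`. A trailing comment in the style used elsewhere in this commit, e.g. `'tiny', -- <program that ships a .tiny binary>`, would keep the exception reviewable later. Minor: `AND NOT basename IN ('io.elementary.appcenter')` reads more naturally as `AND basename NOT IN ('io.elementary.appcenter')`, matching the `extension NOT IN` form above it.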


@ -9,88 +9,89 @@
-- tags: persistent state filesystem seldom
-- platform: darwin
SELECT
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.btime,
file.mode,
file.ctime,
file.gid,
hash.sha256,
magic.data,
RTRIM (
COALESCE(
REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
file.directory
),
"/"
) AS top3_dir
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.btime,
file.mode,
file.ctime,
file.gid,
hash.sha256,
magic.data,
RTRIM (
COALESCE(
REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
file.directory
),
"/"
) AS top3_dir
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE '/Users/Shared/%%'
OR file.path LIKE '/Users/Shared/.%'
OR file.path LIKE '/Users/Shared/.%/%%'
OR file.path LIKE '/Users/Shared/%/.%'
)
AND NOT (
file.type = 'directory'
OR file.size = 0
OR file.path LIKE '%/../%'
OR file.path LIKE '%/./%'
OR file.path IN (
'/Users/Shared/.BetaEnrollmentData.plist',
'/Users/Shared/.betamigrated',
'/Users/Shared/.com.intego.reporting.plist',
'/Users/Shared/.DS_Store',
'/Users/Shared/Plugin Loading.log',
'/Users/Shared/.ks.intego_metrics_2.plist',
'/Users/Shared/.localized',
'/Users/Shared/.userfonts.cachedb',
'/Users/Shared/CleanMyMac X/.licence',
'/Users/Shared/LogiTuneInstallerStarted.txt',
'/Users/Shared/.NSVolumeHeap',
'/Users/Shared/.4oaLkgIGnA',
'/Users/Shared/.SeedEnrollment.plist'
(
file.path LIKE '/Users/Shared/%%'
OR file.path LIKE '/Users/Shared/.%'
OR file.path LIKE '/Users/Shared/.%/%%'
OR file.path LIKE '/Users/Shared/%/.%'
)
OR top3_dir IN (
'/Users/Shared/Adobe',
'/Users/Shared/AdobeGCData',
'/Users/Shared/AdobeGCInfo',
'/Users/Shared/Audiority',
'/Users/Shared/UnrealEngine',
'/Users/Shared/Canon_Inc_IC',
'/Users/Shared/CleanMyMac X',
'/Users/Shared/CleanMyMac X Menu',
'/Users/Shared/Electronic Arts',
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
'/Users/Shared/Pixologic',
'/Users/Shared/Maxon',
'/Users/Shared/AdobeInstalledCodecsTier2',
'/Users/Shared/LogioptionsPlus',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/.logishrd',
'/Users/Shared/logitune',
'/Users/Shared/ZBrushData2024',
'/Users/Shared/macenhance',
'/Users/Shared/Parallels',
'/Users/Shared/PPN',
'/Users/Shared/Previously Relocated Items',
'/Users/Shared/Red Giant',
'/Users/Shared/Relocated Items',
'/Users/Shared/TechSmith',
'/Users/Shared/Media Cache Files/'
AND NOT (
file.type = 'directory'
OR file.size = 0
OR file.path LIKE '%/../%'
OR file.path LIKE '%/./%'
OR file.path IN (
'/Users/Shared/.BetaEnrollmentData.plist',
'/Users/Shared/.betamigrated',
'/Users/Shared/.com.intego.reporting.plist',
'/Users/Shared/.DS_Store',
'/Users/Shared/Plugin Loading.log',
'/Users/Shared/.ks.intego_metrics_2.plist',
'/Users/Shared/.localized',
'/Users/Shared/.userfonts.cachedb',
'/Users/Shared/CleanMyMac X/.licence',
'/Users/Shared/LogiTuneInstallerStarted.txt',
'/Users/Shared/.NSVolumeHeap',
'/Users/Shared/.4oaLkgIGnA',
'/Users/Shared/.SeedEnrollment.plist'
)
OR top3_dir IN (
'/Users/Shared/Adobe',
'/Users/Shared/AdobeGCData',
'/Users/Shared/AdobeGCInfo',
'/Users/Shared/Audiority',
'/Users/Shared/UnrealEngine',
'/Users/Shared/Canon_Inc_IC',
'/Users/Shared/CleanMyMac X',
'/Users/Shared/CleanMyMac X Menu',
'/Users/Shared/CleanMyMac_5',
'/Users/Shared/Electronic Arts',
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
'/Users/Shared/Pixologic',
'/Users/Shared/Maxon',
'/Users/Shared/AdobeInstalledCodecsTier2',
'/Users/Shared/LogioptionsPlus',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/.logishrd',
'/Users/Shared/logitune',
'/Users/Shared/ZBrushData2024',
'/Users/Shared/macenhance',
'/Users/Shared/Parallels',
'/Users/Shared/PPN',
'/Users/Shared/Previously Relocated Items',
'/Users/Shared/Red Giant',
'/Users/Shared/Relocated Items',
'/Users/Shared/TechSmith',
'/Users/Shared/Media Cache Files/'
)
OR file.path LIKE '/Users/Shared/Epic Games/%'
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
OR (
file.path LIKE "%.plist"
AND magic.data = 'XML 1.0 document, ASCII text'
)
)
OR file.path LIKE '/Users/Shared/Epic Games/%'
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
OR (
file.path LIKE "%.plist"
AND magic.data = 'XML 1.0 document, ASCII text'
)
)
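Review bot: `'/Users/Shared/Media Cache Files/'` in the `top3_dir IN (...)` list can never match, because `top3_dir` is built with `RTRIM(..., "/")`, which strips the trailing slash before the comparison; it should read `'/Users/Shared/Media Cache Files'` like its neighbours (the new `'/Users/Shared/CleanMyMac_5'` entry is written correctly). It is the only entry in that list with a trailing slash, so this looks like an oversight rather than intent. Minor: `file.path LIKE '/Users/Shared/%%'` is equivalent to `'/Users/Shared/%'`, since a doubled `%` is not an escape in SQLite's LIKE, and the single-wildcard form reads less like a typo.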


@ -5,105 +5,106 @@
--
-- tags: persistent process
SELECT
COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS pname,
COALESCE(
REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1),
""
) AS pext,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS pname,
COALESCE(
REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1),
""
) AS pext,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
(
pname LIKE "%kthread%"
OR pname LIKE "%-help"
OR pname LIKE "%flush%"
OR pname LIKE "%tasks%"
OR pname LIKE "%thread%"
OR pname LIKE "%initd%"
OR pname LIKE "%kdmp%"
OR pname LIKE "%kworker%"
OR pname LIKE "%launchd%"
OR pname LIKE "%user_dir%"
OR pname LIKE "%xdg%"
OR pname LIKE "cpu%"
OR pname LIKE "events%"
OR pname LIKE "idle_%"
OR pname LIKE '%xprotect%'
OR pname LIKE "%kaudit%"
OR pname LIKE "%nvme%"
OR pname LIKE "%zswap%"
OR pname LIKE "%crypt%"
OR pname LIKE "%acpi%"
OR pname LIKE "%kdev%"
OR pname LIKE "%ksoft%"
OR pname LIKE "%irq%"
OR pname LIKE "%kswap%"
OR pname LIKE "mm-%"
OR pname LIKE "nm_%"
OR pname LIKE "rcu%"
OR REGEX_MATCH (pname, '([a-z]{16,})', 1) != ""
OR REGEX_MATCH (pname, '([a-zA-Z0-9]{32,})', 1) != ""
OR REGEX_MATCH (pname, '(\w{40,})', 1) != ""
OR REGEX_MATCH (
pname,
'([a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+)',
1
) != ""
OR REGEX_MATCH (pname, "([a-z].*[A-Z].*\d+.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d.*[a-z].*\d.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d{5,})", 1) != ""
OR REGEX_MATCH (pname, "^(\d\d)", 1) != ""
OR REGEX_MATCH (pname, "^(\W)", 1) != ""
OR (
REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)"
(
pname LIKE "%kthread%"
OR pname LIKE "%-help"
OR pname LIKE "%flush%"
OR pname LIKE "%tasks%"
OR pname LIKE "%thread%"
OR pname LIKE "%initd%"
OR pname LIKE "%kdmp%"
OR pname LIKE "%kworker%"
OR pname LIKE "%launchd%"
OR pname LIKE "%user_dir%"
OR pname LIKE "%xdg%"
OR pname LIKE "cpu%"
OR pname LIKE "events%"
OR pname LIKE "idle_%"
OR pname LIKE '%xprotect%'
OR pname LIKE "%kaudit%"
OR pname LIKE "%nvme%"
OR pname LIKE "%zswap%"
OR pname LIKE "%crypt%"
OR pname LIKE "%acpi%"
OR pname LIKE "%kdev%"
OR pname LIKE "%ksoft%"
OR pname LIKE "%irq%"
OR pname LIKE "%kswap%"
OR pname LIKE "mm-%"
OR pname LIKE "nm_%"
OR pname LIKE "rcu%"
OR REGEX_MATCH (pname, '([a-z]{16,})', 1) != ""
OR REGEX_MATCH (pname, '([a-zA-Z0-9]{32,})', 1) != ""
OR REGEX_MATCH (pname, '(\w{40,})', 1) != ""
OR REGEX_MATCH (
pname,
'([a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+)',
1
) != ""
OR REGEX_MATCH (pname, "([a-z].*[A-Z].*\d+.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d.*[a-z].*\d.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d{5,})", 1) != ""
OR REGEX_MATCH (pname, "^(\d\d)", 1) != ""
OR REGEX_MATCH (pname, "^(\W)", 1) != ""
OR (
REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)"
)
AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")
)
AND NOT pname LIKE '.%-wrapped'
AND NOT pname LIKE '__debug_bin%'
AND NOT pname LIKE '__Test%.test'
AND pname NOT IN (
"acpid",
"akonadi_followupreminder_agent",
"gmenudbusmenuproxy",
"irqbalance",
"kactivitymanagerd",
"nm-applet",
"nm-dispatcher",
"xdg-dbus-proxy",
"xdg-desktop-portal",
"xdg-desktop-portal-xapp",
"xdg-desktop-portal-gnome",
"xdg-desktop-portal-gtk",
"xdg-desktop-portal-kde",
"xdg-desktop-portal-regolith",
"xdg-document-portal",
"xdg-permission-store",
"xwaylandvideobridge"
)
AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")
)
AND NOT pname LIKE '.%-wrapped'
AND NOT pname LIKE '__debug_bin%'
AND NOT pname LIKE '__Test%.test'
AND pname NOT IN (
"acpid",
"akonadi_followupreminder_agent",
"gmenudbusmenuproxy",
"irqbalance",
"kactivitymanagerd",
"nm-applet",
"nm-dispatcher",
"xdg-dbus-proxy",
"xdg-desktop-portal",
"xdg-desktop-portal-xapp",
"xdg-desktop-portal-gnome",
"xdg-desktop-portal-gtk",
"xdg-desktop-portal-kde",
"xdg-document-portal",
"xdg-permission-store",
"xwaylandvideobridge"
)
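Review bot: `AND pext NOT IN ("", "gui", "cli", "us", "node", "com", "test")` binds only to the last `OR` alternative (`REGEX_MATCH (pname, "(\W)$", 1) != "" AND pname NOT LIKE "%)"`), because `AND` binds tighter than `OR`, and that combination can never be true: a non-empty `pext` means `p0.path` ends in `\.[a-z]{2,4}`, so `pname` (its basename) ends in a letter, which contradicts a trailing `\W`. The branch is therefore dead as written, and the hunk does not show whether the filter was meant to gate the whole `OR` group or to be its own `OR pext NOT IN (...)` alternative. Whichever is intended, wrap the `OR` group in its own parentheses and add a one-line comment stating what `pext` is meant to exclude, so the precedence is explicit rather than accidental. The darwin counterpart in the next file section, where `pext` is taken from `p0.name`, has the same shape and the same unreachable branch.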


@ -5,123 +5,124 @@
--
-- tags: persistent process
SELECT
p0.name AS pname,
COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
COALESCE(
REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
""
) AS pext,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
s.authority AS p0_sauth,
s.identifier AS p0_sid,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
p0.name AS pname,
COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
COALESCE(
REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
""
) AS pext,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
s.authority AS p0_sauth,
s.identifier AS p0_sid,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time < (strftime('%s', 'now') - 43200) AND
(
pname LIKE "%kthread%"
OR pname LIKE "%-help"
OR pname LIKE "%flush%"
OR pname LIKE "%tasks%"
OR pname LIKE "%thread%"
OR pname LIKE "%initd%"
OR pname LIKE "%kdmp%"
OR pname LIKE "%/%"
OR pname LIKE "%kworker%"
OR pname LIKE "%launchd%"
OR pname LIKE "%user_dir%"
OR pname LIKE "%xdg%"
OR pname LIKE "cpu%"
OR pname LIKE "events%"
OR pname LIKE "idle_%"
OR pname LIKE '%xprotect%'
OR pname LIKE "%kaudit%"
OR pname LIKE "%nvme%"
OR pname LIKE "%zswap%"
OR pname LIKE "%crypt%"
OR pname LIKE "%acpi%"
OR pname LIKE "%kdev%"
OR pname LIKE "%ksoft%"
OR pname LIKE "%irq%"
OR pname LIKE "%kswap%"
OR pname LIKE "mm-%"
OR pname LIKE "nm_%"
OR pname LIKE "rcu%"
OR REGEX_MATCH (pname, '([a-z]{16,})', 1) != ""
OR REGEX_MATCH (pname, '([a-zA-Z0-9]{32,})', 1) != ""
OR REGEX_MATCH (pname, '(\w{40,})', 1) != ""
OR REGEX_MATCH (
pname,
'([a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+)',
1
) != ""
OR REGEX_MATCH (pname, "([a-z].*[A-Z].*\d+.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d.*[a-z].*\d.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d{5,})", 1) != ""
OR REGEX_MATCH (pname, "^(\d\d)", 1) != ""
OR (
REGEX_MATCH (pname, "^(\W)", 1) != ""
AND p0.path NOT LIKE "/nix/store/%/.%-wrapped"
p0.start_time < (strftime ('%s', 'now') - 43200)
AND (
pname LIKE "%kthread%"
OR pname LIKE "%-help"
OR pname LIKE "%flush%"
OR pname LIKE "%tasks%"
OR pname LIKE "%thread%"
OR pname LIKE "%initd%"
OR pname LIKE "%kdmp%"
OR pname LIKE "%/%"
OR pname LIKE "%kworker%"
OR pname LIKE "%launchd%"
OR pname LIKE "%user_dir%"
OR pname LIKE "%xdg%"
OR pname LIKE "cpu%"
OR pname LIKE "events%"
OR pname LIKE "idle_%"
OR pname LIKE '%xprotect%'
OR pname LIKE "%kaudit%"
OR pname LIKE "%nvme%"
OR pname LIKE "%zswap%"
OR pname LIKE "%crypt%"
OR pname LIKE "%acpi%"
OR pname LIKE "%kdev%"
OR pname LIKE "%ksoft%"
OR pname LIKE "%irq%"
OR pname LIKE "%kswap%"
OR pname LIKE "mm-%"
OR pname LIKE "nm_%"
OR pname LIKE "rcu%"
OR REGEX_MATCH (pname, '([a-z]{16,})', 1) != ""
OR REGEX_MATCH (pname, '([a-zA-Z0-9]{32,})', 1) != ""
OR REGEX_MATCH (pname, '(\w{40,})', 1) != ""
OR REGEX_MATCH (
pname,
'([a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+[a-z]+[A-Z]+)',
1
) != ""
OR REGEX_MATCH (pname, "([a-z].*[A-Z].*\d+.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d.*[a-z].*\d.*[a-z].*\d+)", 1) != ""
OR REGEX_MATCH (pname, "(\d{5,})", 1) != ""
OR REGEX_MATCH (pname, "^(\d\d)", 1) != ""
OR (
REGEX_MATCH (pname, "^(\W)", 1) != ""
AND p0.path NOT LIKE "/nix/store/%/.%-wrapped"
)
OR (
REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)"
)
AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
)
OR (
REGEX_MATCH (pname, "(\W)$", 1) != ""
AND pname NOT LIKE "%)"
AND NOT pname IN (
'BetterTouchToolAppleScriptRunner',
'BetterTouchToolAppleScriptRunner3',
'BetterTouchToolShellScriptRunner',
'EcammLiveVideoOutAssistantXPCHelper',
'ThingsWidgetExtensionMacAppStore',
'TwitterNotificationServiceExtension',
'at.obdev.littlesnitch.endpointsecurity',
'at.obdev.littlesnitch.networkextension',
'com.microsoft.teams2.notificationcenter',
'cpu',
'xdg-open',
'EncryptMe',
'dynamiclinkmanager',
'launchd_startx',
'usercontextservice'
)
-- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
AND NOT pname LIKE '___1Test%'
AND NOT pname LIKE '__debug_bin%'
AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
AND NOT pname LIKE 'cody-engine-%'
AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
AND NOT pname LIKE 'debug.test%'
AND NOT pname LIKE '__%go_build%'
AND NOT pname LIKE '%-macos-arm64'
AND NOT pname LIKE '___Test%'
AND NOT s.authority IN (
"Software Signing",
"Apple Mac OS Application Signing"
)
AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
)
AND NOT pname IN (
'BetterTouchToolAppleScriptRunner',
'BetterTouchToolAppleScriptRunner3',
'BetterTouchToolShellScriptRunner',
'EcammLiveVideoOutAssistantXPCHelper',
'ThingsWidgetExtensionMacAppStore',
'TwitterNotificationServiceExtension',
'at.obdev.littlesnitch.endpointsecurity',
'at.obdev.littlesnitch.networkextension',
'com.microsoft.teams2.notificationcenter',
'cpu',
'xdg-open',
'EncryptMe',
'dynamiclinkmanager',
'launchd_startx',
'usercontextservice'
)
-- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
AND NOt pname LIKE '___1Test%'
AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
AND NOT pname LIKE 'cody-engine-%'
AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
AND NOT pname LIKE 'debug.test%'
AND NOT pname LIKE '__%go_build%'
AND NOT pname LIKE '%-macos-arm64'
AND NOT pname LIKE '___Test%'
AND NOT s.authority IN (
"Software Signing",
"Apple Mac OS Application Signing"
)
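Review bot: `AND NOt pname LIKE '___1Test%'` has a mis-cased keyword; SQLite accepts it, but every other keyword in this file is uppercase, so it should read `AND NOT pname LIKE '___1Test%'`. Also, one of the two printed copies of the trailing exclusion list contains `AND NOT pname LIKE '__debug_bin%'` and the other does not; the rendered view does not show which copy is the new side, so if the `__debug_bin%` exemption is the one being dropped, please confirm that is intentional, since the linux counterpart in the previous section still carries it.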


@ -8,220 +8,221 @@
-- platform: darwin
-- tags: transient seldom process filesystem state
SELECT DISTINCT
COALESCE(REGEX_MATCH (p0.path, '(.*)/', 1), p0.path) AS dir,
REPLACE (f.directory, u.directory, '~') AS homedir,
COALESCE(
COALESCE(REGEX_MATCH (p0.path, '(.*)/', 1), p0.path) AS dir,
REPLACE (f.directory, u.directory, '~') AS homedir,
COALESCE(
REGEX_MATCH (
REPLACE (f.directory, u.directory, '~'),
'(~/.*?/.*?/.*?/)',
1
),
REPLACE (f.directory, u.directory, '~')
) AS top3_homedir,
REGEX_MATCH (
REPLACE (f.directory, u.directory, '~'),
'(~/.*?/.*?/.*?/)',
1
),
REPLACE (f.directory, u.directory, '~')
) AS top3_homedir,
REGEX_MATCH (
REPLACE (f.directory, u.directory, '~'),
'(~/.*?/)',
1
) AS top_homedir,
s.authority AS p0_auth,
s.identifier AS p0_id,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.start_time AS p1_start,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON p0.uid = u.uid
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
pid > 0
AND REGEX_MATCH (
path,
"^(/System|/usr/libexec/|/usr/sbin/|/usr/bin/|/usr/lib/|/bin/|/Applications|/Library/Apple/|/sbin/|/usr/local/kolide-k2)",
REPLACE (f.directory, u.directory, '~'),
'(~/.*?/)',
1
) IS NULL
GROUP BY
path
)
AND NOT dir IN (
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
'/Library/DropboxHelperTools/Dropbox_u501',
'/Library/Filesystems/kbfuse.fs/Contents/Resources',
'/Library/Frameworks/Python.framework/Versions/3.10/bin',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
'/Library/Printers/DYMO/Utilities',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
'/Library/PrivilegedHelperTools',
'/Library/TeX/texbin',
'/usr/local/aws-cli',
'/nix/store',
'/nix/var/nix/profiles/default/bin',
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
'/opt/usr/bin',
'/opt/X11/bin',
'/opt/X11/libexec',
'/run/current-system/sw/bin'
)
AND NOT homedir IN (
'~/bin',
'~/.cache/gitstatus',
'~/.gvm/binscripts',
'~/.local/share/gh/extensions/gh-sbom',
'~/.magefile'
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/Downloads/%.app/Contents/MacOS'
AND NOT top_homedir IN (
'~/Applications/',
'~/Applications (Parallels)/',
'~/bin/',
'~/.cargo/',
'~/chainguard_repos/',
'~/code/',
'~/Code/',
'~/.config/',
'~/dev/',
'~/git/',
'~/go/',
'~/google-cloud-sdk/',
'~/homebrew/',
'~/.kuberlr/',
'~/Parallels/',
'~/proj/',
'~/projects/',
'~/.provisio/',
'~/.pulumi/',
'~/.pyenv/',
'~/.rbenv/',
'~/repos/',
'~/.rustup/',
'~/sigstore/',
'~/src/',
'~/.steampipe/',
'~/.supermaven/',
'~/.tflint.d/',
'~/thinkorswim/',
'~/.Trash/',
'~/.vscode/',
'~/.vs-kubernetes/',
'~/workspace/'
)
AND NOT top3_homedir IN (
'~/anaconda3/Anaconda-Navigator.app/Contents/',
'~/.cache/selenium/chromedriver/',
'/Library/Application Support/EcammLive',
'~/Library/Arduino15/packages/',
'~/Library/Caches/com.grammarly.ProjectLlama/',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/Cypress/',
'~/Library/Caches/JetBrains/',
'~/Library/Caches/org.gpgtools.updater/',
'~/Library/Caches/snyk/',
'/Library/Developer/Xcode/',
'~/Library/Services/UE4EditorServices.app/',
'~/.local/share/bob/',
'~/.local/share/nvim/',
'~/opentelemetry-operator/cmd/otel-allocator',
'/opt/rapid7/ir_agent',
'~/.terraform.d/plugin-cache/registry.terraform.io/',
'~/zed/target/release/'
)
AND dir NOT LIKE '/Applications/%'
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
AND dir NOT LIKE '/private/tmp/go-build%/exe'
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
AND dir NOT LIKE '/private/tmp/nix-build-%'
AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
AND dir NOT LIKE '/private/var/folders/%/bin'
AND dir NOT LIKE '/private/var/folders/%/Contents/%'
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
AND dir NOT LIKE '/private/var/folders/%/go-build%'
AND dir NOT LIKE '/private/var/folders/%/GoLand'
AND dir NOT LIKE '%/.terraform/providers/%'
AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
AND homedir NOT LIKE '~/%/node_modules/%'
AND homedir NOT LIKE '~/.local/%/packages/%'
AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
AND homedir NOT LIKE '~/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS'
AND homedir NOT LIKE '~/Library/Application Support/%'
AND s.authority NOT IN (
'Apple iPhone OS Application Signing',
'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
'Software Signing'
) -- Locally built executables
AND NOT (
s.identifier = "a.out"
AND homedir LIKE '~/%'
AND p1.name LIKE '%sh'
AND p2.name = 'login'
AND p0.path NOT LIKE '%/Cache%'
AND p0.path NOT LIKE '%/Library/%'
AND p0.path NOT LIKE '%/.%'
)
) AS top_homedir,
s.authority AS p0_auth,
s.identifier AS p0_id,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.start_time AS p1_start,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON p0.uid = u.uid
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
pid > 0
AND REGEX_MATCH (
path,
"^(/System|/usr/libexec/|/usr/sbin/|/usr/bin/|/usr/lib/|/bin/|/Applications|/Library/Apple/|/sbin/|/usr/local/kolide-k2)",
1
) IS NULL
GROUP BY
path
)
AND NOT dir IN (
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
'/Library/DropboxHelperTools/Dropbox_u501',
'/Library/Filesystems/kbfuse.fs/Contents/Resources',
'/Library/Frameworks/Python.framework/Versions/3.10/bin',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
'/Library/Printers/DYMO/Utilities',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
'/Library/PrivilegedHelperTools',
'/Library/TeX/texbin',
'/usr/local/aws-cli',
'/nix/store',
'/nix/var/nix/profiles/default/bin',
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
'/opt/usr/bin',
'/opt/X11/bin',
'/opt/X11/libexec',
'/run/current-system/sw/bin'
)
AND NOT homedir IN (
'~/bin',
'~/.cache/gitstatus',
'~/.gvm/binscripts',
'~/.local/share/gh/extensions/gh-sbom',
'~/.docker/cli-plugins',
'~/.magefile'
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/Downloads/%.app/Contents/MacOS'
AND NOT top_homedir IN (
'~/Applications/',
'~/Applications (Parallels)/',
'~/bin/',
'~/.cargo/',
'~/chainguard_repos/',
'~/code/',
'~/Code/',
'~/.config/',
'~/dev/',
'~/git/',
'~/go/',
'~/google-cloud-sdk/',
'~/homebrew/',
'~/.kuberlr/',
'~/Parallels/',
'~/proj/',
'~/projects/',
'~/.provisio/',
'~/.pulumi/',
'~/.pyenv/',
'~/.rbenv/',
'~/repos/',
'~/.rustup/',
'~/sigstore/',
'~/src/',
'~/.steampipe/',
'~/.supermaven/',
'~/.tflint.d/',
'~/thinkorswim/',
'~/.Trash/',
'~/.vscode/',
'~/.vs-kubernetes/',
'~/workspace/'
)
AND NOT top3_homedir IN (
'~/anaconda3/Anaconda-Navigator.app/Contents/',
'~/.cache/selenium/chromedriver/',
'/Library/Application Support/EcammLive',
'~/Library/Arduino15/packages/',
'~/Library/Caches/com.grammarly.ProjectLlama/',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/Cypress/',
'~/Library/Caches/JetBrains/',
'~/Library/Caches/org.gpgtools.updater/',
'~/Library/Caches/snyk/',
'/Library/Developer/Xcode/',
'~/Library/Services/UE4EditorServices.app/',
'~/.local/share/bob/',
'~/.local/share/nvim/',
'~/opentelemetry-operator/cmd/otel-allocator',
'/opt/rapid7/ir_agent',
'~/.terraform.d/plugin-cache/registry.terraform.io/',
'~/zed/target/release/'
)
AND dir NOT LIKE '/Applications/%'
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
AND dir NOT LIKE '/private/tmp/go-build%/exe'
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
AND dir NOT LIKE '/private/tmp/nix-build-%'
AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
AND dir NOT LIKE '/private/var/folders/%/bin'
AND dir NOT LIKE '/private/var/folders/%/Contents/%'
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
AND dir NOT LIKE '/private/var/folders/%/go-build%'
AND dir NOT LIKE '/private/var/folders/%/GoLand'
AND dir NOT LIKE '%/.terraform/providers/%'
AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
AND homedir NOT LIKE '~/%/node_modules/%'
AND homedir NOT LIKE '~/.local/%/packages/%'
AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
AND homedir NOT LIKE '~/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS'
AND homedir NOT LIKE '~/Library/Application Support/%'
AND s.authority NOT IN (
'Apple iPhone OS Application Signing',
'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
'Software Signing'
) -- Locally built executables
AND NOT (
s.identifier = "a.out"
AND homedir LIKE '~/%'
AND p1.name LIKE '%sh'
AND p2.name = 'login'
AND p0.path NOT LIKE '%/Cache%'
AND p0.path NOT LIKE '%/Library/%'
AND p0.path NOT LIKE '%/.%'
)


@ -3,66 +3,66 @@
-- interval: 7200
-- platform: posix
SELECT
yara.*,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
yara.*,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
JOIN yara ON p0.path = yara.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
JOIN yara ON p0.path = yara.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime ('%s', 'now') - 7200)
AND path != ""
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/libexec/%'
AND NOT path LIKE '/usr/sbin/%' -- Regular apps
AND NOT path LIKE '/Applications/%.app/Contents/macOS/%'
AND NOT path LIKE '/opt/%'
AND NOT path LIKE '/Users/%/go/%'
AND NOT path LIKE '/Users/%/dev/%'
AND NOT path LIKE '/Users/%/src/%'
AND NOT path LIKE '/Users/%/bin/%'
AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
AND NOT path LIKE '/Users/%/.terraform/providers/%'
AND NOT path LIKE '/%/.local/zed.app/libexec/zed-editor'
GROUP BY
path
)
AND yara.sigrule = '
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > (strftime ('%s', 'now') - 7200)
AND path != ""
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/libexec/%'
AND NOT path LIKE '/usr/sbin/%' -- Regular apps
AND NOT path LIKE '/Applications/%.app/Contents/macOS/%'
AND NOT path LIKE '/opt/%'
AND NOT path LIKE '/Users/%/go/%'
AND NOT path LIKE '/Users/%/dev/%'
AND NOT path LIKE '/Users/%/src/%'
AND NOT path LIKE '/Users/%/bin/%'
AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
AND NOT path LIKE '/Users/%/.terraform/providers/%'
AND NOT path LIKE '/%/.local/zed.app/libexec/zed-editor'
GROUP BY
path
)
AND yara.sigrule = '
rule http_exec {
strings:
$http_proxy = "HTTP_PROXY" ascii
@ -70,29 +70,30 @@ WHERE
condition:
all of them
}'
AND yara.count > 0
AND p0.name NOT IN (
'atuin',
'cargo',
'Cody',
'deno',
'DevPod',
'fig-darwin-universal',
'figma_agent',
'nvim',
'old',
'OrbStack Helper',
'rpm-ostree',
'sg-nvim-agent',
'sm-agent',
'stable',
'wezterm-gui',
'zed'
)
AND p0.name NOT LIKE 'cody-engine-%'
AND p0.path NOT LIKE '/Users/%/.cargo/bin/%'
AND p0.path NOT IN (
'/Applications/safeqclient.app/Contents/MacOS/safeqclient',
'/Applications/Zed.app/Contents/MacOS/Zed',
'/Library/safeqclientcore/bin/safeqclientcore'
)
AND yara.count > 0
AND p0.name NOT IN (
'atuin',
'cargo',
'Cody',
'deno',
'DevPod',
'fig-darwin-universal',
'figma_agent',
'i3status-rust',
'nvim',
'old',
'OrbStack Helper',
'rpm-ostree',
'sg-nvim-agent',
'sm-agent',
'stable',
'wezterm-gui',
'zed'
)
AND p0.name NOT LIKE 'cody-engine-%'
AND p0.path NOT LIKE '/Users/%/.cargo/bin/%'
AND p0.path NOT IN (
'/Applications/safeqclient.app/Contents/MacOS/safeqclient',
'/Applications/Zed.app/Contents/MacOS/Zed',
'/Library/safeqclientcore/bin/safeqclientcore'
)
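Review bot: The new `'i3status-rust'` entry exempts the process by `p0.name` alone, while the same hunk shows the query already prefers path-anchored exemptions (`p0.path NOT LIKE '/Users/%/.cargo/bin/%'`, `p0.path NOT IN (...)`); a name-only entry also exempts any unrelated binary that happens to carry that name, so the http_exec rule is silenced for it. Consider pairing the name with where the binary legitimately lives and keeping it out of the name list, e.g. `AND NOT (p0.name = 'i3status-rust' AND p0.path LIKE '<install-dir placeholder>/%')`. Separately, `path != ""` uses double quotes for a string literal, which SQLite tolerates but which is an identifier quote in standard SQL; `''` would match the single-quoted literals used throughout the rest of the hunk.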


@ -11,266 +11,267 @@
-- platform: darwin
-- tags: persistent filesystem spotlight often
SELECT
file.path,
file.size,
datetime (file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
signature.identifier,
signature.authority,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
file.path,
file.size,
datetime (file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
signature.identifier,
signature.authority,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
(
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
)
AND ea.key = 'where_from'
AND file.btime > (strftime ('%s', 'now') -86400)
AND domain NOT IN (
'adobe.com',
'akmedia.digidesign.com',
'alfredapp.com',
'amazon.com',
'android.com',
'ankiweb.net',
'apple.com',
'arc.net',
'asana.com',
'astutegraphics.com',
'backblazeb2.com',
'balena.io',
'balsamiq.com',
'bblmw.com',
'bluestacks.com',
'boxcdn.net',
'box.com',
'brave.com',
'byfly.by',
'canon.co.uk',
'cdn.mozilla.net',
'charlesproxy.com',
'chatgpt.com',
'cloudfront.net',
'cron.com',
'csclub.uwaterloo.ca',
'curseforge.com',
'c-wss.com',
'descript.com',
'desktop.evernote.com',
'digidesign.com',
'discordapp.net',
'discord.com',
'dl.meitu.com',
'dl.sourceforge.net',
'docker.com',
'dogado.de',
'download.prss.microsoft.com',
'duckduckgo.com',
'eclipse.org',
'emeet.com',
'epson.com',
'eventideaudio.com',
'fcix.net',
'figma.com',
'foundry.com',
'gaomon.net',
'getutm.app',
'gimp.org',
'github.io',
'githubusercontent.com',
'google.ca',
'google.com',
'grammarly.com',
'imazing.com',
'integodownload.com',
'irccloud.com',
'jetbrains.com',
'kagi.com',
'kolide.com',
'libreoffice.org',
'live.com',
'logitech.com',
'loom.com',
'macbartender.com',
'macroplant.com',
'maxon.net',
'microsoft.com',
'minecraft.net',
'mirrorservice.org',
'mm.cfix.net',
'mm.fcix.net',
'mojang.com',
'mozilla.org',
'mutedeck.com',
'mysql.com',
'notion.so',
'notion-static.com',
'ocf.berkeley.edu',
'odvdev.at',
'office.com',
'oobesaas.adobe.com',
'openra.net',
'oracle.com',
'osuosl.org',
'overwolf.com',
'pathofexile.com',
'perforce.com',
'poecdn.com',
'pqrs.org',
'proxmox.com',
'prusa3d.com',
'raspberrypi.com',
'redhat.com',
'remarkable.com',
'rewind.ai',
's3.amazonaws.com',
'securew2.com',
'signal.org',
'siliconmotion.com',
'skype.com',
'slack.com',
'slack-edge.com',
'stclairsoft.com',
'steampowered.com',
'synaptics.com',
'tableplus.com',
'teams.cdn.office.net',
'techsmith.com',
'tweaknews.eu',
'ubuntu.com',
'ultimaker.com',
'umd.edu',
'usa.canon.com',
'uubyte.com',
'vc.logitech.com',
'vimcal.com',
'virtualbox.org',
'viture.dev',
'vmware.com',
'warp.dev',
'webex.com',
'whatsapp.com',
'xtom.com',
'gitbutler.com',
'xx.fbcdn.net',
'yubico.com',
'zoo.dev',
'zoomgov.com',
'zoom.us',
'zsa.io'
)
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
AND host NOT IN (
'adoptium.net',
'arc.net',
'asana.com',
'awscli.amazonaws.com',
'balsamiq.com',
'bearly.ai',
'blyt.net',
'brave.com',
'calibre-ebook.com',
'chatgpt.com',
'cron.com',
'discord.com',
'dl.discordapp.net',
'dl2.discordapp.net',
'dl.google.com',
'duckduckgo.com',
'dygma.com',
'emacsformacosx.com',
'epson.com',
'evernote.com',
'multipass.run',
'fbcdn.net',
'figma.com',
'flipperzero.one',
'fnord.com',
'getkap.co',
'github.com',
'gitbutler.com',
'go.dev',
'imazing.com',
'keybase.io',
'kittycad.io',
'krisp.ai',
'macroplant.com',
'mail.google.com',
'mangoslab.blob.core.windows.net',
'manual.canon',
'manytricks.com',
'maxon.net',
'mimestream.com',
'mnvoip.mm.fcix.net',
'mutedeck.com',
'obdev.at',
'obsidian.md',
'obsproject.com',
'opalcamera.com',
'openai.com',
'packages.openvpn.net',
'persistent.oaistatic.com',
'portswigger-cdn.net',
'posit.co',
'prerelease.keybase.io',
'presenting.app',
'proton.me',
'rancherdesktop.io',
'rectangleapp.com',
's3.amazonaws.com',
'scribehow.com',
'shottr.cc',
'sipapp.fra1.digitaloceanspaces.com',
'sipapp.io',
'sourceforge.net',
'sourcegraph.com',
'stclairsoft.s3.amazonaws.com',
'store.steampowered.com',
'superkey.app',
'superhuman.com',
'tableplus.com',
'textexpander.com',
'tosmediaserver.schwab.com',
'transmissionbt.com',
'ubuntu.com',
'ultimaker.com',
'universal-blue.discourse.group',
'warp-releases.storage.googleapis.com',
'wavebox.io',
'www.google.com',
'www.messenger.com',
'zed.dev',
'zoo.dev',
'zoom.us'
)
-- Yes, these are meant to be fairly broad.
AND host NOT LIKE 'download%'
AND host NOT LIKE 'cdn%'
AND host NOT LIKE '%.cdn.%.com'
AND host NOT LIKE '%.edu'
AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
AND host NOT LIKE '%.org'
AND host NOT LIKE 'dl.%'
AND host NOT LIKE 'dl-%'
AND host NOT LIKE 'mirror%'
AND host NOT LIKE 'driver.%'
AND host NOT LIKE 'support%'
AND host NOT LIKE 's3.%.amazonaws.com'
AND host NOT LIKe '%.s3.%.amazonaws.com'
AND host NOT LIKE 'software%'
AND host NOT LIKE 'www.google.%'
AND host NOT LIKE '%release%.storage.googleapis.com'
AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
AND ea.value NOT LIKE 'https://storage.googleapis.com/kolide-k2-production-downloads-f414/%'
(
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
)
AND ea.key = 'where_from'
AND file.btime > (strftime ('%s', 'now') -86400)
AND domain NOT IN (
'adobe.com',
'akmedia.digidesign.com',
'alfredapp.com',
'amazon.com',
'android.com',
'ankiweb.net',
'apple.com',
'arc.net',
'asana.com',
'astutegraphics.com',
'backblazeb2.com',
'balena.io',
'balsamiq.com',
'bblmw.com',
'bluestacks.com',
'boxcdn.net',
'box.com',
'brave.com',
'byfly.by',
'canon.co.uk',
'cdn.mozilla.net',
'charlesproxy.com',
'chatgpt.com',
'cloudfront.net',
'cron.com',
'csclub.uwaterloo.ca',
'curseforge.com',
'c-wss.com',
'descript.com',
'desktop.evernote.com',
'digidesign.com',
'discordapp.net',
'discord.com',
'dl.meitu.com',
'dl.sourceforge.net',
'docker.com',
'dogado.de',
'download.prss.microsoft.com',
'duckduckgo.com',
'eclipse.org',
'emeet.com',
'epson.com',
'eventideaudio.com',
'fcix.net',
'figma.com',
'foundry.com',
'gaomon.net',
'getutm.app',
'gimp.org',
'github.io',
'githubusercontent.com',
'google.ca',
'google.com',
'grammarly.com',
'imazing.com',
'integodownload.com',
'irccloud.com',
'jetbrains.com',
'kagi.com',
'kolide.com',
'libreoffice.org',
'live.com',
'logitech.com',
'loom.com',
'macbartender.com',
'macroplant.com',
'maxon.net',
'microsoft.com',
'minecraft.net',
'mirrorservice.org',
'mm.cfix.net',
'mm.fcix.net',
'mojang.com',
'mozilla.org',
'mutedeck.com',
'mysql.com',
'notion.so',
'notion-static.com',
'ocf.berkeley.edu',
'odvdev.at',
'office.com',
'oobesaas.adobe.com',
'openra.net',
'oracle.com',
'osuosl.org',
'overwolf.com',
'pathofexile.com',
'perforce.com',
'poecdn.com',
'pqrs.org',
'proxmox.com',
'prusa3d.com',
'raspberrypi.com',
'redhat.com',
'remarkable.com',
'rewind.ai',
's3.amazonaws.com',
'securew2.com',
'signal.org',
'siliconmotion.com',
'skype.com',
'slack.com',
'slack-edge.com',
'stclairsoft.com',
'steampowered.com',
'synaptics.com',
'tableplus.com',
'teams.cdn.office.net',
'techsmith.com',
'tweaknews.eu',
'ubuntu.com',
'ultimaker.com',
'umd.edu',
'usa.canon.com',
'uubyte.com',
'vc.logitech.com',
'vimcal.com',
'virtualbox.org',
'viture.dev',
'vmware.com',
'warp.dev',
'webex.com',
'whatsapp.com',
'xtom.com',
'gitbutler.com',
'xx.fbcdn.net',
'yubico.com',
'zoo.dev',
'zoomgov.com',
'zoom.us',
'zsa.io'
)
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
AND host NOT IN (
'adoptium.net',
'arc.net',
'asana.com',
'awscli.amazonaws.com',
'balsamiq.com',
'bearly.ai',
'blyt.net',
'brave.com',
'calibre-ebook.com',
'chatgpt.com',
'cron.com',
'discord.com',
'dl.discordapp.net',
'dl2.discordapp.net',
'dl.google.com',
'duckduckgo.com',
'dygma.com',
'emacsformacosx.com',
'emeet.com',
'epson.com',
'evernote.com',
'multipass.run',
'fbcdn.net',
'figma.com',
'flipperzero.one',
'fnord.com',
'getkap.co',
'github.com',
'gitbutler.com',
'go.dev',
'imazing.com',
'keybase.io',
'kittycad.io',
'krisp.ai',
'macroplant.com',
'mail.google.com',
'mangoslab.blob.core.windows.net',
'manual.canon',
'manytricks.com',
'maxon.net',
'mimestream.com',
'mnvoip.mm.fcix.net',
'mutedeck.com',
'obdev.at',
'obsidian.md',
'obsproject.com',
'opalcamera.com',
'openai.com',
'packages.openvpn.net',
'persistent.oaistatic.com',
'portswigger-cdn.net',
'posit.co',
'prerelease.keybase.io',
'presenting.app',
'proton.me',
'rancherdesktop.io',
'rectangleapp.com',
's3.amazonaws.com',
'scribehow.com',
'shottr.cc',
'sipapp.fra1.digitaloceanspaces.com',
'sipapp.io',
'sourceforge.net',
'sourcegraph.com',
'stclairsoft.s3.amazonaws.com',
'store.steampowered.com',
'superkey.app',
'superhuman.com',
'tableplus.com',
'textexpander.com',
'tosmediaserver.schwab.com',
'transmissionbt.com',
'ubuntu.com',
'ultimaker.com',
'universal-blue.discourse.group',
'warp-releases.storage.googleapis.com',
'wavebox.io',
'www.google.com',
'www.messenger.com',
'zed.dev',
'zoo.dev',
'zoom.us'
)
-- Yes, these are meant to be fairly broad.
AND host NOT LIKE 'download%'
AND host NOT LIKE 'cdn%'
AND host NOT LIKE '%.cdn.%.com'
AND host NOT LIKE '%.edu'
AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
AND host NOT LIKE '%.org'
AND host NOT LIKE 'dl.%'
AND host NOT LIKE 'dl-%'
AND host NOT LIKE 'mirror%'
AND host NOT LIKE 'driver.%'
AND host NOT LIKE 'support%'
AND host NOT LIKE 's3.%.amazonaws.com'
AND host NOT LIKe '%.s3.%.amazonaws.com'
AND host NOT LIKE 'software%'
AND host NOT LIKE 'www.google.%'
AND host NOT LIKE '%release%.storage.googleapis.com'
AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
AND ea.value NOT LIKE 'https://storage.googleapis.com/kolide-k2-production-downloads-f414/%'
GROUP BY
ea.value
ea.value
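Review bot: Adding `'emeet.com'` to the `host NOT IN` list looks correct, but the reason is not recorded anywhere in the section: `domain` is computed as the host with its first label stripped (`REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1)`), so for a bare two-label host such as `emeet.com` the capture group appears to be just `com`, and the entry already present in `domain NOT IN` cannot exempt it. A one-line comment above the `host NOT IN (` line would spare the next maintainer from re-deriving this: `-- host: bare registrable domains; domain only matches hosts that carry a subdomain label`. The same comment would make clear that entries appearing in both lists (`'arc.net'`, `'zoom.us'`, and now `'emeet.com'`) are deliberate rather than redundant. Minor style: the `NOT LIKe '%.s3.%.amazonaws.com'` line mixes case in the keyword; `NOT LIKE` keeps it consistent with its neighbours.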


@ -9,396 +9,397 @@
-- tags: persistent process state
-- platform: linux
SELECT
CONCAT (
p0.name,
',',
REPLACE (
p0.path,
COALESCE(
REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
"3.11"
),
"__VERSION__"
),
',',
-- This is intentionally not euid, as everything is euid 0
p0.uid,
',',
CONCAT (
SPLIT (p0.cgroup_path, "/", 0),
",",
SPLIT (p0.cgroup_path, "/", 1)
),
',',
f.mode
) AS exception_key,
DATETIME (f.ctime, 'unixepoch') AS p0_changed,
DATETIME (f.mtime, 'unixepoch') AS p0_modified,
(strftime ('%s', 'now') - p0.start_time) AS p0_runtime_s,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
p0.name,
',',
REPLACE (
p0.path,
COALESCE(
REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
"3.11"
),
"__VERSION__"
),
',',
-- This is intentionally not euid, as everything is euid 0
p0.uid,
',',
CONCAT (
SPLIT (p0.cgroup_path, "/", 0),
",",
SPLIT (p0.cgroup_path, "/", 1)
),
',',
f.mode
) AS exception_key,
DATETIME (f.ctime, 'unixepoch') AS p0_changed,
DATETIME (f.mtime, 'unixepoch') AS p0_modified,
(strftime ('%s', 'now') - p0.start_time) AS p0_runtime_s,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1_f.mode AS p1_mode,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN file p1_f ON p1.path = p1_f.path
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.euid = 0
AND p0.parent > 0
AND p0.path != ""
AND p0.start_time < (strftime ('%s', 'now') - 1200)
AND exception_key NOT IN (
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
'apt,/usr/bin/apt,0,user.slice,user-1000.slice,0755',
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
'bpfilter_umh,/bpfilter_umh,0,,,',
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
'containerd,/usr/sbin/containerd,0,system.slice,docker.service,0755',
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'cups-proxyd,/snap/cups/__VERSION__/sbin/cups-proxyd,0,system.slice,snap.cups.cupsd.service,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
'dirmngr,/usr/bin/dirmngr,0,system.slice,archlinux-keyring-wkd-sync.service,0755',
'dirmngr,/usr/bin/dirmngr,0,system.slice,system-dirmngr.slice,0755',
'DisplayLinkMana,/usr/libexec/displaylink/DisplayLinkManager,0,system.slice,displaylink.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755',
'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
'dockerd,/snap/docker/__VERSION__/bin/dockerd,0,system.slice,snap.docker.dockerd.service,0755',
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
'dpkg,/usr/bin/dpkg,0,user.slice,user-1000.slice,0755',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'execsnoop-bpfcc,/usr/bin/python3.10,0,system.slice,com.system76.Scheduler.service,0755',
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,user.slice,user-0.slice,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
'frontend,/usr/bin/perl,0,user.slice,user-1000.slice,0755',
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1001.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'virtlockd,/usr/sbin/virtlockd,0,system.slice,virtlockd.service,0755',
'virtlogd,/usr/sbin/virtlogd,0,system.slice,virtlogd.service,0755',
'geoclue.service,Location Lookup Service,geoclue,500',
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
'group-admin-dae,/usr/libexec/group-admin-daemon,0,system.slice,group-admin-daemon.service,0755',
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755',
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.dashing-bat,,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.j1,,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.j1c,,0755',
'incusd,/opt/incus/bin/incusd,0,system.slice,incus.service,0755',
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.cheerful-parakeet,,0755',
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
'incusd,/usr/libexec/incus/incusd,0,system.slice,incus.service,0755',
'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
'input-remapper-,/usr/bin/python3.13,0,system.slice,input-remapper.service,0755',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,0700',
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,',
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,0700',
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
'keyd,/usr/local/bin/keyd,0,system.slice,keyd.service,0755',
'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/var/kolide-k2/k2device.kolide.com/updates/launcher/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'libvirtd,/usr/sbin/libvirtd,0,system.slice,libvirtd.service,0755',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555',
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
'lightdm,/usr/sbin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/sbin/lightdm,0,user.slice,user-1000.slice,0755',
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
'lxcfs,/opt/incus/bin/lxcfs,0,system.slice,incus-lxcfs.service,0755',
'lxcfs,/usr/bin/lxcfs,0,system.slice,lxcfs.service,0755',
'lxc-monitord,/usr/libexec/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'lxc-monitord,/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755',
'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755',
'networkd-dispat,/usr/bin/python3.12,0,system.slice,networkd-dispatcher.service,0755',
'networkd-dispat,/usr/bin/python__VERSION__,0,system.slice,networkd-dispatcher.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'newgrp,/usr/bin/newgrp,1000,user.slice,user-1000.slice,4755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'nm-dispatcher,/usr/libexec/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
'nm-dispatcher,/usr/lib/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
'nm-openvpn-serv,/usr/libexec/nm-openvpn-service,0,system.slice,NetworkManager.service,0755',
'nvidia-powerd,/usr/bin/nvidia-powerd,0,system.slice,nvidia-powerd.service,0755',
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755',
'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555',
'osqueryd,/opt/orbit/bin/osqueryd/linux/stable/osqueryd,0,system.slice,orbit.service,0755',
'osqueryd,/usr/lib/opt/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/var/kolide-k2/k2device.kolide.com/updates/osqueryd/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755',
'osqueryi,/var/usrlocal/bin/osqueryi,0,user.slice,user-1000.slice,0755',
'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'pcscd,/snap/yubioath-desktop/__VERSION__/usr/sbin/pcscd,0,system.slice,snap.yubioath-desktop.pcscd.service,0755',
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
'pmdakvm,/usr/libexec/pcp/pmdas/kvm/pmdakvm,0,system.slice,pmcd.service,0755',
'pmdalinux,/usr/libexec/pcp/pmdas/linux/pmdalinux,0,system.slice,pmcd.service,0755',
'pmdaproc,/usr/libexec/pcp/pmdas/proc/pmdaproc,0,system.slice,pmcd.service,0755',
'pmdaroot,/usr/libexec/pcp/pmdas/root/pmdaroot,0,system.slice,pmcd.service,0755',
'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755',
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
'pop-system-upda,/usr/bin/pop-system-updater,0,system.slice,com.system76.SystemUpdater.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
'python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
'python3,/usr/bin/python3.12,0,system.slice,dbus.service,0755',
'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
'run-cupsd,/usr/bin/dash,0,system.slice,snap.cups.cupsd.service,0755',
'runc,/usr/bin/runc,0,system.slice,docker.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/x86_64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'(sd-pam),/usr/lib/systemd/systemd-executor,0,user.slice,user-0.slice,0755',
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
'sleep,/usr/bin/sleep,0,system.slice,snap.cups.cups-browsed.service,0755',
'sleep,/usr/bin/sleep,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
'smartd,/usr/sbin/smartd,0,system.slice,smartmontools.service,0755',
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/bin/sshd,0,user.slice,user-1000.slice,0755',
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'system76-schedu,/usr/bin/system76-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
'system76-power,/usr/bin/system76-power,0,system.slice,com.system76.PowerDaemon.service,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
'systemd-journal,/nix/store/__VERSION__/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0555',
'systemd-journal,/usr/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0755',
'systemd-localed,/usr/lib/systemd/systemd-localed,0,system.slice,systemd-localed.service,0755',
'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755',
'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755',
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'tailscaled,/usr/bin/tailscaled,0,system.slice,tailscaled.service,0755',
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'touchegg,/usr/bin/touchegg,0,system.slice,touchegg.service,0755',
'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
'upowerd,/usr/libexec/upower/upowerd,0,system.slice,upower.service,0755',
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'v4l2-relayd,/usr/bin/v4l2-relayd,0,system.slice,v4l2-relayd.service,0755',
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'whiptail,/usr/bin/whiptail,0,user.slice,user-1000.slice,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gnome,0,user.slice,user-1000.slice,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
)
AND NOT exception_key LIKE '%beat,%/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,%'
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,%'
AND NOT exception_key LIKE 'elastic-agent,%/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,%'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
p0.euid = 0
AND p0.parent > 0
AND p0.path != ""
AND p0.start_time < (strftime ('%s', 'now') - 1200)
AND exception_key NOT IN (
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
'apt,/usr/bin/apt,0,user.slice,user-1000.slice,0755',
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
'bpfilter_umh,/bpfilter_umh,0,,,',
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
'containerd,/usr/sbin/containerd,0,system.slice,docker.service,0755',
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'cups-proxyd,/snap/cups/__VERSION__/sbin/cups-proxyd,0,system.slice,snap.cups.cupsd.service,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
'dirmngr,/usr/bin/dirmngr,0,system.slice,archlinux-keyring-wkd-sync.service,0755',
'dirmngr,/usr/bin/dirmngr,0,system.slice,system-dirmngr.slice,0755',
'DisplayLinkMana,/usr/libexec/displaylink/DisplayLinkManager,0,system.slice,displaylink.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755',
'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
'dockerd,/snap/docker/__VERSION__/bin/dockerd,0,system.slice,snap.docker.dockerd.service,0755',
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
'dpkg,/usr/bin/dpkg,0,user.slice,user-1000.slice,0755',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'execsnoop-bpfcc,/usr/bin/python3.10,0,system.slice,com.system76.Scheduler.service,0755',
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,user.slice,user-0.slice,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
'frontend,/usr/bin/perl,0,user.slice,user-1000.slice,0755',
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1001.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'virtlockd,/usr/sbin/virtlockd,0,system.slice,virtlockd.service,0755',
'virtlogd,/usr/sbin/virtlogd,0,system.slice,virtlogd.service,0755',
'geoclue.service,Location Lookup Service,geoclue,500',
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
'group-admin-dae,/usr/libexec/group-admin-daemon,0,system.slice,group-admin-daemon.service,0755',
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755',
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.dashing-bat,,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.j1,,0755',
'incusd,/opt/incus/bin/incusd,0,lxc.monitor.j1c,,0755',
'incusd,/opt/incus/bin/incusd,0,system.slice,incus.service,0755',
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.cheerful-parakeet,,0755',
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
'incusd,/usr/libexec/incus/incusd,0,system.slice,incus.service,0755',
'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
'input-remapper-,/usr/bin/python3.13,0,system.slice,input-remapper.service,0755',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,0700',
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,',
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,0700',
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
'keyd,/usr/local/bin/keyd,0,system.slice,keyd.service,0755',
'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'launcher,/var/kolide-k2/k2device.kolide.com/updates/launcher/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'libvirtd,/usr/sbin/libvirtd,0,system.slice,libvirtd.service,0755',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555',
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
'lightdm,/usr/sbin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/sbin/lightdm,0,user.slice,user-1000.slice,0755',
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
'lxcfs,/opt/incus/bin/lxcfs,0,system.slice,incus-lxcfs.service,0755',
'lxcfs,/usr/bin/lxcfs,0,system.slice,lxcfs.service,0755',
'lxc-monitord,/usr/libexec/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'lxc-monitord,/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755',
'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755',
'networkd-dispat,/usr/bin/python3.12,0,system.slice,networkd-dispatcher.service,0755',
'networkd-dispat,/usr/bin/python__VERSION__,0,system.slice,networkd-dispatcher.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'newgrp,/usr/bin/newgrp,1000,user.slice,user-1000.slice,4755',
'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'nm-dispatcher,/usr/libexec/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
'nm-dispatcher,/usr/lib/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
'nm-openvpn-serv,/usr/libexec/nm-openvpn-service,0,system.slice,NetworkManager.service,0755',
'nvidia-powerd,/usr/bin/nvidia-powerd,0,system.slice,nvidia-powerd.service,0755',
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755',
'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555',
'osqueryd,/opt/orbit/bin/osqueryd/linux/stable/osqueryd,0,system.slice,orbit.service,0755',
'osqueryd,/usr/lib/opt/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/var/kolide-k2/k2device.kolide.com/updates/osqueryd/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755',
'osqueryi,/var/usrlocal/bin/osqueryi,0,user.slice,user-1000.slice,0755',
'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'pcscd,/snap/yubioath-desktop/__VERSION__/usr/sbin/pcscd,0,system.slice,snap.yubioath-desktop.pcscd.service,0755',
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
'pmdakvm,/usr/libexec/pcp/pmdas/kvm/pmdakvm,0,system.slice,pmcd.service,0755',
'pmdalinux,/usr/libexec/pcp/pmdas/linux/pmdalinux,0,system.slice,pmcd.service,0755',
'pmdaproc,/usr/libexec/pcp/pmdas/proc/pmdaproc,0,system.slice,pmcd.service,0755',
'pmdaroot,/usr/libexec/pcp/pmdas/root/pmdaroot,0,system.slice,pmcd.service,0755',
'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755',
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
'pop-system-upda,/usr/bin/pop-system-updater,0,system.slice,com.system76.SystemUpdater.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
'python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
'python3,/usr/bin/python3.12,0,system.slice,dbus.service,0755',
'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
'run-cupsd,/usr/bin/dash,0,system.slice,snap.cups.cupsd.service,0755',
'runc,/usr/bin/runc,0,system.slice,docker.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/x86_64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'(sd-pam),/usr/lib/systemd/systemd-executor,0,user.slice,user-0.slice,0755',
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
'sleep,/usr/bin/sleep,0,system.slice,snap.cups.cups-browsed.service,0755',
'sleep,/usr/bin/sleep,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
'smartd,/usr/sbin/smartd,0,system.slice,smartmontools.service,0755',
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/bin/sshd,0,user.slice,user-1000.slice,0755',
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'system76-schedu,/usr/bin/system76-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
'system76-power,/usr/bin/system76-power,0,system.slice,com.system76.PowerDaemon.service,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
'systemd-journal,/nix/store/__VERSION__/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0555',
'systemd-journal,/usr/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0755',
'systemd-localed,/usr/lib/systemd/systemd-localed,0,system.slice,systemd-localed.service,0755',
'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755',
'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755',
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'tailscaled,/usr/bin/tailscaled,0,system.slice,tailscaled.service,0755',
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'touchegg,/usr/bin/touchegg,0,system.slice,touchegg.service,0755',
'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
'upowerd,/usr/libexec/upower/upowerd,0,system.slice,upower.service,0755',
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'v4l2-relayd,/usr/bin/v4l2-relayd,0,system.slice,v4l2-relayd.service,0755',
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'whiptail,/usr/bin/whiptail,0,user.slice,user-1000.slice,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gnome,0,user.slice,user-1000.slice,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
)
AND NOT exception_key LIKE '%beat,%/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,%'
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,%'
AND NOT exception_key LIKE 'elastic-agent,%/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,%'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
p0.pid
p0.pid