fpr: sequoia, osquery, cups, atops, transmission, etc
This commit is contained in:
parent
df577d4f1c
commit
4d0a9fd533
|
@ -108,7 +108,9 @@ WHERE
|
|||
'com.apple.WebKit.Networking',
|
||||
'com.docker.backend',
|
||||
'go',
|
||||
'wolfictl',
|
||||
'gvproxy',
|
||||
'incusd',
|
||||
'IPNExtension',
|
||||
'Jabra Direct Helper',
|
||||
'limactl',
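Review bot: The `'go'` entry inserted after `'com.docker.backend'` is a bare process-name exception, and `go` is about the most generic name a dropper could pick; every other entry visible in this list at least names a specific product or helper. The enclosing query starts above the hunk so I cannot see which column the list is compared against, but if it is `p.name`, consider pinning the toolchain by location instead, e.g. `OR p.path LIKE '%/go/bin/go'`, or at least leave a marker: `-- 'go' and 'wolfictl' are developer tooling; name-only match, spoofable`. `'wolfictl'` raises the same concern to a lesser degree since it fetches package sources as part of normal use.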
|
||||
|
|
|
@ -57,16 +57,12 @@ WHERE
|
|||
AND s.remote_address NOT LIKE 'fc00:%'
|
||||
AND p.path != ''
|
||||
AND NOT exception_key IN (
|
||||
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
'0,agentbeat,0u,0g,agentbeat',
|
||||
'0,apk,u,g,apk',
|
||||
'0,applydeltarpm,0u,0g,applydeltarpm',
|
||||
'0,bash,0u,0g,bash',
|
||||
'0,bash,0u,0g,mkinitcpio',
|
||||
'0,bash,0u,0g,sh',
|
||||
'500,syft,500u,500g,syft',
|
||||
'500,krunner,0u,0g,krunner',
|
||||
'500,k9s,0u,0g,k9s',
|
||||
'0,canonical-livepatchd,0u,0g,canonical-livep',
|
||||
'0,chainctl,0u,0g,chainctl',
|
||||
'0,cmake,u,g,cmake',
|
||||
|
@ -77,6 +73,7 @@ WHERE
|
|||
'0,elastic-agent,u,g,elastic-agent',
|
||||
'0,elastic-endpoint,0u,0g,elastic-endpoin',
|
||||
'0,filebeat,0u,0g,filebeat',
|
||||
'0,flatpak,0u,0g,flatpak',
|
||||
'0,flatpak-system-helper,0u,0g,flatpak-system-',
|
||||
'0,git-remote-http,0u,0g,git-remote-http',
|
||||
'0,go,0u,0g,go',
|
||||
|
@ -88,6 +85,7 @@ WHERE
|
|||
'0,launcher,500u,500g,launcher',
|
||||
'0,ldconfig,0u,0g,ldconfig',
|
||||
'0,make,0u,0g,make',
|
||||
'0,melange,500u,500g,melange',
|
||||
'0,metricbeat,0u,0g,metricbeat',
|
||||
'0,nessusd,0u,0g,nessusd',
|
||||
'0,nix,0u,0g,nix',
|
||||
|
@ -99,10 +97,12 @@ WHERE
|
|||
'0,pacman,0u,0g,pacman',
|
||||
'0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint',
|
||||
'0,rpi-imager,0u,0g,rpi-imager',
|
||||
'0,skopeo,0u,0g,skopeo',
|
||||
'0,snapd,0u,0g,snapd',
|
||||
'0,systemctl,0u,0g,systemctl',
|
||||
'0,tailscaled,0u,0g,tailscaled',
|
||||
'0,tailscaled,500u,500g,tailscaled',
|
||||
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
'0,velociraptor,0u,0g,velociraptor_cl',
|
||||
'0,yay,0u,0g,yay',
|
||||
'105,http,0u,0g,https',
|
||||
|
@ -113,24 +113,13 @@ WHERE
|
|||
'129,fwupdmgr,0u,0g,fwupdmgr',
|
||||
'42,http,0u,0g,https',
|
||||
'500,1password,0u,0g,1password',
|
||||
'500,Brackets,0u,0g,Brackets',
|
||||
'500,Discord,0u,0g,Discord',
|
||||
'500,Discord,u,g,Discord',
|
||||
'500,Docker Desktop,0u,0g,Docker Desktop',
|
||||
'500,Keybase,0u,0g,Keybase',
|
||||
'500,Logseq,u,g,Logseq',
|
||||
'500,Melvor Idle,500u,500g,exe',
|
||||
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
|
||||
'500,WPILibInstaller,500u,500g,WPILibInstaller',
|
||||
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
||||
'500,___go_build_main_go,500u,500g,___go_build_mai',
|
||||
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
||||
'500,accountwizard,u,g,accountwizard',
|
||||
'500,act,0u,0g,act',
|
||||
'500,apk,500u,500g,apk',
|
||||
'500,apk,u,g,apk',
|
||||
'500,apko,500u,500g,apko',
|
||||
'500,apko,u,g,apko',
|
||||
'500,apk,u,g,apk',
|
||||
'500,armcord,u,g,armcord',
|
||||
'500,aws,0u,0g,aws',
|
||||
'500,aws,500u,500g,aws',
|
||||
|
@ -139,6 +128,7 @@ WHERE
|
|||
'500,bitwarden,u,g,bitwarden',
|
||||
'500,bom,500u,500g,bom',
|
||||
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
|
||||
'500,Brackets,0u,0g,Brackets',
|
||||
'500,brave,0u,0g,brave',
|
||||
'500,buildkitd,500u,500g,buildkitd',
|
||||
'500,buildkite-agent,500u,500g,buildkite-agent',
|
||||
|
@ -151,15 +141,17 @@ WHERE
|
|||
'500,chainctl,500u,500g,chainctl',
|
||||
'500,chainctl,500u,500g,docker-credenti',
|
||||
'500,chrome,0u,0g,chrome',
|
||||
'500,chrome,u,g,chrome',
|
||||
'500,chrome_crashpad_handler,0u,0g,chrome_crashpad',
|
||||
'500,chrome,u,g,chrome',
|
||||
'500,cilium,500u,123g,cilium',
|
||||
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
|
||||
'500,cockatrice,u,g,cockatrice',
|
||||
'500,code,0u,0g,code',
|
||||
'500,code,500u,500g,code',
|
||||
'500,code,u,g,code',
|
||||
'500,code-oss,u,g,code-oss',
|
||||
'500,code,u,g,code',
|
||||
'500,com.docker.backend,0u,0g,com.docker.back',
|
||||
'500,com.docker.build,0u,0g,com.docker.buil',
|
||||
'500,com.docker.extensions,0u,0g,com.docker.exte',
|
||||
'500,containerd,u,g,containerd',
|
||||
'500,copilot-agent-linux,500u,500g,copilot-agent-l',
|
||||
|
@ -170,8 +162,11 @@ WHERE
|
|||
'500,crane,500u,500g,crane',
|
||||
'500,curl,0u,0g,curl',
|
||||
'500,deno,500u,500g,deno',
|
||||
'500,Discord,0u,0g,Discord',
|
||||
'500,Discord,u,g,Discord',
|
||||
'500,docker,0u,0g,docker',
|
||||
'500,docker-buildx,0u,0g,docker-buildx',
|
||||
'500,Docker Desktop,0u,0g,Docker Desktop',
|
||||
'500,drkonqi,0u,0g,drkonqi',
|
||||
'500,eksctl,0u,0g,eksctl',
|
||||
'500,eksctl,500u,500g,eksctl',
|
||||
|
@ -180,9 +175,9 @@ WHERE
|
|||
'500,evolution-calendar-factory,0u,0g,evolution-calen',
|
||||
'500,evolution-source-registry,0u,0g,evolution-sourc',
|
||||
'500,extension-manager,0u,0g,extension-manag',
|
||||
'500,firefox,0u,0g,firefox',
|
||||
'500,firefox,0u,0g,.firefox-wrappe',
|
||||
'500,firefox,0u,0g,Socket Process',
|
||||
'500,firefox,0u,0g,firefox',
|
||||
'500,firefox-bin,500u,500g,firefox-bin',
|
||||
'500,firefox-bin,u,g,firefox-bin',
|
||||
'500,flameshot,0u,0g,flameshot',
|
||||
|
@ -201,17 +196,18 @@ WHERE
|
|||
'500,gitsign,0u,0g,gitsign',
|
||||
'500,gitsign,500u,0g,gitsign',
|
||||
'500,gitsign,500u,500g,gitsign',
|
||||
'500,gitsign,u,g,gitsign',
|
||||
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
|
||||
'500,gitsign,u,g,gitsign',
|
||||
'500,gjs-console,0u,0g,org.gnome.Maps',
|
||||
'500,gnome-recipes,0u,0g,gnome-recipes',
|
||||
'500,gnome-shell,0u,0g,gnome-shell',
|
||||
'500,gnome-software,0u,0g,gnome-software',
|
||||
'500,go,0u,0g,go',
|
||||
'500,go,500u,500g,go',
|
||||
'500,go,u,g,go',
|
||||
'500,goa-daemon,0u,0g,goa-daemon',
|
||||
'500,___go_build_main_go,500u,500g,___go_build_mai',
|
||||
'500,gobuster,500u,500g,gobuster',
|
||||
'500,go,u,g,go',
|
||||
'500,grafana,u,g,grafana',
|
||||
'500,grype,0u,0g,grype',
|
||||
'500,grype,500u,500g,grype',
|
||||
|
@ -229,42 +225,49 @@ WHERE
|
|||
'500,jcef_helper,500u,500g,jcef_helper',
|
||||
'500,jetbrains-toolbox,u,g,jetbrains-toolb',
|
||||
'500,k6,500u,500g,k6',
|
||||
'500,k9s,0u,0g,k9s',
|
||||
'500,kbfsfuse,0u,0g,kbfsfuse',
|
||||
'500,keybase,0u,0g,keybase',
|
||||
'500,Keybase,0u,0g,Keybase',
|
||||
'500,kioslave5,0u,0g,kioslave5',
|
||||
'500,ko,500u,500g,ko',
|
||||
'500,ko,u,g,ko',
|
||||
'500,kpromo,500u,500g,kpromo',
|
||||
'500,krel,500u,500g,krel',
|
||||
'500,krunner,0u,0g,krunner',
|
||||
'500,kubectl,0u,0g,kubectl',
|
||||
'500,kubectl,500u,500g,kubectl',
|
||||
'500,lens,0u,0g,lens',
|
||||
'500,less,0u,0g,less',
|
||||
'500,license-detector,500u,500g,license-detecto',
|
||||
'500,limactl,0u,0g,limactl',
|
||||
'500,limactl,500u,500g,limactl',
|
||||
'500,Logseq,u,g,Logseq',
|
||||
'500,losslesscut,500u,500g,losslesscut',
|
||||
'500,mconvert,500u,500g,mconvert',
|
||||
'500,mediawriter,u,g,mediawriter',
|
||||
'500,melange,500u,500g,melange',
|
||||
'500,melange,u,g,melange',
|
||||
'500,Melvor Idle,500u,500g,exe',
|
||||
'500,minikube,0u,0g,minikube',
|
||||
'500,msedge,0u,0g,msedge',
|
||||
'500,nami,500u,500g,nami',
|
||||
'500,nautilus,0u,0g,nautilus',
|
||||
'500,nerdctl,500u,500g,nerdctl',
|
||||
'500,nix,0u,0g,nix',
|
||||
'500,node,0u,0g,.node2nix-wrapp',
|
||||
'500,node,0u,0g,node',
|
||||
'500,node,0u,0g,.node2nix-wrapp',
|
||||
'500,node,0u,0g,npm install',
|
||||
'500,node,500u,500g,npm run start',
|
||||
'500,node,u,g,node',
|
||||
'500,nuclei,500u,500g,nuclei',
|
||||
'500,obs,0u,0g,obs',
|
||||
'500,obs,u,g,obs',
|
||||
'500,obs-browser-page,0u,0g,obs-browser-pag',
|
||||
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
|
||||
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
|
||||
'500,obsidian,0u,0g,obsidian',
|
||||
'500,obsidian,u,g,obsidian',
|
||||
'500,obs,u,g,obs',
|
||||
'500,op,0u,500g,op',
|
||||
'500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
|
||||
'500,pacman,0u,0g,pacman',
|
||||
|
@ -272,12 +275,11 @@ WHERE
|
|||
'500,php8.1,0u,0g,php',
|
||||
'500,pingsender,0u,0g,pingsender',
|
||||
'500,plasma-discover,0u,0g,plasma-discover',
|
||||
'500,plasmashell,0u,0g,plasmashell',
|
||||
'500,podman,0u,0g,podman',
|
||||
'500,promoter,500u,500g,promoter',
|
||||
'500,publish-release,500u,500g,publish-release',
|
||||
'500,python.test,500u,500g,python.test',
|
||||
'500,python3,0u,0g,python3',
|
||||
'500,python3,500u,500g,python3',
|
||||
'500,python3.10,0u,0g,aws',
|
||||
'500,python3.10,0u,0g,python',
|
||||
'500,python3.10,0u,0g,python3',
|
||||
|
@ -288,6 +290,8 @@ WHERE
|
|||
'500,python3.11,0u,0g,prowler',
|
||||
'500,python3.11,u,g,pip',
|
||||
'500,python3.12,0u,0g,dnf',
|
||||
'500,python3,500u,500g,python3',
|
||||
'500,python.test,500u,500g,python.test',
|
||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||
'500,reporter-ureport,0u,0g,reporter-urepor',
|
||||
'500,rpi-imager,0u,0g,rpi-imager',
|
||||
|
@ -302,40 +306,43 @@ WHERE
|
|||
'500,slirp4netns,500u,500g,slirp4netns',
|
||||
'500,snap-store,0u,0g,snap-store',
|
||||
'500,snyk,500u,500g,snyk',
|
||||
'500,plasmashell,0u,0g,plasmashell',
|
||||
'500,spotify,0u,0g,spotify',
|
||||
'500,spotify,500u,500g,spotify',
|
||||
'500,spotify,u,g,spotify',
|
||||
'500,limactl,500u,500g,limactl',
|
||||
'500,tidal-hifi,u,g,tidal-hifi',
|
||||
'500,ssh,0u,0g,ssh',
|
||||
'500,steam,500u,100g,steam',
|
||||
'0,skopeo,0u,0g,skopeo',
|
||||
'500,steam,500u,500g,steam',
|
||||
'500,steamwebhelper,500u,100g,steamwebhelper',
|
||||
'500,steamwebhelper,500u,500g,steamwebhelper',
|
||||
'500,step,500u,500g,step',
|
||||
'500,step-cli,0u,0g,step',
|
||||
'500,stern,500u,500g,stern',
|
||||
'500,syft,500u,500g,syft',
|
||||
'500,syncthing,0u,0g,syncthing',
|
||||
'500,syncthing,u,g,syncthing',
|
||||
'500,synergy,0u,0g,synergy',
|
||||
'500,teams,0u,0g,teams',
|
||||
'500,telegram-desktop,u,g,telegram-deskto',
|
||||
'500,terraform,0u,0g,terraform',
|
||||
'500,terraform,500u,500g,terraform',
|
||||
'500,terraform-ls,500u,500g,terraform-ls',
|
||||
'500,thunderbird,0u,0g,thunderbird',
|
||||
'500,thunderbird,u,g,thunderbird',
|
||||
'500,thunderbird-bin,u,g,thunderbird-bin',
|
||||
'500,thunderbird,u,g,thunderbird',
|
||||
'500,tidal-hifi,u,g,tidal-hifi',
|
||||
'500,tilt,500u,500g,tilt',
|
||||
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
|
||||
'500,todoist,0u,0g,todoist',
|
||||
'500,trivy,0u,0g,trivy',
|
||||
'500,trivy,500u,500g,trivy',
|
||||
'500,ubuntu-report,0u,0g,ubuntu-report',
|
||||
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
||||
'500,wget,0u,0g,wget',
|
||||
'500,ssh,0u,0g,ssh',
|
||||
'500,wine64-preloader,500u,500g,DaveTheDiver.ex',
|
||||
'500,wine64-preloader,500u,500g,Root.exe',
|
||||
'500,wolfictl,500u,500g,wolfictl',
|
||||
'500,WPILibInstaller,500u,500g,WPILibInstaller',
|
||||
'500,writerside,500u,500g,writerside',
|
||||
'500,xmobar,0u,0g,xmobar',
|
||||
'500,yay,0u,0g,yay',
|
||||
'500,zdup,500u,500g,zdup',
|
||||
|
@ -352,6 +359,7 @@ WHERE
|
|||
AND NOT exception_key LIKE '500,python3%,u,g,pip'
|
||||
AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
|
||||
AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
|
||||
AND NOT exception_key LIKE '500,terraform_%,500u,500g,terraform'
|
||||
AND NOT (
|
||||
exception_key LIKE '500,python3%,0u,0g,python%'
|
||||
AND (
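Review bot: Whichever of the two `pip` patterns in this hunk is the new one, they are written in different shapes — `'500,python3%,u,g,pip'` matches `python3` as well as `python3.N`, while `'500,python3.%,0u,0g,pip'` only matches versioned interpreters — and an earlier hunk in this file still carries the exact row `'500,python3.11,u,g,pip'`, which the first LIKE already subsumes and which could be dropped. The trade-off deserves a comment, because a malicious package's install-time hooks run under the `pip` command name and inherit this exemption: `-- pip: exempt PyPI fetches; setup.py/build hooks also run under this name`. The enclosing `WHERE` clause and the `AND NOT (` block that opens at the bottom of the hunk both continue outside it.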
|
||||
|
|
|
@ -181,6 +181,7 @@ WHERE
|
|||
'500,istioctl,istioctl,500u,20g',
|
||||
'500,istioctl,istioctl,,a.out',
|
||||
'500,java,java,0u,0g',
|
||||
'500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer',
|
||||
'500,log-streaming,log-streaming,500u,80g',
|
||||
'500,.man-wrapped,.man-wrapped,0u,500g',
|
||||
'500,nami,nami,0u,0g',
|
||||
|
@ -198,6 +199,7 @@ WHERE
|
|||
'500,taplo,taplo,500u,20g',
|
||||
'500,vexi,vexi,500u,20g',
|
||||
'500,vim,vim,0u,500g',
|
||||
'500,twistcli,twistcli,500u,20g',
|
||||
'500,wolfibump,wolfibump,500u,20g',
|
||||
'500,wolfictl,wolfictl,0u,0g',
|
||||
'500,wolfictl,wolfictl,500u,20g'
|
||||
|
@ -212,6 +214,7 @@ WHERE
|
|||
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
|
||||
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'Developer ID Application: TechSmith Corporation (7TQL462TU8)',
|
||||
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
|
||||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
|
@ -269,6 +272,7 @@ WHERE
|
|||
OR p0_cwd LIKE "/Users/%/src/%"
|
||||
OR p0_cmd LIKE '%bin/chaingpt %'
|
||||
OR p0_cmd LIKE '%fetch_commits%'
|
||||
OR p0_cmd LIKE '%ipykernel_launcher %'
|
||||
OR p0_cmd LIKE '%/Python update_plugins.py'
|
||||
OR p0_cmd LIKE '%/pydevd.py'
|
||||
)
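Review bot: `p0_cmd LIKE '%fetch_commits%'` in the last hunk of this section is satisfied by any command line that merely contains that substring anywhere, e.g. a binary invoked with `--tag fetch_commits`, so it turns the rule into an opt-out string for anyone who knows the pattern; `'%bin/chaingpt %'` is only slightly better because it anchors on a path fragment. Whichever of the two is the added line, prefer anchoring to the executable position or pairing it with the `p0_cwd` predicate the hunk shows is available: `OR (p0_cmd LIKE '%/fetch_commits%' AND p0_cwd LIKE '/Users/%/src/%')`. Also worth a look in the first hunk: `'500,istioctl,istioctl,,a.out'` has an empty signing authority and the ad-hoc identifier `a.out`, so it is effectively a name-only exception for an unsigned binary.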
|
||||
|
|
|
@ -42,6 +42,12 @@ FROM
|
|||
WHERE
|
||||
p0.euid = 0
|
||||
AND pmm.path LIKE '%libcurl%'
|
||||
AND p0.name NOT IN ('nix-daemon', 'nix')
|
||||
AND p0.name NOT IN (
|
||||
'nix-daemon',
|
||||
'nix',
|
||||
'velociraptor',
|
||||
'osqueryd',
|
||||
'socket_vmnet'
|
||||
)
|
||||
GROUP BY
|
||||
p0.pid
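Review bot: `'velociraptor'` and `'osqueryd'` in the expanded `p0.name NOT IN (...)` list are name-only exclusions in a query that specifically looks for `euid = 0` processes with `libcurl` mapped, and an implant naming itself after the endpoint agent is a textbook masquerade. If the joined processes row exposes `p0.path`, pin these two to their install locations instead, e.g. `AND NOT (p0.name = 'osqueryd' AND p0.path LIKE '/usr/%/osqueryd')`, or at minimum comment each agent with why it legitimately links libcurl. Both `AND p0.name NOT IN` forms are printed here; if the single-line form was not actually removed the two predicates are redundant but harmless.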
|
|
@ -89,6 +89,7 @@ WHERE
|
|||
'49152,6,500,ContinuityCaptureAgent,Software Signing',
|
||||
'67,17,0,NetworkManager,0u,0g,NetworkManager',
|
||||
'8000,6,500,brave,0u,0g,brave',
|
||||
'587,6,500,perl,0u,0g,git-send-email',
|
||||
'8000,6,500,chrome,0u,0g,chrome',
|
||||
'8000,6,500,firefox,0u,0g,firefox',
|
||||
'80,6,0,grep,0u,0g,grep',
|
||||
|
@ -104,6 +105,7 @@ WHERE
|
|||
'80,6,0,python3.10,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.10,0u,0g,yum',
|
||||
'80,6,0,python3.11,0u,0g,dnf',
|
||||
'80,6,500,http,0u,0g,http',
|
||||
'80,6,0,python3.11,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.11,0u,0g,yum',
|
||||
'80,6,0,python3.12,0u,0g,dnf',
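Review bot: `'80,6,500,http,0u,0g,http'` in the second hunk exempts a process literally named `http` speaking plain HTTP as uid 500, and unlike the neighbouring `dnf`/`yum` rows nothing in the key ties it to a known tool, so a payload renamed `http` gets the same pass. If this is the HTTPie client (inferred from the name only), say so and consider whether the parent or path can be folded into the key: `-- httpie CLI; its binary is named http`. The `'587,6,500,perl,0u,0g,git-send-email'` row in the first hunk would likewise benefit from a `-- git send-email SMTP submission` note.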
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
-- Unexpected programs communicating over HTTPS (state-based)
|
||||
-- Unexpected programs communicating over non-HTTPS protocols (state-based)
|
||||
--
|
||||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
||||
|
@ -142,6 +142,7 @@ WHERE
|
|||
'500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
|
||||
'500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos',
|
||||
'500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
|
||||
'500,17,68,com.docker.backend,com.docker.backend,500u,80g',
|
||||
'500,6,4317,flyctl,flyctl,,a.out',
|
||||
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
|
||||
|
@ -196,6 +197,7 @@ WHERE
|
|||
'500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
|
||||
'500,6,80,TIDAL Helper,TIDAL Helper,Developer ID Application: TIDAL Music AS (GK2243L7KB),com.tidal.desktop.helper',
|
||||
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
|
||||
'500,6,8282,GeForceNOW,GeForceNOW,Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.gfnpc.mall',
|
||||
'500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
|
||||
'500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
|
||||
'500,6,9123,Elgato Control Center,Elgato Control Center,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.corsair.ControlCenter',
|
||||
|
@ -253,10 +255,13 @@ WHERE
|
|||
AND id_exception_key IN (
|
||||
'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
|
||||
'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
|
||||
'Apple Mac OS Application Signing,com.buildtoconnect.screenrecorder',
|
||||
'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl',
|
||||
'Apple Mac OS Application Signing,net.whatsapp.WhatsApp.ServiceExtension',
|
||||
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
|
||||
'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
|
||||
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
|
||||
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
|
||||
|
@ -269,12 +274,14 @@ WHERE
|
|||
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
|
||||
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
|
||||
'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
|
||||
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
|
||||
'Developer ID Application: GUILHERME RAMBO (8C7439RJLG),codes.rambo.AirBuddy.MobileDevicesService',
|
||||
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
|
||||
'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
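Review bot: In the `@ -196` hunk the thunderbird row reads `'500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'`; the misspelled authority can never equal a real signing string, so that exception is dead and thunderbird port-80 traffic keeps alerting. It should read `Developer ID Application: Mozilla Corporation (43AQ936H96)`. Separately, `'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer'` appears in both the `@ -253` and `@ -269` hunks; if both copies survive the re-sort, one is redundant.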
|
||||
|
|
|
@ -48,7 +48,7 @@ FROM
|
|||
WHERE
|
||||
-- On my Linux machine, creating a gzip archive clocks in at 6780210
|
||||
bytes_written_rate > 4000000
|
||||
AND age > 180
|
||||
AND age > 200
|
||||
AND p0.pid > 2
|
||||
AND p0.parent != 2
|
||||
AND p0.path NOT IN (
|
||||
|
@ -82,12 +82,14 @@ WHERE
|
|||
'/usr/lib/flatpak-system-helper',
|
||||
'/usr/lib/snapd/snapd',
|
||||
'/usr/lib/systemd/systemd',
|
||||
'/app/libexec/mediawriter/helper',
|
||||
'/usr/lib/systemd/systemd-journald',
|
||||
'/usr/lib64/thunderbird/thunderbird',
|
||||
'/usr/libexec/coreduetd',
|
||||
'/usr/libexec/flatpak-system-helper',
|
||||
'/usr/libexec/logd_helper',
|
||||
'/usr/libexec/packagekitd',
|
||||
'/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/Current/AppleMobileDeviceHelper.app/Contents/Resources/AppleMobileBackup',
|
||||
'/usr/libexec/rosetta/oahd',
|
||||
'/usr/libexec/secd',
|
||||
'/usr/libexec/sharingd',
|
||||
|
@ -132,8 +134,13 @@ WHERE
|
|||
'baloo_file_extr',
|
||||
'bincapz',
|
||||
'bwrap',
|
||||
'nami',
|
||||
'topgrade',
|
||||
'vi',
|
||||
'vim',
|
||||
'cargo',
|
||||
'chrome',
|
||||
'wimlib-imagex',
|
||||
'code',
|
||||
'com.apple.MobileSoftwareUpdate.UpdateBrainService',
|
||||
'com.apple.NRD.UpdateBrainService',
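Review bot: Raising the floor from `age > 180` to `age > 200` in the first hunk means a process writing at the flagged rate for up to 200 seconds is never examined, and the comment above it justifies only the byte rate, not the age; an archive job over a home directory — the very workload the rate threshold is tuned against — may well finish inside that window. If the age gate exists to suppress startup bursts, say so and consider a lower threshold for young processes rather than a flat cut-off: `-- age gate: skip the first seconds so one-off startup writes do not skew bytes_written_rate; TODO confirm 200s is not hiding short archive jobs`. The `WHERE` clause continues outside the hunk, so a separate young-process rule may exist that I cannot see.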
|
||||
|
|
|
@ -131,6 +131,7 @@ WHERE
|
|||
'/dev/input,systemd',
|
||||
'/dev/input,systemd-logind',
|
||||
'/dev/input,thermald',
|
||||
'/dev/shm,msedge',
|
||||
'/dev/input,upowerd',
|
||||
'/dev/input,Xorg',
|
||||
'/dev/net,tailscaled',
|
||||
|
@ -245,7 +246,7 @@ WHERE
|
|||
AND path_exception NOT LIKE '/dev/shm/pym-%python3%'
|
||||
-- celery
|
||||
AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
|
||||
AND dir_exception NOT LIKE '/dev/shm/byobu-%/status.tmux,'
|
||||
AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux%'
|
||||
AND NOT (
|
||||
pof.path = "/dev/uinput"
|
||||
AND p0.name LIKE "solaar%"
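Review bot: The replacement byobu pattern `'/dev/shm/byobu-%/%.tmux%'` in the second hunk ends in a wildcard, whereas the old `'/dev/shm/byobu-%/status.tmux,'` ended at the key separator; the `path_exception` rules just above show the key shape is `<path>,<process name>`, so the old pattern could only match an empty name (likely why it never worked) and the new one now wildcards the process name entirely, letting any process touching `/dev/shm/byobu-*/` through. Keep the file wildcard but re-pin the name, e.g. `AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux,tmux%'`, adjusted to whatever byobu actually runs as. The `'/dev/shm,msedge'` addition in the first hunk is unremarkable.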
|
||||
|
|
|
@ -101,6 +101,7 @@ WHERE
|
|||
'/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
|
||||
'/dev/io,airportd,Software Signing,com.apple.airport.airportd',
|
||||
'/dev/io,symptomsd,Software Signing,com.apple.symptomsd',
|
||||
'/dev/console,Arc,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser',
|
||||
'/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter',
|
||||
'/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
|
||||
'/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
|
||||
|
|
|
@ -88,6 +88,8 @@ WHERE
|
|||
'login',
|
||||
'roxterm',
|
||||
'tmux',
|
||||
'screen',
|
||||
'gnome-terminal-server',
|
||||
'newgrp',
|
||||
'tmux:server',
|
||||
'wezterm-gui',
|
||||
|
|
|
@ -164,6 +164,7 @@ WHERE
|
|||
OR dir LIKE '%/.git/%'
|
||||
OR dir LIKE '%/.gradle'
|
||||
OR dir LIKE '%/.github/%'
|
||||
OR dir LIKE '%/node_modules/.bin'
|
||||
OR dir LIKE '%/.cache/melange%'
|
||||
OR dir LIKE '%/.github'
|
||||
OR dir LIKE '%/.venv'
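Review bot: `dir LIKE '%/.cache/melange%'` is the only pattern in this hunk with a trailing wildcard, so it also matches `.cache/melange-anything` and `.cache/melangeXYZ/...`, not just melange's cache tree; the neighbouring rules end at the directory name or use `/%` for children. Prefer `OR dir LIKE '%/.cache/melange'` plus `OR dir LIKE '%/.cache/melange/%'` if subdirectories need covering. The enclosing `OR` chain continues past the hunk.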
|
||||
|
|
|
@ -64,11 +64,12 @@ WHERE
|
|||
AND NOT f.directory LIKE '%/.goenv/%/bin'
|
||||
AND NOT f.directory LIKE '%/.goenv/%/pkg/%'
|
||||
AND NOT f.directory LIKE '%/.gradle/jdks/%'
|
||||
AND NOT f.directory LIKE '/home/%/.pyenv/versions/%/bin'
|
||||
AND NOT f.directory LIKE '%/.pyenv/versions/%/bin'
|
||||
AND NOT f.directory LIKE '%/.local/%'
|
||||
AND NOT f.directory LIKE '%/node_modules/.bin/%'
|
||||
AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
|
||||
AND NOT f.directory LIKE '%/.pnpm/%'
|
||||
AND NOT f.directory LIKE '%/.cache/selenium/chromedriver/%'
|
||||
AND NOT f.directory LIKE '%/.provisio/bin/%'
|
||||
AND NOT f.directory LIKE '%/.rustup/%'
|
||||
AND NOT f.directory LIKE '%/.rbenv/%'
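Review bot: `'%/.pyenv/versions/%/bin'` appears to replace `'/home/%/.pyenv/versions/%/bin'` in this hunk, dropping the `/home/` anchor; that lets a `.pyenv/versions/*/bin` tree planted anywhere (`/tmp`, `/var/tmp`, a container mount) satisfy the exclusion in a query that is presumably hunting binaries in unexpected directories. It does match the style of the `%/.goenv`, `%/.nvm` and `%/.rustup` lines, so if the loosening was deliberate (macOS `/Users/` homes?) a comment would make that clear: `-- pyenv shims may live under /home or /Users`. Otherwise keep both anchored forms. The `WHERE` clause continues outside the hunk.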
|
||||
|
|
|
@ -45,6 +45,7 @@ WHERE
|
|||
'~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
|
||||
'~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
|
||||
'~/Library/GroupContainersAlias/.SiriTodayViewExtension',
|
||||
'~/Library/Caches/.adobe/c2pa_cache',
|
||||
'~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
|
||||
'~/Library/Group Containers/.SiriTodayViewExtension',
|
||||
'~/Library/Group Containers/.SiriTodayViewExtension/Library',
|
||||
|
|
|
@ -57,17 +57,18 @@ WHERE
|
|||
'/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)'
|
||||
)
|
||||
OR cmd LIKE '/opt/homebrew/Cellar/%'
|
||||
OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
|
||||
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
|
||||
OR p.path LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%'
|
||||
OR p.path LIKE '/Users/%/homebrew/Cellar/%'
|
||||
OR p.path LIKE '/usr/local/Cellar/%/bin/%'
|
||||
OR p.path LIKE '/opt/homebrew/Cellar/%/libexec/%'
|
||||
OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
|
||||
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
|
||||
OR p.path LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%'
|
||||
OR p.path LIKE '/Users/%/go/bin/%'
|
||||
OR p.path LIKE '/Users/%/homebrew/Cellar/%'
|
||||
OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
|
||||
OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%'
|
||||
OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
|
||||
OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
|
||||
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
|
||||
OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%'
|
||||
OR p.path LIKE '/usr/local/Cellar/%/bin/%'
|
||||
OR cmd LIKE '/opt/homebrew/opt/%'
|
||||
OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
|
||||
OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(
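Review bot: `'/Users/%/homebrew/Cellar/%/bin/%'` is fully covered by the `'/Users/%/homebrew/Cellar/%'` pattern directly above it, so whichever of the two is the new line, one is redundant and can go. `'/Users/%/go/bin/%'` is broad for a rule about unexpected executables: `go install` drops arbitrary third-party binaries there and a path match says nothing about what was installed; a comment stating the accepted risk (`-- GOPATH/bin: any go install target, accepted risk`) would at least make the gap visible. The `OR` chain continues outside the hunk, and the `cmd LIKE '/opt/homebrew/Cellar/%'` rule remains alongside the `p.path` rules.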
|
||||
|
|
|
@ -46,6 +46,7 @@ WHERE
|
|||
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
|
||||
'/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
|
||||
'/Library/Application Support/Razer/RzUpdater.app/Contents/MacOS/RzUpdater',
|
||||
'/Library/Application Support/LogiFacecam.bundle/Contents/MacOS/LogiFacecamService',
|
||||
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
|
||||
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS/rastertobrother2300',
|
||||
'/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
|
||||
|
@ -82,6 +83,7 @@ WHERE
|
|||
'dlv'
|
||||
)
|
||||
AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
|
||||
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%'
|
||||
AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
|
||||
AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
|
||||
GROUP BY
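Review bot: The three `p.cgroup_path NOT LIKE` rules at the end of the second hunk (`podman-%`, `docker-%`, `nerdctl-%`) together exempt every process running inside any container on the host, regardless of image or user, from whatever this query checks; containers are a common place for unexpected binaries to turn up, so this is a sizeable blind spot rather than a targeted false-positive fix. If the intent is only to silence the container runtimes' own helpers, match those names in the existing `NOT IN` list instead, or at least record the accepted gap: `-- container workloads are intentionally out of scope for this check`. Whichever of the three is the newly added line, the point applies to all of them.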
|
||||
|
|
|
@ -61,9 +61,12 @@ WHERE
|
|||
'/usr/bin/kitty',
|
||||
'/usr/lib/electron22/electron',
|
||||
'/usr/bin/osqueryd',
|
||||
'/usr/bin/ninja',
|
||||
'/usr/bin/cmake',
|
||||
'/usr/libexec/gvfsd',
|
||||
'/usr/bin/sudo',
|
||||
'/usr/bin/tmux',
|
||||
'/usr/bin/python3',
|
||||
'/usr/bin/yay',
|
||||
'/usr/libexec/gdm-wayland-session',
|
||||
'/usr/libexec/gdm-x-session',
|
||||
|
@ -80,6 +83,7 @@ WHERE
|
|||
'bash',
|
||||
'dnf',
|
||||
'electron',
|
||||
'gnome-terminal',
|
||||
'fish',
|
||||
'gnome-shell',
|
||||
'kubelet',
|
||||
|
|
|
@ -71,16 +71,17 @@ WHERE -- Filter out stock exceptions to decrease overhead
|
|||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
||||
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
|
||||
'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.,/Applications/Multipass.app/,0',
|
||||
'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipassGui,/Applications/Multipass.app/,0',
|
||||
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
|
||||
'Developer ID Application: Crul, Inc. (5PTD6R25S6),com.electron.crul,/Applications/crul.app/,501',
|
||||
'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
|
||||
'Developer ID Application: Digital Ignition LLC (5DPYRBHEAR),org.m0k.transmission,/Applications/Transmission.app/,501',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
|
||||
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
|
||||
'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501',
|
||||
'Developer ID Application: folivora.AI GmbH (DAFVSXZ82P),com.hegenberg.BetterTouchTool,/Applications/BetterTouchTool.app/,501',
|
||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
|
||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
|
||||
'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501',
|
||||
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
|
||||
'Developer ID Application: Martijn Smit (GX645XXEAX),com.mutedeck.mac,/Applications/MuteDeck/MuteDeck.app/,501',
|
||||
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
|
||||
|
@ -89,6 +90,7 @@ WHERE -- Filter out stock exceptions to decrease overhead
|
|||
'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0',
|
||||
'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501',
|
||||
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
|
||||
'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501',
|
||||
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
|
||||
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
|
||||
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
|
||||
|
@ -109,6 +111,7 @@ WHERE -- Filter out stock exceptions to decrease overhead
|
|||
'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
|
||||
'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
|
||||
'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0',
|
||||
'Software Signing,com.apple.RemoteDesktopAgent,/System/Library/CoreServices/RemoteManagement/ARDAgent.app/,0',
|
||||
'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0',
|
||||
'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0',
|
||||
'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
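Review bot: The RescueTime row in the second hunk reads `'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0'`; the stray `]` in the bundle identifier means the key can never equal a real value, so the exception is dead. It should be `com.rescuetime.RescueTime`. Two more things to verify while here: `com.canonical.multipass.` in the first hunk ends in a dot, which is either a genuine identifier or a truncation, and the BambuStudio row appears in both the first and second hunks, so one copy is probably a leftover of the re-sort.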
|
||||
|
|
|
@ -131,6 +131,7 @@ WHERE
|
|||
'/etc/security',
|
||||
'/etc/skel',
|
||||
'/etc/smartmontools',
|
||||
'/etc/smartmontools/run.d',
|
||||
'/etc/ssl/certs',
|
||||
'/etc/ssl/misc',
|
||||
'/etc/ssl/trust-source',
|
||||
|
@ -153,19 +154,19 @@ WHERE
|
|||
'/etc/zfs/zpool.d'
|
||||
)
|
||||
AND file.path NOT IN (
|
||||
'/etc/auto.net',
|
||||
'/etc/cloud/clean.d/99-installer',
|
||||
'/etc/cloud/clean.d/99-installer-use-networkmanager',
|
||||
'/etc/grub2.cfg',
|
||||
'/etc/grub2-efi.cfg',
|
||||
'/etc/hibernate.sh',
|
||||
'/etc/pcp/pmie/rc',
|
||||
'/etc/sddm/wayland-session',
|
||||
'/etc/libpaper.d/texlive-base',
|
||||
'/etc/modulefiles/vpl',
|
||||
'/etc/nftables.conf',
|
||||
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
|
||||
'/etc/paths.d/100-rvictl',
|
||||
'/etc/pcp/pmcd/rc.local',
|
||||
'/etc/pcp/pmie/rc',
|
||||
'/etc/pcp/pmlogger/rc',
|
||||
'/etc/pcp/pmproxy/rc',
|
||||
'/etc/pki/tls/certs/make-dummy-cert',
|
||||
|
@ -177,6 +178,8 @@ WHERE
|
|||
'/etc/qemu-ifdown',
|
||||
'/etc/qemu-ifup',
|
||||
'/etc/rmt',
|
||||
'/etc/sddm/wayland-session',
|
||||
'/etc/sddm/Xsession',
|
||||
'/etc/sddm/Xsetup',
|
||||
'/etc/sddm/Xstop',
|
||||
'/etc/shutdown.sh',
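Review bot: `'/etc/nftables.conf'` in the `@ -153` hunk whitelists the host firewall ruleset from this check; whether or not it is the line added here, it is precisely the file an attacker edits to open an ingress path, and the rest of the list consists of distro-shipped scripts and generated symlinks rather than policy. If it is present because some distributions install it executable with an `nft -f` shebang (my assumption), that deserves a comment, e.g. `-- nftables.conf: some distros ship it executable with an nft shebang; TODO confirm`, and ideally the row is constrained by owner or package provenance elsewhere in the query. `'/etc/pcp/pmie/rc'` also appears twice in this hunk; if both copies survive, one is redundant.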
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
-- Find unexpected hidden directories in operating-system foldersbin/
|
||||
-- Find unexpected hidden directories in operating-system folders
|
||||
--
|
||||
-- references:
|
||||
-- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
|
||||
|
@ -169,6 +169,7 @@ WHERE
|
|||
'/var/root/.provisio',
|
||||
'/var/root/.Trash/',
|
||||
'/var/root/.viminfo',
|
||||
'/var/root/.ssh/',
|
||||
'/var/root/.zsh_history',
|
||||
'/var/run/.heim_org.h5l.kcm-socket',
|
||||
'/var/run/.sim_diagnosticd_socket',
|
||||
|
@ -177,8 +178,10 @@ WHERE
|
|||
'/var/setup/.TemporaryItems',
|
||||
'/var/setup/.TemporaryItems/',
|
||||
'/var/tmp/.ses',
|
||||
'/tmp/.ses',
|
||||
'/var/tmp/.ses.bak',
|
||||
'/.vol/',
|
||||
'/tmp/.git/',
|
||||
'/.VolumeIcon.icns'
|
||||
)
|
||||
AND file.directory NOT IN (
|
||||
|
@ -189,6 +192,7 @@ WHERE
|
|||
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
|
||||
AND file.path NOT LIKE '/tmp/.#%'
|
||||
AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo'
|
||||
AND file.path NOT LIKE '%/lib/.lib%.hmac'
|
||||
AND file.path NOT LIKE '/tmp/.lark_cache_%'
|
||||
AND file.path NOT LIKE '/tmp/.cdx.json%'
|
||||
AND file.path NOT LIKE '/var/roothome/.xauth%'
|
||||
|
@ -199,6 +203,7 @@ WHERE
|
|||
AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
|
||||
AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
|
||||
AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
|
||||
AND file.path NOT LIKe '/tmp/.com.microsoft.Edge.%'
|
||||
AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/'
|
||||
AND file.path NOT LIKE '/tmp/.X1%-lock'
|
||||
AND file.path NOT LIKE '/usr/local/%/.keepme'
|
||||
|
@ -213,6 +218,8 @@ WHERE
|
|||
type = 'regular'
|
||||
AND (
|
||||
filename LIKE '%.swp'
|
||||
OR filename LIKE '%.swo'
|
||||
OR filename LIKE '%.swn'
|
||||
OR size < 2
|
||||
)
|
||||
)
|
||||
|
@ -261,3 +268,11 @@ WHERE
|
|||
AND uid = 501
|
||||
AND gid = 0
|
||||
)
|
||||
-- RX100
|
||||
AND NOT (
|
||||
file.path LIKE '/var/db/.%'
|
||||
AND file.gid = 0
|
||||
AND file.uid = 0
|
||||
AND file.size = 28
|
||||
AND file.mode = '0666'
|
||||
)
|
||||
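Review bot: The new `-- RX100` block at the end of the `-261,3 +268,11` hunk exempts every root-owned, world-writable, 28-byte hidden file anywhere under `/var/db/` via `file.path LIKE '/var/db/.%'`, and the one-word comment does not say what writes the file or why mode 0666 is expected there. Suggest expanding the comment to name the producer and the observed filename, e.g. `-- RX100: 0666 marker file written to /var/db/.<filename> when <producer> is attached`, and, if that filename is stable, matching it with `file.path = '/var/db/.<filename>'` rather than the prefix glob so that the size/mode fingerprint is the only part left open. The enclosing WHERE clause starts outside the hunk.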
|
|
|
@ -73,6 +73,7 @@ WHERE
|
|||
'29',
|
||||
'30',
|
||||
'backend',
|
||||
'emacs',
|
||||
'build',
|
||||
'bin',
|
||||
'nox',
|
||||
|
@ -85,3 +86,4 @@ WHERE
|
|||
AND NOT basename LIKE 'python2.%'
|
||||
AND NOT basename LIKE 'terraform-provider%'
|
||||
AND NOT basename LIKE 'ld-%.so'
|
||||
AND NOT basename LIKE 'unison-%'
|
||||
|
|
|
@ -205,6 +205,8 @@ WHERE
|
|||
)
|
||||
AND NOT homepath IN (
|
||||
'~/.config/nvm/nvm.sh',
|
||||
'~/.config/i3',
|
||||
'~/.config/polybar',
|
||||
'~/Library/Assistant/SiriAnalytics.db',
|
||||
'~/Library/Calendars/Calendar.sqlitedb',
|
||||
'~/Library/Calendars/Calendar.sqlitedb-wal',
|
||||
|
@ -214,7 +216,7 @@ WHERE
|
|||
'~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',
|
||||
'~/Library/HTTPStorages/com.apple.AddressBookSourceSync',
|
||||
'~/Library/HTTPStorages/com.apple.AddressBookSourceSync/httpstorages.sqlite-shm',
|
||||
' ~/Library/Keychains/login.keychain-db',
|
||||
'~/Library/Keychains/login.keychain-db',
|
||||
'~/Library/Logs/zoom.us/upload_history.txt',
|
||||
'~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
|
||||
)
|
||||
|
|
|
@ -55,6 +55,7 @@ WHERE
|
|||
'/Users/Shared/CleanMyMac X/.licence',
|
||||
'/Users/Shared/LogiTuneInstallerStarted.txt',
|
||||
'/Users/Shared/.NSVolumeHeap',
|
||||
'/Users/Shared/.4oaLkgIGnA',
|
||||
'/Users/Shared/.SeedEnrollment.plist'
|
||||
)
|
||||
OR top3_dir IN (
|
||||
|
@ -68,12 +69,14 @@ WHERE
|
|||
'/Users/Shared/CleanMyMac X Menu',
|
||||
'/Users/Shared/LGHUB',
|
||||
'/Users/Shared/logi',
|
||||
' /Users/Shared/Maxon',
|
||||
'/Users/Shared/Pixologic',
|
||||
'/Users/Shared/Maxon',
|
||||
'/Users/Shared/AdobeInstalledCodecsTier2',
|
||||
'/Users/Shared/LogioptionsPlus',
|
||||
'/Users/Shared/LogiOptionsPlus',
|
||||
'/Users/Shared/.logishrd',
|
||||
'/Users/Shared/logitune',
|
||||
'/Users/Shared/ZBrushData2024',
|
||||
'/Users/Shared/macenhance',
|
||||
'/Users/Shared/Parallels',
|
||||
'/Users/Shared/PPN',
|
||||
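Review bot: `'/Users/Shared/.4oaLkgIGnA'` is an opaque, random-looking hidden filename being allowlisted in a query whose purpose is to surface unexpected files in `/Users/Shared`, and nothing on the line records what creates it. Whether or not it is the line added in the `-55,6 +55,7` hunk, a trailing comment naming the owning application (`'/Users/Shared/.4oaLkgIGnA', -- <app>: <purpose>`) would let the next reader judge whether the exemption still holds, and if the name turns out to be per-install random a `NOT LIKE` on the stable part would be the better exemption. Separately, `'/Users/Shared/LogioptionsPlus'` and `'/Users/Shared/LogiOptionsPlus'` both survive in the rendered view of the second hunk; if the lower-case spelling is not one of the removed lines, it is a stale duplicate.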
|
|
|
@ -39,6 +39,8 @@ WHERE
|
|||
AND file.path NOT LIKE '%/./%'
|
||||
AND file.path NOT LIKE '/var/tmp/images/%'
|
||||
AND file.path NOT LIKE '/var/tmp/packages/%'
|
||||
AND file.path NOT LIKE '/var/tmp/buildah-cache-1000/var/cache/rpm-ostree/%'
|
||||
AND file.directory NOT LIKE '/var/tmp/buildah%/run'
|
||||
AND (
|
||||
file.mode LIKE '%7%'
|
||||
OR file.mode LIKE '%5%'
|
||||
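Review bot: `AND file.path NOT LIKE '/var/tmp/buildah-cache-1000/var/cache/rpm-ostree/%'` pins the exemption to uid 1000, while the sibling line `file.directory NOT LIKE '/var/tmp/buildah%/run'` already matches any buildah cache directory regardless of user. Unless the uid is deliberately part of the exemption, `'/var/tmp/buildah-cache-%/var/cache/rpm-ostree/%'` covers the same rootless-buildah case for every account without widening it beyond the rpm-ostree cache path. Which of the two buildah lines are the additions is not visible in the rendered view.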
|
|
|
@ -34,6 +34,7 @@ WHERE
|
|||
'apcupsd.pid',
|
||||
'apport.lock',
|
||||
'atd.pid',
|
||||
'atopacctd.pid',
|
||||
'auditd.pid',
|
||||
'com.rapid7.cnchub.pid',
|
||||
'com.rapid7.component_insight_agent.pid',
|
||||
|
@ -61,6 +62,7 @@ WHERE
|
|||
'nvidia_runtimepm_enabled',
|
||||
'nvidia_runtimepm_supported',
|
||||
'ostree-booted',
|
||||
'pacct_source',
|
||||
'pulseaudio-enable-autospawn',
|
||||
'reboot-required',
|
||||
'reboot-required.pkgs',
|
||||
|
|
|
@ -34,6 +34,7 @@ WHERE
|
|||
'FirstBootAfterUpdate',
|
||||
'FirstBootCleanupHandled',
|
||||
'appfwd.pid',
|
||||
'MobileAssetStartupActivation.doneThisBoot',
|
||||
'auditd.pid',
|
||||
'automount.initialized',
|
||||
'bootpd.pid',
|
||||
|
|
|
@ -114,6 +114,7 @@ WHERE
|
|||
AND NOT pname LIKE '%-macos-arm64'
|
||||
AND NOT pname LIKE 'debug.test%'
|
||||
AND NOT pname LIKE '__%go_build%'
|
||||
AND NOt pname LIKE '___1Test%'
|
||||
AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
|
||||
AND NOT s.authority IN (
|
||||
"Software Signing",
|
||||
|
|
|
@ -125,6 +125,7 @@ WHERE
|
|||
'java',
|
||||
'containerd-shim',
|
||||
'code',
|
||||
'goland',
|
||||
'emacs',
|
||||
'vim',
|
||||
'vim.nox'
|
||||
|
|
|
@ -45,7 +45,7 @@ WHERE
|
|||
p0.start_time > 0
|
||||
AND f.ctime > 0
|
||||
AND p0.start_time > (strftime('%s', 'now') - 43200)
|
||||
AND (p0.start_time - MAX(f.ctime, f.btime)) < 900
|
||||
AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
|
||||
AND p0.start_time >= MAX(f.ctime, f.ctime)
|
||||
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
|
||||
-- These are binaries that are known to get updated and subsequently executed
|
||||
|
@ -132,6 +132,7 @@ WHERE
|
|||
)
|
||||
AND NOT p0.path LIKE '/home/%/bin/%'
|
||||
AND NOT p0.path LIKE '/home/%/git/%'
|
||||
AND NOT p0.path LIKE '/home/%/upstream/%'
|
||||
AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
|
||||
AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
|
||||
AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%/GoLand/___%'
|
||||
|
@ -158,6 +159,7 @@ WHERE
|
|||
AND NOT p0.path LIKE '%/.vscode/extensions/%'
|
||||
AND NOT p0.path LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
|
||||
AND NOT p0.path LIKE '%/.local/share/spotify-launcher/install/usr/%'
|
||||
AND NOT p0.path LIKE '/var/opt/Elastic/Agent/data/elastic-agent-%/components/%'
|
||||
AND NOT (
|
||||
p0.name IN ('osqtool-x86_64', 'osqtool-arm64')
|
||||
AND p0.cmdline LIKE './%'
|
||||
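Review bot: `AND p0.start_time >= MAX(f.ctime, f.ctime)` in the `-45,7 +45,7` hunk takes `MAX` of the same column twice, which is just `f.ctime`; the two lines directly above use `MAX(f.ctime, f.btime)`, so this reads as a typo for `f.btime`. The line is context rather than part of this change, but since the commit is retuning the same window (900 → 1200 seconds) it is the natural place to correct it: `AND p0.start_time >= MAX(f.ctime, f.btime)`. If bounding the lower edge on ctime alone is intentional, a short comment saying so would stop the next reader from "fixing" it. The enclosing WHERE clause starts outside the hunk.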
|
|
|
@ -78,7 +78,7 @@ WHERE
|
|||
AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
|
||||
AND NOT path LIKE '%/cloud_sql_proxy'
|
||||
)
|
||||
AND (p0.start_time - MAX(f.ctime, f.btime)) < 600
|
||||
AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
|
||||
AND f.ctime > 0
|
||||
AND NOT (
|
||||
p0.euid > 499
|
||||
|
@ -118,6 +118,7 @@ WHERE
|
|||
'~/gohome/bin',
|
||||
'~/code/bin',
|
||||
'~/go/bin',
|
||||
'/usr/local/aws-cli',
|
||||
'~/melange',
|
||||
'~/repos/bincapz/out',
|
||||
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
|
||||
|
@ -138,6 +139,7 @@ WHERE
|
|||
OR dir LIKE '~/%/go/bin'
|
||||
OR dir LIKE '~/Downloads/%.app/Contents/MacOS'
|
||||
OR dir LIKE '~/dev/%'
|
||||
OR dir LIKE '~/git/%'
|
||||
OR f.path LIKE '%go-build%'
|
||||
OR homepath LIKE '~/%/src/%.test'
|
||||
OR homepath LIKE '~/%/pkg/%.test'
|
||||
|
@ -165,6 +167,7 @@ WHERE
|
|||
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
|
||||
'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
|
||||
'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
|
||||
'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||
'Developer ID Application: Cisco (DE8Y96K9QP)',
|
||||
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
|
||||
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
|
@ -190,7 +193,9 @@ WHERE
|
|||
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
|
||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'Developer ID Application: Wesley FURLONG (P4A6FU9KZ3)',
|
||||
'Developer ID Application: Autodesk (XXKJ396S2Y)',
|
||||
'Developer ID Application: Michael Jones (YD6LEYT6WZ)',
|
||||
'Developer ID Application: VMware, Inc. (EG7KH642X6)',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||
'Developer ID Application: Mojang AB (HR992ZEAE6)',
|
||||
'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
|
||||
|
|
|
@ -182,6 +182,7 @@ WHERE
|
|||
'releases.hashicorp.com',
|
||||
'github.com',
|
||||
'cdn.zoom.us',
|
||||
'repo1.maven.org',
|
||||
'dl.enforce.dev'
|
||||
)
|
||||
-- Ignore local addresses (Docker development)
|
||||
|
@ -193,3 +194,4 @@ WHERE
|
|||
)
|
||||
)
|
||||
AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'
|
||||
AND NOT url in ('https://aur.archlinux.org')
|
||||
|
|
|
@ -45,6 +45,7 @@ WHERE
|
|||
'/sbin/ldconfig',
|
||||
'/usr/sbin/ldconfig',
|
||||
'/usr/bin/c_rehash',
|
||||
'/home/smoser/bin/firefox',
|
||||
'/usr/sbin/update-ca-certificates'
|
||||
)
|
||||
AND NOT (
|
||||
|
@ -59,3 +60,8 @@ WHERE
|
|||
p.path = "/"
|
||||
AND file.size < 8192
|
||||
)
|
||||
AND NOT cmdline IN (
|
||||
'bpftool --version',
|
||||
'bpftool --help',
|
||||
'bpftool -V'
|
||||
)
|
||||
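Review bot: `'/home/smoser/bin/firefox'` hard-codes one user's home directory into a shared exception list, so the identical Firefox launch by any other account still fires. If the intent is a user-installed Firefox under `~/bin`, a pattern placed after the `IN (...)` block, on the order of `AND NOT <path column> LIKE '/home/%/bin/firefox'`, generalises it; the column the list filters on is declared before this hunk, so use that name. Whether this line is the one added in the `-45,6 +45,7` hunk is not visible in the rendered view.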
|
|
|
@ -78,7 +78,10 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
|
|||
'curl,500,Slack,launchd',
|
||||
'curl,500,Stats,bash',
|
||||
'curl,500,zsh,login',
|
||||
'curl,500,zsh,zellij',
|
||||
'curl,500,zsh,sh',
|
||||
'curl,500,zsh,mc',
|
||||
'curl,0,bash,kandji-library-manager',
|
||||
'wget,500,env,env',
|
||||
'wget,500,sh,bwrap',
|
||||
'wget,500,zsh,bash'
|
||||
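Review bot: The fetcher-parent exceptions in this hunk, `'curl,500,zsh,sh'`, `'curl,500,zsh,mc'` and `'wget,500,zsh,bash'`, key only on (tool, uid, parent, grandparent) and the parent and grandparent here are generic shells, so any curl or wget started from an interactive zsh with a sh/bash/mc ancestor is exempt rather than one specific program. That is a much wider hole than neighbouring entries such as `'curl,500,Slack,launchd'`, which name an application. If these came from a particular workflow it is worth recording in a trailing comment, and since the hunk header says the remainder of this query is synced with a sibling query, that query needs the same entries. Which three of the ten lines are the additions is not visible in the rendered view.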
|
|
|
@ -39,6 +39,8 @@ WHERE
|
|||
AND gap.path NOT LIKE '/usr/local/bin/%'
|
||||
AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
|
||||
AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
|
||||
AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
|
||||
AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
|
||||
AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
|
||||
GROUP BY
|
||||
gap.requirement
|
||||
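Review bot: `AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'` exempts every file beneath any directory in any user's Downloads folder whose name contains `_arm64`, which is far broader than the sibling exemptions that name one tool (`openresty`, `U_STIGViewer`, `grpcurl_`). If this was added for a single download, naming it (`'/Users/%/Downloads/<tool>_arm64%/%'`) keeps the detection useful for the rest of the Downloads folder; otherwise a comment explaining why the architecture suffix alone is sufficient would help. The SELECT list and FROM clause start outside the hunk.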
|
|
|
@ -44,6 +44,7 @@ WHERE
|
|||
'NetworkManager',
|
||||
'dhclient',
|
||||
'packetbeat',
|
||||
'tailscaled',
|
||||
'dhcpcd',
|
||||
'tcpdump'
|
||||
)
|
||||
|
|
|
@ -152,6 +152,7 @@ WHERE
|
|||
'500,ko,,',
|
||||
'500,ko,a.out,',
|
||||
'500,kubectl,a.out,',
|
||||
'500,Keeper Password Manager,com.callpod.keepermac.lite,Apple Mac OS Application Signing',
|
||||
'500,lua-language-server,lua-language-server,',
|
||||
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
|
||||
'500,mattermost,a.out,',
|
||||
|
@ -212,6 +213,7 @@ WHERE
|
|||
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
|
||||
'500,vim,,',
|
||||
'500,chromedriver,chromedriver,',
|
||||
'500,vim,vim,',
|
||||
'500,WinAppHelper,,',
|
||||
'500,WinAppHelper,WinAppHelper,'
|
||||
|
@ -256,5 +258,6 @@ WHERE
|
|||
AND NOT exception_key LIKE '500,rzls,apphost-%,'
|
||||
AND NOT exception_key LIKE '500,sg-nvim-agent,sg_nvim_agent-%,'
|
||||
AND NOT exception_key LIKE '500,taplo-full-darwin-%,taplo-%,'
|
||||
AND NOT exception_key LIKE '500,just,just-%,'
|
||||
GROUP BY
|
||||
p0.pid
|
||||
|
|
|
@ -101,6 +101,8 @@ WHERE
|
|||
'sysctl -i sysctl.proc_translated',
|
||||
'sysctl -n hw.optional.arm64',
|
||||
'sw_vers -productName',
|
||||
'/usr/bin/security authorizationdb read system.login.screensaver',
|
||||
'security authorizationdb read system.login.screensaver',
|
||||
'unzip -h',
|
||||
'sysctl -n sysctl.proc_translated',
|
||||
'/usr/sbin/system_profiler SPUSBDataType',
|
||||
|
@ -111,10 +113,13 @@ WHERE
|
|||
)
|
||||
AND NOT exception_key IN (
|
||||
'ditto,500,ruby,zsh',
|
||||
'system_profiler,500,bash,DDPM',
|
||||
'ioreg,500,bash,Alfred Preferences',
|
||||
'ioreg,500,com.docker.backend,launchd',
|
||||
'system_profiler,0,launcher,launchd',
|
||||
'system_profiler,500,bash,launchd',
|
||||
'ioreg,500,com.docker.backend,com.docker.backend',
|
||||
'security_authtrampoline,500,Raycast,launchd',
|
||||
'system_profiler,500,bash,logioptionsplus_agent',
|
||||
'system_profiler,500,Google Drive,launchd',
|
||||
'system_profiler,500,steam_osx,launchd',
|
||||
|
|
|
@ -84,7 +84,10 @@ WHERE
|
|||
'emacs',
|
||||
'steam_osx',
|
||||
'factorio',
|
||||
'Google Chrome',
|
||||
'firefox',
|
||||
'meta',
|
||||
'ollama',
|
||||
'fish',
|
||||
'fleet_backend',
|
||||
'fsdaemon',
|
||||
|
@ -108,9 +111,12 @@ WHERE
|
|||
'nautilus',
|
||||
'nessusd',
|
||||
'nix',
|
||||
'Fedora Media Writer',
|
||||
'updatedb',
|
||||
'nix-daemon',
|
||||
'nvim',
|
||||
'ollama',
|
||||
'Autodesk Identity Manager',
|
||||
'ollama-runer',
|
||||
'osqueryd',
|
||||
'osqueryi',
|
||||
|
@ -121,6 +127,7 @@ WHERE
|
|||
'rpi-imager',
|
||||
'rpm-ostree',
|
||||
'rsync',
|
||||
'Microsoft Update Assistant',
|
||||
'sh',
|
||||
'simdiskimaged',
|
||||
'slack',
|
||||
|
|
|
@ -42,26 +42,35 @@ WHERE
|
|||
'alfredapp.com',
|
||||
'amazon.com',
|
||||
'android.com',
|
||||
'ankiweb.net',
|
||||
'apple.com',
|
||||
'arc.net',
|
||||
'asana.com',
|
||||
'astutegraphics.com',
|
||||
'backblazeb2.com',
|
||||
'balena.io',
|
||||
'balsamiq.com',
|
||||
'bblmw.com',
|
||||
'bluestacks.com',
|
||||
'boxcdn.net',
|
||||
'box.com',
|
||||
'brave.com',
|
||||
'byfly.by',
|
||||
'canon.co.uk',
|
||||
'cdn.mozilla.net',
|
||||
'charlesproxy.com',
|
||||
'chatgpt.com',
|
||||
'cloudfront.net',
|
||||
'cron.com',
|
||||
'csclub.uwaterloo.ca',
|
||||
'curseforge.com',
|
||||
'c-wss.com',
|
||||
'descript.com',
|
||||
'desktop.evernote.com',
|
||||
'digidesign.com',
|
||||
'discordapp.net',
|
||||
'discord.com',
|
||||
'dl.meitu.com',
|
||||
'dl.sourceforge.net',
|
||||
'docker.com',
|
||||
'dogado.de',
|
||||
|
@ -70,26 +79,35 @@ WHERE
|
|||
'eclipse.org',
|
||||
'emeet.com',
|
||||
'epson.com',
|
||||
'eventideaudio.com',
|
||||
'fcix.net',
|
||||
'figma.com',
|
||||
'foundry.com',
|
||||
'gaomon.net',
|
||||
'getutm.app',
|
||||
'gimp.org',
|
||||
'github.io',
|
||||
'githubusercontent.com',
|
||||
'google.ca',
|
||||
'google.com',
|
||||
'grammarly.com',
|
||||
'imazing.com',
|
||||
'integodownload.com',
|
||||
'irccloud.com',
|
||||
'jetbrains.com',
|
||||
'live.com',
|
||||
'kagi.com',
|
||||
'libreoffice.org',
|
||||
'live.com',
|
||||
'logitech.com',
|
||||
'loom.com',
|
||||
'macbartender.com',
|
||||
'macroplant.com',
|
||||
'maxon.net',
|
||||
'microsoft.com',
|
||||
'minecraft.net',
|
||||
'mirrorservice.org',
|
||||
'mm.cfix.net',
|
||||
'mm.fcix.net',
|
||||
'mojang.com',
|
||||
'mozilla.org',
|
||||
'mutedeck.com',
|
||||
|
@ -97,18 +115,27 @@ WHERE
|
|||
'notion.so',
|
||||
'notion-static.com',
|
||||
'ocf.berkeley.edu',
|
||||
'odvdev.at'
|
||||
'office.com',
|
||||
'oobesaas.adobe.com',
|
||||
'openra.net',
|
||||
'oracle.com',
|
||||
'osuosl.org',
|
||||
'overwolf.com',
|
||||
'pathofexile.com',
|
||||
'perforce.com',
|
||||
'poecdn.com',
|
||||
'pqrs.org',
|
||||
'proxmox.com',
|
||||
'prusa3d.com',
|
||||
'raspberrypi.com',
|
||||
'redhat.com',
|
||||
'remarkable.com',
|
||||
'rewind.ai',
|
||||
's3.amazonaws.com',
|
||||
'securew2.com',
|
||||
'signal.org',
|
||||
'siliconmotion.com',
|
||||
'skype.com',
|
||||
'slack.com',
|
||||
'slack-edge.com',
|
||||
|
@ -118,18 +145,22 @@ WHERE
|
|||
'tableplus.com',
|
||||
'teams.cdn.office.net',
|
||||
'techsmith.com',
|
||||
'tweaknews.eu',
|
||||
'ubuntu.com',
|
||||
'ultimaker.com',
|
||||
'umd.edu',
|
||||
'usa.canon.com',
|
||||
'uubyte.com',
|
||||
'vc.logitech.com',
|
||||
'vimcal.com',
|
||||
'virtualbox.org',
|
||||
'viture.dev',
|
||||
'vmware.com',
|
||||
'warp.dev',
|
||||
'webex.com',
|
||||
'whatsapp.com',
|
||||
'xtom.com',
|
||||
'xx.fbcdn.net',
|
||||
'yubico.com',
|
||||
'zoo.dev',
|
||||
'zoomgov.com',
|
||||
|
@ -141,10 +172,13 @@ WHERE
|
|||
'adoptium.net',
|
||||
'arc.net',
|
||||
'asana.com',
|
||||
'awscli.amazonaws.com',
|
||||
'balsamiq.com',
|
||||
'bearly.ai',
|
||||
'blyt.net',
|
||||
'brave.com',
|
||||
'calibre-ebook.com',
|
||||
'chatgpt.com',
|
||||
'cron.com',
|
||||
'discord.com',
|
||||
'dl.discordapp.net',
|
||||
|
@ -153,40 +187,56 @@ WHERE
|
|||
'dygma.com',
|
||||
'emacsformacosx.com',
|
||||
'epson.com',
|
||||
'evernote.com',
|
||||
'fbcdn.net',
|
||||
'figma.com',
|
||||
'flipperzero.one',
|
||||
'getkap.co',
|
||||
'github.com',
|
||||
'go.dev',
|
||||
'imazing.com',
|
||||
'kittycad.io',
|
||||
'krisp.ai',
|
||||
'evernote.com',
|
||||
'macroplant.com',
|
||||
'mail.google.com',
|
||||
'manual.canon',
|
||||
'manytricks.com',
|
||||
'maxon.net',
|
||||
'mimestream.com',
|
||||
'mnvoip.mm.fcix.net',
|
||||
'mutedeck.com',
|
||||
'obdev.at',
|
||||
'awscli.amazonaws.com',
|
||||
'obsidian.md',
|
||||
'universal-blue.discourse.group',
|
||||
'obsproject.com',
|
||||
'opalcamera.com',
|
||||
'persistent.oaistatic.com',
|
||||
'posit.co',
|
||||
'presenting.app',
|
||||
'proton.me',
|
||||
'rancherdesktop.io',
|
||||
'rectangleapp.com',
|
||||
's3.amazonaws.com',
|
||||
'scribehow.com',
|
||||
'shottr.cc',
|
||||
'sipapp.fra1.digitaloceanspaces.com',
|
||||
'sipapp.io',
|
||||
'sourceforge.net',
|
||||
'sourcegraph.com',
|
||||
'stclairsoft.s3.amazonaws.com',
|
||||
'store.steampowered.com',
|
||||
'superkey.app',
|
||||
'tableplus.com',
|
||||
'textexpander.com',
|
||||
'transmissionbt.com',
|
||||
'ubuntu.com',
|
||||
'ultimaker.com',
|
||||
'universal-blue.discourse.group',
|
||||
'warp-releases.storage.googleapis.com',
|
||||
'wavebox.io',
|
||||
'www.google.com',
|
||||
'www.messenger.com',
|
||||
'zed.dev',
|
||||
'zoo.dev',
|
||||
'zoom.us'
|
||||
)
|
||||
-- Yes, these are meant to be fairly broad.
|
||||
|
@ -206,13 +256,6 @@ WHERE
|
|||
AND host NOT LIKE 'software%'
|
||||
AND host NOT LIKE 'www.google.%'
|
||||
AND host NOT LIKE '%release%.storage.googleapis.com'
|
||||
AND NOT (
|
||||
host LIKE '%.fbcdn.net'
|
||||
AND (
|
||||
file.filename LIKE 'Messenger.%.dmg'
|
||||
OR file.filename LIKE '%WhatsApp.dmg'
|
||||
)
|
||||
)
|
||||
AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
|
||||
GROUP BY
|
||||
ea.value
|
||||
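Review bot: `'odvdev.at'` in the `-97,18 +115,27` hunk has no trailing comma before `'office.com'`, leaving two adjacent string literals inside the `IN (` list; SQLite does not concatenate adjacent literals, so this most likely fails to parse and the whole query silently stops producing results. Whether or not the line is new in this commit it needs `'odvdev.at',` — and since `'obdev.at'` is the spelling used in the second list later in the section (and `mm.cfix.net` next to `mm.fcix.net` shows the same kind of slip), check whether the entry itself is a typo. Lower priority: `'live.com'`, `'evernote.com'`, `'awscli.amazonaws.com'` and `'universal-blue.discourse.group'` each appear twice, which is harmless but makes the lists harder to maintain.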
|
|
|
@ -82,6 +82,7 @@ WHERE
|
|||
'build-script-build',
|
||||
'chainctl',
|
||||
'chezmoi',
|
||||
'BambuStudio',
|
||||
'clang-11',
|
||||
'code',
|
||||
'Code Helper (Renderer)',
|
||||
|
@ -266,6 +267,7 @@ WHERE
|
|||
'bash,0,udevadm,udevadm',
|
||||
'bash,500,accounts-daemon,systemd',
|
||||
'bash,500,busybox,bwrap',
|
||||
'bash,500,bwrap,bwrap',
|
||||
'bash,500,com.docker.dev-envs,com.docker.backend',
|
||||
'bash,500,docker-builder,bash',
|
||||
'bash,500,Foxit PDF Reader,launchd',
|
||||
|
@ -278,13 +280,13 @@ WHERE
|
|||
'bash,500,plasmashell,systemd',
|
||||
'bash,500,Private Internet Access,launchd',
|
||||
'bash,500,ruby,zsh',
|
||||
'bash,500,screen,screen',
|
||||
'bash,500,script,bash',
|
||||
'bash,500,steam,bash',
|
||||
'bash,500,xdg-desktop-portal,systemd',
|
||||
'bash,500,xdg-permission-store,systemd',
|
||||
'dash,0,anacron,systemd',
|
||||
'dash,0,dpkg,apt',
|
||||
'bash,500,bwrap,bwrap',
|
||||
'dash,0,dpkg,python3.10',
|
||||
'dash,0,kindnetd,containerd-shim-runc-v2',
|
||||
'dash,0,kube-proxy,containerd-shim-runc-v2',
|
||||
|
@ -297,6 +299,7 @@ WHERE
|
|||
'sh,0,expect,kandji-daemon',
|
||||
'sh,500,cloud_sql_proxy,zsh',
|
||||
'sh,500,docs,zsh',
|
||||
'bash,500,gdb,perl',
|
||||
'sh,500,Google Drive,launchd',
|
||||
'sh,500,LogiTune,launchd',
|
||||
'sh,500,Meeting Center,launchd',
|
||||
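Review bot: `'bash,500,bwrap,bwrap'` appears twice in the same `IN (` list — once in the `-266,6 +267,7` hunk in sorted position and again in the `-278,13 +280,13` hunk between the `dash,0,…` entries. The rendered view does not show which copy is new, but the unsorted one in the second hunk looks like the leftover; keeping only the sorted copy avoids the duplicate. `'bash,500,gdb,perl'` in the `-297,6 +299,7` hunk is likewise out of order among the `sh,` entries and would be easier to find next to the other `bash,500,` keys.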
|
|
|
@ -68,6 +68,7 @@ WHERE
|
|||
'Code - Insiders Helper',
|
||||
'Code - Insiders Helper (Renderer)',
|
||||
'collect2',
|
||||
'com.docker.back',
|
||||
'configure',
|
||||
'conmon',
|
||||
'containerd-shim',
|
||||
|
@ -88,6 +89,7 @@ WHERE
|
|||
'FinderSyncExtension',
|
||||
'fish',
|
||||
'flock',
|
||||
'gopls',
|
||||
'gdm-wayland-ses',
|
||||
'gephi',
|
||||
'git',
|
||||
|
@ -109,6 +111,7 @@ WHERE
|
|||
'inittool2',
|
||||
'java',
|
||||
'jetbrains_client',
|
||||
'just',
|
||||
'kitty',
|
||||
'ko',
|
||||
'konsole',
|
||||
|
@ -212,6 +215,7 @@ WHERE
|
|||
'/usr/sbin/networksetup',
|
||||
'/usr/bin/apt-get',
|
||||
'/usr/bin/bash',
|
||||
'/usr/bin/perl',
|
||||
'/usr/bin/bwrap',
|
||||
'/usr/bin/crond',
|
||||
'/usr/bin/dash',
|
||||
|
@ -235,6 +239,7 @@ WHERE
|
|||
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
|
||||
'/bin/sh -c system_profiler SPDisplaysDataType | grep "Chipset Model"',
|
||||
'/usr/bin/python3 /usr/bin/terminator',
|
||||
'sh -c echo zoomMute:disabled,zoomVideo:disabled,zoomStatus:closed,zoomShare:disabled,zoomRecord:disabled',
|
||||
'/bin/sh -c sysctl hw.model kern.osrelease',
|
||||
'/bin/sh /etc/security/audit_warn soft /var/audit',
|
||||
'sh -c hugo-installer --version otherDependencies.hugo --extended --destination node_modules/.bin/hugo',
|
||||
|
|
|
@ -75,17 +75,18 @@ WHERE
|
|||
p0.name IN (
|
||||
'caddy',
|
||||
'controller',
|
||||
'docker-proxy',
|
||||
'hugo',
|
||||
'gopls',
|
||||
'limactl',
|
||||
'nuclei',
|
||||
'qemu-system-aarch64',
|
||||
'qemu-system-x86',
|
||||
'crane',
|
||||
'docker-proxy',
|
||||
'gopls',
|
||||
'hugo',
|
||||
'kubectl',
|
||||
'limactl',
|
||||
'nginx-ingress-c',
|
||||
'node',
|
||||
'nuclei',
|
||||
'ollama',
|
||||
'qemu-system-aarch64',
|
||||
'qemu-system-x86',
|
||||
'rootlessport',
|
||||
'webhook'
|
||||
)
|
||||
|
@ -108,6 +109,8 @@ WHERE
|
|||
AND NOT exception_key IN (
|
||||
'16620,6,500,psi-bastion',
|
||||
'32768,6,500,java',
|
||||
'32768,6,500,Chromium',
|
||||
'32768,6,500,Code Helper (Plugin)',
|
||||
'24024,17,500,MTGA',
|
||||
'1,1,500,ping'
|
||||
)
|
||||
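Review bot: The re-sorted `p0.name IN (` list now exempts `'node'`, `'ollama'` and `'kubectl'` by bare process name, and `node` in particular can be any script, so a listener opened by arbitrary JavaScript running under that name falls outside this detection. The neighbouring entries are mostly narrowly named daemons; if the node case came from one specific tool, a trailing comment (`'node', -- <tool that listens>`) or a port-scoped `exception_key` entry in the style of `'32768,6,500,java'` in the next hunk would keep the exemption bounded. Which of the entries are the additions is not visible in the rendered view.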
|
|
|
@ -72,6 +72,9 @@ WHERE
|
|||
'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,',
|
||||
'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
|
||||
'atd.service,Deferred execution scheduler,',
|
||||
'atopacct.service,Atop process accounting daemon,',
|
||||
'atop-rotate.timer,Daily atop restart,',
|
||||
'atop.service,Atop advanced performance monitor,',
|
||||
'auditd.service,Security Auditing Service,',
|
||||
'auditd.service,Security Audit Logging Service,',
|
||||
'audit.service,Kernel Auditing,',
|
||||
|
@ -80,6 +83,7 @@ WHERE
|
|||
'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
|
||||
'backup-rpmdb.timer,Backup of RPM database,',
|
||||
'backup-sysconfig.timer,Backup of /etc/sysconfig,',
|
||||
'bazzite-hardware-setup.service,Configure Bazzite for current hardware,',
|
||||
'binfmt-support.service,Enable support for additional executable binary formats,',
|
||||
'blk-availability.service,Availability of block devices,',
|
||||
'bluetooth.service,Bluetooth service,',
|
||||
|
@ -88,6 +92,7 @@ WHERE
|
|||
'brew-update.service,Auto update brew for mutable brew installs,1000',
|
||||
'brew-update.timer,Timer for brew update for mutable brew,',
|
||||
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
|
||||
'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
|
||||
'ca-certificates.path,Watch for changes in CA certificates,',
|
||||
'check-battery.timer,Check if mainboard battery is Ok,',
|
||||
'chronyd.service,NTP client/server,',
|
||||
|
@ -146,6 +151,7 @@ WHERE
|
|||
'fwupd.service,Firmware update daemon,',
|
||||
'gdm.service,GNOME Display Manager,',
|
||||
'geoclue.service,Location Lookup Service,geoclue',
|
||||
'geoipupdate.timer,Weekly GeoIP update,',
|
||||
'gitsign.service,Keyless Git signing with Sigstore!,',
|
||||
'gnome-remote-desktop.service,GNOME Remote Desktop,gnome-remote-desktop',
|
||||
'gssproxy.service,GSSAPI Proxy Daemon,',
|
||||
|
@ -160,6 +166,7 @@ WHERE
|
|||
'incus.socket,Incus - Daemon (unix socket),',
|
||||
'incus-startup.service,Incus - Startup check,',
|
||||
'incus-user.socket,Incus - Daemon (user unix socket),',
|
||||
'input-remapper.service,Service to inject keycodes without the GUI application,',
|
||||
'ir_agent.service,Rapid7 Insight Agent,root',
|
||||
'irqbalance.service,irqbalance daemon,',
|
||||
'iscsid.socket,Open-iSCSI iscsid Socket,',
|
||||
|
@ -260,6 +267,8 @@ WHERE
|
|||
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
|
||||
'plymouth-start.service,Show Plymouth Boot Screen,',
|
||||
'pmcd.service,Performance Metrics Collector Daemon,',
|
||||
'podman-auto-update.timer,Podman auto-update timer,',
|
||||
'podman-restart.service,Podman Start All Containers With Restart Policy Set To Always,',
|
||||
'podman.socket,Podman API Socket,',
|
||||
'polkit.service,Authorization Manager,',
|
||||
'polkit.service,Authorization Manager,polkitd',
|
||||
|
@ -300,13 +309,17 @@ WHERE
|
|||
'shadow.timer,Daily verification of password and group files,',
|
||||
'-.slice,Root Slice,',
|
||||
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
|
||||
'smartmontools.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
|
||||
'snap.canonical-livepatch.canonical-livepatchd.service,Service for snap application canonical-livepatch.canonical-livepatchd,',
|
||||
'snap.cups.cups-browsed.service,Service for snap application cups.cups-browsed,',
|
||||
'snap.cups.cupsd.service,Service for snap application cups.cupsd,',
|
||||
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,',
|
||||
'snapd.seeded.service,Wait until snapd is fully seeded,',
|
||||
'snapd.service,Snap Daemon,',
|
||||
'snapd.socket,Socket activation for snappy daemon,',
|
||||
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
|
||||
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
|
||||
'snap.multipass.multipassd.service,Service for snap application multipass.multipassd,',
|
||||
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
|
||||
'sshd.service,OpenSSH Daemon,',
|
||||
'sshd.service,OpenSSH server daemon,',
|
||||
|
@ -501,6 +514,7 @@ WHERE
|
|||
OR exception_key LIKE 'systemd-cryptsetup@%.service,Cryptography Setup for %,'
|
||||
OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,'
|
||||
OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'
|
||||
OR exception_key LIKE 'snap-aws\x2dcli-%.mount,Mount unit for aws-cli, revision %'
|
||||
OR id LIKE ''
|
||||
OR id LIKE 'dev-disk-by%.swap'
|
||||
OR id LIKE 'dev-mapper-%.swap'
|
||||
|
|
|
@ -243,6 +243,7 @@ WHERE
|
|||
'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji',
|
||||
'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm',
|
||||
'true,,MQTTLens,hemojaaeigabkbcookmlgmdigohjobjm',
|
||||
'true,,NordVPN - VPN proxy for privacy and security,fjoaledfpmneenckfbpdfhkmimnjocfa',
|
||||
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
|
||||
'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
|
||||
'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk',
|
||||
|
@ -318,7 +319,9 @@ WHERE
|
|||
'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
|
||||
'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
|
||||
'true,,Tampermonkey BETA,gcalenpjmijncebpfijmoaglllgpjagf',
|
||||
'true,,Tampermonkey,dhdgffkkebhmkfjojejmpbldmpobfkfo',
|
||||
'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
|
||||
'true,,Text Blaze: Templates and Snippets,idgadaccgipmpannjkmfddolnnhmeklj',
|
||||
'true,,TextExpander: Keyboard Shortcuts & Templates,mmfhhfjhpadoefoaahomoakamjcfcoil',
|
||||
'true,,The Marvellous Suspender,noogafoofpebimajpfpamcfhoaifemoa',
|
||||
'true,,The Org for LinkedIn,gnkbmaifcbniminbmbmiabamggncacag',
|
||||
|
@ -358,6 +361,7 @@ WHERE
|
|||
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
|
||||
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
|
||||
'true,Yuri Konotopov <ykonotopov@gnome.org>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
|
||||
'true,Zinlab <sebastian@Zinlab>,Better History,egehpkpgpgooebopjihjmnpejnjafefi',
|
||||
'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
|
||||
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
|
||||
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle',
|
||||
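Review bot: The extension allowlist in this section exempts `Tampermonkey`, `Tampermonkey BETA` and `Cookie-Editor` by name and ID, and userscript managers and cookie editors carry page-wide access permissions, so exempting them from an unexpected-extension check is a policy decision that deserves a comment on the line. Because the key is `'true,<author>,<name>,<id>'` and the ID is the stable part, a trailing `-- permitted: <reason>` keeps the rationale next to the entry. Whether these specific lines are the ones added by the three hunks cannot be told from the rendered view.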
|
|
|
@ -26,3 +26,5 @@ WHERE
|
|||
AND command NOT LIKE 'docker run amouat/jocko%'
|
||||
AND command NOT LIKE 'gsutil %'
|
||||
AND command NOT LIKE 'root command -v debian-sa1%'
|
||||
AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
|
||||
AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
|
||||
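Review bot: `AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'` uses mixed-case `LIKe` where every other line in the file writes `LIKE`; SQLite treats keywords case-insensitively so it runs, but it reads as a typo and defeats a grep for `NOT LIKE`. The same slip appears in `NOT LIKe '/tmp/.com.microsoft.Edge.%'` in the hidden-directories query, `AND NOt pname LIKE '___1Test%'` in the pname query, and `AND NOT url in ('https://aur.archlinux.org')` in the URL query; all four should be upper-cased. The last of those is a single-element list, so `AND url != 'https://aur.archlinux.org'` says the same thing more directly.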
|
|
|
@ -0,0 +1,270 @@
|
|||
-- Finds unexpected device names, sometimes used for communication to a rootkit
|
||||
--
|
||||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
|
||||
--
|
||||
-- Confirmed to catch revenge-rtkit
|
||||
--
|
||||
-- false positives:
|
||||
-- * custom kernel modules
|
||||
--
|
||||
-- tags: persistent filesystem state
|
||||
-- platform: linux
|
||||
SELECT -- Remove numerals from device names
|
||||
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
|
||||
DISTINCT REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""),
|
||||
"3",
|
||||
""
|
||||
),
|
||||
"4",
|
||||
""
|
||||
),
|
||||
"5",
|
||||
""
|
||||
),
|
||||
"6",
|
||||
""
|
||||
),
|
||||
"7",
|
||||
""
|
||||
),
|
||||
"8",
|
||||
""
|
||||
),
|
||||
"9",
|
||||
""
|
||||
) AS path_expr,
|
||||
file.*
|
||||
FROM
|
||||
file
|
||||
WHERE
|
||||
(
|
||||
path LIKE '/dev/%'
|
||||
OR directory LIKE '/dev/%'
|
||||
)
|
||||
AND path_expr NOT IN (
|
||||
'/dev/HID-SENSOR-e..auto',
|
||||
'/dev/acpi_thermal_rel',
|
||||
'/dev/autofs',
|
||||
'/dev/block/',
|
||||
'/dev/disk/by-loop-ref',
|
||||
'/dev/disk/by-loop-inode',
|
||||
'/dev/block/:',
|
||||
'/dev/bsg/',
|
||||
'/dev/bsg/:::',
|
||||
'/dev/btrfs-control',
|
||||
'/dev/bus/',
|
||||
'/dev/bus/usb',
|
||||
'/dev/cdrom',
|
||||
'/dev/cec',
|
||||
'/dev/char/',
|
||||
'/dev/char/:',
|
||||
'/dev/console',
|
||||
'/dev/core',
|
||||
'/dev/cpu/',
|
||||
'/dev/cpu/microcode',
|
||||
'/dev/cpu_dma_latency',
|
||||
'/dev/cros_ec',
|
||||
'/dev/cuse',
|
||||
'/dev/disk/',
|
||||
'/dev/disk/by-diskseq',
|
||||
'/dev/disk/by-dname',
|
||||
'/dev/disk/by-id',
|
||||
'/dev/disk/by-label',
|
||||
'/dev/disk/by-partlabel',
|
||||
'/dev/disk/by-partuuid',
|
||||
'/dev/disk/by-path',
|
||||
'/dev/disk/by-uuid',
|
||||
'/dev/dm-',
|
||||
'/dev/dma_heap/',
|
||||
'/dev/dma_heap/system',
|
||||
'/dev/dmmidi',
|
||||
'/dev/dri/',
|
||||
'/dev/dri/by-path',
|
||||
'/dev/dri/card',
|
||||
'/dev/dri/renderD',
|
||||
'/dev/drm_dp_aux',
|
||||
'/dev/dvd',
|
||||
'/dev/ecryptfs',
|
||||
'/dev/fb',
|
||||
'/dev/fd/',
|
||||
'/dev/full',
|
||||
'/dev/fuse',
|
||||
'/dev/gpiochip',
|
||||
'/dev/hidraw',
|
||||
'/dev/hpet',
|
||||
'/dev/hugepages/',
|
||||
'/dev/hugepages/libvirt',
|
||||
'/dev/hvc',
|
||||
'/dev/hwrng',
|
||||
'/dev/ic-',
|
||||
'/dev/iio:device',
|
||||
'/dev/initctl',
|
||||
'/dev/input/',
|
||||
'/dev/input/by-id',
|
||||
'/dev/input/by-path',
|
||||
'/dev/input/event',
|
||||
'/dev/input/js',
|
||||
'/dev/input/mice',
|
||||
'/dev/input/mouse',
|
||||
'/dev/kfd',
|
||||
'/dev/kmsg',
|
||||
'/dev/kvm',
|
||||
'/dev/libmtp--',
|
||||
'/dev/libmtp--.',
|
||||
'/dev/log',
|
||||
'/dev/loop',
|
||||
'/dev/loop-control',
|
||||
'/dev/lp',
|
||||
'/dev/mapper/',
|
||||
'/dev/mapper/control',
|
||||
'/dev/mcelog',
|
||||
'/dev/md',
|
||||
'/dev/md/',
|
||||
'/dev/md/ssdraid',
|
||||
'/dev/md/ssraid',
|
||||
'/dev/media',
|
||||
'/dev/mei',
|
||||
'/dev/mem',
|
||||
'/dev/midi',
|
||||
'/dev/mmcblk',
|
||||
'/dev/mqueue/',
|
||||
'/dev/mtd',
|
||||
'/dev/mtd/',
|
||||
'/dev/mtd/by-name',
|
||||
'/dev/mtdro',
|
||||
'/dev/net/',
|
||||
'/dev/net/tun',
|
||||
'/dev/ngn',
|
||||
'/dev/null',
|
||||
'/dev/nvidia',
|
||||
'/dev/nvidia-caps/',
|
||||
'/dev/nvidia-caps/nvidia-cap',
|
||||
'/dev/nvidia-modeset',
|
||||
'/dev/nvidia-uvm',
|
||||
'/dev/nvidia-uvm-tools',
|
||||
'/dev/nvidiactl',
|
||||
'/dev/nvme',
|
||||
'/dev/nvme-fabrics',
|
||||
'/dev/nvmen',
|
||||
'/dev/nvmenp',
|
||||
'/dev/nvram',
|
||||
'/dev/port',
|
||||
'/dev/ppp',
|
||||
'/dev/pps',
|
||||
'/dev/psaux',
|
||||
'/dev/ptmx',
|
||||
'/dev/ptp',
|
||||
'/dev/pts/',
|
||||
'/dev/pts/ptmx',
|
||||
'/dev/random',
|
||||
'/dev/rfkill',
|
||||
'/dev/rpool/',
|
||||
'/dev/rpool/keystore',
|
||||
'/dev/rtc',
|
||||
'/dev/sda',
|
||||
'/dev/sdb',
|
||||
'/dev/serial/',
|
||||
'/dev/serial/by-id',
|
||||
'/dev/serial/by-path',
|
||||
'/dev/sg',
|
||||
'/dev/sgx_provision',
|
||||
'/dev/sgx_vepc',
|
||||
'/dev/shm/',
|
||||
'/dev/shm/lttng-ust-wait--',
|
||||
'/dev/shm/i-log-',
|
||||
'/dev/shm/jack_db-',
|
||||
'/dev/shm/libpod_lock',
|
||||
'/dev/shm/libpod_rootless_lock_',
|
||||
'/dev/shm/pulse-shm-',
|
||||
'/dev/snapshot',
|
||||
'/dev/snd/',
|
||||
'/dev/snd/by-id',
|
||||
'/dev/snd/by-path',
|
||||
'/dev/snd/controlC',
|
||||
'/dev/snd/hwCD',
|
||||
'/dev/snd/midiCD',
|
||||
'/dev/snd/pcmCDc',
|
||||
'/dev/snd/pcmCDp',
|
||||
'/dev/snd/seq',
|
||||
'/dev/snd/timer',
|
||||
'/dev/sr',
|
||||
'/dev/stderr',
|
||||
'/dev/stdin',
|
||||
'/dev/stdout',
|
||||
'/dev/tpm',
|
||||
'/dev/tpmrm',
|
||||
'/dev/tty',
|
||||
'/dev/ttyACM',
|
||||
'/dev/ttyAMA',
|
||||
'/dev/ttyS',
|
||||
'/dev/ttyUSB',
|
||||
'/dev/ttyprintk',
|
||||
'/dev/ubuntu-vg/',
|
||||
'/dev/udmabuf',
|
||||
'/dev/uhid',
|
||||
'/dev/uinput',
|
||||
'/dev/urandom',
|
||||
'/dev/usb/',
|
||||
'/dev/usb/hiddev',
|
||||
'/dev/usbmon',
|
||||
'/dev/userfaultfd',
|
||||
'/dev/userio',
|
||||
'/dev/vboxdrv',
|
||||
'/dev/vboxdrvu',
|
||||
'/dev/vboxnetctl',
|
||||
'/dev/vboxusb/',
|
||||
'/dev/vcs',
|
||||
'/dev/vcsa',
|
||||
'/dev/vcsu',
|
||||
'/dev/vda',
|
||||
'/dev/vfio/',
|
||||
'/dev/vfio/vfio',
|
||||
'/dev/vg/',
|
||||
'/dev/vg/root',
|
||||
'/dev/vg/swap',
|
||||
'/dev/vga_arbiter',
|
||||
'/dev/vgubuntu/',
|
||||
'/dev/vgubuntu/incus-default',
|
||||
'/dev/vgubuntu/root',
|
||||
'/dev/vgubuntu/swap',
|
||||
'/dev/vgubuntu/swap_',
|
||||
'/dev/vhci',
|
||||
'/dev/vhost-net',
|
||||
'/dev/vhost-vsock',
|
||||
'/dev/video',
|
||||
'/dev/vl/',
|
||||
'/dev/vl/by-id',
|
||||
'/dev/vl/by-path',
|
||||
'/dev/vlloopback',
|
||||
'/dev/vportp',
|
||||
'/dev/vsock',
|
||||
'/dev/watchdog',
|
||||
'/dev/wmi/',
|
||||
'/dev/wmi/dell-smbios',
|
||||
'/dev/wwanat',
|
||||
'/dev/wwanmbim',
|
||||
'/dev/zd',
|
||||
'/dev/zero',
|
||||
'/dev/zfs',
|
||||
'/dev/zram',
|
||||
'/dev/zvol/',
|
||||
'/dev/zvol/rpool'
|
||||
)
|
||||
AND NOT path LIKE '/dev/mapper/%'
|
||||
AND NOT path LIKE '/dev/shm/byobu-%'
|
||||
AND NOT path LIKE '/dev/shm/sem.rpc%'
|
||||
AND NOT path LIKE '/dev/mqueue/us.zoom.aom.%'
|
||||
AND NOT path LIKE '/dev/shm/aomshm.%'
|
||||
AND NOT path LIKE '/dev/shm/sem.mp-%'
|
||||
AND NOT path LIKE '/dev/shm/u%-Shm_%'
|
||||
AND NOT path LIKE '/dev/shm/.com.google.Chrome.%'
|
||||
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
|
||||
AND NOT path LIKE '/dev/%-vg/%-lv'
|
|
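Review bot: The `REPLACE(...)` chain in the new `/dev` query passes its string arguments in double quotes (`"0"`, `""`) while the rest of the file uses single quotes (`'/dev/%'`); SQLite only accepts `"0"` as a string through its legacy double-quoted-identifier fallback, so `REPLACE(path, '0', '')` is the safer and consistent form at all nine levels. The header comment should also say that stripping every digit from `path` is position-insensitive: `'/dev/sda'` covers `sda1` as intended, but the normalisation collapses any name whose non-digit characters match an allowlisted entry, which is coarser than the "remove the device index" the `SELECT` comment describes. The `'/dev/mapper/'` entry in the `NOT IN` list appears redundant, since `AND NOT path LIKE '/dev/mapper/%'` already excludes it.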
@ -93,6 +93,7 @@ WHERE
|
|||
'2380,6,500,etcd',
|
||||
'24800,6,500,synergy-core',
|
||||
'24802,6,500,synergy-service',
|
||||
'255,255,0,atop',
|
||||
'255,255,500,mtr-packet',
|
||||
'27036,6,500,steam',
|
||||
'27500,6,500,passimd',
|
||||
|
@ -149,6 +150,7 @@ WHERE
|
|||
'631,17,115,cups-browsed',
|
||||
'631,17,116,cups-browsed',
|
||||
'631,17,121,cups-browsed',
|
||||
'631,17,132,cups-browsed',
|
||||
'631,17,133,cups-browsed',
|
||||
'6379,6,500,redis-server',
|
||||
'6443,6,0,kube-apiserver',
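Review bot: The new `'255,255,0,atop'` key is opaque without a comment: in this list the fields appear to be port,protocol,uid,name (`'24800,6,500,synergy-core'` is TCP 24800 as uid 500), so `255,255` is not a port but IPPROTO_RAW, and the row exempts a raw socket held as root by any process named atop, matched on name alone, just like the neighbouring `'255,255,500,mtr-packet'` entry. Add a comment beside it so the next reader does not take 255 for a port number, e.g. `-- 255,255 = raw socket (IPPROTO_RAW), not a TCP/UDP port`. The cups-browsed entries in the second hunk now enumerate five distro-assigned uids (115, 116, 121, 132, 133); if that keeps growing, a `LIKE '631,17,%,cups-browsed'` clause alongside the IN list would be easier to maintain than another literal per distribution.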
|
||||
|
|
|
@ -54,6 +54,7 @@ WHERE
|
|||
AND NOT exception_key IN (
|
||||
'10011,6,0,launchd,Software Signing',
|
||||
'10011,6,0,webfilterproxyd,Software Signing',
|
||||
'49152,6,500,Capture One,Developer ID Application: Capture One A/S (5WTDB5F65L)',
|
||||
'1024,6,0,systemmigrationd,Software Signing',
|
||||
'10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
|
||||
'111,17,1,rpcbind,Software Signing',
|
||||
|
@ -125,6 +126,7 @@ WHERE
|
|||
'49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
|
||||
'49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
|
||||
'49152,6,500,GarageBand,Apple Mac OS Application Signing',
|
||||
'49152,6,500,HP Smart,Apple Mac OS Application Signing',
|
||||
'49152,6,500,git-daemon,',
|
||||
'49152,6,500,idea,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
|
||||
'49152,6,500,IPNExtension,Apple Mac OS Application Signing',
|
||||
|
@ -137,6 +139,7 @@ WHERE
|
|||
'49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
|
||||
'49152,6,500,Music,Software Signing',
|
||||
'49152,6,500,node,',
|
||||
'49152,6,500,HP Smart,Apple Mac OS Application Signing',
|
||||
'49152,6,500,qemu-system-aarch64,',
|
||||
'49152,6,500,rapportd,Software Signing',
|
||||
'49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
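Review bot: `'49152,6,500,HP Smart,Apple Mac OS Application Signing'` now appears twice in the same `exception_key IN (...)` list — once between GarageBand and git-daemon in the second hunk and again between node and qemu-system-aarch64 in the third — and the second copy, which sits out of the list's alphabetical order, looks like the one this commit adds; drop it, since the key already matched and a duplicate literal only hides that on the next review. In the first hunk the Capture One entry is likewise placed among the 10xxx-port keys rather than with the other 49152 entries; keeping the list sorted is what makes duplicates like the HP Smart one visible. The IN list itself opens and closes outside these hunks.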
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
-- refs:
|
||||
-- * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service)
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- tags: transient process events extra
|
||||
-- platform: linux
|
||||
-- interval: 300
|
||||
SELECT -- Child
|
||||
|
@ -77,6 +77,7 @@ WHERE
|
|||
'systemctl,0,kubeadm,containerd-shim-runc-v2',
|
||||
'systemctl,0,pacman,pacman',
|
||||
'systemctl,0,pacman,sudo',
|
||||
'systemctl,500,snap,update-notifier',
|
||||
'systemctl,0,snapd,systemd',
|
||||
'systemctl,0,tailscaled,',
|
||||
'systemctl,500,strace,bash',
|
||||
|
@ -95,6 +96,8 @@ WHERE
|
|||
'/bin/systemctl -q is-enabled whoopsie.path',
|
||||
'/bin/systemctl --quiet is-enabled whoopsie.path',
|
||||
'/bin/systemctl stop --no-block nvidia-persistenced',
|
||||
'/usr/bin/systemctl is-system-running',
|
||||
'systemctl is-system-running',
|
||||
'/sbin/runlevel',
|
||||
'systemctl is-active systemd-resolved.service',
|
||||
'systemctl is-enabled power-profiles-daemon.service',
|
||||
|
@ -116,7 +119,8 @@ WHERE
|
|||
'systemctl --system daemon-reexec',
|
||||
'systemctl --user import-environment DISPLAY XAUTHORITY',
|
||||
'/usr/bin/systemctl try-reload-or-restart dbus',
|
||||
'/usr/bin/systemctl --user is-active slack'
|
||||
'/usr/bin/systemctl --user is-active slack',
|
||||
'systemctl --user is-active slack'
|
||||
) -- apt-helper form
|
||||
AND NOT p0_cmd LIKE '%systemctl is-active -q %.service'
|
||||
AND NOT p0_cmd LIKE '%systemctl show --property=%'
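Review bot: `'systemctl,500,strace,bash'` in the second hunk appears to exempt every systemctl invocation run under strace from a user shell regardless of its arguments: if the key is child,uid,parent,grandparent as `'systemctl,0,kubeadm,containerd-shim-runc-v2'` suggests, and each `AND NOT … IN (...)` clause exempts on its own (the `p0_cmd` filters visible at the end of the last hunk are separate conditions), then `systemctl enable`/`start` traced from bash is no longer seen. If this quiets a specific debugging workflow, say so next to the entry, e.g. `-- strace'd systemctl from a user shell; debugging sessions only`, and consider a `p0_cmd` pattern instead of a parent-name key, since a parent name is the cheapest attribute to mimic. The enclosing WHERE clause starts before the second hunk, so the evaluation order is inferred from the visible lines.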
|
||||
|
|
|
@ -83,8 +83,11 @@ WHERE
|
|||
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
|
||||
'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
|
||||
'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
|
||||
'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
|
||||
'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
|
||||
|
@ -93,6 +96,7 @@ WHERE
|
|||
'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
|
||||
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
|
||||
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
|
||||
'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
|
||||
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
|
||||
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
|
||||
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
|
||||
|
@ -104,7 +108,9 @@ WHERE
|
|||
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
|
||||
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
|
||||
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
|
||||
'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
|
||||
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
|
||||
'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
|
||||
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
|
||||
'blueman-mechanism.service,Bluetooth management mechanism,,200',
|
||||
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
|
||||
|
@ -308,6 +314,8 @@ WHERE
|
|||
'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
|
||||
'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
|
||||
'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
|
||||
'sleep,/usr/bin/sleep,0,system.slice,system-btrfs\x2ddedup.slice,0755',
|
||||
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
|
||||
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
|
||||
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
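Review bot: `'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755'` is inserted twice in the same list — once after `acpid` in the second hunk and again after `bash` in the third — and both placements are out of the list's alphabetical order, so both look new; keep one, in sorted position (among the `r…` entries, outside these hunks). The new `atopacctd` entry is likewise filed after `auditd` rather than before `atd`. While the list is open: the pre-existing `'blueman-mechanism.service,Bluetooth management mechanism,,200'` has four fields where every other key has six (name,path,uid,slice,unit,mode), so it can never match this exception_key and is probably a paste from a different query; worth removing so the dead entry does not look like coverage.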
|
||||
|
|
|
@ -62,6 +62,7 @@ WHERE -- Focus on longer-running programs
|
|||
'/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim',
|
||||
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
|
||||
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
|
||||
'/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd',
|
||||
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
|
||||
'/bin/bash',
|
||||
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
|
||||
|
@ -317,6 +318,7 @@ WHERE -- Focus on longer-running programs
|
|||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
|
||||
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
|
||||
'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)',
|
||||
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
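Review bot: Both `'/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd'` and `'/bin/bash'` sit out of the sort order the rest of this path list keeps (`/bin/…` sorts after `/Library/…`), and with the add markers lost it is not clear which one this commit introduces; if it is `/bin/bash`, that appears to exempt every persistent shell from a rule whose WHERE comment says it focuses on longer-running programs, a far broader carve-out than the single-binary entries around it and one that deserves a comment stating the intent, e.g. `-- TODO: narrow the /bin/bash exemption by parent or cmdline; it exempts any long-lived shell`. The same ordering slip applies to `'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)'` in the second hunk, which lands between Foxit and Fumihiko instead of among the S entries. Both IN lists open and close outside these hunks.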
|
||||
|
|
|
@ -39,6 +39,7 @@ WHERE
|
|||
'/usr/bin/crontab',
|
||||
'/usr/bin/fusermount',
|
||||
'/usr/bin/fusermount3',
|
||||
'/usr/bin/schroot',
|
||||
'/usr/bin/keybase-redirector',
|
||||
'/usr/bin/login',
|
||||
'/usr/bin/mount',
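Review bot: `'/usr/bin/schroot'` is inserted between `fusermount3` and `keybase-redirector`, breaking the alphabetical order the rest of this list keeps; move it to its sorted position after the `/usr/bin/mount` entry (the remainder of the list is outside the hunk). On an allowlist of privileged binaries a sorted list is what lets a reviewer spot a duplicate or a stale path at a glance, so the order is worth keeping.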
|
||||
|
|