mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-18 03:54:30 +00:00
False positive removal and minor query perf improvements
This commit is contained in:
Thomas Stromberg
parent
593991adb8
commit
4f4ae0ed38
@ -91,6 +91,7 @@ WHERE
|
||||
'bash,~/go/src',
|
||||
'bash,~/.local/share',
|
||||
'bash,~/.Trash',
|
||||
'cc1,/home/build/.cache',
|
||||
'cc1plus,~/.cache/yay',
|
||||
'c++,~/.cache/yay',
|
||||
'cgo,~/.gimme/versions',
|
||||
@ -98,16 +99,16 @@ WHERE
|
||||
'Electron,~/.vscode/extensions',
|
||||
'fish,~/.local/share',
|
||||
'fish,~/.Trash',
|
||||
'cc1,/home/build/.cache',
|
||||
'git,~/.local/share',
|
||||
'java,~/.gradle/daemon',
|
||||
'java,~/.local/share',
|
||||
'make,~/.cache/yay',
|
||||
'vet,/home/build/.cache',
|
||||
'makepkg,~/.cache/yay',
|
||||
'mysqld,~/.local/share',
|
||||
'npm install,~/.npm/_cacache',
|
||||
'opera_autoupdate,/private/var/folders',
|
||||
'rust-analyzer-p,~/.cargo/registry',
|
||||
'vet,/home/build/.cache',
|
||||
'zsh,~/.Trash'
|
||||
)
|
||||
OR exception_key LIKE '%sh,~/.Trash/%'
|
||||
|
||||
@ -77,7 +77,6 @@ WHERE
|
||||
AND pe.status = 0
|
||||
AND pe.cmdline != ''
|
||||
AND pe.cmdline IS NOT NULL
|
||||
AND pe.status == 0
|
||||
AND (
|
||||
p0_name IN (
|
||||
'bitspin',
|
||||
|
||||
@ -5,8 +5,7 @@
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
f.ctime,
|
||||
SELECT f.ctime,
|
||||
f.btime,
|
||||
f.mtime,
|
||||
p0.start_time,
|
||||
@ -33,8 +32,7 @@ SELECT
|
||||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM
|
||||
processes p0
|
||||
FROM processes p0
|
||||
LEFT JOIN signature s ON p0.path = s.path
|
||||
LEFT JOIN file f ON p0.path = f.path
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
@ -42,10 +40,52 @@ FROM
|
||||
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
p0.start_time > 0
|
||||
WHERE p0.pid IN (
|
||||
SELECT pid
|
||||
FROM processes
|
||||
WHERE start_time > 0
|
||||
AND start_time > (strftime('%s', 'now') - 7200)
|
||||
AND pid > 0
|
||||
AND REGEX_MATCH (
|
||||
path,
|
||||
"^(/System|/usr/libexec/|/usr/sbin/|/usr/local/Cellar/|/opt/homebrew/|/nix/store/|/usr/bin/|/usr/lib/|/bin/|/Applications|/Library/Apple/|/sbin/|/usr/local/kolide-k2)",
|
||||
1
|
||||
) IS NULL
|
||||
AND path != ""
|
||||
AND NOT path LIKE '/Applications/%.app/%'
|
||||
AND NOT path LIKE '%-go-build%'
|
||||
AND NOT path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%'
|
||||
AND NOT path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' -- Known parent processes, typically GUI shells and updaters
|
||||
AND NOT path LIKE '/Library/Application Support/Logitech.localized/%'
|
||||
AND NOT path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
|
||||
AND NOT path LIKE '/private/tmp/go-%'
|
||||
AND NOT path LIKE '/private/tmp/nix-build-%'
|
||||
AND NOT path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
|
||||
AND NOT path LIKE '/private/var/folders/%/bin/%'
|
||||
AND NOT path LIKE '/private/var/folders/%/go-build%'
|
||||
AND NOT path LIKE '/private/var/folders/%/GoLand/%'
|
||||
AND NOT path LIKE '/private/var/folders/%/T/download/ARMDCHammer'
|
||||
AND NOT path LIKE '/private/var/folders/%/T/pulumi-go.%'
|
||||
AND NOT path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper'
|
||||
AND NOT path LIKE '/Users/%/bin/%'
|
||||
AND NOT path LIKE '/Users/%/code/%'
|
||||
AND NOT path LIKE '/Users/%/dev/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
|
||||
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
|
||||
AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%'
|
||||
AND NOT path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper'
|
||||
AND NOT path LIKE '/Users/%/src/%'
|
||||
AND NOT path LIKE '/Users/%/terraform-provider-%'
|
||||
AND NOT path LIKE '/Users/%/%.test'
|
||||
AND NOT path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
|
||||
AND NOT path LIKE '/usr/local/Cellar/%'
|
||||
AND NOT path LIKE '/usr/sbin/%'
|
||||
AND NOT path LIKE '%/.vscode/extensions/%'
|
||||
)
|
||||
AND f.ctime > 0
|
||||
AND p0.start_time > (strftime('%s', 'now') - 7200)
|
||||
AND (p0.start_time - MAX(f.ctime, f.btime)) < 180
|
||||
AND p0.start_time >= MAX(f.ctime, f.ctime)
|
||||
AND s.authority NOT IN (
|
||||
@ -82,43 +122,6 @@ WHERE
|
||||
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
||||
'Software Signing'
|
||||
)
|
||||
AND NOT p0.path LIKE '/Applications/%.app/%'
|
||||
AND NOT p0.path LIKE '%-go-build%'
|
||||
AND NOT p0.path LIKE '/Library/Apple/System/%'
|
||||
AND NOT p0.path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%'
|
||||
AND NOT p0.path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' -- Known parent processes, typically GUI shells and updaters
|
||||
AND NOT p0.path LIKE '/Library/Application Support/Logitech.localized/%'
|
||||
AND NOT p0.path LIKE '/nix/store/%/bin/%'
|
||||
AND NOT p0.path LIKE '/opt/homebrew/bin/%'
|
||||
AND NOT p0.path LIKE '/opt/homebrew/Cellar/%'
|
||||
AND NOT p0.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
|
||||
AND NOT p0.path LIKE '/private/tmp/go-build%'
|
||||
AND NOT p0.path LIKE '/private/tmp/go-%/go/pkg/%'
|
||||
AND NOT p0.path LIKE '/private/tmp/nix-build-%'
|
||||
AND NOT p0.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
|
||||
AND NOT p0.path LIKE '/private/var/folders/%/bin/%'
|
||||
AND NOT p0.path LIKE '/private/var/folders/%/go-build%'
|
||||
AND NOT p0.path LIKE '/private/var/folders/%/T/download/ARMDCHammer'
|
||||
AND NOT p0.path LIKE '/private/var/folders/%/GoLand/%'
|
||||
AND NOT p0.path LIKE '/private/var/folders/%/T/pulumi-go.%'
|
||||
AND NOT p0.path LIKE '/Users/%/bin/%'
|
||||
AND NOT p0.path LIKE '/Users/%/code/%'
|
||||
AND NOT p0.path LIKE '/Users/%/dev/%'
|
||||
AND NOT p0.path LIKE '/Users/%/src/%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%'
|
||||
AND NOT p0.path LIKE '/Users/%/terraform-provider-%'
|
||||
AND NOT p0.path LIKE '/Users/%/%.test'
|
||||
AND NOT p0.path LIKE '/usr/local/bin/%'
|
||||
AND NOT p0.path LIKE '/usr/local/Cellar/%'
|
||||
AND NOT p0.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
|
||||
AND NOT p0.path LIKE '%/.vscode/extensions/%'
|
||||
AND NOT p0.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
|
||||
AND NOT p0.path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper'
|
||||
AND NOT p0.path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper'
|
||||
AND NOT (
|
||||
p0.path LIKE '/Users/%/__debug_bin'
|
||||
AND s.identifier = 'a.out'
|
||||
@ -135,5 +138,4 @@ WHERE
|
||||
AND s.identifier = 'com.apple.print.PrinterProxy'
|
||||
AND s.authority = ''
|
||||
)
|
||||
GROUP BY
|
||||
p0.pid
|
||||
GROUP BY p0.pid
|
||||
@ -10,30 +10,29 @@
|
||||
-- interval: 240
|
||||
-- platform: darwin
|
||||
-- tags: filesystem events
|
||||
SELECT
|
||||
SELECT REGEX_MATCH (REPLACE(pe.path, u.directory, '~'), '(.*)/', 1) AS dir,
|
||||
REGEX_MATCH (
|
||||
REPLACE(pe.path, u.directory, '~'),
|
||||
'(~*/.*?)/',
|
||||
1
|
||||
) AS top1_dir,
|
||||
REGEX_MATCH (
|
||||
REPLACE(pe.path, u.directory, '~'),
|
||||
'(~*/.*?/.*?/.*?)/',
|
||||
1
|
||||
) AS top3_dir,
|
||||
-- Child
|
||||
pe.path AS p0_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
|
||||
REGEX_MATCH (p.path, '(.*)/', 1) AS dir,
|
||||
REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
|
||||
REPLACE(f.directory, u.directory, '~') AS homedir,
|
||||
REGEX_MATCH (
|
||||
REPLACE(f.directory, u.directory, '~'),
|
||||
'(~/.*?/.*?/.*?/)',
|
||||
1
|
||||
) AS top3_homedir,
|
||||
REGEX_MATCH (
|
||||
REPLACE(f.directory, u.directory, '~'),
|
||||
'(~/.*?/)',
|
||||
1
|
||||
) AS top_homedir, -- 1 level deep
|
||||
TRIM(pe.cmdline) AS p0_cmd,
|
||||
pe.cwd AS p0_cwd,
|
||||
-- pe.cwd is NULL on macOS
|
||||
p.cwd AS p0_cwd,
|
||||
pe.pid AS p0_pid,
|
||||
pe.euid AS p0_euid,
|
||||
-- Parent
|
||||
pe.parent AS p1_pid,
|
||||
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
|
||||
p1.cwd AS p1_cwd,
|
||||
COALESCE(p1.path, pe1.path) AS p1_path,
|
||||
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
|
||||
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
|
||||
@ -42,6 +41,7 @@ SELECT
|
||||
TRIM(
|
||||
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
|
||||
) AS p2_cmd,
|
||||
p1_p2.cwd AS p2_cwd,
|
||||
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
|
||||
COALESCE(
|
||||
p1_p2_hash.path,
|
||||
@ -53,19 +53,16 @@ SELECT
|
||||
'.*/(.*)',
|
||||
1
|
||||
) AS p2_name
|
||||
FROM
|
||||
process_events pe
|
||||
FROM process_events pe
|
||||
LEFT JOIN file f ON pe.path = f.path
|
||||
LEFT JOIN signature S ON pe.path = s.path
|
||||
LEFT JOIN users u ON pe.euid = u.uid
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
-- Parents (via two paths)
|
||||
LEFT JOIN users u ON pe.uid = u.uid
|
||||
LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths)
|
||||
LEFT JOIN processes p1 ON pe.parent = p1.pid
|
||||
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
|
||||
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
|
||||
AND pe1.cmdline != ''
|
||||
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
|
||||
-- Grandparents (via 3 paths)
|
||||
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path -- Grandparents (via 3 paths)
|
||||
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
|
||||
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
|
||||
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
|
||||
@ -73,13 +70,72 @@ FROM
|
||||
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
|
||||
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
|
||||
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
|
||||
WHERE
|
||||
pe.time > (strftime('%s', 'now') -240)
|
||||
-- The process_events table on macOS ends up with relative directories for some reason?
|
||||
AND dir LIKE '/%'
|
||||
AND f.size > 0
|
||||
WHERE pe.time > (strftime('%s', 'now') -240)
|
||||
AND pe.status = 0
|
||||
AND pe.cmdline != ''
|
||||
AND pe.cmdline IS NOT NULL
|
||||
AND top1_dir NOT IN (
|
||||
'/Applications',
|
||||
'~/Applications',
|
||||
'~/Applications (Parallels)',
|
||||
'~/bin',
|
||||
'~/.cargo',
|
||||
'~/chainguard',
|
||||
'~/code',
|
||||
'~/Code',
|
||||
'~/.config',
|
||||
'~/git',
|
||||
'~/github',
|
||||
'~/go',
|
||||
'~/google-cloud-sdk',
|
||||
'~/.gradle',
|
||||
'~/homebrew',
|
||||
'~/.kuberlr',
|
||||
-- '~/Library',
|
||||
'~/.local',
|
||||
'/nix',
|
||||
'~/Parallels',
|
||||
'~/proj',
|
||||
'~/projects',
|
||||
'~/Projects',
|
||||
'~/.provisio',
|
||||
'~/.pulumi',
|
||||
'~/.pyenv',
|
||||
'~/.rustup',
|
||||
'~/src',
|
||||
'/System',
|
||||
'~/.tflint.d',
|
||||
'~/.vscode',
|
||||
'~/.vs-kubernetes'
|
||||
)
|
||||
AND top3_dir NOT IN (
|
||||
'/Library/Apple/System',
|
||||
'/usr/libexec/AssetCache',
|
||||
'/usr/libexec/rosetta',
|
||||
'/Library/Developer/CommandLineTools',
|
||||
'/Library/Application Support/Adobe',
|
||||
'~/Library/Application Support/BraveSoftware',
|
||||
'~/Library/Application Support/com.elgato.StreamDeck',
|
||||
'/Library/Application Support/GPGTools',
|
||||
'~/Library/Application Support/JetBrains',
|
||||
'~/Library/Google/GoogleSoftwareUpdate',
|
||||
'~/Library/Caches/com.mimestream.Mimestream',
|
||||
'~/Library/Caches/snyk',
|
||||
'/Library/Google/GoogleSoftwareUpdate',
|
||||
'/opt/homebrew/Caskroom',
|
||||
'/opt/homebrew/Cellar',
|
||||
'/usr/local/kolide-k2'
|
||||
)
|
||||
AND dir NOT IN (
|
||||
'/bin',
|
||||
'~/bin',
|
||||
'~/code/bin',
|
||||
'~/Downloads/google-cloud-sdk/bin',
|
||||
'~/Downloads/protoc/bin',
|
||||
'~/go/bin',
|
||||
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
|
||||
'~/Library/Application Support/dev.warp.Warp-Stable',
|
||||
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
|
||||
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
|
||||
'/Library/DropboxHelperTools/Dropbox_u501',
|
||||
'/Library/Filesystems/kbfuse.fs/Contents/Resources',
|
||||
@ -89,13 +145,13 @@ WHERE
|
||||
'/Library/Printers/DYMO/Utilities',
|
||||
'/Library/PrivilegedHelperTools',
|
||||
'/Library/TeX/texbin',
|
||||
'/nix/store',
|
||||
'/nix/var/nix/profiles/default/bin',
|
||||
'~/.local/bin',
|
||||
'~/.magefile',
|
||||
'/node_modules/.bin',
|
||||
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
|
||||
'/opt/usr/bin',
|
||||
'/opt/X11/bin',
|
||||
'/opt/X11/libexec',
|
||||
'~/projects/go/bin',
|
||||
'/run/current-system/sw/bin',
|
||||
'/sbin',
|
||||
'/usr/bin',
|
||||
@ -113,114 +169,40 @@ WHERE
|
||||
'/usr/lib/system',
|
||||
'/usr/local/bin',
|
||||
'/usr/sbin'
|
||||
)
|
||||
AND top_dir NOT IN (
|
||||
'/Applications/Firefox.app/Contents',
|
||||
'/Applications/Google Chrome.app/Contents',
|
||||
'/Library/Apple/System',
|
||||
'/Library/Application Support/Adobe',
|
||||
'/Library/Application Support/GPGTools',
|
||||
'/Library/Google/GoogleSoftwareUpdate',
|
||||
'/System/Applications/Mail.app',
|
||||
'/System/Applications/Music.app',
|
||||
'/System/Applications/News.app',
|
||||
'/System/Applications/TV.app',
|
||||
'/System/Applications/Weather.app',
|
||||
'/System/Library/CoreServices',
|
||||
'/System/Library/Filesystems',
|
||||
'/System/Library/Frameworks',
|
||||
'/System/Library/PrivateFrameworks',
|
||||
'/System/Library/SystemConfiguration',
|
||||
'/System/Library/SystemProfiler',
|
||||
'/System/Volumes/Preboot',
|
||||
'/usr/local/kolide-k2'
|
||||
)
|
||||
AND homedir NOT IN (
|
||||
'~/bin',
|
||||
'~/code/bin',
|
||||
'~/Downloads/google-cloud-sdk/bin',
|
||||
'~/Library/Application Support/dev.warp.Warp-Stable',
|
||||
'~/go/bin',
|
||||
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
|
||||
'~/.local/bin',
|
||||
'~/.magefile',
|
||||
'~/Downloads/protoc/bin',
|
||||
'~/projects/go/bin'
|
||||
)
|
||||
AND top3_homedir NOT IN (
|
||||
'~/Library/Application Support/com.elgato.StreamDeck/',
|
||||
'~/Library/Caches/snyk/',
|
||||
'~/Library/Caches/com.mimestream.Mimestream/',
|
||||
'~/Library/Application Support/JetBrains/',
|
||||
'~/Library/Application Support/BraveSoftware/'
|
||||
)
|
||||
AND top_homedir NOT IN (
|
||||
'~/Applications/',
|
||||
'~/Applications (Parallels)/',
|
||||
'~/bin/',
|
||||
'~/.cargo/',
|
||||
'~/chainguard/',
|
||||
'~/code/',
|
||||
'~/Code/',
|
||||
'~/.config/',
|
||||
'~/git/',
|
||||
'~/github/',
|
||||
'~/go/',
|
||||
'~/google-cloud-sdk/',
|
||||
'~/homebrew/',
|
||||
'~/.kuberlr/',
|
||||
-- '~/Library/',
|
||||
'~/.gradle/',
|
||||
'~/.local/',
|
||||
'~/Parallels/',
|
||||
'~/proj/',
|
||||
'~/projects/',
|
||||
'~/Projects/',
|
||||
'~/.pulumi/',
|
||||
'~/.provisio/',
|
||||
'~/.pyenv/',
|
||||
'~/.rustup/',
|
||||
'~/src/',
|
||||
'~/.tflint.d/',
|
||||
'~/.vscode/',
|
||||
'~/.vs-kubernetes/'
|
||||
)
|
||||
-- Locally built executables
|
||||
) -- Locally built executables
|
||||
AND NOT (
|
||||
s.identifier = 'a.out'
|
||||
AND homedir LIKE '~/%'
|
||||
AND dir LIKE '~/%'
|
||||
AND p1_name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
|
||||
)
|
||||
AND NOT (
|
||||
s.authority = ''
|
||||
AND homedir LIKE '~/%'
|
||||
AND dir LIKE '~/%'
|
||||
AND p1_name IN ('fish', 'sh', 'bash', 'zsh')
|
||||
AND p.cmdline LIKE './%'
|
||||
)
|
||||
AND dir NOT LIKE '../%' -- data issue
|
||||
AND dir NOT LIKE '/Applications/%'
|
||||
AND dir NOT LIKE '~/%/bin'
|
||||
AND dir NOT LIKE '~/%/google-cloud-sdk/bin/%'
|
||||
AND dir NOT LIKE '~/Library/Caches/ms-playwright/%'
|
||||
AND dir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
|
||||
AND dir NOT LIKE '~/.local/%/packages/%'
|
||||
AND dir NOT LIKE '~/%/node_modules/.pnpm/%'
|
||||
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
|
||||
AND dir NOT LIKE '/private/tmp/go-build%/exe'
|
||||
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
|
||||
AND dir NOT LIKE '/private/tmp/nix-build-%'
|
||||
AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
|
||||
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
|
||||
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
|
||||
AND dir NOT LIKE '/private/var/folders/%/bin'
|
||||
AND dir NOT LIKE '/private/var/folders/%/Contents/%'
|
||||
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
|
||||
AND dir NOT LIKE '/private/var/folders/%/go-build%'
|
||||
AND dir NOT LIKE '/private/var/folders/%/GoLand'
|
||||
AND dir NOT LIKE '~/%repo%'
|
||||
AND dir NOT LIKE '~/%sigstore%'
|
||||
AND dir NOT LIKE '%/.terraform/providers/%'
|
||||
AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
|
||||
AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%'
|
||||
AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
|
||||
AND homedir NOT LIKE '~/%/node_modules/.pnpm/%'
|
||||
AND homedir NOT LIKE '~/%repo%'
|
||||
AND homedir NOT LIKE '~/.local/%/packages/%'
|
||||
AND homedir NOT LIKE '~/%sigstore%'
|
||||
AND homedir NOT LIKE '~/%/bin'
|
||||
AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
|
||||
-- These signers can run from wherever the hell they want.
|
||||
AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%' -- These signers can run from wherever the hell they want.
|
||||
AND s.authority NOT IN (
|
||||
'Apple iPhone OS Application Signing',
|
||||
'Apple Mac OS Application Signing',
|
||||
@ -237,7 +219,8 @@ WHERE
|
||||
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
|
||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||
'Developer ID Application: Ned Deily (DJ3H93M7VJ)', -- Python
|
||||
'Developer ID Application: Ned Deily (DJ3H93M7VJ)',
|
||||
-- ^-- Python
|
||||
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
|
||||
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
|
||||
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
|
||||
@ -248,9 +231,7 @@ WHERE
|
||||
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
|
||||
'Software Signing'
|
||||
)
|
||||
-- Don't spam alerts with repeated invocations of the same command-line
|
||||
GROUP BY
|
||||
p.cmdline,
|
||||
) -- Don't spam alerts with repeated invocations of the same command-line
|
||||
GROUP BY p.cmdline,
|
||||
p.cwd,
|
||||
p.euid;
|
||||
@ -87,8 +87,10 @@ WHERE
|
||||
'com.docker.backend',
|
||||
'conmon',
|
||||
'containerd-shim',
|
||||
'containerd-shim-runc-v2',
|
||||
'cpptools',
|
||||
'dash',
|
||||
'dbus-run-session',
|
||||
'demoit',
|
||||
'direnv',
|
||||
'doas',
|
||||
@ -137,6 +139,7 @@ WHERE
|
||||
'package_script_service',
|
||||
'perl',
|
||||
'PK-Backend',
|
||||
'provisio',
|
||||
'pulumi',
|
||||
-- 'python' - do not include this, or you won't detect supply-chain attacks.
|
||||
'roxterm',
|
||||
@ -147,7 +150,7 @@ WHERE
|
||||
'skhd',
|
||||
'snyk',
|
||||
'sshd',
|
||||
'provisio',
|
||||
'stable',
|
||||
'Stream Deck',
|
||||
'sudo',
|
||||
'swift',
|
||||
@ -156,7 +159,6 @@ WHERE
|
||||
'terminator',
|
||||
'terraform-ls',
|
||||
'test2json',
|
||||
'containerd-shim-runc-v2',
|
||||
'tmux',
|
||||
'tmux:server',
|
||||
'update-notifier',
|
||||
@ -182,21 +184,23 @@ WHERE
|
||||
-- Homebrew, except we don't want to allow all of ruby
|
||||
OR p0_cmd IN (
|
||||
'/bin/bash /usr/bin/xdg-settings set default-url-scheme-handler slack Slack.desktop',
|
||||
'/bin/sh -c lsb_release -a --short',
|
||||
"sh -c pacmd list-sinks |grep 'name:\|module:'",
|
||||
'sh -c cat /proc/sys/kernel/pid_max',
|
||||
'sh -c pactl --version',
|
||||
'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
|
||||
'/bin/sh /usr/bin/lsb_release -a --short',
|
||||
'/bin/sh -c black .',
|
||||
'/bin/zsh -c ls',
|
||||
'/bin/sh -c scutil --get ComputerName',
|
||||
'/bin/sh /usr/bin/lsb_release -a',
|
||||
'/bin/bash /usr/local/bin/mount-product-files',
|
||||
'sh -c /bin/stty size 2>/dev/null',
|
||||
"sh -c osascript -e 'user locale of (get system info)'",
|
||||
'sh -c python3.7 --version 2>&1',
|
||||
'/bin/sh -c black .',
|
||||
'/bin/sh -c lsb_release -a --short',
|
||||
'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
|
||||
'/bin/sh -c scutil --get ComputerName',
|
||||
'/bin/sh -c sysctl hw.model kern.osrelease',
|
||||
'/bin/sh /usr/bin/lsb_release -a',
|
||||
'/bin/sh /usr/bin/lsb_release -a --short',
|
||||
'/bin/zsh -c ls',
|
||||
'sh -c /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -sdk /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -find python3 2> /dev/null',
|
||||
'sh -c /bin/stty size 2>/dev/null',
|
||||
'sh -c cat /proc/sys/kernel/pid_max',
|
||||
"sh -c osascript -e 'user locale of (get system info)'",
|
||||
"sh -c pacmd list-sinks |grep 'name:\|module:'",
|
||||
'sh -c pactl --version',
|
||||
'sh -c python3.7 --version 2>&1',
|
||||
'sh -c /usr/bin/xcrun clang 2>&1',
|
||||
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
|
||||
)
|
||||
OR (
|
||||
@ -234,6 +238,8 @@ WHERE
|
||||
'bash,500,gnome-session-binary,systemd',
|
||||
'bash,500,gpg-agent,launchd',
|
||||
'bash,500,.man-wrapped,zsh',
|
||||
'dash,0,kube-proxy,containerd-shim-runc-v2',
|
||||
'dash,0,kindnetd,containerd-shim-runc-v2',
|
||||
'bash,500,Private Internet Access,launchd',
|
||||
'dash,0,anacron,systemd',
|
||||
'sh,0,auditd,launchd',
|
||||
@ -264,9 +270,13 @@ WHERE
|
||||
OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
|
||||
OR p1_cmd LIKE '%/bin/pipenv shell'
|
||||
OR p1_cmd LIKE 'gcloud% auth%login%'
|
||||
OR (exception_key = 'sh,500,ruby,zsh' AND p1_cmd LIKE '%brew.rb')
|
||||
OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
|
||||
OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
|
||||
OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'
|
||||
)
|
||||
AND NOT p0_cgroup LIKE '/system.slice/docker-%'
|
||||
AND NOT p1_cgroup LIKE '/system.slice/docker-%'
|
||||
AND NOT p2_cgroup LIKE '/system.slice/docker-%'
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
||||
@ -88,6 +88,7 @@ WHERE
|
||||
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
|
||||
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
|
||||
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
|
||||
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
|
||||
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
|
||||
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
|
||||
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
|
||||
@ -163,7 +164,6 @@ WHERE
|
||||
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
|
||||
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
|
||||
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
|
||||
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
|
||||
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
|
||||
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
|
||||
@ -171,7 +171,9 @@ WHERE
|
||||
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
|
||||
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
|
||||
|
||||
@ -6,13 +6,15 @@ SELECT
|
||||
s.identifier AS p0_sid,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
|
||||
TRIM(pe.cmdline) AS p0_cmd,
|
||||
pe.cwd AS p0_cwd,
|
||||
-- pe.cwd is NULL on macOS
|
||||
p.cwd AS p0_cwd,
|
||||
pe.pid AS p0_pid,
|
||||
pe.euid AS p0_euid,
|
||||
-- Parent
|
||||
pe.parent AS p1_pid,
|
||||
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
|
||||
COALESCE(p1.path, pe1.path) AS p1_path,
|
||||
p1.cwd AS p1_cwd,
|
||||
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
|
||||
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
|
||||
-- Grandparent
|
||||
@ -20,6 +22,7 @@ SELECT
|
||||
TRIM(
|
||||
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
|
||||
) AS p2_cmd,
|
||||
p1_p2.cwd AS p2_cwd,
|
||||
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
|
||||
COALESCE(
|
||||
p1_p2_hash.path,
|
||||
@ -49,3 +52,7 @@ FROM
|
||||
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
|
||||
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
|
||||
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
|
||||
WHERE pe.time > (strftime('%s', 'now') -240)
|
||||
AND pe.status = 0
|
||||
AND pe.cmdline != ''
|
||||
AND pe.cmdline IS NOT NULL
|
||||
Loading…
Reference in New Issue
Block a user