Merge pull request from tstromberg/less-false2

Remove false positives, fix queries that failed to show a parent pid
This commit is contained in:
Thomas Strömberg 2023-01-09 10:47:19 -05:00 committed by GitHub
commit 814e11bdfd
15 changed files with 98 additions and 59 deletions


@ -95,6 +95,7 @@ WHERE
'22,6,500,/home/terraform,500u,500g,terraform',
'22,6,500,/usr/cargo,0u,0g,cargo',
'22,6,500,/usr/ssh,0u,0g,ssh',
'27020,6,500,/home/steam,500u,500g,steam',
'27022,6,500,/home/steam,500u,500g,steam',
'27034,6,500,/home/steam,500u,100g,steam',
'27035,6,500,/home/steam,500u,100g,steam',
@ -134,6 +135,7 @@ WHERE
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/wget,0u,0g,wget',
'80,6,105,/usr/http,0u,0g,http',
'80,6,500,/app/signal-desktop,u,g,signal-desktop',
'80,6,500,/app/spotify,u,g,spotify',
'80,6,500,/app/thunderbird,u,g,thunderbird',
'80,6,500,/home/mconvert,500u,500g,mconvert',
@ -152,10 +154,12 @@ WHERE
'80,6,500,/usr/gnome-software,0u,0g,gnome-software',
'80,6,500,/usr/pacman,0u,0g,pacman',
'80,6,500,/usr/python3.10,0u,0g,yum',
'8080,6,500,/usr/python3.11,0u,0g,speedtest-cli',
'80,6,500,/usr/python3.11,0u,0g,abrt-action-ins',
'80,6,500,/usr/rpi-imager,0u,0g,rpi-imager',
'80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
'80,6,500,/usr/thunderbird,0u,0g,thunderbird',
'8080,6,500,/usr/speedtest,500u,500g,speedtest',
'8080,6,500,/opt/chrome,0u,0g,chrome',
'8080,6,500,/usr/firefox,0u,0g,firefox',
'8443,6,500,/opt/chrome,0u,0g,chrome',


@ -57,6 +57,7 @@ WHERE
AND NOT p.cmdline LIKE '%--type=zygote%'
AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT (p.name = 'sh' AND p.cgroup_path='/system.slice/znapzend.service')
GROUP BY
p.pid
HAVING
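Review bot: The added `AND NOT (p.name = 'sh' AND p.cgroup_path='/system.slice/znapzend.service')` exempts on process name alone, and a name is not bound to a binary, so any process calling itself `sh` inside that cgroup is excluded from this query; if the job always runs the same shell, presumably `p.path` is available here too and `AND NOT (p.name = 'sh' AND p.path = '<observed sh path>' AND p.cgroup_path = '/system.slice/znapzend.service')` keeps the exception narrow. The spacing `p.cgroup_path='…'` also differs from the `=` with surrounding spaces used on the other lines of the hunk. The enclosing WHERE starts before the hunk.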


@ -54,25 +54,26 @@ WHERE
dir LIKE '%/.%'
AND NOT (
exception_key IN (
'bash,~/.local/share',
'as,~/.cache/yay',
'bash,~/go/src',
'bash,~/.local/share',
'bash,~/.Trash',
'cc1plus,~/.cache/yay',
'c++,~/.cache/yay',
'cgo,~/.gimme/versions',
'dirhelper,/private/var/folders',
'Electron,~/.vscode/extensions',
'fish,~/.local/share',
'git,~/.local/share',
'makepkg,~/.cache/yay',
'zsh,~/.Trash',
'cgo,~/.gimme/versions',
'bash,~/.Trash',
'fish,~/.Trash',
'make,~/.cache/yay',
'git,~/.local/share',
'java,~/.gradle/daemon',
'java,~/.local/share',
'rust-analyzer-p,~/.cargo/registry',
'as,~/.cache/yay',
'c++,~/.cache/yay',
'cc1plus,~/.cache/yay',
'make,~/.cache/yay',
'makepkg,~/.cache/yay',
'mysqld,~/.local/share',
'npm install,~/.npm/_cacache',
'mysqld,~/.local/share'
'rust-analyzer-p,~/.cargo/registry',
'zsh,~/.Trash'
)
OR exception_key LIKE '%sh,~/.Trash/%'
OR dir IN (
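Review bot: The reordered `exception_key IN (…)` list on the new side is alphabetical, but nothing in the file says so, and the old side appears to have drifted (a repeated `'bash,~/.local/share'` and a missing comma before `'rust-analyzer-p,…'`); a one-line comment above the list, `-- keep sorted by process name; each key is name,dir`, turns the order into a rule the next addition can follow. `'npm install,~/.npm/_cacache'` is the only key whose first field contains a space, presumably taken from a cmdline rather than a process name — worth confirming it can ever equal `exception_key` as the query builds it. The enclosing WHERE starts before the hunk and the `NOT (…)` group closes after it.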


@ -58,6 +58,7 @@ WHERE
OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
OR cmd LIKE '/opt/homebrew/opt/%'
OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(
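Review bot: The added `OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'` exempts every executable under a user-writable tree, so anything dropped there by any process running as that user stops being reported by this query; the neighbouring Homebrew exceptions at least end in `/bin/%`. If the observed mason binaries share a stable suffix, narrowing to it (e.g. `'/Users/%/.local/share/nvim/mason/packages/%/<observed bin layout>/%'`) or pairing the path with the expected process name keeps the hole small — confirm against the paths actually seen. The enclosing WHERE starts before the hunk.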


@ -56,6 +56,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', -- thanks Jed!
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
'Software Signing,com.apple.bootpd,/usr/libexec/bootpd,0',
'Software Signing,com.apple.configd,/usr/libexec/configd,0',
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
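Review bot: The added `',java,/opt/homebrew/Cellar/openjdk/19/…/bin/java,501'` key has an empty signing-authority field, so it whitelists a presumably unsigned or ad-hoc signed binary under a user-writable Homebrew prefix purely by path; the version-pinned path limits the exposure but will need refreshing on the next openjdk upgrade. A trailing comment in the style of the `-- thanks Jed!` on the iodined line, e.g. `-- Homebrew openjdk is unsigned; path is version-pinned on purpose`, records both facts for the next maintainer. The enclosing list starts before the hunk.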


@ -62,7 +62,6 @@ WHERE
)
AND NOT (
file.uid = 1000
AND file.gid = 100
AND file.mode = '0755'
AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
AND file.size > 1000000


@ -76,7 +76,10 @@ WHERE
OR cmd LIKE '%iptables -F%'
OR cmd LIKE '%chattr -ia%'
OR cmd LIKE '%chmod 777 %'
OR cmd LIKE '%history'
OR (
INSTR(cmd, 'history') > 0
AND cmd LIKE '%history'
)
OR cmd LIKE '%touch%acmr%'
OR cmd LIKE '%touch -r%'
OR cmd LIKE '%ld.so.preload%'
@ -113,7 +116,7 @@ WHERE
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR INSTR(cmd, '%Socket.%') > 0
OR INSTR(cmd, 'Socket.') > 0
) -- Things that could reasonably happen at boot.
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
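Review bot: The new `INSTR(cmd, 'history') > 0 AND cmd LIKE '%history'` at the top of the first hunk is not a tighter check than the single LIKE it replaces except for case: in osquery's SQLite, LIKE is case-insensitive for ASCII while INSTR is case-sensitive, so the only effect of the added INSTR is to additionally require a lowercase `history` somewhere in cmd. If the intent is a case-sensitive suffix match, `OR cmd GLOB '*history'` says so directly; if it is not, the original LIKE is equivalent and clearer. The same construct appears in the first hunk of the next file section. The enclosing WHERE starts before the hunk.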


@ -87,7 +87,10 @@ WHERE
OR cmd LIKE '%rm -f /var/tmp%'
OR cmd LIKE '%rm -f /tmp%'
OR cmd LIKE '%nohup /bin/bash%'
OR cmd LIKE '%history'
OR (
INSTR(cmd, 'history') > 0
AND cmd LIKE '%history'
)
OR cmd LIKE '%echo%|%base64 --decode %|%'
OR cmd LIKE '%launchctl list%'
OR (
@ -105,7 +108,7 @@ WHERE
)
OR cmd LIKE '%socat%'
OR cmd LIKE '%SOCK_STREAM%'
OR INSTR(cmd, '%Socket.%') > 0
OR INSTR(cmd, 'Socket.') > 0
) -- Things that could reasonably happen at boot.
AND NOT (
p.path = '/usr/bin/mkfifo'
@ -148,4 +151,4 @@ WHERE
AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
AND NOT cmd LIKE 'dirname %history'
AND NOT cmd LIKE '%-history'
AND NOT cmd LIKE '%history'
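Review bot: In the third hunk, one of `AND NOT cmd LIKE '%-history'` and `AND NOT cmd LIKE '%history'` is the new line and the rendered page does not say which; if `'%history'` is the new side it appears to cancel the `cmd LIKE '%history'` match added in the first hunk for every row, since both sit at the top level of the WHERE, and if `'%-history'` is new it exempts any command ending in `-history` regardless of program. Either way a comment naming the false positive the exclusion targets, e.g. `-- <program> legitimately ends its cmdline in -history`, makes the intent checkable. The enclosing WHERE starts before the hunk.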


@ -12,7 +12,7 @@ SELECT
TRIM(pe.cmdline) AS child_cmd,
pe.pid AS child_pid,
p.cgroup_path AS child_cgroup,
p.parent AS parent_pid,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
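Review bot: `IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)` and the two IIFs below it compare with NULL using `!=`, which yields NULL rather than true, so the condition is never satisfied and the `pp.*` branch is never taken — parent_cmd, parent_path and parent_hash always come from the process_events row even when the parent is still running. The tests should be `pp.cmdline IS NOT NULL` and `pp.path IS NOT NULL`, or the fallback written as `COALESCE(pp.cmdline, ppe.cmdline)` with no condition at all. The same pattern is in the parent and grandparent columns of the three later sections that change `parent_pid` (the two other `pe.parent AS parent_pid` hunks and the rewritten darwin escalation query), where `parent_euid` and `gparent_pid` are affected as well. The SELECT list starts before the hunk.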


@ -91,5 +91,10 @@ WHERE
AND parent_name = 'bash'
AND parent_cmd LIKE 'bash ./hack/%.sh'
)
AND NOT (
p.euid > 500
AND parent_name = 'bash'
AND parent_cmd LIKE 'bash %/bin/go-build %'
)
GROUP BY
p.pid


@ -12,7 +12,7 @@ SELECT
TRIM(pe.cmdline) AS child_cmd,
pe.pid AS child_pid,
p.cgroup_path AS child_cgroup,
p.parent AS parent_pid,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
@ -59,10 +59,12 @@ FROM
WHERE
pe.time > (strftime('%s', 'now') -900)
AND pe.path IN ('/usr/bin/sysctl', '/sbin/sysctl', '/usr/sbin/sysctl')
AND NOT p.parent IS NULL
AND NOT child_cmd IN (
'sysctl -n hw.optional.arm64',
'/usr/sbin/sysctl kern.hv_support',
'/usr/sbin/sysctl -n hw.cputype',
'sysctl.proc_translated'
'/usr/sbin/sysctl sysctl.proc_translated'
)
GROUP BY
pe.pid
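Review bot: `AND NOT p.parent IS NULL` in the second hunk filters on the `processes` row, which in the sibling darwin query is a LEFT JOIN on `pe.pid` and presumably is here too, so an event whose process has already exited has `p.parent` NULL and is dropped — the same "no parent pid" symptom the first hunk fixes by switching `parent_pid` to `pe.parent`. If that line is on the new side, `AND pe.parent IS NOT NULL` keeps the guard while using the column that is populated for short-lived children; if it is the removed line, nothing more is needed. The FROM and join list start before the hunk.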


@ -17,7 +17,7 @@ SELECT
pe.pid AS child_pid,
pe.euid AS child_euid,
p.cgroup_path AS child_cgroup,
p.parent AS parent_pid,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
@ -140,7 +140,9 @@ WHERE
)
OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
OR child_cmd LIKE '/bin/sh %google-cloud-sdk/bin/docker-credential-gcloud get'
OR child_cmd LIKE '%/bash -e%/bin/as -arch%'
OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
OR gparent_cmd LIKE '/usr/bin/python3 -m py_compile %'
)
GROUP BY
pe.pid
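Review bot: The added `OR child_cmd LIKE '%/bash -e%/bin/as -arch%'` in the second hunk has wildcards at both ends and in the middle, so it exempts any `bash -e` command line that mentions an `as -arch` invocation anywhere, from any path and under any parent, whereas the neighbouring exceptions are anchored at the start. If this is a compiler or Xcode wrapper, anchoring on the toolchain prefix actually observed (`'/bin/bash -e <observed toolchain prefix>%/bin/as -arch%'`) or pairing it with `gparent_cmd` as the two lines below do keeps the exception bound to that toolchain. The enclosing `NOT (…)` group and WHERE start before the hunk.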


@ -34,22 +34,24 @@ WHERE
AND pp.name NOT IN (
'abrt-handle-eve',
'alacritty',
'Alfred',
'bash',
'build-script-build',
'dnf',
'chezmoi',
'clang-11',
'code',
'Code Helper (Renderer)',
'Code - Insiders Helper (Renderer)',
'configure',
'collect2',
'configure',
'conmon',
'containerd-shim',
'dash',
'demoit',
'direnv',
'dnf',
'doas',
'Docker Desktop',
'erl_child_setup',
'find',
'FinderSyncExtension',
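Review bot: The `pp.name NOT IN (…)` list extended in this hunk exempts on parent process name alone, and a name is typically whatever the process reports, so entries such as `'bash'`, `'dash'`, `'doas'` and `'find'` exempt any parent calling itself that; the list is also now sorted case-insensitively but nothing records it. A header comment carries both points: `-- keep sorted (case-insensitive); name-only match, pair shells and doas with pp.path where possible`. The enclosing WHERE starts before the hunk and the list continues after it.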


@ -51,12 +51,13 @@ WHERE
AND enabled = 1
AND exception_key NOT IN (
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
'false,juverm@chainguard.dev,auto-close-gitsign,,',
'false,,base64 encode or decode selected text,,contextMenus',
'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip,', -- Deprecated Google Extension
'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi,', -- Deprecated Google Extension
'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
'false,,Google Drive,aghbiahbpaijignceidepookljebhfak,', -- Deprecated Google Extension
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
'false,juverm@chainguard.dev,auto-close-gitsign,,',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
@ -120,6 +121,7 @@ WHERE
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec,nativeMessaging, tabs, contextMenus',
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http:///, https:///',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp,webNavigation, webRequest, webRequestBlocking, tabs, cookies, storage, *://*/*, ftp://*/*',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
@ -135,6 +137,7 @@ WHERE
'true,,Loom Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,<all_urls>, tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl,storage, clipboardWrite, <all_urls>',
'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl,<all_urls>, notifications, contextMenus, desktopCapture',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, scripting, alarms, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, downloads, notifications',
'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk,activeTab, storage, cookies',
@ -148,6 +151,7 @@ WHERE
'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep,identity, identity.email, notifications, storage, tabs, <all_urls>',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo,<all_urls>, storage, unlimitedStorage, identity, syncFileSystem,',
'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg,<all_urls>, storage',
'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag,contextMenus, tabs, <all_urls>',
'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami,storage, webRequest, <all_urls>, tabs, webRequestBlocking',
'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop,webview, system.display, http://*/*, https://*/*, contextMenus, unlimitedStorage, storage, fileSystem, fileSystem.write, notifications, identity,',
'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp,tabs, http://*/*, https://*/*, webNavigation, webRequest, webRequestBlocking, storage, privacy',
@ -157,14 +161,15 @@ WHERE
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi,file:///*, http://*/*, https://*/*',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, http://*/*, https://*/*, storage',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, storage, scripting',
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi,<all_urls>, activeTab, background, contextMenus, notifications, storage, tabs, unlimitedStorage',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb,https://*.reddit.com/*, tabs, history, storage, unlimitedStorage, webRequest',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd,tabs, http://*/*, https://*/*, storage',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne,contextMenus, identity, printerProvider, notifications, pageCapture, storage, tabs, webRequest, <all_urls>',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj,tabs, contextMenus, cookies, storage',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, activeTab, storage, unlimitedStorage, alarms, scripting',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko,tabs, unlimitedStorage',
'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp,tabs, storage',
'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
@ -182,10 +187,10 @@ WHERE
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf,activeTab, downloads, tabs, webNavigation, webRequest, http://*/, https://*/',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',
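Review bot: The Honey key added in the second hunk ends in `http:///, https:///` where the line above it has `http://*/*, https://*/*`; if the asterisks were lost somewhere between the manifest and this file, the key will never equal the extension's real permission string and the exception is dead, so confirm the literal against the installed extension before merging. Several ids in this section now carry two keys differing only in permissions; a comment such as `-- one key per observed permission set; prune superseded sets when the extension updates` keeps the list from growing by accretion. The enclosing NOT IN list starts before the first hunk and continues after the last.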


@ -9,35 +9,48 @@
--
-- tags: events process escalation
-- platform: darwin
-- interval: 30
-- interval: 60
SELECT
p.pid AS child_pid,
p.path AS child_path,
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
p.cmdline AS child_cmdline,
p.time,
pp.start_time,
p.euid AS child_euid,
file.mode AS child_mode,
hash.sha256 AS child_hash,
p.parent AS parent_pid,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
pfile.mode AS parent_mode,
phash.sha256 AS parent_hash
pe.path AS child_path,
TRIM(REGEX_MATCH (pe.path, '.*/(.*)', 1)) AS child_name,
TRIM(pe.cmdline) AS child_cmd,
pe.pid AS child_pid,
pe.euid AS child_euid,
p.cgroup_path AS child_cgroup,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
(IIF(pp.euid != NULL, pp.euid, ppe.euid)) AS parent_euid,
IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
REGEX_MATCH (
IIF(pp.path != NULL, pp.path, ppe.path),
'.*/(.*)',
1
) AS parent_name,
TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
IIF(gp.path != NULL, gphash.sha256, gpehash.path) AS gparent_hash,
REGEX_MATCH (
IIF(gp.path != NULL, gp.path, gpe.path),
'.*/(.*)',
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
FROM
process_events p
JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN file AS pfile ON pp.path = pfile.path
LEFT JOIN hash AS phash ON pp.path = phash.path
process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN hash phash ON pp.path = phash.path
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
LEFT JOIN hash pehash ON ppe.path = pehash.path
LEFT JOIN processes gp ON gp.pid = pp.parent
LEFT JOIN hash gphash ON gp.path = gphash.path
LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
LEFT JOIN hash gpehash ON gpe.path = gpehash.path
WHERE
p.time > (strftime('%s', 'now') -30)
AND p.euid < pp.euid
AND p.path NOT IN (
pe.time > (strftime('%s', 'now') -60)
AND child_euid < parent_euid
AND pe.path NOT IN (
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
'/usr/bin/login',
'/usr/bin/su',
@ -46,16 +59,13 @@ WHERE
)
-- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
AND NOT (
p.cmdline IN (
child_cmd IN (
'/usr/sbin/cupsd -l',
'/usr/libexec/mdmclient daemon',
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
)
-- More very weird data that keeps showing up: gopls starting everything!
-- I think this may be due to some bad joining
AND NOT (
pp.cmdline LIKE '%/go/bin/gopls -mode=stdio'
AND pp.path LIKE '/Users/%/go/bin/gopls'
AND pp.euid > 500
pe.euid = 262 -- core media helper id
AND pe.path = '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/AppleCamera.plugin/Contents/Resources/AppleCameraAssistant'
)
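Review bot: `IIF(gp.path != NULL, gphash.sha256, gpehash.path) AS gparent_hash` on the new side returns the grandparent's path in its fallback branch rather than its hash — the else argument should be `gpehash.sha256`, matching `parent_hash` a few lines above; and since `gp.path != NULL` is never true in SQL, that fallback is the branch every row takes, so gparent_hash is currently always a path. The line should read `IIF(gp.path IS NOT NULL, gphash.sha256, gpehash.sha256) AS gparent_hash`. The new `child_euid < parent_euid` filter likewise compares against a `parent_euid` whose `pp.euid != NULL` test always fails, so the value compared is `ppe.euid`; a comment saying the event-table euid is the one used would keep that from surprising the next reader. The second hunk closes a `NOT (…)` group and the rest of the WHERE is outside the view.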