Add support for interval tags

README.md

@@ -76,25 +76,19 @@ We endeavor to exclude real-world false positives from our `detection` queries.
 
 Managing false positives is easier said than done - pull requests are welcome!
 
-## Tags Policy
+## Tag Intervals Mapping
 
-Value:
+Our base interval is 1 hour (3600s), but this interval is modified by the tags in place:
 
-* critical: queries are run 3x as often
-* high: queries are run twice as often
-* medium: queries are run at a regular pace (default)
-* low: queries are run half as often
-* very-low: queries are run 1/3rd as often
+* continuous: 15 seconds
+* transient: 5 minutes
+* persistent: 1 hour (default)
+* postmortem: 6 hours
 
-Interval Type:
+In addition, we'll also use the following modifier tags:
 
-* ephemeral: 60s (1 minute) base
-* periodic: 1200s (20 minute) base (default)
-* postmortem: 14400s (4 hour) base
-
-Status:
-
-* experimental: Run only half as often as normal
+* Often: 4X as often (~1m for transient, 15 minutes for persistent)
+* Seldom: 2X as seldomly (10 minutes for transient, 2 hours for persistent)
 
 ## Local pack generation
 

detection/c2/unexpected-dns-traffic-events.sql

@@ -4,7 +4,7 @@
 --   * https://attack.mitre.org/techniques/T1071/004/ (C2: Application Layer Protocol: DNS)
 --
 -- interval: 120
--- tags: ephemeral events net
+-- tags: events net
 --
 -- NOTE: The interval above must match WHERE clause to avoid missing events
 --

detection/c2/unexpected-dns-traffic.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/004/ (C2: Application Layer Protocol: DNS)
 --
--- tags: ephemeral state net
+-- tags: transient state net often dns
 --
 -- NOTE: This only supports IPv4 traffic due to an osquery bug with 'dns_resolvers'
 SELECT

detection/c2/unexpected-icmp-socket.sql

@@ -3,7 +3,7 @@
 -- references:
 --   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
--- tags: ephemeral state net critical
+-- tags: transient state net often
 SELECT
   pop.pid,
   p.path,

detection/c2/unexpected-listening-port-linux.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1571/
 --
--- tags: ephemeral state net low
+-- tags: state net
 
 SELECT
   lp.address,
@@ -50,7 +50,7 @@ WHERE
   -- Filter out unmapped raw sockets
   AND NOT (p.pid == '')
   -- Exceptions: the uid is capped at 500 to represent regular users versus system users
-  -- port is capped at 32768 to represent ephemeral ports
+  -- port is capped at 32768 to represent transient ports
   AND NOT CONCAT (
     MIN(lp.port, 32768),
     ',',

detection/c2/unexpected-listening-port-macos.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1571/
 --
--- tags: ephemeral state net low
+-- tags: state net low
 -- platform: darwin
 
 SELECT
@@ -55,7 +55,7 @@ WHERE
   -- Filter out unmapped raw sockets
   AND NOT (p.pid == '')
   -- Exceptions: the uid is capped at 500 to represent regular users versus system users
-  -- port is capped at 49152 to represent ephemeral ports
+  -- port is capped at 49152 to represent transient ports
   AND NOT exception_key IN (
     '10011,6,0,launchd,Software Signing',
     '1313,6,500,hugo,',

detection/c2/unexpected-talkers-linux.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/
 --
--- tags: ephemeral state net high
+-- tags: transient state net often
 -- platform: linux
 SELECT
   s.family,

detection/c2/unexpected-talkers-macos.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/
 --
--- tags: ephemeral state net high
+-- tags: transient state net often
 -- platform: macos
 SELECT
   protocol,

detection/credentials/macos_keyboard_sniffer.sql

@@ -4,7 +4,7 @@
 --   * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
 --
 -- platform: darwin
--- tags: periodic sniffer
+-- tags: state sniffer
 SELECT
   et.enabled,
   et.process_being_tapped,

detection/credentials/unexpected-dev-opener-linux.sql

@@ -7,7 +7,7 @@
 --   * any program which needs access to device drivers
 --
 -- platform: linux
--- tags: periodic sniffer
+-- tags: state sniffer
 SELECT
   pof.pid,
   pof.path AS device,

detection/credentials/unexpected-dev-opener-macos.sql

@@ -4,7 +4,7 @@
 --   * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
 --
 -- platform: darwin
--- tags: periodic sniffer
+-- tags: state sniffer
 SELECT
   pof.pid,
   pof.path AS device,

detection/credentials/unexpected-sensitive-file-access-linux.sql

@@ -4,7 +4,7 @@
 -- and it requires catching a program at the exact moment it has
 -- the file open.
 
--- tags: ephemeral critical access
+-- tags: transient often state file access
 SELECT
   pof.pid,
   pof.fd,

detection/discovery/unexpected-bpf-user.sql

@@ -5,8 +5,8 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1205/001/ (Traffic Signaling: Port Knocking)
 --
--- platform: darwin
--- tags: periodic sniffer
+-- platform: posix
+-- tags: persistent state process sniffer often
 SELECT
   pmm.pid,
   pmm.path AS lib_path,

detection/discovery/unexpected-pcap-user-linux.sql

@@ -4,8 +4,9 @@
 --
 -- references:
 --   * https://attack.mitre.org/techniques/T1205/001/ (Traffic Signaling: Port Knocking)
+--
 -- platform: linux
--- tags: periodic sniffer critical
+-- tags: persistent state process sniffer often
 SELECT
   pmm.pid,
   p.uid,

detection/discovery/unexpected-pcap-user-macos.sql

@@ -6,7 +6,7 @@
 --   * https://attack.mitre.org/techniques/T1205/001/ (Traffic Signaling: Port Knocking)
 --
 -- platform: darwin
--- tags: periodic sniffer
+-- tags: state process sniffer
 SELECT
   pmm.pid,
   p.uid,

detection/evasion/empty_environ.sql

@@ -1,7 +1,9 @@
--- Inspired by BPFdoor
--- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
-
--- tags: periodic daemon
+-- Find programs which have cleared their environment
+--
+-- references:
+--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent state daemon process
 SELECT
   COUNT(*) AS count,
   p.pid,

detection/evasion/executables-from-the-future.sql

@@ -1,5 +1,12 @@
 -- Programs which claim to be from the future, based on (btime,ctime,mtime)
--- tags: periodic daemon
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/006/
+--
+-- false positives:
+--   * None observed
+--
+-- tags: state process
 SELECT
   p.pid,
   p.path,

detection/evasion/hidden-cwd.sql

@@ -1,6 +1,9 @@
 -- Programs running with a hidden current working directory
-
--- tags: ephemeral high
+--
+-- False positives:
+--   * Users rummaging through their configuration files
+--
+-- tags: transient often
 SELECT
   p.pid,
   p.path,

detection/evasion/hidden-launchd-files-macos.sql

@@ -2,7 +2,7 @@
 -- See https://github.com/osquery/osquery/issues/7703
 --
 -- platform: darwin
--- tags: periodic daemon
+-- tags: daemon
 
 SELECT file.path,
     file.type,

detection/evasion/hidden-parent-pid.sql

@@ -1,6 +1,12 @@
 -- Works well for revealing boopkit, so long as boopkit has a child process.
 --
--- tags: periodic daemon
+-- references:
+--   * https://github.com/krisnova/boopkit
+--
+-- false positives:
+--   * None observed
+--
+-- tags: daemon
 SELECT
   pp.*
 FROM

detection/evasion/missing-from-disk-linux.sql

@@ -1,6 +1,9 @@
--- Processes that do not exist on disk
+-- Processes that do not exist on disk, running in osquery's namespace
 --
--- tags: periodic daemon
+-- false positives:
+--   * none observed
+--
+-- tags: process state
 -- platform: linux
 SELECT
   p.pid,

detection/evasion/missing-from-disk-macos.sql

@@ -1,6 +1,10 @@
 -- Processes that do not exist on disk
 --
--- tags: periodic daemon
+-- false positives:
+--   * Self-updating programs that remain running
+--
+-- platform: darwin
+-- tags: process state
 SELECT
   p.pid,
   p.path,

detection/evasion/name_path_mismatch.sql

@@ -1,6 +1,9 @@
--- Processes that do not exist on disk
+-- Processes that have an unrelated name in the process tree than the program on disk.
 --
--- tags: periodic daemon high
+-- false positives:
+--   * new software, particularly those using interpreted languages
+--
+-- tags: daemon high
 SELECT
   p.name,
   TRIM(SUBSTR(SPLIT (p.name, ':./ ', 0), 0, 15)) AS short_name,

detection/evasion/old-binaries-running.sql

@@ -1,6 +1,9 @@
 -- Alert on programs running that are unusually old (poor timestomping)
-
--- tags: periodic daemon
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/006/
+--
+-- tags: transient process state
 SELECT
   p.path,
   p.cmdline,

detection/evasion/parent-missing-from-disk.sql

@@ -2,7 +2,7 @@
 -- Reveals boopkit if a child is spawned
 -- TODO: Make mount namespace aware
 
--- tags: periodic daemon
+-- tags: daemon
 SELECT
   p.name AS child_name,
   p.pid AS child_pid,

detection/evasion/ssh-notty.sql

@@ -1,4 +1,7 @@
 -- Find ssh sessions that are hiding from 'w'/'who'
+--
+-- tags: transient process state
+-- platform: posix
 SELECT * FROM (
     SELECT p.pid,p.name,p.cmdline,GROUP_CONCAT(DISTINCT pof.path) AS open_files
     FROM processes p

detection/evasion/touched-executable-linux.sql

@@ -1,6 +1,11 @@
 -- Programs which were spawned by an executable containing a matching ctime & mtime, which
 -- on Linux only generally occurs occurs if you run 'touch <bin>'
--- NOTE: This is not suitable as a detection method on macOS, where this condition is extremely common
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/006/
+--
+-- tags: transient process state
+-- platform: linux
 SELECT
   p.pid,
   p.path,

detection/evasion/touched-executable-macos.sql

@@ -1,6 +1,13 @@
 -- Programs which appear to have been touched on macOS
+--
 -- This check is probably not very useful as there are plenty of legit reasons why
 -- the dates (in particular, 'btime'), gets doctored.
+--
+-- false positives:
+--   * Programs which are packaged weirdly and don't follow the typical Apple app layout
+--
+-- tags: transient seldom filesystem state
+-- platform: darwin
 SELECT
   p.path,
   p.name,

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -1,5 +1,9 @@
 -- macOS application layer firewall (ALF) service exceptions.
 --
+-- false positives:
+--   * locally built software
+--
+-- tags: persistent state filesystem
 SELECT
   ae.path,
   ae.state,

detection/evasion/unexpected-dev-entries.sql

@@ -1,5 +1,12 @@
--- Inspired by BPFdoor
--- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+-- Find unexpected files in /dev
+--
+-- references:
+--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- false positives:
+--   * programs which have legimate uses for /dev/shm
+--
+-- tags: persistent state filesystem
 SELECT
   file.path,
   file.type,

detection/evasion/unexpected-dev-executables-linux.sql

@@ -1,4 +1,9 @@
 -- Find unexpected executables in /dev
+--
+-- references:
+--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+--
+-- tags: persistent state filesystem
 SELECT
   file.path,
   file.directory,

detection/evasion/unexpected-etc-executables-linux.sql

@@ -1,130 +0,0 @@
--- Find unexpected executables in /etc
--- Motivation: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
-SELECT
-  file.path,
-  file.directory,
-  uid,
-  gid,
-  mode,
-  file.mtime,
-  file.size,
-  hash.sha256,
-  magic.data
-FROM
-  file
-  LEFT JOIN hash on file.path = hash.path
-  LEFT JOIN magic ON file.path = magic.path
-WHERE
-  (file.path LIKE '/etc/%%')
-  AND file.type = 'regular'
-  AND (
-    file.mode LIKE '%7%'
-    or file.mode LIKE '%5%'
-    or file.mode LIKE '%1%'
-  )
-  AND file.directory NOT IN (
-    '/etc/X11/xinit/xinitrc.d',
-    '/etc/apcupsd',
-    '/etc/menu-methods',
-    '/etc/avahi',
-    '/etc/chromium/native-messaging-hosts',
-    '/etc/cifs-utils',
-    '/etc/cron.hourly',
-    '/etc/flatpak/remotes.d',
-    '/etc/gdm/Init',
-    '/etc/gdm/PostLogin',
-    '/etc/gdm/PostSession',
-    '/etc/gdm/PreSession',
-    '/etc/gdm',
-    '/etc/grub.d',
-    '/etc/httpd/modules',
-    '/etc/ifplugd',
-    '/etc/init.d',
-    '/etc/lightdm',
-    '/etc/pinentry',
-    '/etc/ppp',
-    '/etc/ppp/ip-down.d',
-    '/etc/ppp/ip-up.d',
-    '/etc/ppp/ipv6-up.d',
-    '/etc/profile.d',
-    '/etc/rdnssd',
-    '/etc/security',
-    '/etc/skel',
-    '/etc/ssl/misc',
-    '/etc/systemd/system',
-    '/etc/systemd/system/graphical.target.wants',
-    '/etc/vpnc',
-    '/etc/xdg/Xwayland-session.d',
-    '/etc/NetworkManager/dispatcher.d',
-    '/etc/X11',
-    '/etc/X11/xinit',
-    '/etc/acpi',
-    '/etc/alternatives',
-    '/etc/apm/resume.d',
-    '/etc/apm/scripts.d',
-    '/etc/apm/suspend.d',
-    '/etc/brltty/Contraction',
-    '/etc/console-setup',
-    '/etc/cron.daily',
-    '/etc/cron.monthly',
-    '/etc/cron.weekly',
-    '/etc/dhcp/dhclient-enter-hooks.d',
-    '/etc/dhcp/dhclient-exit-hooks.d',
-    '/etc/dkms',
-    '/etc/gdm3/Init',
-    '/etc/gdm3/PostLogin',
-    '/etc/gdm3/PostSession',
-    '/etc/gdm3/PreSession',
-    '/etc/gdm3/Prime',
-    '/etc/gdm3/PrimeOff',
-    '/etc/gdm3',
-    '/etc/ifplugd/action.d',
-    '/etc/kernel/header_postinst.d',
-    '/etc/kernel/install.d',
-    '/etc/kernel/postinst.d',
-    '/etc/kernel/postrm.d',
-    '/etc/kernel/preinst.d',
-    '/etc/kernel/prerm.d',
-    '/etc/network/if-down.d',
-    '/etc/network/if-post-down.d',
-    '/etc/network/if-pre-up.d',
-    '/etc/network/if-up.d',
-    '/etc/openvpn',
-    '/etc/pm/sleep.d',
-    '/etc/rc0.d',
-    '/etc/rc1.d',
-    '/etc/rc2.d',
-    '/etc/rc3.d',
-    '/etc/rc4.d',
-    '/etc/rc5.d',
-    '/etc/rc6.d',
-    '/etc/rcS.d',
-    '/etc/update-motd.d',
-    '/etc/wpa_supplicant',
-    '/etc/zfs/zed.d',
-    '/etc/zfs/zpool.d',
-    '/etc/bash_completion.d',
-    '/etc/dhcp/dhclient.d',
-    '/etc/mcelog/triggers',
-    '/etc/qemu-ga',
-    '/etc/rc.d/init.d',
-    '/etc/rc.d/rc0.d',
-    '/etc/rc.d/rc1.d',
-    '/etc/rc.d/rc2.d',
-    '/etc/rc.d/rc3.d',
-    '/etc/rc.d/rc4.d',
-    '/etc/rc.d/rc5.d',
-    '/etc/rc.d/rc6.d',
-    '/etc/vmware-tools',
-    '/etc/zfs-fuse',
-    '/etc/ssl/certs',
-    '/etc/ssl/trust-source',
-    '/etc/systemd/system-shutdown'
-  )
-  AND file.path NOT IN (
-    '/etc/nftables.conf',
-    '/etc/rmt',
-    '/etc/qemu-ifdown',
-    '/etc/qemu-ifup',
-    '/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json'
-  )

detection/evasion/unexpected-hidden-system-folders.sql

@@ -1,3 +1,10 @@
+-- Find unexpected hidden directories in operating-system folders
+--
+-- false positives:
+--   * unusual installers
+--
+-- platform: linux
+-- tags: persistent filesystem state
 SELECT
   file.path,
   uid,

detection/evasion/unexpected-kernel-extensions-macos.sql

@@ -1,5 +1,10 @@
--- Display a list of non-Apple kernel extensions, which are exceedingly rare.
+-- Find unexpected 3rd-party kernel extensions
+--
+-- false positives:
+--   * none known
+--
 -- platform: darwin
+-- tags: persistent seldom kernel
 SELECT
   *
 FROM

detection/evasion/unexpected-kernel-modules-linux.sql

@@ -1,4 +1,8 @@
 -- Find kernel modules that are not part of the expected list
+--
+-- false positives:
+--   * operating-system updates
+--
 -- platform: linux
 -- tags: latent seldom kernel
 SELECT *

detection/evasion/unexpected-ld-so-files-linux.sql

@@ -1,4 +1,12 @@
+-- Find unexpected ld.so.conf files
+--
 -- If you have Augeas available, you may want to use that in conjunction with this more limited check.
+--
+-- false positives:
+--   * none known
+--
+-- tags: persistent seldom
+-- platform: linux
 SELECT
   file.path,
   uid,

detection/evasion/unexpected-var-executables-linux.sql

@@ -1,4 +1,10 @@
 -- Find unexpected executables in /var
+--
+-- false positives:
+--   * none known
+--
+-- tags: persistent seldom
+-- platform: posix
 SELECT
   file.path,
   file.directory,

detection/execution/exotic-cmdline.sql

@@ -1,75 +0,0 @@
--- The better version of this is process_events/exotic-command-events
-SELECT
-  p.pid,
-  p.path,
-  p.name,
-  p.cmdline AS cmd,
-  p.cwd,
-  p.euid,
-  p.parent,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmd,
-  pp.euid AS parent_euid,
-  hash.sha256 AS child_sha256,
-  phash.sha256 AS parent_sha256
-FROM
-  processes p
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN hash AS phash ON pp.path = hash.path
-WHERE
-  -- Known attack scripts
-  p.name IN ('nc', 'mkfifo')
-  OR p.name LIKE '%pwn%'
-  OR p.name LIKE '%xig%'
-  OR p.name LIKE '%xmr%'
-  OR cmd LIKE '%bitspin%'
-  OR cmd LIKE '%lushput%'
-  OR cmd LIKE '%incbit%'
-  OR cmd LIKE '%traitor%'
-  OR cmd LIKE '%msfvenom%'
-  OR
-  -- Unusual behaviors
-  cmd LIKE '%ufw disable%'
-  OR cmd LIKE '%iptables -P % ACCEPT%'
-  OR cmd LIKE '%iptables -F%'
-  OR cmd LIKE '%chattr -ia%'
-  OR cmd LIKE '%chmod 777 %'
-  OR cmd LIKE '%bpftool%'
-  OR cmd LIKE '%touch%acmr%'
-  OR cmd LIKE '%ld.so.preload%'
-  OR cmd LIKE '%urllib.urlopen%'
-  OR cmd LIKE '%nohup%tmp%'
-  OR cmd LIKE '%set visible of front window to false%'
-  OR cmd LIKE '%chrome%--load-extension%'
-  OR
-  -- Crypto miners
-  cmd LIKE '%c3pool%'
-  OR cmd LIKE '%cryptonight%'
-  OR cmd LIKE '%f2pool%'
-  OR cmd LIKE '%hashrate%'
-  OR cmd LIKE '%hashvault%'
-  OR cmd LIKE '%minerd%'
-  OR cmd LIKE '%monero%'
-  OR cmd LIKE '%nanopool%'
-  OR cmd LIKE '%nicehash%'
-  OR cmd LIKE '%stratum%'
-  OR
-  -- Random keywords
-  cmd LIKE '%ransom%'
-  OR cmd LIKE '%malware%'
-  OR cmd LIKE '%plant%'
-  OR
-  -- Reverse shells
-  cmd LIKE '%/dev/tcp/%'
-  OR cmd LIKE '%/dev/udp/%'
-  OR cmd LIKE '%fsockopen%'
-  OR cmd LIKE '%openssl%quiet%'
-  OR cmd LIKE '%pty.spawn%'
-  OR cmd LIKE '%sh -i'
-  OR cmd LIKE '%socat%'
-  OR cmd LIKE '%SOCK_STREAM%'
-  OR cmd LIKE '%Socket.fork%'
-  OR cmd LIKE '%Socket.new%'
-  OR cmd LIKE '%socket.socket%'

detection/execution/exotic-command-events-linux.sql

@@ -1,5 +1,10 @@
--- Ported from exotic-commands
--- Designed for execution every 15 seconds (where the parent may still be around)
+-- Pick out exotic processes based on their command-line (events-based)
+--
+-- false positives:
+--   * possible, but none known
+--
+-- tags: transient process events
+-- platform: linux
 -- interval: 15
 SELECT
   p.pid,

detection/execution/exotic-command-events-macos.sql

@@ -1,6 +1,10 @@
--- Ported from exotic-commands
--- Designed for execution every 15 seconds (where the parent may still be around)
-
+-- Pick out exotic processes based on their command-line (events-based)
+--
+-- false positives:
+--   * possible, but none known
+--
+-- tags: transient process events
+-- platform: darwin
 -- interval: 15
 SELECT
   p.pid,

detection/execution/recently-created-executables.sql

@@ -1,6 +1,10 @@
 -- Programs who were recently written to disk, based on btime (macOS) or ctime (Linux)
 --
--- NOTE: ctime
+-- false-positives:
+--   * many
+--
+-- tags: transient process state often
+-- platform: posix
 SELECT
   p.pid,
   p.path,

detection/execution/reverse-shell-socket.sql

@@ -1,4 +1,14 @@
--- An alternate way to discover reverse shells, inspired by the osxattack pack
+-- Uncover reverse-shell processes
+--
+-- refs:
+--   * https://www.invicti.com/blog/web-security/understanding-reverse-shells/
+--   * https://attack.mitre.org/techniques/T1059/ (Command & Scripting Interpreter)
+--
+-- false-positives:
+--   * none known
+--
+-- tags: transient process state often
+-- platform: posix
 SELECT DISTINCT
   (p.pid),
   p.parent,

detection/execution/sketchy-fetcher-events.sql

@@ -1,5 +1,12 @@
--- Events version of sketchy-fetchers
--- Designed for execution every minute (where the parent may still be around)
+-- Suspicious URL requests by built-in fetching tools (event-based)
+--
+-- refs:
+--   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
+--   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
+--
+-- interval: 60
+-- tags: transient process events
+-- platform: posix
 SELECT
   p.pid,
   p.path,

detection/execution/sketchy-fetcher.sql

@@ -1,10 +1,10 @@
--- Suspicious URL requests by built-in fetching tools
+-- Suspicious URL requests by built-in fetching tools (state-based)
 --
 -- refs:
 --   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
 --
--- interval: 60
+-- tags: transient process state
 -- platform: posix
 SELECT
   p.pid,

detection/execution/tiny-executable-events.sql

@@ -1,6 +1,10 @@
--- Discover tiny dropper binaries, such as Shikitega:
--- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--- Designed for execution every 30 seconds (where the parent may still be around)
+-- Unusually small programs (events-based)
+--
+-- references:
+--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
+--
+-- interval: 30
+-- tags: transient process events
 SELECT
   p.pid,
   p.path,

detection/execution/tiny-executable.sql

@@ -1,6 +1,9 @@
--- Discover tiny dropper binaries, such as Shikitega:
--- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
--- Duration: 0.063s
+-- Unusually small programs (state-based)
+--
+-- references:
+--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
+--
+-- tags: transient process state
 SELECT
   p.pid,
   p.path,

detection/execution/unexpected-env-values.sql

@@ -1,5 +1,10 @@
+-- Applications setting environment variables to bypass security protections
+--
 -- Inpsired by BPFdoor and other intrusions
 -- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
+--
+-- tags: transient state continous
+-- platform: posix
 SELECT
   key,
   value,
@@ -7,13 +12,11 @@ SELECT
   p.path,
   p.cmdline,
   p.parent AS parent_pid,
-  pp.cmdline AS parent_cmd,
-  hash.sha256
+  pp.cmdline AS parent_cmd
 FROM
   process_envs pe
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN hash ON p.path = hash.path
 WHERE
   (
     key = 'HISTFILE'

detection/execution/unexpected-execdir-events-linux.sql

@@ -1,5 +1,14 @@
--- Events version of unexpected-executable-directory
--- Designed for execution every minute (where the parent may still be around)
+-- Catch applications running from unusual directories, such as /tmp
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1074/
+--
+-- false positives:
+--   * programs running in alternative namespaces (Docker)
+--
+-- interval: 15
+-- platform: linux
+-- tags: filesystem events
 SELECT
   pe.pid,
   pe.path,

detection/execution/unexpected-execdir-events-macos.sql

@@ -1,5 +1,15 @@
--- Events version of unexpected-executable-directory
--- Designed for execution every minute (where the parent may still be around)
+-- Catch applications running from unusual directories, such as /tmp
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1074/
+--
+-- false positives:
+--   * software installers and updaters
+--   * developers running programs out of /tmp
+--
+-- interval: 60
+-- platform: darwin
+-- tags: filesystem events
 SELECT
   p.pid,
   p.path,

detection/execution/unexpected-executable-directory-linux.sql

@@ -1,73 +0,0 @@
--- Programs running out of unexpected directories, such as /tmp
---
--- references:
---   * https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
---
--- tags: ephemeral
-
-SELECT
-  p.pid,
-  p.name,
-  p.path,
-  p.euid,
-  p.gid,
-  f.ctime,
-  f.directory AS dirname,
-  p.cmdline,
-  hash.sha256,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  pp.euid AS parent_euid,
-  hash.sha256 AS parent_sha256
-FROM
-  processes p
-  LEFT JOIN file f ON p.path = f.path
-  LEFT JOIN hash ON hash.path = p.path
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  -- NOTE: Everything after this is shared with process_events/unexpected-executable-directory-events
-WHERE
-  dirname NOT IN (
-    '/bin',
-    '/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin',
-    '/sbin',
-    '/usr/bin',
-    '/usr/lib',
-    '/usr/lib/bluetooth',
-    '/usr/lib/cups/notifier',
-    '/usr/share/teams',
-    '/usr/lib/evolution-data-server',
-    '/usr/lib/firefox',
-    '/usr/lib/fwupd',
-    '/usr/lib/ibus',
-    '/usr/lib/libreoffice/program',
-    '/usr/lib/polkit-1',
-    '/usr/lib/slack',
-    '/usr/lib/snapd',
-    '/usr/lib/systemd',
-    '/usr/lib/telepathy',
-    '/usr/lib/udisks2',
-    '/usr/lib/xorg',
-    '/usr/lib64/firefox',
-    '/usr/libexec',
-    '/usr/sbin',
-    '/usr/share/code'
-  )
-  AND dirname NOT LIKE '/home/%'
-  AND dirname NOT LIKE '/nix/store/%'
-  AND dirname NOT LIKE '/opt/%'
-  AND dirname NOT LIKE '/snap/%'
-  AND dirname NOT LIKE '/tmp/%/bin'
-  AND dirname NOT LIKE '/tmp/go-build%'
-  AND dirname NOT LIKE '/usr/lib/%'
-  AND dirname NOT LIKE '/usr/lib64/%'
-  AND dirname NOT LIKE '/usr/libexec/%'
-  AND dirname NOT LIKE '/usr/local/%'
-  AND p.path NOT IN (
-    '/usr/lib/firefox/firefox',
-    '/usr/lib64/firefox/firefox'
-  )
-  AND NOT (
-    dirname = ''
-    AND p.name LIKE 'runc%'
-  )

detection/execution/unexpected-executable-directory-macos.sql

@@ -1,136 +0,0 @@
--- Planning on running something in an unexpected place without a signature?
---
--- Not gonna happen.
-SELECT
-  p.pid,
-  p.name,
-  p.path,
-  p.euid,
-  p.gid,
-  f.ctime,
-  f.directory AS dirname,
-  REPLACE(f.directory, u.directory, '~') AS dirname,
-  p.cmdline,
-  hash.sha256,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  pp.euid AS parent_euid,
-  hash.sha256 AS parent_sha256,
-  signature.identifier,
-  signature.authority
-FROM
-  processes p
-  LEFT JOIN file f ON p.path = f.path
-  LEFT JOIN hash ON hash.path = p.path
-  LEFT JOIN users u ON p.uid = u.uid
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN signature ON p.path = signature.path -- NOTE: Everything after this is shared with process_events/unexpected-executable-directory-events
-WHERE
-  dirname NOT IN (
-    '/bin',
-    '/Library/DropboxHelperTools/Dropbox_u501',
-    '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
-    '/Library/Printers/DYMO/Utilities',
-    '/Library/PrivilegedHelperTools',
-    '/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
-    '/opt/usr/bin',
-    '/opt/X11/bin',
-    '/opt/X11/libexec',
-    '/sbin',
-    '/usr/bin',
-    '/usr/lib',
-    '/usr/lib/bluetooth',
-    '/usr/lib/cups/notifier',
-    '/usr/lib/fwupd',
-    '/usr/lib/ibus',
-    '/usr/libexec',
-    '/usr/libexec/ApplicationFirewall',
-    '/usr/libexec/AssetCache',
-    '/usr/libexec/rosetta',
-    '/usr/sbin',
-    '/usr/share/code',
-    '/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin'
-  )
-  AND homedir NOT IN (
-    '~/bin',
-    '~/go/bin',
-    '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
-    '~/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin',
-    '~/Library/Application Support/com.elgato.StreamDeck/Plugins/com.lostdomain.zoom.sdPlugin'
-  )
-  AND signature.authority NOT IN (
-    'Apple Mac OS Application Signing',
-    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
-    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
-    'Developer ID Application: Docker Inc (9BNSXJN65R)',
-    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
-    'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
-    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
-    'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
-    'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
-    'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
-    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
-    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
-    'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
-    'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
-    'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
-    'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
-    'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
-    'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
-    'Developer ID Application: Valve Corporation (MXGJJ98X76)',
-    'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
-    'Apple iPhone OS Application Signing',
-    'Developer ID Application: Node.js Foundation (HX7739G8FX)',
-    'Software Signing'
-  )
-  AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
-  AND dirname NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
-  AND dirname NOT LIKE '/Applications/%.app/%'
-  AND dirname NOT LIKE '/Applications/Utilities/Adobe Creative Cloud/%'
-  AND dirname NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
-  AND dirname NOT LIKE '/Library/%/Resources/%/Contents/MacOS'
-  AND dirname NOT LIKE '/Library/%/sbin' -- Nessus
-  AND dirname NOT LIKE '/Library/Apple/System/Library%'
-  AND dirname NOT LIKE '/Library/Application Support/%/Contents/MacOS'
-  AND dirname NOT LIKE '/Library/Application Support/Adobe/%'
-  AND dirname NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS'
-  AND dirname NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%'
-  AND dirname NOT LIKE '/Library/Developer/%'
-  AND dirname NOT LIKE '/Library/Developer/CommandLineTools/Library/%'
-  AND dirname NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS'
-  AND dirname NOT LIKE '/Library/Java/JavaVirtualMachines/%'
-  AND dirname NOT LIKE '/Library/Printers/%.app/Contents/MacOS'
-  AND dirname NOT LIKE '/Library/PrivilegedHelperTools/com.%'
-  AND dirname NOT LIKE '/nix/store/%'
-  AND dirname NOT LIKE '/opt/homebrew/Cellar/%/bin'
-  AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec'
-  AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec/%'
-  AND dirname NOT LIKE '/opt/homebrew/Cellar/%/Contents/MacOS'
-  AND dirname NOT LIKE '/opt/homebrew/Caskroom/%/bin'
-  AND dirname NOT LIKE '/private/tmp/%.app/Contents/MacOS'
-  AND dirname NOT LIKE '/private/tmp/go-build%/exe'
-  AND dirname NOT LIKE '/private/tmp/nix-build-%'
-  AND dirname NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
-  AND dirname NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
-  AND dirname NOT LIKE '/private/var/folders/%/bin'
-  AND dirname NOT LIKE '/private/var/folders/%/Contents/%'
-  AND dirname NOT LIKE '/private/var/folders/%/go-build%'
-  AND dirname NOT LIKE '/private/var/folders/%/GoLand'
-  AND dirname NOT LIKE '/System/%'
-  AND dirname NOT LIKE '/Users/%/bin/%'
-  AND dirname NOT LIKE '/Users/%/src/%'
-  AND dirname NOT LIKE '/usr/libexec/%'
-  AND dirname NOT LIKE '/usr/local/%'
-  AND NOT (
-    dirname LIKE '/private/var/%'
-    AND p.name LIKE 'pulumi-go.%'
-  ) -- Chrome executes patches from /tmp :(
-  AND NOT (
-    dirname LIKE '/private/tmp/%'
-    AND p.name = 'goobspatch'
-  )
-  AND NOT (
-    homedir = '~'
-    AND p.name = 'cloud_sql_proxy'
-  )

detection/execution/unexpected-executable-permissions.sql

@@ -1,4 +1,14 @@
 -- Find processes running that are tied to binaries with unsual permissions. Namely, 0777.
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1222/
+--
+-- false positives:
+--   * poorly written software
+--
+-- platform: posix
+-- tags: persistent filesystem state
+
 SELECT
   p.pid,
   p.name,

detection/execution/unexpected-gatekeeper-approvals-macos.sql

@@ -1,6 +1,14 @@
 -- Gatekeeper exceptions are exceptions for downloaded binaries
--- https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
--- Most of these hits end up running out of the Downloads directory
+--
+-- references:
+--   * https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
+--
+-- false positives:
+--   * developers downloading binaries from Github
+--
+-- platform: macos
+-- tags: persistent filesystem state gatekeeper
+
 SELECT
   gap.ctime,
   gap.mtime,

detection/execution/unexpected-mounts.sql

@@ -1,5 +1,10 @@
 -- Detect weird mounts, like mounting the EFI partition
--- See https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
+--
+-- references:
+--   * https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
+--
+-- platform: linux
+-- tags: transient filesystem state
 SELECT
   *
 FROM

detection/execution/unexpected-osascript-calls.sql

@@ -1,5 +1,11 @@
 -- Detect unusual calls to osascript
--- Designed for execution every 60 seconds (where the parent may still be around)
+--
+-- false positives:
+--   * none observed, but they are expected
+--
+-- interval: 60
+-- platform: darwin
+-- tags: process events
 SELECT
   p.pid,
   p.path,

detection/execution/unexpected-raw-socket.sql

@@ -1,3 +1,10 @@
+-- Find unexpected use of raw sockets in executables, sometimes used for C&C communications
+--
+-- false positives:
+--   * operating-system network managers
+--
+-- tags: transient process state
+-- platform: posix
 SELECT
   pop.pid,
   p.path,

detection/execution/unexpected-setuid-binaries.sql

@@ -1,3 +1,10 @@
+-- Find unexpected setuid binaries on disk
+--
+-- false positives:
+--   * new software
+--
+-- tags: persistent seldom
+-- platform: posix
 SELECT
   file.path,
   gid,

detection/execution/unexpected-tmp-executables.sql

@@ -1,4 +1,10 @@
--- Find unexpected executables in temp directories
+-- Find unexpected executables in temp directories, often used by malware droppers
+--
+-- false positives:
+--   * developers building code out of /tmp
+--
+-- tags: persistent
+-- platform: posix
 SELECT
   file.path,
   uid,

detection/execution/xprotect-reports.sql

@@ -1,6 +1,6 @@
 -- Returns a list of malware matches from macOS XProtect
 --
--- interval: 1200
+-- tags: persistent often malware xprotect
 -- platform: darwin
 SELECT
   *

detection/exfil/high-disk-bytes-written.sql

@@ -1,3 +1,12 @@
+-- Programs which are writing an unusually large amount of data
+--
+-- Can be used to detect ransomware
+--
+-- false positives:
+--   * Package managers
+--   * Backup software
+--
+-- tags: transient process
 SELECT
   p.name,
   p.path,

detection/exfil/high_disk_bytes_read.sql

@@ -1,3 +1,12 @@
+-- Programs which are reading an unusually large amount of data
+--
+-- Can be used to detect exfiltration
+--
+-- false positives:
+--   * Virtual Machine managers
+--   * Backup software
+--
+-- tags: transient process
 SELECT
   p.name,
   p.path,

detection/exfil/spotlight-database-export-macos.sql

@@ -1,4 +1,10 @@
 -- Find database exports. Will need tuning based on your table names.
+--
+-- false positives:
+--   * none observed
+--
+-- platform: darwin
+-- tags: persistent filesystem spotlight
 SELECT
   f.path,
   f.size,

detection/impact/unexpected-etc-hosts.sql

@@ -1,3 +1,10 @@
+-- Unexpected /etc/hosts entries
+--
+-- false positives:
+--   * developers adding entries for their own use
+--
+-- tags: persistent seldom filesystem net
+
 SELECT
   *
 FROM

detection/initial_access/unexpected-shell-parents.sql

@@ -1,3 +1,11 @@
+-- Unexpected process that spawns shell processes
+--
+-- false positives:
+--   * IDE's
+--
+-- tags: transient process state
+-- platform: posix
+
 SELECT
   p.name,
   p.path AS path,

detection/initial_access/unexpected-volume-contents.sql

@@ -1,7 +1,12 @@
 -- Scan removable volumes for sketchy files
 --
--- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
+-- false positives:
+--   * Installer packages with hidden files
 --
+-- references:
+--   * https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
+--
+-- tags: transient volume filesystem
 -- platform: darwin
 SELECT
   RTRIM(file.path, '/') AS trimpath,

detection/persistence/fake-apple-launchd.sql

@@ -1,8 +1,13 @@
 -- Find launchd entries which purport to be by Apple, but are not signed by Apple.
 --
--- Inspired by https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
+-- references:
+--   * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
+--
+-- false positives:
+--   * none have been observed
 --
 -- platform: darwin
+-- tags: persistent launchd state
 select
   *
 FROM

detection/persistence/unexpected-active-systemd-units.sql

@@ -1,3 +1,12 @@
+-- Unexpected systemd units, may be evidence of persistence
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/002/
+--
+-- false positives:
+--   * System updates
+--
+-- tags: persistent seldom filesystem systemd
 SELECT description AS 'desc',
   fragment_path AS path,
   hash.sha256,

detection/persistence/unexpected-chrome-extensions.sql

@@ -1,9 +1,12 @@
 -- Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1176/
+--
 -- false positives:
 --   * anything that isn't on your whitelist
 --
--- tags: persistent seldom
+-- tags: persistent seldom browser
 SELECT name,
   profile,
   chrome_extensions.description AS 'descr',

detection/persistence/unexpected-cron-entries.sql

@@ -1,3 +1,13 @@
+-- Unexpected crontab entries
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1053/003/
+--
+-- false positives:
+--   * crontab entries added by the user
+--
+-- tags: filesystem state
+-- platform: posix
 SELECT
   *
 FROM

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -1,5 +1,12 @@
 -- Unexpected launchd scripts that use the 'program_arguments' field
+----
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/004/
 --
+-- false positives:
+--   * Software by new vendors which have not yet been added to the allow list
+--
+-- tags: filesystem state
 -- platform: darwin
 SELECT
   l.label,

detection/persistence/unexpected-launchd-program.sql

@@ -1,5 +1,12 @@
 -- Unexpected launchd scripts that use the 'program' field
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/004/
+--
+-- false positives:
+--   * Software by new vendors which have not yet been added to the allow list
+--
+-- tags: filesystem state
 -- platform: darwin
 SELECT
   l.label,

detection/persistence/unexpected-small-udev-entry.sql

@@ -1,5 +1,15 @@
--- Inspired by Operation Earth Berberoka
--- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
+-- Unexpected small udev rule entries
+--
+-- Typically vendor-provided udev rules are more verbose.
+--
+-- references:
+--   * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
+-- false positives:
+--   * rules installed by 3rd party software
+--
+-- tags: filesystem state
+-- platform: linux
+
 SELECT
   file.path,
   uid,

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -1,3 +1,10 @@
+-- Unexpected long-running processes running as root
+--
+-- false positives:
+--   * new software requiring escalated privileges
+--
+-- tags: process state
+-- platform: linux
 SELECT
   p.pid,
   p.name,

detection/persistence/unexpected-uid0-daemon-macos.sql

@@ -1,3 +1,10 @@
+-- Unexpected long-running processes running as root
+--
+-- false positives:
+--   * new software requiring escalated privileges
+--
+-- tags: process state
+-- platform: darwin
 SELECT
   p.pid,
   p.name,

detection/privesc/docker-container-mounting-root.sql

@@ -8,7 +8,7 @@
 -- dependent on the polling time.
 --
 -- platform: linux
--- tags: ephemeral often
+-- tags: transient often container escalation
 SELECT
   command, image_id, path, security_options, started_at, image
 FROM

detection/privesc/sketchy-docker-image-creator.sql

@@ -9,7 +9,8 @@
 -- may reflect the number of times the attack has been attempted.
 --
 -- platform: linux
--- tags: ephemeral often
+-- tags: transient often
+
 SELECT * FROM docker_image_history
 WHERE created > (strftime('%s', 'now') -86400)
 -- This signature is used by Traitor: https://github.com/liamg/traitor/

detection/privesc/unexpected-privilege-escalation-events.sql

@@ -1,4 +1,6 @@
 -- Designed for execution every 30 seconds (where the parent may still be around)
+--
+-- interval: 30
 SELECT
   p.pid AS child_pid,
   p.path AS child_path,

detection/privesc/unexpected-privilege-escalation.sql

@@ -5,7 +5,7 @@
 -- Related:
 --   * unexpected-privilege-escalation-events.sql
 --
--- interval: 30
+-- tags: transient continuous state process escalation
 SELECT
   p.pid AS child_pid,
   p.path AS child_path,

detection/privesc/unexpected-privileged-containers.sql

@@ -7,7 +7,7 @@
 -- where the kernel namespaces can be shared. These kind of attacks tend to be
 --
 -- platform: linux
--- tags: ephemeral
+-- tags: transient state container escalation
 SELECT
   command, image_id, path, security_options, started_at, image
 FROM

detection/privesc/unexpected-setxid-process.sql

@@ -1,4 +1,6 @@
 -- Processes running that originate from setuid/setgid programs
+--
+-- tags: state process escalation
 SELECT
   p.pid,
   p.name,