Run 'make reformat'

detection/c2/unexpected-talkers-linux.sql

@@ -210,7 +210,8 @@ WHERE
     AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
   )
   AND NOT (
-    s.remote_port = 80 AND (
+    s.remote_port = 80
+    AND (
       p.cgroup_path LIKE '/system.slice/docker-%'
       OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
     )

detection/credentials/unexpected-dev-opener-linux.sql

@@ -210,4 +210,3 @@ WHERE
   )
 GROUP BY
   pof.pid
-

detection/discovery/unexpected-netutil-calls-linux.sql

@@ -48,7 +48,8 @@ SELECT
     )
   ) AS exception_key
 FROM
-  process_events pe, uptime
+  process_events pe,
+  uptime
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN hash phash ON pp.path = phash.path

detection/discovery/unexpected-netutil-calls-macos.sql

@@ -48,7 +48,8 @@ SELECT
     )
   ) AS exception_key
 FROM
-  process_events pe, uptime
+  process_events pe,
+  uptime
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN hash phash ON pp.path = phash.path
@@ -81,9 +82,7 @@ WHERE
       'zsh'
     )
   )
-  AND exception_key NOT IN (
+  AND exception_key NOT IN ('netstat,0,sh,sudo')
-    'netstat,0,sh,sudo'
-  )
   AND parent_cmd NOT IN ('/bin/sh /etc/periodic/daily/420.status-network')
 GROUP BY
   pe.pid

detection/evasion/old-binaries-running.sql

@@ -7,7 +7,8 @@
 --   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
 --
 -- tags: transient process state
-SELECT p.path,
+SELECT
+  p.path,
   p.cmdline,
   p.cwd,
   p.pid,
@@ -22,11 +23,13 @@ SELECT p.path,
   f.uid,
   m.path,
   f.gid
-FROM processes p
+FROM
+  processes p
   LEFT JOIN file f ON p.path = f.path
   LEFT JOIN hash h ON p.path = h.path
   LEFT JOIN magic m ON p.path = m.path
-WHERE (
+WHERE
+  (
     ctime_age_days > 1050
     OR mtime_age_days > 1050
   )
@@ -59,5 +62,6 @@ WHERE (
     'Pandora Helper',
     'dlv'
   )
-GROUP BY p.pid,
+GROUP BY
-  p.path
+  p.pid,
+  p.path

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -35,7 +35,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
   -- Unfortunately, there is no column for when an exception was granted, so
   -- we're currently unable to filter out old entries.
   exception_key NOT IN (
-     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
+    ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
     'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
     'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',

detection/evasion/unexpected-dev-executables-linux.sql

@@ -4,7 +4,8 @@
 --   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 --
 -- tags: persistent state filesystem
-SELECT file.path,
+SELECT
+  file.path,
   file.directory,
   uid,
   gid,
@@ -13,10 +14,12 @@ SELECT file.path,
   file.size,
   hash.sha256,
   magic.data
-FROM file
+FROM
+  file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
     -- This list is the result of multiple queries combined and can likely be minimized
     file.path LIKE '/dev/%%'
     OR file.path LIKE '/dev/%%/%%'
@@ -68,4 +71,4 @@ WHERE (
     AND file.mode = '0755'
     AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
     AND file.size > 1000000
-  )
+  )

detection/evasion/unexpected-hidden-system-paths.sql

@@ -8,7 +8,8 @@
 --
 -- platform: posix
 -- tags: persistent filesystem state
-SELECT file.path,
+SELECT
+  file.path,
   file.directory,
   uid,
   gid,
@@ -20,10 +21,12 @@ SELECT file.path,
   size,
   hash.sha256,
   magic.data
-FROM file
+FROM
+  file
   LEFT JOIN hash ON file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
     file.path LIKE '/lib/.%'
     OR file.path LIKE '/.%'
     OR file.path LIKE '/bin/%/.%'
@@ -155,4 +158,4 @@ WHERE (
   AND NOT (
     file.path = '/var/root/.oracle_jre_usage/'
     AND file.size = 96
-  )
+  )

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -5,7 +5,8 @@
 --
 -- tags: persistent
 -- platform: posix
-SELECT file.path,
+SELECT
+  file.path,
   uid,
   gid,
   mode,
@@ -16,10 +17,12 @@ SELECT file.path,
   file.size,
   hash.sha256,
   magic.data
-FROM file
+FROM
+  file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
     -- Recursive queries don't seem to work well with hidden directories :(
     file.path LIKE '/tmp/%%'
     OR file.path LIKE '/tmp/.%/%%'
@@ -126,7 +129,7 @@ WHERE (
     file.type = 'regular'
     AND size < 10
   )
- -- Binaries we might actually see legitimately
+  -- Binaries we might actually see legitimately
   AND NOT (
     file.path LIKE '/tmp/%'
     AND file.uid > 500
@@ -136,7 +139,6 @@ WHERE (
       OR file.filename LIKE "%-cli"
     )
   )
-
   -- All checks with magic.data must first check for a lack of NULL value,
   -- otherwise you filter out platforms without magic.data.
   AND NOT (

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -5,7 +5,8 @@
 --
 -- tags: persistent
 -- platform: macos
-SELECT file.path,
+SELECT
+  file.path,
   uid,
   gid,
   mode,
@@ -18,11 +19,13 @@ SELECT file.path,
   magic.data,
   signature.identifier,
   signature.authority
-FROM file
+FROM
+  file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
   LEFT JOIN signature ON file.path = signature.path
-WHERE (
+WHERE
+  (
     -- Recursive queries don't seem to work well with hidden directories :(
     file.path LIKE '/tmp/%%'
     OR file.path LIKE '/tmp/.%/%%'
@@ -130,7 +133,7 @@ WHERE (
   AND NOT (
     magic.data IS NOT NULL
     AND (
-        magic.data = 'JSON data'
+      magic.data = 'JSON data'
-        OR magic.data LIKE 'ELF %-bit %SB executable%'
+      OR magic.data LIKE 'ELF %-bit %SB executable%'
     )
-  )
+  )

detection/evasion/unexpected-var-executables-macos.sql

@@ -118,4 +118,4 @@ WHERE
     file.path LIKE '/var/folders/%/T/libjansi-%.jnilib'
     AND file.size < 40000
     AND file.uid = 501
-  )
+  )

detection/execution/exotic-command-events-linux.sql

@@ -9,7 +9,8 @@
 -- tags: transient process events
 -- platform: linux
 -- interval: 30
-SELECT pe.path AS path,
+SELECT
+  pe.path AS path,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
   TRIM(pe.cmdline) AS cmd,
   pe.pid AS pid,
@@ -31,7 +32,9 @@ SELECT pe.path AS path,
     1
   ) AS gparent_name,
   IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
-FROM process_events pe, uptime
+FROM
+  process_events pe,
+  uptime
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN process_events ppe ON pe.parent = ppe.pid

detection/execution/exotic-command-events-macos.sql

@@ -9,7 +9,8 @@
 -- tags: transient process events
 -- platform: darwin
 -- interval: 45
-SELECT pe.path AS path,
+SELECT
+  pe.path AS path,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
   TRIM(pe.cmdline) AS cmd,
   pe.pid AS pid,
@@ -41,7 +42,8 @@ SELECT pe.path AS path,
     signature.authority,
     esignature.authority
   ) AS parent_authority
-FROM process_events pe
+FROM
+  process_events pe
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@@ -159,4 +161,4 @@ WHERE
   AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
   AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
   AND NOT cmd LIKE '%history'
-  AND NOT name IN ('cc1', 'compile')
+  AND NOT name IN ('cc1', 'compile')

detection/execution/sketchy-fetcher-events.sql

@@ -134,11 +134,14 @@ WHERE
   AND NOT (
     addr IS NOT NULL
     AND (
-      addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
+      addr IN (
+        'releases.hashicorp.com',
+        'github.com',
+        'dl.enforce.dev'
+      )
       -- Ignore local addresses (Docker development)
       OR addr NOT LIKE '%.%'
       OR ip LIKE '172.2%'
       OR ip LIKE '192.168.%'
     )
   )
-

detection/execution/sketchy-fetcher.sql

@@ -129,11 +129,14 @@ WHERE
   AND NOT (
     addr IS NOT NULL
     AND (
-      addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
+      addr IN (
+        'releases.hashicorp.com',
+        'github.com',
+        'dl.enforce.dev'
+      )
       -- Ignore local addresses (Docker development)
       OR addr NOT LIKE '%.%'
       OR ip LIKE '172.21.%'
       OR ip LIKE '192.168.%'
     )
   )
-

detection/execution/unexpected-execdir-events-macos.sql

@@ -142,7 +142,7 @@ WHERE
     '~/google-cloud-sdk/',
     '~/homebrew/',
     '~/.kuberlr/',
-   --  '~/Library/',
+    --  '~/Library/',
     '~/.gradle/',
     '~/.local/',
     '~/Parallels/',
@@ -193,7 +193,6 @@ WHERE
   AND homedir NOT LIKE '~/%sigstore%'
   AND homedir NOT LIKE '~/%/bin'
   AND homedir NOT LIKE '~/Library/Printers/%/Contents/MacOS'
-
   -- These signers can run from wherever the hell they want.
   AND signature.authority NOT IN (
     'Apple iPhone OS Application Signing',

detection/execution/unexpected-file-made-executable.sql

@@ -6,7 +6,8 @@
 -- interval: 600
 -- platform: posix
 -- tags: process events
-SELECT pe.path AS path,
+SELECT
+  pe.path AS path,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
   TRIM(pe.cmdline) AS cmd,
   pe.pid AS pid,
@@ -29,8 +30,9 @@ SELECT pe.path AS path,
     1
   ) AS gparent_name,
   IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
-  REGEX_MATCH(TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
+  REGEX_MATCH (TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
-FROM process_events pe
+FROM
+  process_events pe
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@@ -39,17 +41,19 @@ FROM process_events pe
   LEFT JOIN hash ON pp.path = hash.path
   LEFT JOIN hash thash ON target_path = thash.path
   LEFT JOIN hash ehash ON ppe.path = ehash.path
-WHERE pe.time > (strftime('%s', 'now') -600)
+WHERE
-AND pe.path LIKE '%/chmod'
+  pe.time > (strftime('%s', 'now') -600)
-AND (
+  AND pe.path LIKE '%/chmod'
-  cmd LIKE '%chmod 7%'
+  AND (
-  OR cmd LIKE '%chmod 5%'
+    cmd LIKE '%chmod 7%'
-  OR cmd LIKE '%chmod 1%'
+    OR cmd LIKE '%chmod 5%'
-  OR cmd LIKE '%chmod +%x'
+    OR cmd LIKE '%chmod 1%'
-)
+    OR cmd LIKE '%chmod +%x'
-AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
+  )
-AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
+  AND cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
-AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
+  AND cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
-AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
+  AND cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
-AND NOT parent_cgroup LIKE '/system.slice/docker-%'
+  AND cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
-GROUP BY pe.pid
+  AND NOT parent_cgroup LIKE '/system.slice/docker-%'
+GROUP BY
+  pe.pid

detection/execution/unexpected-osascript-calls.sql

@@ -87,4 +87,5 @@ WHERE
   -- The following apply to all uids
   AND NOT cmd = 'osascript -e user locale of (get system info)'
 GROUP BY
-  pe.pid, pe.cmd
+  pe.pid,
+  pe.cmd

detection/execution/unexpected-root-signer-macos.sql

@@ -74,4 +74,3 @@ WHERE
     AND p.name = "node"
     AND parent_name IN ("vim", "nvim")
   )
-

detection/execution/unexpected-security-framework-program-macos.sql

@@ -106,4 +106,4 @@ WHERE
   )
   AND NOT p.path IN ('/opt/socket_vmnet/bin/socket_vmnet')
 GROUP BY
-  pmm.pid
+  pmm.pid

detection/execution/unexpected-xattr-calls-macos.sql

@@ -6,7 +6,8 @@
 -- interval: 60
 -- platform: darwin
 -- tags: process events
-SELECT pe.path AS path,
+SELECT
+  pe.path AS path,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
   TRIM(pe.cmdline) AS cmd,
   pe.pid AS pid,
@@ -38,7 +39,8 @@ SELECT pe.path AS path,
     signature.authority,
     esignature.authority
   ) AS parent_authority
-FROM process_events pe
+FROM
+  process_events pe
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN process_events ppe ON pe.parent = ppe.pid
@@ -48,7 +50,8 @@ FROM process_events pe
   LEFT JOIN hash ehash ON ppe.path = ehash.path
   LEFT JOIN signature ON pp.path = signature.path
   LEFT JOIN signature esignature ON ppe.path = esignature.path
-WHERE pe.path = '/usr/bin/xattr'
+WHERE
+  pe.path = '/usr/bin/xattr'
   AND pe.status = 0
   AND pe.time > (strftime('%s', 'now') -60)
   AND cmd NOT IN (
@@ -81,4 +84,6 @@ WHERE pe.path = '/usr/bin/xattr'
   )
   AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
   AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
-GROUP BY pe.pid, cmd
+GROUP BY
+  pe.pid,
+  cmd

detection/exfil/high_disk_bytes_read.sql

@@ -150,4 +150,5 @@ WHERE
   )
   AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
-GROUP BY p.pid
+GROUP BY
+  p.pid

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -66,4 +66,4 @@ WHERE
   AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
   AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
   AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'
-  AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'
+  AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'

detection/persistence/unexpected-listening-port-linux.sql

@@ -15,7 +15,7 @@ SELECT
   p.path,
   p.cmdline,
   p.cgroup_path,
-  datetime(file.mtime,'unixepoch') AS mtime,
+  datetime(file.mtime, 'unixepoch') AS mtime,
   p.cwd,
   hash.sha256,
   CONCAT (

detection/persistence/unexpected-systemctl-calls.sql

@@ -48,7 +48,8 @@ SELECT
     )
   ) AS exception_key
 FROM
-  process_events pe, uptime
+  process_events pe,
+  uptime
   LEFT JOIN processes p ON pe.pid = p.pid
   LEFT JOIN processes pp ON pe.parent = pp.pid
   LEFT JOIN hash phash ON pp.path = phash.path
@@ -87,6 +88,5 @@ WHERE
   AND NOT child_cmd LIKE 'systemctl show --property=%'
   AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
   AND NOT child_cmd LIKE '/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%/bus'
-
 GROUP BY
   pe.pid

detection/privesc/setxid-cmdline-overflow-attempt.sql

@@ -23,4 +23,4 @@ FROM
 WHERE
   p.time > (strftime('%s', 'now') -60)
   AND file.mode NOT LIKE '0%'
-  AND p.cmdline_size > 2048
+  AND p.cmdline_size > 2048

policy/gcp-service-account-keys.sql

@@ -37,6 +37,9 @@ WHERE
   AND filename LIKE "%-%-%.json"
   AND size BETWEEN 2311 AND 2385
   -- Don't alert on tokens that begin with the username-, as they may be personal
-  AND NOT INSTR(filename, CONCAT(u.username, "-")) == 1
+  AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
   -- Don't alert on tokens that begin with the users full name and a dash
-  AND NOT INSTR(filename, REPLACE(LOWER(TRIM(description))," ", "-")) == 1
+  AND NOT INSTR(
+    filename,
+    REPLACE(LOWER(TRIM(description)), " ", "-")
+  ) == 1