mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-22 05:50:02 +00:00
Run reformat
This commit is contained in:
parent
b1e05d6612
commit
f72e6424c0
@ -110,7 +110,7 @@ WHERE
|
||||
'/opt/spotify',
|
||||
'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin'
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
AND NOT exception_key IN (
|
||||
'0,velociraptor,velociraptor,500u,80g',
|
||||
'500,0,110,syncthing',
|
||||
'500,0,123,sntp',
|
||||
@ -303,7 +303,7 @@ WHERE
|
||||
'500,99,443,Slack Helper',
|
||||
'500,99,443,Slack',
|
||||
'500,99,53,Slack Helper'
|
||||
)
|
||||
)
|
||||
AND NOT exception_key LIKE '500,500,443,terraform%'
|
||||
AND NOT exception_key LIKE '500,500,32768,terraform-provider-%'
|
||||
AND NOT exception_key LIKE '500,500,2304,terraform%'
|
||||
|
@ -186,7 +186,7 @@ WHERE
|
||||
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
|
||||
'500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
|
||||
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
|
||||
) -- Useful for unsigned binaries
|
||||
) -- Useful for unsigned binaries
|
||||
AND NOT alt_exception_key IN (
|
||||
'0,6,80,tailscaled,tailscaled,500u,80g',
|
||||
'500,6,22,ssh,ssh,0u,500g',
|
||||
|
@ -20,9 +20,11 @@ WHERE
|
||||
-- this does it the slow way.
|
||||
AND ea.value LIKE "https://doc-%googleusercontent.com%"
|
||||
-- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
|
||||
AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400)
|
||||
AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400)
|
||||
-- Common, low-risk for exfil
|
||||
AND file.filename NOT LIKE '%.csv'
|
||||
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
|
||||
GROUP BY ea.key
|
||||
HAVING num_downloads > 8
|
||||
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
|
||||
GROUP BY
|
||||
ea.key
|
||||
HAVING
|
||||
num_downloads > 8
|
||||
|
@ -52,7 +52,6 @@ WHERE
|
||||
AND p0.pid > 2
|
||||
AND p0.parent != 2
|
||||
AND p0.path NOT IN (
|
||||
|
||||
'/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
|
||||
'/bin-busybox',
|
||||
'/bin/bash',
|
||||
@ -92,7 +91,7 @@ WHERE
|
||||
'/usr/libexec/sharingd',
|
||||
'/usr/sbin/screencapture',
|
||||
'/usr/share/spotify-client/spotify'
|
||||
)
|
||||
)
|
||||
AND NOT (
|
||||
p0.name LIKE 'jbd%/dm-%'
|
||||
AND p0.on_disk = -1
|
||||
@ -125,7 +124,7 @@ WHERE
|
||||
p0.name = 'aptd'
|
||||
AND p0.cmdline = '/usr/bin/python3 /usr/sbin/aptd'
|
||||
)
|
||||
AND NOT p0.name IN (
|
||||
AND NOT p0.name IN (
|
||||
'Cisco WebEx Start',
|
||||
'Install',
|
||||
'baloo_file_extr',
|
||||
@ -188,7 +187,7 @@ WHERE
|
||||
'wineserver',
|
||||
'wolfictl',
|
||||
'yum'
|
||||
)
|
||||
)
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
|
||||
AND p0.path NOT LIKE '/home/%/.local/share/Steam'
|
||||
AND p0.path NOT LIKE '/nix/store/%/bin/%sh'
|
||||
@ -200,6 +199,5 @@ WHERE
|
||||
AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
|
||||
AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
|
||||
AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
|
||||
AND NOT p0.cmdline LIKE '%brew.rb upgrade'
|
||||
AND NOT p0.cmdline LIKE '%brew.rb upgrade'
|
||||
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
||||
|
@ -40,7 +40,11 @@ FROM
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
p0.pid IN (
|
||||
SELECT pid FROM processes WHERE
|
||||
SELECT
|
||||
pid
|
||||
FROM
|
||||
processes
|
||||
WHERE
|
||||
euid = 0
|
||||
AND path NOT LIKE '/System/%'
|
||||
AND path NOT LIKE '/Library/Apple/%'
|
||||
@ -56,9 +60,11 @@ WHERE
|
||||
AND path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
|
||||
AND path NOT LIKE '/usr/local/Cellar/htop/%/bin/htop'
|
||||
AND path NOT LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
|
||||
AND path NOT IN ('/opt/socket_vmnet/bin/socket_vmnet', '/usr/local/sbin/velociraptor')
|
||||
AND path NOT IN (
|
||||
'/opt/socket_vmnet/bin/socket_vmnet',
|
||||
'/usr/local/sbin/velociraptor'
|
||||
)
|
||||
)
|
||||
|
||||
AND pmm.path LIKE '%libpcap%'
|
||||
-- These are all protected directories
|
||||
AND NOT s.authority IN (
|
||||
|
@ -49,4 +49,8 @@ WHERE
|
||||
-- Snap packages?
|
||||
AND p.path NOT LIKE '/tmp/.mount_%'
|
||||
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
|
||||
AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper', '/opt/Synergy/resources/synergy-tray')
|
||||
AND p.path NOT IN (
|
||||
'/usr/bin/python3.10',
|
||||
'/opt/google/chrome/nacl_helper',
|
||||
'/opt/Synergy/resources/synergy-tray'
|
||||
)
|
||||
|
@ -35,13 +35,15 @@ SELECT -- Child
|
||||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM processes p0
|
||||
FROM
|
||||
processes p0
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||||
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE p1.on_disk != 1
|
||||
WHERE
|
||||
p1.on_disk != 1
|
||||
AND p0.on_disk = 1
|
||||
AND NOT p0.pid IN (1, 2)
|
||||
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
|
||||
@ -105,4 +107,4 @@ WHERE p1.on_disk != 1
|
||||
AND NOT (
|
||||
p1.name LIKE 'kworker/%+events_unbound'
|
||||
AND p0.name IN ('modprobe')
|
||||
)
|
||||
)
|
||||
|
@ -10,18 +10,23 @@
|
||||
-- * Can by racy if child and parent exit at the right time
|
||||
--
|
||||
-- tags: persistent daemon
|
||||
SELECT p.*,
|
||||
SELECT
|
||||
p.*,
|
||||
hash.sha256,
|
||||
GROUP_CONCAT(DISTINCT pof.path) AS open_files
|
||||
FROM processes p
|
||||
FROM
|
||||
processes p
|
||||
LEFT JOIN hash ON p.path = hash.path
|
||||
LEFT JOIN process_open_files pof ON p.pid = pof.pid
|
||||
WHERE -- Prevent false positives by avoiding short-lived commands
|
||||
p.start_time < (strftime('%s', 'now') -1)
|
||||
AND p.parent NOT IN (
|
||||
SELECT pid
|
||||
FROM processes
|
||||
SELECT
|
||||
pid
|
||||
FROM
|
||||
processes
|
||||
)
|
||||
AND p.parent != 0
|
||||
AND p.parent IS NOT NULL
|
||||
GROUP BY p.pid
|
||||
GROUP BY
|
||||
p.pid
|
||||
|
@ -5,7 +5,8 @@
|
||||
--
|
||||
-- tags: persistent state filesystem
|
||||
-- platform: darwin
|
||||
SELECT ae.path,
|
||||
SELECT
|
||||
ae.path,
|
||||
ae.state,
|
||||
file.mtime,
|
||||
file.ctime,
|
||||
@ -25,7 +26,8 @@ SELECT ae.path,
|
||||
',',
|
||||
MIN(file.uid, 501)
|
||||
) AS exception_key
|
||||
FROM alf_exceptions ae
|
||||
FROM
|
||||
alf_exceptions ae
|
||||
LEFT JOIN file ON ae.path = file.path
|
||||
LEFT JOIN hash ON ae.path = hash.path
|
||||
LEFT JOIN signature ON ae.path = signature.path
|
||||
@ -170,4 +172,5 @@ WHERE -- Filter out stock exceptions to decrease overhead
|
||||
OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
|
||||
)
|
||||
)
|
||||
GROUP BY exception_key
|
||||
GROUP BY
|
||||
exception_key
|
||||
|
@ -225,5 +225,4 @@ WHERE
|
||||
file.path LIKE '/tmp/.ssh-%'
|
||||
AND file.type = "socket"
|
||||
AND file.mode = '0600'
|
||||
|
||||
)
|
||||
|
@ -100,4 +100,4 @@ WHERE
|
||||
"kactivitymanagerd",
|
||||
"gmenudbusmenuproxy",
|
||||
"irqbalance"
|
||||
)
|
||||
)
|
||||
|
@ -162,4 +162,4 @@ WHERE
|
||||
)
|
||||
-- Elastic Agent
|
||||
AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
|
||||
AND NOt p0.cmdline LIKE '%/osqueryd %'
|
||||
AND NOt p0.cmdline LIKE '%/osqueryd %'
|
||||
|
@ -32,7 +32,4 @@ WHERE
|
||||
AND NOT file.path LIKE '/home/%/.zsh/completion'
|
||||
AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
|
||||
AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
|
||||
AND NOT file.path IN (
|
||||
'/',
|
||||
'/usr/bin/ruby'
|
||||
)
|
||||
AND NOT file.path IN ('/', '/usr/bin/ruby')
|
||||
|
@ -127,4 +127,4 @@ WHERE
|
||||
AND NOT (
|
||||
p0.name = 'ShortcutDroplet'
|
||||
AND f.mode = '0751'
|
||||
)
|
||||
)
|
||||
|
@ -35,8 +35,8 @@ FROM
|
||||
LEFT JOIN signature ON file.path = signature.path
|
||||
WHERE
|
||||
file.path IN (
|
||||
SELECT
|
||||
DISTINCT file.path
|
||||
SELECT DISTINCT
|
||||
file.path
|
||||
FROM
|
||||
block_devices
|
||||
JOIN mounts ON mounts.device = block_devices.name
|
||||
|
@ -37,4 +37,4 @@ WHERE
|
||||
condition:
|
||||
filesize < 10MB and 1 of them
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND yara.count > 0
|
||||
|
@ -45,4 +45,4 @@ WHERE
|
||||
filesize < 10MB and 2 of them
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND file.path NOT LIKE "%.csv"
|
||||
AND file.path NOT LIKE "%.csv"
|
||||
|
@ -39,4 +39,4 @@ rule http_exec {
|
||||
condition:
|
||||
all of them
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND yara.count > 0
|
||||
|
@ -45,4 +45,4 @@ WHERE
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND file.path NOT LIKE "%.csv"
|
||||
AND file.filename != 'RIT_Wireless.dmg'
|
||||
AND file.filename != 'RIT_Wireless.dmg'
|
||||
|
@ -34,4 +34,4 @@ WHERE
|
||||
condition:
|
||||
$upx_sig in (0..1024)
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND yara.count > 0
|
||||
|
@ -8,45 +8,52 @@
|
||||
--
|
||||
-- tags: process state
|
||||
-- platform: posix
|
||||
SELECT pos.protocol,
|
||||
pos.pid,
|
||||
pos.remote_address,
|
||||
pos.local_address,
|
||||
pos.local_port,
|
||||
pos.remote_port,
|
||||
pos.state,
|
||||
-- Child
|
||||
p0.pid AS p0_pid,
|
||||
p0.path AS p0_path,
|
||||
p0.name AS p0_name,
|
||||
p0.start_time AS p0_start,
|
||||
p0.cmdline AS p0_cmd,
|
||||
p0.cwd AS p0_cwd,
|
||||
p0.cgroup_path AS p0_cgroup,
|
||||
p0.euid AS p0_euid,
|
||||
p0_hash.sha256 AS p0_sha256,
|
||||
-- Parent
|
||||
p0.parent AS p1_pid,
|
||||
p1.path AS p1_path,
|
||||
p1.name AS p1_name,
|
||||
p1.start_time AS p1_start,
|
||||
p1.euid AS p1_euid,
|
||||
p1.cmdline AS p1_cmd,
|
||||
p1_hash.sha256 AS p1_sha256,
|
||||
-- Grandparent
|
||||
p1.parent AS p2_pid,
|
||||
p2.name AS p2_name,
|
||||
p2.start_time AS p2_start,
|
||||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM process_open_sockets pos
|
||||
JOIN processes p0 ON pos.pid = p0.pid
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||||
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE pos.fd < 3
|
||||
AND pos.family != 1
|
||||
AND p0.path NOT IN ('/usr/libexec/bootpd', '/usr/local/bin/velociraptor', '/Applications/NetSpot.app/Contents/MacOS/NetSpot')
|
||||
SELECT
|
||||
pos.protocol,
|
||||
pos.pid,
|
||||
pos.remote_address,
|
||||
pos.local_address,
|
||||
pos.local_port,
|
||||
pos.remote_port,
|
||||
pos.state,
|
||||
-- Child
|
||||
p0.pid AS p0_pid,
|
||||
p0.path AS p0_path,
|
||||
p0.name AS p0_name,
|
||||
p0.start_time AS p0_start,
|
||||
p0.cmdline AS p0_cmd,
|
||||
p0.cwd AS p0_cwd,
|
||||
p0.cgroup_path AS p0_cgroup,
|
||||
p0.euid AS p0_euid,
|
||||
p0_hash.sha256 AS p0_sha256,
|
||||
-- Parent
|
||||
p0.parent AS p1_pid,
|
||||
p1.path AS p1_path,
|
||||
p1.name AS p1_name,
|
||||
p1.start_time AS p1_start,
|
||||
p1.euid AS p1_euid,
|
||||
p1.cmdline AS p1_cmd,
|
||||
p1_hash.sha256 AS p1_sha256,
|
||||
-- Grandparent
|
||||
p1.parent AS p2_pid,
|
||||
p2.name AS p2_name,
|
||||
p2.start_time AS p2_start,
|
||||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM
|
||||
process_open_sockets pos
|
||||
JOIN processes p0 ON pos.pid = p0.pid
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||||
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
pos.fd < 3
|
||||
AND pos.family != 1
|
||||
AND p0.path NOT IN (
|
||||
'/usr/libexec/bootpd',
|
||||
'/usr/local/bin/velociraptor',
|
||||
'/Applications/NetSpot.app/Contents/MacOS/NetSpot'
|
||||
)
|
||||
|
@ -8,49 +8,59 @@
|
||||
--
|
||||
-- tags: persistent process state seldom
|
||||
-- platform: linux
|
||||
SELECT pos.protocol,
|
||||
pos.pid,
|
||||
pos.remote_address,
|
||||
pos.local_address,
|
||||
pos.local_port,
|
||||
pos.remote_port,
|
||||
pos.state,
|
||||
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
|
||||
COUNT(DISTINCT pmm.path) AS lib_count,
|
||||
-- Child
|
||||
p0.pid AS p0_pid,
|
||||
p0.path AS p0_path,
|
||||
p0.name AS p0_name,
|
||||
p0.start_time AS p0_start,
|
||||
p0.cmdline AS p0_cmd,
|
||||
p0.cwd AS p0_cwd,
|
||||
p0.cgroup_path AS p0_cgroup,
|
||||
p0.euid AS p0_euid,
|
||||
p0_hash.sha256 AS p0_sha256
|
||||
FROM processes p0
|
||||
JOIN process_open_sockets pos ON p0.pid = pos.pid
|
||||
JOIN process_memory_map pmm ON p0.pid = pmm.pid
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
WHERE p0.path != '' -- optimization: focus on longer running processes
|
||||
AND p0.start_time < (strftime('%s', 'now') - 900)
|
||||
AND p0.path NOT IN (
|
||||
'/usr/bin/containerd',
|
||||
'/usr/bin/fusermount3',
|
||||
'/usr/sbin/acpid',
|
||||
'/usr/bin/dash',
|
||||
'/usr/bin/docker',
|
||||
'/usr/sbin/mcelog',
|
||||
'/usr/libexec/docker/docker-proxy',
|
||||
'/usr/bin/docker-proxy',
|
||||
'/usr/bin/cat',
|
||||
'/usr/lib/electron/chrome-sandbox',
|
||||
'/usr/bin/i3blocks'
|
||||
)
|
||||
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
|
||||
AND p0.path NOT LIKE '/home/%/go/bin/%'
|
||||
AND pos.family != 1
|
||||
AND pos.pid > 0
|
||||
AND pos.state != 'LISTEN'
|
||||
AND pmm.path LIKE "%.so.%"
|
||||
GROUP BY pos.pid -- libc.so, ld-linux
|
||||
HAVING lib_count IN (1, 2)
|
||||
SELECT
|
||||
pos.protocol,
|
||||
pos.pid,
|
||||
pos.remote_address,
|
||||
pos.local_address,
|
||||
pos.local_port,
|
||||
pos.remote_port,
|
||||
pos.state,
|
||||
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
|
||||
COUNT(DISTINCT pmm.path) AS lib_count,
|
||||
-- Child
|
||||
p0.pid AS p0_pid,
|
||||
p0.path AS p0_path,
|
||||
p0.name AS p0_name,
|
||||
p0.start_time AS p0_start,
|
||||
p0.cmdline AS p0_cmd,
|
||||
p0.cwd AS p0_cwd,
|
||||
p0.cgroup_path AS p0_cgroup,
|
||||
p0.euid AS p0_euid,
|
||||
p0_hash.sha256 AS p0_sha256
|
||||
FROM
|
||||
processes p0
|
||||
JOIN process_open_sockets pos ON p0.pid = pos.pid
|
||||
JOIN process_memory_map pmm ON p0.pid = pmm.pid
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
WHERE
|
||||
p0.path != '' -- optimization: focus on longer running processes
|
||||
AND p0.start_time < (strftime('%s', 'now') - 900)
|
||||
AND p0.path NOT IN (
|
||||
'/usr/bin/containerd',
|
||||
'/usr/bin/fusermount3',
|
||||
'/usr/sbin/acpid',
|
||||
'/usr/bin/dash',
|
||||
'/usr/bin/docker',
|
||||
'/usr/sbin/mcelog',
|
||||
'/usr/libexec/docker/docker-proxy',
|
||||
'/usr/bin/docker-proxy',
|
||||
'/usr/bin/cat',
|
||||
'/usr/lib/electron/chrome-sandbox',
|
||||
'/usr/bin/i3blocks'
|
||||
)
|
||||
AND p0.name NOT IN (
|
||||
'chrome_crashpad',
|
||||
'dhcpcd',
|
||||
'stern',
|
||||
'Brackets-node'
|
||||
) -- optimization: minimalistic daemons typically only run 1 pid per path
|
||||
AND p0.path NOT LIKE '/home/%/go/bin/%'
|
||||
AND pos.family != 1
|
||||
AND pos.pid > 0
|
||||
AND pos.state != 'LISTEN'
|
||||
AND pmm.path LIKE "%.so.%"
|
||||
GROUP BY
|
||||
pos.pid -- libc.so, ld-linux
|
||||
HAVING
|
||||
lib_count IN (1, 2)
|
||||
|
@ -74,7 +74,6 @@ WHERE
|
||||
)
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
|
||||
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
|
||||
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
|
||||
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
|
||||
@ -125,16 +124,16 @@ WHERE
|
||||
'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
|
||||
'true,,Extensity,jjmflmamggggndanpgfnpelongoepncg',
|
||||
'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
|
||||
'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo',
|
||||
'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo',
|
||||
'true,,Fakespot Fake Amazon Reviews and eBay Sellers,nakplnnackehceedgkgkokbgbmfghain',
|
||||
'true,,FoxyProxy Basic,dookpfaalaaappcdneeahomimbllocnb',
|
||||
'true,,Free Maps Ruler,ejpahoknghmacibohhgleeacndkglgmo',
|
||||
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec',
|
||||
'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe',
|
||||
'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno',
|
||||
'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij',
|
||||
'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch',
|
||||
'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd',
|
||||
'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij',
|
||||
'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch',
|
||||
'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd',
|
||||
'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge',
|
||||
'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi',
|
||||
'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf',
|
||||
@ -144,12 +143,9 @@ WHERE
|
||||
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
|
||||
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
|
||||
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
|
||||
<<<<<<< HEAD
|
||||
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
=======
|
||||
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
>>>>>>> main
|
||||
'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
<< << << < HEAD 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
== == == = 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
>> >> >> > main 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
|
||||
'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa',
|
||||
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
|
||||
@ -226,13 +222,13 @@ WHERE
|
||||
'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod',
|
||||
'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',
|
||||
'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
|
||||
'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm',
|
||||
'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm',
|
||||
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
|
||||
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
|
||||
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
|
||||
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
|
||||
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
|
||||
'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan',
|
||||
'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan',
|
||||
'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh',
|
||||
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
|
||||
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
|
||||
|
@ -150,8 +150,8 @@ WHERE
|
||||
'7000,6,500,ControlCenter,Software Signing',
|
||||
'7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)',
|
||||
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'80,6,500,limactl,',
|
||||
'8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
|
||||
'80,6,500,limactl,',
|
||||
'8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
|
||||
'111,17,1,rpcbind,Software Signing',
|
||||
'111,6,1,rpcbind,Software Signing',
|
||||
'3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
|
||||
|
@ -3,6 +3,9 @@
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- interval: 900
|
||||
SELECT *
|
||||
FROM file_events
|
||||
WHERE time > (strftime('%s', 'now') -900)
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
file_events
|
||||
WHERE
|
||||
time > (strftime('%s', 'now') -900)
|
||||
|
@ -20,4 +20,4 @@ WHERE
|
||||
mtime > (strftime('%s', 'now') -3600)
|
||||
OR ctime > (strftime('%s', 'now') -3600)
|
||||
OR btime > (strftime('%s', 'now') -3600)
|
||||
)
|
||||
)
|
||||
|
@ -3,46 +3,50 @@
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- interval: 3600
|
||||
SELECT *
|
||||
FROM file
|
||||
WHERE (
|
||||
path LIKE "/var/tmp/%"
|
||||
OR path LIKE "/var/tmp/%/%"
|
||||
OR path LIKE "/Applications/%"
|
||||
OR path LIKE "/Applications/%/%"
|
||||
OR path LIKE "/home/%/%"
|
||||
OR path LIKE "/home/%/.%/%"
|
||||
OR path LIKE "/home/%/.%/%/%"
|
||||
OR path LIKE "/home/%/.config/%"
|
||||
OR path LIKE "/home/%/.config/%/%"
|
||||
OR path LIKE "/Library/%/%"
|
||||
OR path LIKE "/Library/.%"
|
||||
OR path LIKE "/Library/Application Support/%"
|
||||
OR path LIKE "/Library/Application Support/.%"
|
||||
OR path LIKE "/tmp/%"
|
||||
OR path LIKE "/tmp/%/%"
|
||||
OR path LIKE "/tmp/.%/%%"
|
||||
OR path LIKE "/Users/%/%"
|
||||
OR path LIKE "/Users/%/%/%"
|
||||
OR path LIKE "/Users/%/.%/%"
|
||||
OR path LIKE "/Users/%/.%/%/%"
|
||||
OR path LIKE "/Users/Library/%"
|
||||
OR path LIKE "/Users/Library/%/%"
|
||||
OR path LIKE "/Users/Library/.%"
|
||||
OR path LIKE "/Users/Library/Application Support/%"
|
||||
OR path LIKE "/Users/Library/Application Support/%/%"
|
||||
OR path LIKE "/Users/Library/Application Support/.%"
|
||||
OR path LIKE "/var/%"
|
||||
OR path LIKE "/var/%/%"
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
file
|
||||
WHERE
|
||||
(
|
||||
path LIKE "/var/tmp/%"
|
||||
OR path LIKE "/var/tmp/%/%"
|
||||
OR path LIKE "/Applications/%"
|
||||
OR path LIKE "/Applications/%/%"
|
||||
OR path LIKE "/home/%/%"
|
||||
OR path LIKE "/home/%/.%/%"
|
||||
OR path LIKE "/home/%/.%/%/%"
|
||||
OR path LIKE "/home/%/.config/%"
|
||||
OR path LIKE "/home/%/.config/%/%"
|
||||
OR path LIKE "/Library/%/%"
|
||||
OR path LIKE "/Library/.%"
|
||||
OR path LIKE "/Library/Application Support/%"
|
||||
OR path LIKE "/Library/Application Support/.%"
|
||||
OR path LIKE "/tmp/%"
|
||||
OR path LIKE "/tmp/%/%"
|
||||
OR path LIKE "/tmp/.%/%%"
|
||||
OR path LIKE "/Users/%/%"
|
||||
OR path LIKE "/Users/%/%/%"
|
||||
OR path LIKE "/Users/%/.%/%"
|
||||
OR path LIKE "/Users/%/.%/%/%"
|
||||
OR path LIKE "/Users/Library/%"
|
||||
OR path LIKE "/Users/Library/%/%"
|
||||
OR path LIKE "/Users/Library/.%"
|
||||
OR path LIKE "/Users/Library/Application Support/%"
|
||||
OR path LIKE "/Users/Library/Application Support/%/%"
|
||||
OR path LIKE "/Users/Library/Application Support/.%"
|
||||
OR path LIKE "/var/%"
|
||||
OR path LIKE "/var/%/%"
|
||||
)
|
||||
AND (
|
||||
mtime > (strftime('%s', 'now') -3600)
|
||||
OR (
|
||||
atime > (strftime('%s', 'now') -3600)
|
||||
AND file.type = "regular"
|
||||
)
|
||||
AND (
|
||||
mtime > (strftime('%s', 'now') -3600)
|
||||
OR (
|
||||
atime > (strftime('%s', 'now') -3600)
|
||||
AND file.type = "regular"
|
||||
)
|
||||
OR ctime > (strftime('%s', 'now') -3600)
|
||||
OR btime > (strftime('%s', 'now') -3600)
|
||||
)
|
||||
AND NOT path LIKE "%/../%"
|
||||
GROUP BY inode;
|
||||
OR ctime > (strftime('%s', 'now') -3600)
|
||||
OR btime > (strftime('%s', 'now') -3600)
|
||||
)
|
||||
AND NOT path LIKE "%/../%"
|
||||
GROUP BY
|
||||
inode;
|
||||
|
@ -7,4 +7,5 @@ SELECT
|
||||
*
|
||||
FROM
|
||||
socket_events
|
||||
WHERE time > (strftime('%s', 'now') -600)
|
||||
WHERE
|
||||
time > (strftime('%s', 'now') -600)
|
||||
|
@ -47,4 +47,6 @@ WHERE
|
||||
AND NOT INSTR(file.filename, 'melange.rsa') > 0
|
||||
AND NOT INSTR(file.filename, 'local-melange-enterprise.rsa') > 0
|
||||
-- Demo keys
|
||||
AND NOT sha256 IN ('a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de')
|
||||
AND NOT sha256 IN (
|
||||
'a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de'
|
||||
)
|
||||
|
Loading…
Reference in New Issue
Block a user