Run reformat

detection/c2/unexpected-talker-events.sql

@@ -110,7 +110,7 @@ WHERE
     '/opt/spotify',
     '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin'
   )
-  AND NOT exception_key IN ( 
+  AND NOT exception_key IN (
     '0,velociraptor,velociraptor,500u,80g',
     '500,0,110,syncthing',
     '500,0,123,sntp',
@@ -303,7 +303,7 @@ WHERE
     '500,99,443,Slack Helper',
     '500,99,443,Slack',
     '500,99,53,Slack Helper'
- )
+  )
   AND NOT exception_key LIKE '500,500,443,terraform%'
   AND NOT exception_key LIKE '500,500,32768,terraform-provider-%'
   AND NOT exception_key LIKE '500,500,2304,terraform%'

detection/c2/unexpected-talkers-macos.sql

@@ -186,7 +186,7 @@ WHERE
     '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
     '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
     '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
- ) -- Useful for unsigned binaries
+  ) -- Useful for unsigned binaries
   AND NOT alt_exception_key IN (
     '0,6,80,tailscaled,tailscaled,500u,80g',
     '500,6,22,ssh,ssh,0u,500g',

detection/collection/excess-google-drive-downloads-macos.sql

@@ -20,9 +20,11 @@ WHERE
   -- this does it the slow way.
   AND ea.value LIKE "https://doc-%googleusercontent.com%"
   -- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
-  AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400) 
+  AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400)
   -- Common, low-risk for exfil
   AND file.filename NOT LIKE '%.csv'
--- "GROUP BY" should be unnecessary, but Kolide seems to require it
+  -- "GROUP BY" should be unnecessary, but Kolide seems to require it
-GROUP BY ea.key
+GROUP BY
-HAVING num_downloads > 8
+  ea.key
+HAVING
+  num_downloads > 8

detection/collection/high-disk-bytes-written.sql

@@ -52,7 +52,6 @@ WHERE
   AND p0.pid > 2
   AND p0.parent != 2
   AND p0.path NOT IN (
- 
     '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
     '/bin-busybox',
     '/bin/bash',
@@ -92,7 +91,7 @@ WHERE
     '/usr/libexec/sharingd',
     '/usr/sbin/screencapture',
     '/usr/share/spotify-client/spotify'
- )
+  )
   AND NOT (
     p0.name LIKE 'jbd%/dm-%'
     AND p0.on_disk = -1
@@ -125,7 +124,7 @@ WHERE
     p0.name = 'aptd'
     AND p0.cmdline = '/usr/bin/python3 /usr/sbin/aptd'
   )
-  AND NOT p0.name IN ( 
+  AND NOT p0.name IN (
     'Cisco WebEx Start',
     'Install',
     'baloo_file_extr',
@@ -188,7 +187,7 @@ WHERE
     'wineserver',
     'wolfictl',
     'yum'
- )
+  )
   AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
   AND p0.path NOT LIKE '/home/%/.local/share/Steam'
   AND p0.path NOT LIKE '/nix/store/%/bin/%sh'
@@ -200,6 +199,5 @@ WHERE
   AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
   AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
   AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
-  AND NOT p0.cmdline LIKE '%brew.rb upgrade'  
+  AND NOT p0.cmdline LIKE '%brew.rb upgrade'
   AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
-  

detection/discovery/unexpected-pcap-user-macos.sql

@@ -40,7 +40,11 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   p0.pid IN (
-    SELECT pid FROM processes WHERE
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
       euid = 0
       AND path NOT LIKE '/System/%'
       AND path NOT LIKE '/Library/Apple/%'
@@ -56,9 +60,11 @@ WHERE
       AND path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
       AND path NOT LIKE '/usr/local/Cellar/htop/%/bin/htop'
       AND path NOT LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
-      AND path NOT IN ('/opt/socket_vmnet/bin/socket_vmnet', '/usr/local/sbin/velociraptor')
+      AND path NOT IN (
+        '/opt/socket_vmnet/bin/socket_vmnet',
+        '/usr/local/sbin/velociraptor'
+      )
   )
-
   AND pmm.path LIKE '%libpcap%'
   -- These are all protected directories
   AND NOT s.authority IN (

detection/evasion/missing-from-disk-linux.sql

@@ -49,4 +49,8 @@ WHERE
   -- Snap packages?
   AND p.path NOT LIKE '/tmp/.mount_%'
   AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
-  AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper', '/opt/Synergy/resources/synergy-tray')
+  AND p.path NOT IN (
+    '/usr/bin/python3.10',
+    '/opt/google/chrome/nacl_helper',
+    '/opt/Synergy/resources/synergy-tray'
+  )

detection/evasion/parent-missing-from-disk-linux.sql

@@ -35,13 +35,15 @@ SELECT -- Child
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM processes p0
+FROM
+  processes p0
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE p1.on_disk != 1
+WHERE
+  p1.on_disk != 1
   AND p0.on_disk = 1
   AND NOT p0.pid IN (1, 2)
   AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
@@ -105,4 +107,4 @@ WHERE p1.on_disk != 1
   AND NOT (
     p1.name LIKE 'kworker/%+events_unbound'
     AND p0.name IN ('modprobe')
-  )
+  )

detection/evasion/parent-pid-missing-from-procfs.sql

@@ -10,18 +10,23 @@
 --   * Can by racy if child and parent exit at the right time
 --
 -- tags: persistent daemon
-SELECT p.*,
+SELECT
+  p.*,
   hash.sha256,
   GROUP_CONCAT(DISTINCT pof.path) AS open_files
-FROM processes p
+FROM
+  processes p
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN process_open_files pof ON p.pid = pof.pid
 WHERE -- Prevent false positives by avoiding short-lived commands
   p.start_time < (strftime('%s', 'now') -1)
   AND p.parent NOT IN (
-    SELECT pid
+    SELECT
-    FROM processes
+      pid
+    FROM
+      processes
   )
   AND p.parent != 0
   AND p.parent IS NOT NULL
-GROUP BY p.pid
+GROUP BY
+  p.pid

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -5,7 +5,8 @@
 --
 -- tags: persistent state filesystem
 -- platform: darwin
-SELECT ae.path,
+SELECT
+  ae.path,
   ae.state,
   file.mtime,
   file.ctime,
@@ -25,7 +26,8 @@ SELECT ae.path,
     ',',
     MIN(file.uid, 501)
   ) AS exception_key
-FROM alf_exceptions ae
+FROM
+  alf_exceptions ae
   LEFT JOIN file ON ae.path = file.path
   LEFT JOIN hash ON ae.path = hash.path
   LEFT JOIN signature ON ae.path = signature.path
@@ -170,4 +172,5 @@ WHERE -- Filter out stock exceptions to decrease overhead
       OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
     )
   )
-GROUP BY exception_key
+GROUP BY
+  exception_key

detection/evasion/unexpected-hidden-system-paths.sql

@@ -225,5 +225,4 @@ WHERE
     file.path LIKE '/tmp/.ssh-%'
     AND file.type = "socket"
     AND file.mode = '0600'
-    
   )

detection/evasion/unusual-executable-name-linux.sql

@@ -100,4 +100,4 @@ WHERE
     "kactivitymanagerd",
     "gmenudbusmenuproxy",
     "irqbalance"
-  )
+  )

detection/execution/sketchy-fetcher.sql

@@ -162,4 +162,4 @@ WHERE
   )
   -- Elastic Agent
   AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
-  AND NOt p0.cmdline LIKE '%/osqueryd %'
+  AND NOt p0.cmdline LIKE '%/osqueryd %'

detection/execution/tiny-executable.sql

@@ -32,7 +32,4 @@ WHERE
   AND NOT file.path LIKE '/home/%/.zsh/completion'
   AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
   AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
-  AND NOT file.path IN (
+  AND NOT file.path IN ('/', '/usr/bin/ruby')
-    '/',
-    '/usr/bin/ruby'
-  )

detection/execution/unexpected-executable-permissions.sql

@@ -127,4 +127,4 @@ WHERE
   AND NOT (
     p0.name = 'ShortcutDroplet'
     AND f.mode = '0751'
-  )
+  )

detection/initial_access/sketchy-mounted-diskimage.sql

@@ -35,8 +35,8 @@ FROM
   LEFT JOIN signature ON file.path = signature.path
 WHERE
   file.path IN (
-    SELECT
+    SELECT DISTINCT
-      DISTINCT file.path
+      file.path
     FROM
       block_devices
       JOIN mounts ON mounts.device = block_devices.name

detection/initial_access/yara-recently-downloaded-miner.sql

@@ -37,4 +37,4 @@ WHERE
     condition:
         filesize < 10MB and 1 of them
 }'
-  AND yara.count > 0
+  AND yara.count > 0

detection/initial_access/yara-recently-downloaded-ransom.sql

@@ -45,4 +45,4 @@ WHERE
         filesize < 10MB and 2 of them
 }'
   AND yara.count > 0
-  AND file.path NOT LIKE "%.csv"
+  AND file.path NOT LIKE "%.csv"

detection/initial_access/yara-recently-downloaded-rust-http-exec.sql

@@ -39,4 +39,4 @@ rule http_exec {
     condition:
         all of them
 }'
-  AND yara.count > 0
+  AND yara.count > 0

detection/initial_access/yara-recently-downloaded-stealer.sql

@@ -45,4 +45,4 @@ WHERE
 }'
   AND yara.count > 0
   AND file.path NOT LIKE "%.csv"
-  AND file.filename != 'RIT_Wireless.dmg'
+  AND file.filename != 'RIT_Wireless.dmg'

detection/initial_access/yara-recently-downloaded-upx.sql

@@ -34,4 +34,4 @@ WHERE
     condition:
         $upx_sig in (0..1024)
     }'
-  AND yara.count > 0
+  AND yara.count > 0

detection/persistence/low-fd-socket.sql

@@ -8,45 +8,52 @@
 --
 -- tags: process state
 -- platform: posix
-SELECT pos.protocol,
+SELECT
-    pos.pid,
+  pos.protocol,
-    pos.remote_address,
+  pos.pid,
-    pos.local_address,
+  pos.remote_address,
-    pos.local_port,
+  pos.local_address,
-    pos.remote_port,
+  pos.local_port,
-    pos.state,
+  pos.remote_port,
-    -- Child
+  pos.state,
-    p0.pid AS p0_pid,
+  -- Child
-    p0.path AS p0_path,
+  p0.pid AS p0_pid,
-    p0.name AS p0_name,
+  p0.path AS p0_path,
-    p0.start_time AS p0_start,
+  p0.name AS p0_name,
-    p0.cmdline AS p0_cmd,
+  p0.start_time AS p0_start,
-    p0.cwd AS p0_cwd,
+  p0.cmdline AS p0_cmd,
-    p0.cgroup_path AS p0_cgroup,
+  p0.cwd AS p0_cwd,
-    p0.euid AS p0_euid,
+  p0.cgroup_path AS p0_cgroup,
-    p0_hash.sha256 AS p0_sha256,
+  p0.euid AS p0_euid,
-    -- Parent
+  p0_hash.sha256 AS p0_sha256,
-    p0.parent AS p1_pid,
+  -- Parent
-    p1.path AS p1_path,
+  p0.parent AS p1_pid,
-    p1.name AS p1_name,
+  p1.path AS p1_path,
-    p1.start_time AS p1_start,
+  p1.name AS p1_name,
-    p1.euid AS p1_euid,
+  p1.start_time AS p1_start,
-    p1.cmdline AS p1_cmd,
+  p1.euid AS p1_euid,
-    p1_hash.sha256 AS p1_sha256,
+  p1.cmdline AS p1_cmd,
-    -- Grandparent
+  p1_hash.sha256 AS p1_sha256,
-    p1.parent AS p2_pid,
+  -- Grandparent
-    p2.name AS p2_name,
+  p1.parent AS p2_pid,
-    p2.start_time AS p2_start,
+  p2.name AS p2_name,
-    p2.path AS p2_path,
+  p2.start_time AS p2_start,
-    p2.cmdline AS p2_cmd,
+  p2.path AS p2_path,
-    p2_hash.sha256 AS p2_sha256
+  p2.cmdline AS p2_cmd,
-FROM process_open_sockets pos
+  p2_hash.sha256 AS p2_sha256
-    JOIN processes p0 ON pos.pid = p0.pid
+FROM
-    LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  process_open_sockets pos
-    LEFT JOIN processes p1 ON p0.parent = p1.pid
+  JOIN processes p0 ON pos.pid = p0.pid
-    LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
-    LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
-    LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
-WHERE pos.fd < 3
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
-    AND pos.family != 1
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-    AND p0.path NOT IN ('/usr/libexec/bootpd', '/usr/local/bin/velociraptor', '/Applications/NetSpot.app/Contents/MacOS/NetSpot')
+WHERE
+  pos.fd < 3
+  AND pos.family != 1
+  AND p0.path NOT IN (
+    '/usr/libexec/bootpd',
+    '/usr/local/bin/velociraptor',
+    '/Applications/NetSpot.app/Contents/MacOS/NetSpot'
+  )

detection/persistence/minimal-socket-client-linux.sql

@@ -8,49 +8,59 @@
 --
 -- tags: persistent process state seldom
 -- platform: linux
-SELECT pos.protocol,
+SELECT
-    pos.pid,
+  pos.protocol,
-    pos.remote_address,
+  pos.pid,
-    pos.local_address,
+  pos.remote_address,
-    pos.local_port,
+  pos.local_address,
-    pos.remote_port,
+  pos.local_port,
-    pos.state,
+  pos.remote_port,
-    GROUP_CONCAT(DISTINCT pmm.path) AS libs,
+  pos.state,
-    COUNT(DISTINCT pmm.path) AS lib_count,
+  GROUP_CONCAT(DISTINCT pmm.path) AS libs,
-    -- Child
+  COUNT(DISTINCT pmm.path) AS lib_count,
-    p0.pid AS p0_pid,
+  -- Child
-    p0.path AS p0_path,
+  p0.pid AS p0_pid,
-    p0.name AS p0_name,
+  p0.path AS p0_path,
-    p0.start_time AS p0_start,
+  p0.name AS p0_name,
-    p0.cmdline AS p0_cmd,
+  p0.start_time AS p0_start,
-    p0.cwd AS p0_cwd,
+  p0.cmdline AS p0_cmd,
-    p0.cgroup_path AS p0_cgroup,
+  p0.cwd AS p0_cwd,
-    p0.euid AS p0_euid,
+  p0.cgroup_path AS p0_cgroup,
-    p0_hash.sha256 AS p0_sha256
+  p0.euid AS p0_euid,
-FROM processes p0
+  p0_hash.sha256 AS p0_sha256
-    JOIN process_open_sockets pos ON p0.pid = pos.pid
+FROM
-    JOIN process_memory_map pmm ON p0.pid = pmm.pid
+  processes p0
-    LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  JOIN process_open_sockets pos ON p0.pid = pos.pid
-WHERE p0.path != '' -- optimization: focus on longer running processes
+  JOIN process_memory_map pmm ON p0.pid = pmm.pid
-    AND p0.start_time < (strftime('%s', 'now') - 900)
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
-    AND p0.path NOT IN (
+WHERE
-        '/usr/bin/containerd',
+  p0.path != '' -- optimization: focus on longer running processes
-        '/usr/bin/fusermount3',
+  AND p0.start_time < (strftime('%s', 'now') - 900)
-        '/usr/sbin/acpid',
+  AND p0.path NOT IN (
-        '/usr/bin/dash',
+    '/usr/bin/containerd',
-        '/usr/bin/docker',
+    '/usr/bin/fusermount3',
-        '/usr/sbin/mcelog',
+    '/usr/sbin/acpid',
-        '/usr/libexec/docker/docker-proxy',
+    '/usr/bin/dash',
-        '/usr/bin/docker-proxy',
+    '/usr/bin/docker',
-        '/usr/bin/cat',
+    '/usr/sbin/mcelog',
-        '/usr/lib/electron/chrome-sandbox',
+    '/usr/libexec/docker/docker-proxy',
-        '/usr/bin/i3blocks'
+    '/usr/bin/docker-proxy',
-    )
+    '/usr/bin/cat',
-    AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
+    '/usr/lib/electron/chrome-sandbox',
-    AND p0.path NOT LIKE '/home/%/go/bin/%'
+    '/usr/bin/i3blocks'
-    AND pos.family != 1
+  )
-    AND pos.pid > 0
+  AND p0.name NOT IN (
-    AND pos.state != 'LISTEN'
+    'chrome_crashpad',
-    AND pmm.path LIKE "%.so.%"
+    'dhcpcd',
-GROUP BY pos.pid -- libc.so, ld-linux
+    'stern',
-HAVING lib_count IN (1, 2)
+    'Brackets-node'
+  ) -- optimization: minimalistic daemons typically only run 1 pid per path
+  AND p0.path NOT LIKE '/home/%/go/bin/%'
+  AND pos.family != 1
+  AND pos.pid > 0
+  AND pos.state != 'LISTEN'
+  AND pmm.path LIKE "%.so.%"
+GROUP BY
+  pos.pid -- libc.so, ld-linux
+HAVING
+  lib_count IN (1, 2)

detection/persistence/unexpected-chrome-extensions.sql

@@ -74,7 +74,6 @@ WHERE
     )
   )
   AND NOT exception_key IN (
-
     "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
     'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
     'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
@@ -125,16 +124,16 @@ WHERE
     'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
     'true,,Extensity,jjmflmamggggndanpgfnpelongoepncg',
     'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
-    'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo', 
+    'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo',
     'true,,Fakespot Fake Amazon Reviews and eBay Sellers,nakplnnackehceedgkgkokbgbmfghain',
     'true,,FoxyProxy Basic,dookpfaalaaappcdneeahomimbllocnb',
     'true,,Free Maps Ruler,ejpahoknghmacibohhgleeacndkglgmo',
     'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec',
     'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe',
     'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno',
-    'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij', 
+    'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij',
-    'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch', 
+    'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch',
-    'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd', 
+    'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd',
     'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge',
     'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi',
     'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf',
@@ -144,12 +143,9 @@ WHERE
     'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
     'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
     'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
-<<<<<<< HEAD
+    << << << < HEAD 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
-    'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 
+    == == == = 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
-=======
+    >> >> >> > main 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
-    'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
->>>>>>> main
-    'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
     'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
     'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa',
     'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
@@ -226,13 +222,13 @@ WHERE
     'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod',
     'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',
     'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
-    'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm', 
+    'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm',
     'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
     'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
     'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
     'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
     'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
-    'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan', 
+    'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan',
     'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh',
     'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',

detection/persistence/unexpected-listening-port-macos.sql

@@ -150,8 +150,8 @@ WHERE
     '7000,6,500,ControlCenter,Software Signing',
     '7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)',
     '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
-    '80,6,500,limactl,', 
+    '80,6,500,limactl,',
-    '8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',    
+    '8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
     '111,17,1,rpcbind,Software Signing',
     '111,6,1,rpcbind,Software Signing',
     '3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',

incident_response/file_events.sql

@@ -3,6 +3,9 @@
 -- tags: postmortem
 -- platform: posix
 -- interval: 900
-SELECT *
+SELECT
-FROM file_events
+  *
-WHERE time > (strftime('%s', 'now') -900)
+FROM
+  file_events
+WHERE
+  time > (strftime('%s', 'now') -900)

incident_response/files-downloads.sql

@@ -20,4 +20,4 @@ WHERE
     mtime > (strftime('%s', 'now') -3600)
     OR ctime > (strftime('%s', 'now') -3600)
     OR btime > (strftime('%s', 'now') -3600)
-  )
+  )

incident_response/files-recently-written.sql

@@ -3,46 +3,50 @@
 -- tags: postmortem
 -- platform: posix
 -- interval: 3600
-SELECT *
+SELECT
-FROM file
+  *
-WHERE (
+FROM
-        path LIKE "/var/tmp/%"
+  file
-        OR path LIKE "/var/tmp/%/%"
+WHERE
-        OR path LIKE "/Applications/%"
+  (
-        OR path LIKE "/Applications/%/%"
+    path LIKE "/var/tmp/%"
-        OR path LIKE "/home/%/%"
+    OR path LIKE "/var/tmp/%/%"
-        OR path LIKE "/home/%/.%/%"
+    OR path LIKE "/Applications/%"
-        OR path LIKE "/home/%/.%/%/%"
+    OR path LIKE "/Applications/%/%"
-        OR path LIKE "/home/%/.config/%"
+    OR path LIKE "/home/%/%"
-        OR path LIKE "/home/%/.config/%/%"
+    OR path LIKE "/home/%/.%/%"
-        OR path LIKE "/Library/%/%"
+    OR path LIKE "/home/%/.%/%/%"
-        OR path LIKE "/Library/.%"
+    OR path LIKE "/home/%/.config/%"
-        OR path LIKE "/Library/Application Support/%"
+    OR path LIKE "/home/%/.config/%/%"
-        OR path LIKE "/Library/Application Support/.%"
+    OR path LIKE "/Library/%/%"
-        OR path LIKE "/tmp/%"
+    OR path LIKE "/Library/.%"
-        OR path LIKE "/tmp/%/%"
+    OR path LIKE "/Library/Application Support/%"
-        OR path LIKE "/tmp/.%/%%"
+    OR path LIKE "/Library/Application Support/.%"
-        OR path LIKE "/Users/%/%"
+    OR path LIKE "/tmp/%"
-        OR path LIKE "/Users/%/%/%"
+    OR path LIKE "/tmp/%/%"
-        OR path LIKE "/Users/%/.%/%"
+    OR path LIKE "/tmp/.%/%%"
-        OR path LIKE "/Users/%/.%/%/%"
+    OR path LIKE "/Users/%/%"
-        OR path LIKE "/Users/Library/%"
+    OR path LIKE "/Users/%/%/%"
-        OR path LIKE "/Users/Library/%/%"
+    OR path LIKE "/Users/%/.%/%"
-        OR path LIKE "/Users/Library/.%"
+    OR path LIKE "/Users/%/.%/%/%"
-        OR path LIKE "/Users/Library/Application Support/%"
+    OR path LIKE "/Users/Library/%"
-        OR path LIKE "/Users/Library/Application Support/%/%"
+    OR path LIKE "/Users/Library/%/%"
-        OR path LIKE "/Users/Library/Application Support/.%"
+    OR path LIKE "/Users/Library/.%"
-        OR path LIKE "/var/%"
+    OR path LIKE "/Users/Library/Application Support/%"
-        OR path LIKE "/var/%/%"
+    OR path LIKE "/Users/Library/Application Support/%/%"
+    OR path LIKE "/Users/Library/Application Support/.%"
+    OR path LIKE "/var/%"
+    OR path LIKE "/var/%/%"
+  )
+  AND (
+    mtime > (strftime('%s', 'now') -3600)
+    OR (
+      atime > (strftime('%s', 'now') -3600)
+      AND file.type = "regular"
     )
-    AND (
+    OR ctime > (strftime('%s', 'now') -3600)
-        mtime > (strftime('%s', 'now') -3600)
+    OR btime > (strftime('%s', 'now') -3600)
-        OR (
+  )
-            atime > (strftime('%s', 'now') -3600)
+  AND NOT path LIKE "%/../%"
-            AND file.type = "regular"
+GROUP BY
-        )
+  inode;
-        OR ctime > (strftime('%s', 'now') -3600)
-        OR btime > (strftime('%s', 'now') -3600)
-    )
-    AND NOT path LIKE "%/../%"
-GROUP BY inode;

incident_response/socket_events.sql

@@ -7,4 +7,5 @@ SELECT
   *
 FROM
   socket_events
-WHERE time > (strftime('%s', 'now') -600)
+WHERE
+  time > (strftime('%s', 'now') -600)

policy/unexpected-rsa-keys.sql

@@ -47,4 +47,6 @@ WHERE
   AND NOT INSTR(file.filename, 'melange.rsa') > 0
   AND NOT INSTR(file.filename, 'local-melange-enterprise.rsa') > 0
   -- Demo keys
-  AND NOT sha256 IN ('a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de')
+  AND NOT sha256 IN (
+    'a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de'
+  )