
{
"queries": {
"unexpected-dns-traffic": {
"query": "SELECT \
s.family, \
protocol, \
s.local_port, \
s.remote_port, \
s.local_address, \
s.remote_address, \
p.name, \
p.path, \
p.cmdline AS child_cmd, \
p.cwd, \
s.pid, \
p.parent AS parent_pid, \
pp.cmdline AS parent_cmd, \
hash.sha256, \
GROUP_CONCAT( \
( \
SELECT DISTINCT \
address \
FROM \
dns_resolvers \
WHERE \
type = 'nameserver' \
AND address != '' \
), \
',' \
) AS sys_resolvers, \
CONCAT (p.name, ',', remote_address, ',', remote_port) AS exception_key \
FROM \
process_open_sockets s \
LEFT JOIN processes p ON s.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
remote_port IN (53, 5353) \
AND remote_address NOT LIKE '%:%' \
AND s.remote_address NOT LIKE '172.1%' \
AND s.remote_address NOT LIKE '172.2%' \
AND s.remote_address NOT LIKE '172.30.%' \
AND s.remote_address NOT LIKE '172.31.%' \
AND s.remote_address NOT LIKE '10.%' \
AND s.remote_address NOT LIKE '192.168.%' \
AND s.remote_address NOT LIKE '127.%' \
AND remote_address NOT IN ( \
SELECT DISTINCT \
address \
FROM \
dns_resolvers \
WHERE \
type = 'nameserver' \
and address != '' \
) \
AND NOT ( \
s.pid = -1 \
AND s.remote_port = 53 \
and s.protocol = 17 \
and p.parent = '' \
) \
AND s.remote_address NOT IN ( \
'1.1.1.1', \
'1.1.1.2', \
'8.8.8.8', \
'8.8.4.4', \
'208.67.222.222', \
'75.75.75.75', \
'68.105.28.13' \
) \
AND exception_key NOT IN ( \
'coredns,0.0.0.0,53', \
'nessusd,50.16.123.71,53', \
'syncthing,46.162.192.181,53' \
) \
AND p.path NOT IN ( \
'/usr/lib/systemd/systemd-resolved', \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', \
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper' \
) \
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' \
GROUP BY \
s.remote_address, \
s.remote_port \
HAVING \
remote_address != '';",
"interval": "10800",
"description": "Catch DNS traffic going to machines other than the host-configured DNS server (state-based)"
},
"unexpected-dns-traffic-events": {
"query": "SELECT \
protocol, \
s.remote_port, \
s.remote_address, \
p.name, \
p.path, \
p.cmdline AS child_cmd, \
p.cwd, \
s.pid, \
p.parent AS parent_pid, \
pp.cmdline AS parent_cmd, \
hash.sha256, \
CONCAT (p.name, ',', remote_address, ',', remote_port) AS exception_key \
FROM \
socket_events s \
LEFT JOIN processes p ON s.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
s.time > (strftime('%s', 'now') -120) \
AND remote_port IN (53, 5353) \
AND remote_address NOT LIKE '%:%' \
AND s.remote_address NOT LIKE '172.1%' \
AND s.remote_address NOT LIKE '172.2%' \
AND s.remote_address NOT LIKE '172.30.%' \
AND s.remote_address NOT LIKE '172.31.%' \
AND s.remote_address NOT LIKE '10.%' \
AND s.remote_address NOT LIKE '192.168.%' \
AND s.remote_address NOT LIKE '127.%' \
AND remote_address NOT IN ( \
SELECT DISTINCT \
address \
FROM \
dns_resolvers \
WHERE \
type = 'nameserver' \
and address != '' \
) \
AND NOT ( \
s.pid = -1 \
AND s.remote_port = 53 \
and p.parent = '' \
) \
AND s.remote_address NOT IN ( \
'1.1.1.1', \
'1.1.1.2', \
'8.8.8.8', \
'8.8.4.4', \
'208.67.222.222', \
'75.75.75.75', \
'75.75.76.76', \
'68.105.28.13' \
) \
AND exception_key NOT IN ( \
'coredns,0.0.0.0,53', \
'syncthing,46.162.192.181,53' \
) \
AND p.name != 'nessusd' \
AND p.path NOT IN ( \
'/usr/lib/systemd/systemd-resolved', \
'/Library/Nessus/run/sbin/nessusd', \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', \
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper' \
) \
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' \
GROUP BY \
s.remote_address, \
s.remote_port \
HAVING \
remote_address != '';",
"interval": "120",
"description": "Catch DNS traffic going to machines other than the host-configured DNS server (event-based)"
},
"unexpected-icmp-socket": {
"query": "SELECT \
pop.pid, \
p.path, \
p.cmdline \
FROM \
process_open_sockets pop \
JOIN processes p ON pop.pid = p.pid \
WHERE \
family = 2 \
AND protocol = 1 \
AND p.name NOT IN ('ping');",
"interval": "10800",
"description": "Unexpected programs speaking over ICMP (state-based)"
},
"unexpected-listening-port-linux": {
"query": "SELECT \
lp.address, \
lp.port, \
lp.protocol, \
p.uid, \
p.pid, \
p.name, \
p.path, \
p.cmdline, \
p.cwd, \
hash.sha256, \
CONCAT ( \
MIN(lp.port, 32768), \
',', \
lp.protocol, \
',', \
MIN(p.uid, 500), \
',', \
p.name \
) AS exception_key \
FROM \
listening_ports lp \
LEFT JOIN processes p ON lp.pid = p.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
port != 0 \
AND lp.address NOT IN ('224.0.0.251', '::1') \
AND lp.address NOT LIKE '127.0.0.%' \
AND lp.address NOT LIKE '172.1%' \
AND lp.address NOT LIKE 'fe80::%' \
AND lp.address NOT LIKE '::ffff:127.0.0.%' \
AND NOT ( \
lp.protocol = 17 \
AND lp.port > 1024 \
) \
AND NOT ( \
p.uid > 500 \
AND lp.port IN (8000, 8080) \
AND lp.protocol = 6 \
) \
AND NOT (p.pid == '') \
AND NOT CONCAT ( \
MIN(lp.port, 32768), \
',', \
lp.protocol, \
',', \
MIN(p.uid, 500), \
',', \
p.name \
) IN ( \
'10250,6,0,kubelet', \
'10256,6,0,kube-proxy', \
'1716,6,500,kdeconnectd', \
'17,255,0,dhcpcd', \
'17,255,500,dhcpcd', \
'22000,6,500,syncthing', \
'22,6,0,sshd', \
'3000,6,472,grafana-server', \
'3000,6,500,grafana-server', \
'32768,6,0,tailscaled', \
'32768,6,0,.tailscaled-wra', \
'32768,6,500,com.docker.backend', \
'32768,6,500,dleyna-renderer', \
'32768,6,500,spotify', \
'3551,6,0,apcupsd', \
'4143,6,500,linkerd2-proxy', \
'4191,6,500,linkerd2-proxy', \
'443,6,500,jcef_helper', \
'4443,6,500,metrics-server', \
'5000,6,500,ControlCenter', \
'5001,6,0,registry', \
'53,17,0,coredns', \
'53,17,500,dnsmasq', \
'5355,6,193,systemd-resolve', \
'53,6,0,coredns', \
'53,6,500,dnsmasq', \
'5432,6,70,postgres', \
'546,17,500,dhcpcd', \
'58,255,0,dhcpcd', \
'58,255,0,NetworkManager', \
'58,255,500,dhcpcd', \
'631,17,0,cups-browsed', \
'6379,6,500,redis-server', \
'6443,6,0,kube-apiserver', \
'67,17,500,dnsmasq', \
'68,17,500,dhcpcd', \
'7000,6,500,ControlCenter', \
'8008,6,500,controlplane', \
'8009,6,0,java', \
'80,6,60,nginx', \
'8080,6,0,coredns', \
'8080,6,0,java', \
'8086,6,0,influxd', \
'8086,6,500,controller', \
'8086,6,500,influxd', \
'8090,6,500,linkerd-policy-', \
'8123,6,500,Brackets-node', \
'8181,6,0,coredns', \
'8443,6,0,kube-apiserver', \
'8443,6,500,controller', \
'8443,6,500,controlplane', \
'9000,6,500,authentik-proxy', \
'9090,6,500,controlplane', \
'9153,6,0,coredns', \
'9300,6,500,authentik-proxy' \
) \
AND NOT ( \
p.path LIKE ',ko-app,%' \
AND lp.port > 1024 \
and lp.protocol = 6 \
) \
AND NOT ( \
p.name IN ('hugo', 'docker-proxy', 'rootlessport') \
AND lp.port > 1024 \
and lp.protocol = 6 \
) \
GROUP BY \
exception_key;",
"interval": "10800",
"platform": "linux",
"description": "Unexpected programs listening on a TCP port (state-based)."
},
"unexpected-listening-port-macos": {
"query": "SELECT \
lp.address, \
lp.port, \
lp.protocol, \
p.uid, \
p.pid, \
p.name, \
p.path, \
p.cmdline, \
p.cwd, \
hash.sha256, \
signature.authority AS program_authority, \
CONCAT ( \
MIN(lp.port, 49152), \
',', \
lp.protocol, \
',', \
MIN(p.uid, 500), \
',', \
p.name, \
',', \
signature.authority \
) AS exception_key \
FROM \
listening_ports lp \
LEFT JOIN processes p ON lp.pid = p.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN signature ON p.path = signature.path \
WHERE \
port != 0 \
AND lp.address NOT IN ('224.0.0.251', '::1') \
AND lp.address NOT LIKE '127.0.0.%' \
AND lp.address NOT LIKE '172.1%' \
AND lp.address NOT LIKE 'fe80::%' \
AND lp.address NOT LIKE '::ffff:127.0.0.%' \
AND NOT ( \
lp.protocol = 17 \
AND lp.port > 1024 \
) \
AND NOT ( \
p.uid > 500 \
AND lp.port IN (8000, 8080) \
AND lp.protocol = 6 \
) \
AND NOT (p.pid == '') \
AND NOT exception_key IN ( \
'10011,6,0,launchd,Software Signing', \
'1313,6,500,hugo,', \
'1338,6,500,registry,', \
'137,17,0,launchd,Software Signing', \
'137,17,222,netbiosd,Software Signing', \
'138,17,0,launchd,Software Signing', \
'138,17,222,netbiosd,Software Signing', \
'16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)', \
'17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', \
'2112,6,500,fake,', \
'2112,6,500,rekor-server,', \
'88,17,0,kdc,Software Signing', \
'22,6,0,launchd,Software Signing', \
'22000,6,500,syncthing,', \
'24678,6,500,node,', \
'2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \
'3306,6,500,mariadbd,', \
'3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)', \
'41949,6,500,IPNExtension,Apple Mac OS Application Signing', \
'43398,6,500,IPNExtension,Apple Mac OS Application Signing', \
'443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \
'45972,6,500,IPNExtension,Apple Mac OS Application Signing', \
'49152,6,0,AirPlayXPCHelper,Software Signing', \
'49152,6,0,AirPlayXPCHelper,Software Signing', \
'49152,6,0,launchd,Software Signing', \
'49152,6,0,remoted,Software Signing', \
'49152,6,0,remotepairingdeviced,Software Signing', \
'49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \
'49152,6,500,GarageBand,Apple Mac OS Application Signing', \
'49152,6,500,IPNExtension,Apple Mac OS Application Signing', \
'49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'49152,6,500,Music,Software Signing', \
'49152,6,500,node,', \
'49152,6,500,rapportd,Software Signing', \
'49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)', \
'49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)', \
'49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)', \
'49152,6,500,telepresence,', \
'49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)', \
'49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)', \
'5000,6,500,ControlCenter,Software Signing', \
'5060,6,500,CommCenter,Software Signing', \
'546,17,0,configd,Software Signing', \
'5900,6,0,launchd,Software Signing', \
'5900,6,0,screensharingd,Software Signing', \
'6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)', \
'631,6,0,cupsd,Software Signing', \
'68,17,0,configd,Software Signing', \
'7000,6,500,ControlCenter,Software Signing', \
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', \
'8770,6,500,sharingd,Software Signing', \
'88,6,0,kdc,Software Signing', \
'8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8831,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8832,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)', \
'9101,6,500,github_actions_exporter,', \
'8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)' \
) \
AND NOT ( \
p.path LIKE ',ko-app,%' \
AND lp.port > 1024 \
and lp.protocol = 6 \
) \
AND NOT ( \
p.name IN ('hugo', 'node', 'com.docker.backend') \
AND lp.port > 1024 \
and lp.protocol = 6 \
) \
AND NOT ( \
p.path LIKE '/private/var/folders/%/go-build%/exe/%' \
AND lp.port > 1024 \
AND lp.protocol = 6 \
) \
AND NOT ( \
p.cwd LIKE '/Users/%/src/%' \
AND p.cmdline LIKE './%' \
AND lp.port > 1024 \
AND lp.protocol = 6 \
) \
GROUP BY \
exception_key;",
"interval": "10800",
"platform": "darwin",
"description": "Unexpected programs listening on a TCP port."
},
"unexpected-talkers-linux": {
"query": "SELECT \
s.family, \
protocol, \
s.local_port, \
s.remote_port, \
s.local_address, \
s.remote_address, \
p.name, \
p.path, \
p.cmdline AS child_cmd, \
p.cwd, \
s.pid, \
s.net_namespace, \
pp.path AS parent_path, \
p.parent AS parent_pid, \
pp.cmdline AS parent_cmd, \
hash.sha256, \
CONCAT ( \
MIN(s.remote_port, 32768), \
',', \
protocol, \
',', \
MIN(p.uid, 500), \
',', \
p.name \
) AS exception_key \
FROM \
process_open_sockets s \
LEFT JOIN processes p ON s.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
protocol > 0 \
AND s.remote_port > 0 \
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1') \
AND s.remote_address NOT LIKE 'fe80:%' \
AND s.remote_address NOT LIKE '127.%' \
AND s.remote_address NOT LIKE '192.168.%' \
AND s.remote_address NOT LIKE '172.1%' \
AND s.remote_address NOT LIKE '172.2%' \
AND s.remote_address NOT LIKE '172.30.%' \
AND s.remote_address NOT LIKE '172.31.%' \
AND s.remote_address NOT LIKE '::ffff:172.%' \
AND s.remote_address NOT LIKE '10.%' \
AND s.remote_address NOT LIKE '::ffff:10.%' \
AND s.remote_address NOT LIKE 'fc00:%' \
AND s.state != 'LISTEN' \
AND NOT ( \
remote_port = 53 \
AND protocol IN (6, 17) \
AND p.name IN ( \
'1password', \
'apt', \
'apt-get', \
'Brackets', \
'chainctl', \
'chrome', \
'chronyd', \
'cloud_sql_proxy', \
'code', \
'containerd', \
'controlplane', \
'crc', \
'curl', \
'dig', \
'dnf', \
'electron', \
'firefox', \
'.firefox-wrappe', \
'flameshot', \
'gh', \
'git-remote-http', \
'gitsign', \
'gnome-software', \
'go', \
'grafana-server', \
'grype', \
'host', \
'htop', \
'istioctl', \
'jcef_helper', \
'k6', \
'k9s', \
'ko', \
'kolide-pipeline', \
'launcher', \
'NetworkManager', \
'ngrok', \
'nix', \
'node', \
'nscd', \
'obs', \
'obs-browser-page', \
'obs-ffmpeg-mux', \
'obsidian', \
'opera', \
'pacman', \
'ping', \
'podman', \
'prometheus', \
'rootlessport', \
'signal-desktop', \
'slack', \
'slirp4netns', \
'snapd', \
'snap-store', \
'Socket Process', \
'spotify', \
'ssh', \
'steam', \
'steamwebhelper', \
'syncthing', \
'systemd-resolve', \
'tailscaled', \
'.tailscaled-wra', \
'terraform', \
'terraform-provi', \
'tkn', \
'traceroute', \
'vcluster', \
'wget', \
'whois', \
'xmobar', \
'yay', \
'zoom' \
) \
) \
AND NOT exception_key IN ( \
'123,17,,', \
'123,17,500,chronyd', \
'22067,6,500,syncthing', \
'22,6,,', \
'22,6,500,ssh', \
'27024,6,500,steam', \
'3100,6,500,firefox', \
'3100,6,500,k6', \
'32768,6,0,tailscaled', \
'3307,6,500,cloud_sql_proxy', \
'4070,6,500,spotify', \
'443,17,500,chrome', \
'443,17,500,electron', \
'443,17,500,jcef_helper', \
'443,17,500,slack', \
'443,17,500,spotify', \
'443,6,0,apk', \
'443,6,0,containerd', \
'443,6,0,depmod', \
'443,6,0,dirmngr', \
'443,6,0,dnf', \
'443,6,0,dockerd', \
'443,6,0,influxd', \
'443,6,0,launcher', \
'443,6,0,nix', \
'443,6,0,nix-daemon', \
'443,6,0,packagekitd', \
'443,6,0,pacman', \
'443,6,0,snapd', \
'443,6,0,systemctl', \
'443,6,0,tailscaled', \
'443,6,0,.tailscaled-wra', \
'443,6,0,yum', \
'443,6,105,https', \
'443,6,472,grafana-server', \
'443,6,500,1password', \
'443,6,500,authentik-proxy', \
'443,6,500,aws', \
'443,6,500,Brackets', \
'443,6,500,celery', \
'443,6,500,chainctl', \
'443,6,500,chrome', \
'443,6,500,cloud_sql_proxy', \
'443,6,500,code', \
'443,6,500,containerd', \
'443,6,500,controlplane', \
'443,6,500,cosign', \
'443,6,500,crane', \
'443,6,500,CrBrowserMain', \
'443,6,500,crc', \
'443,6,500,CrUtilityMain', \
'443,6,500,curl', \
'443,6,500,Discord', \
'443,6,500,electron', \
'443,6,500,emacs', \
'443,6,500,firefox', \
'443,6,500,.firefox-wrappe', \
'443,6,500,flameshot', \
'443,6,500,geoclue', \
'443,6,500,gh', \
'443,6,500,git-remote-http', \
'443,6,500,gitsign', \
'443,6,500,gnome-shell', \
'443,6,500,gnome-software', \
'443,6,500,go', \
'443,6,500,___go_build_github_com_anchore_grype,a.out,', \
'443,6,500,grafana-server', \
'443,6,500,grype', \
'443,6,500,gunicorn', \
'443,6,500,gvfsd-http', \
'443,6,500,htop', \
'443,6,500,influxd', \
'443,6,500,istioctl', \
'443,6,500,java', \
'443,6,500,jcef_helper', \
'443,6,500,jetbrains-toolb', \
'443,6,500,k6', \
'443,6,500,k9s', \
'443,6,500,ko', \
'443,6,500,kolide-pipeline', \
'443,6,500,kubectl', \
'443,6,500,minicli', \
'443,6,500,ngrok', \
'443,6,500,nix', \
'443,6,500,node', \
'443,6,500,obs', \
'443,6,500,obs-browser-page', \
'443,6,500,obs-ffmpeg-mux', \
'443,6,500,obsidian', \
'443,6,500,pingsender', \
'443,6,500,pip', \
'443,6,500,podman', \
'443,6,500,signal-desktop', \
'443,6,500,slack', \
'443,6,500,slirp4netns', \
'443,6,500,snap-store', \
'443,6,500,Socket Process', \
'443,6,500,spotify', \
'443,6,500,steamwebhelper', \
'443,6,500,teams', \
'443,6,500,terraform', \
'443,6,500,terraform-provi', \
'443,6,500,tkn', \
'443,6,500,.tox-wrapped', \
'443,6,500,trivy', \
'443,6,500,vcluster', \
'443,6,500,vim', \
'443,6,500,WebKitNetworkPr', \
'443,6,500,wget', \
'443,6,500,wineserver', \
'443,6,500,x11-ssh-askpass', \
'443,6,500,xmobar', \
'443,6,500,yay', \
'443,6,500,zoom', \
'5228,6,500,chrome', \
'6000,6,500,ssh', \
'80,6,0,mkinitcpio', \
'67,17,0,NetworkManager', \
'7903,6,500,syncthing', \
'8006,6,500,chrome', \
'80,6,0,dnf', \
'80,6,0,gdk-pixbuf-quer', \
'80,6,0,NetworkManager', \
'80,6,0,pacman', \
'80,6,0,tailscaled', \
'80,6,0,.tailscaled-wra', \
'443,6,0,yay', \
'80,6,0,yum', \
'443,6,500,rustup', \
'443,6,500,cargo', \
'80,6,500,thunderbird', \
'80,6,105,http', \
'80,6,500,curl', \
'80,6,500,firefox', \
'80,6,500,.firefox-wrappe', \
'80,6,500,gitsign', \
'80,6,500,slack', \
'80,6,500,spotify', \
'80,6,500,steam', \
'80,6,500,steamwebhelper', \
'80,6,500,syncthing', \
'8801,17,500,zoom', \
'9090,6,500,firefox', \
'9090,6,500,k6', \
'9090,6,500,prometheus', \
'9090,6,500,rootlessport' \
) \
AND NOT ( \
( \
remote_address LIKE '151.101.%' \
OR remote_address LIKE '140.82.%' \
) \
AND remote_port = 443 \
AND protocol = 6 \
AND ( \
parent_path LIKE '/nix/%/bin/bash' \
OR parent_path LIKE '/nix/%/bin/zsh' \
OR parent_path LIKE '%/bin/nix' \
OR p.path LIKE '/nix/store/%' \
) \
) \
AND NOT p.cmdline LIKE 'bash --rcfile /tmp/nix-shell.%' -- Other more complicated situations \
AND NOT ( \
p.name = 'rootlessport' \
AND remote_port > 1024 \
) \
AND NOT ( \
p.name = 'syncthing' \
AND ( \
remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451) \
OR remote_port > 1024 \
) \
) \
AND NOT ( \
p.name IN ( \
'chrome', \
'Google Chrome Helper', \
'Brave Browser Helper', \
'Chromium Helper', \
'Opera Helper' \
) \
AND remote_port IN ( \
53, \
3100, \
443, \
80, \
8006, \
9000, \
5004, \
8009, \
8080, \
8888, \
8443, \
5228, \
32211, \
53, \
10001, \
3478, \
19305, \
19306, \
19307, \
19308, \
19309 \
) \
) \
AND NOT ( \
p.name IN ('thunderbird') \
AND remote_port IN (53, 143, 443, 587, 465, 585, 993) \
) \
AND NOT ( \
p.name IN ('spotify', 'Spotify Helper', 'Spotify') \
AND remote_port IN (53, 443, 8009, 4070, 32211) \
) \
AND NOT ( \
remote_port IN (443, 53) \
AND p.name LIKE 'terraform-provider-%' \
) \
AND NOT ( \
remote_port IN (443, 53) \
AND p.name LIKE 'npm exec %' \
) \
AND NOT ( \
remote_port iN (443, 53) \
AND p.name LIKE 'kubectl.%' \
) \
AND NOT ( \
p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' \
AND remote_port IN (80, 53, 443) \
) \
GROUP BY \
p.cmdline;",
"interval": "10800",
"platform": "linux",
"description": "Programs communicating over the network in unexpected ways (state-based)"
},
"unexpected-talkers-macos": {
"query": "SELECT \
protocol, \
s.local_port, \
s.remote_port, \
s.remote_address, \
p.name, \
p.path, \
p.cmdline AS child_cmd, \
p.cwd, \
s.pid, \
p.parent AS parent_pid, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
hash.sha256, \
CONCAT ( \
MIN(s.remote_port, 32768), \
',', \
protocol, \
',', \
MIN(p.uid, 500), \
',', \
p.name, \
',', \
signature.identifier, \
',', \
signature.authority \
) AS exception_key \
FROM \
process_open_sockets s \
LEFT JOIN processes p ON s.pid = p.pid \
LEFT JOIN processes pp ON pp.pid = p.parent \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN signature ON p.path = signature.path \
WHERE \
protocol > 0 \
AND s.remote_port > 0 \
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1') \
AND s.remote_address NOT LIKE 'fe80:%' \
AND s.remote_address NOT LIKE '127.%' \
AND s.remote_address NOT LIKE '192.168.%' \
AND s.remote_address NOT LIKE '172.1%' \
AND s.remote_address NOT LIKE '172.2%' \
AND s.remote_address NOT LIKE '172.30.%' \
AND s.remote_address NOT LIKE '172.31.%' \
AND s.remote_address NOT LIKE '::ffff:172.%' \
AND s.remote_address NOT LIKE '10.%' \
AND s.remote_address NOT LIKE '::ffff:10.%' \
AND s.remote_address NOT LIKE 'fc00:%' \
AND s.state != 'LISTEN' \
AND p.path NOT LIKE '/Applications/%.app/Contents/%' \
AND p.path NOT LIKE '/Library/Apple/System/Library/%' \
AND p.path NOT LIKE '/Library/Application Support/%/Contents/%' \
AND p.path NOT LIKE '/System/Applications/%' \
AND p.path NOT LIKE '/System/Library/%' \
AND p.path NOT LIKE '/Users/%/Library/%.app/Contents/MacOS/%' \
AND p.path NOT LIKE '/System/%' \
AND p.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%' \
AND p.path NOT LIKE '/usr/libexec/%' \
AND p.path NOT LIKE '/usr/sbin/%' \
AND p.path NOT LIKE '/private/var/folders/%/go-build%/%' \
AND NOT ( \
remote_port = 53 \
AND protocol IN (6, 17) \
AND p.name IN ( \
'1password', \
'Acrobat Update Helper', \
'chainctl', \
'cloud_sql_proxy', \
'Code Helper', \
'com.apple.MobileSoftwareUpdate.UpdateBrainService', \
'cosign', \
'crc', \
'curl', \
'dig', \
'Evernote Helper', \
'figma_agent', \
'gh', \
'git-remote-http', \
'gitsign', \
'go', \
'grafana-server', \
'grype', \
'host', \
'htop', \
'istioctl', \
'k6', \
'k9s', \
'ko', \
'launcher', \
'ngrok', \
'nix', \
'node', \
'obs', \
'obs-browser-page', \
'obs-ffmpeg-mux', \
'obsidian', \
'opera', \
'ping', \
'Python', \
'python3.10', \
'Reflect', \
'Reflect Helper', \
'ruby', \
'sample', \
'ssh', \
'steam_osx', \
'syncthing', \
'tailscaled', \
'terraform', \
'tkn', \
'traceroute', \
'vcluster', \
'wget', \
'whois', \
'zoom' \
) \
) \
AND NOT exception_key IN ( \
'22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)', \
'22,6,500,ssh,,', \
'22,6,500,ssh,com.apple.openssh,Software Signing', \
'22,6,500,ssh,ssh,', \
'22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,', \
'30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'3307,6,500,cloud_sql_proxy,a.out,', \
'43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', \
'443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', \
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \
'443,17,500,Slack Helper,,', \
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', \
'443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)', \
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)', \
'443,6,0,nix,nix,', \
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'443,6,500,,,', \
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'443,6,500,bash,bash,', \
'443,6,500,chainctl,,', \
'443,6,500,chainctl,a.out,', \
'443,6,500,chainctl_Darwin_arm64,a.out,', \
'443,6,500,civo,a.out,', \
'443,6,500,cloud_sql_proxy,a.out,', \
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,500,cosign,,', \
'443,6,500,cosign,a.out,', \
'443,6,500,crane,,', \
'443,6,500,crane,a.out,', \
'443,6,500,ctclient,a.out,', \
'443,6,500,curl,com.apple.curl,Software Signing', \
'443,6,500,docker-credential-gcr,a.out,', \
'443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,500,emacs-28.2,emacs-28.2,', \
'443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', \
'443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)', \
'443,6,500,gh,a.out,', \
'443,6,500,gh,gh,', \
'443,6,500,git,com.apple.git,Software Signing', \
'443,6,500,git,git,', \
'443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing', \
'443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,', \
'443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,', \
'443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,', \
'443,6,500,gitsign,,', \
'443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing', \
'443,6,500,gitsign,a.out,', \
'443,6,500,gitsign,gitsign,', \
'443,6,500,go,a.out,', \
'443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'443,6,500,helm,a.out,', \
'443,6,500,istioctl,a.out,', \
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'443,6,500,ko,a.out,', \
'443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'443,6,500,kubectl,,', \
'443,6,500,kubectl,a.out,', \
'443,6,500,limactl,,', \
'443,6,500,main,a.out,', \
'443,6,500,melange,a.out,', \
'443,6,500,minikube,,', \
'443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)', \
'443,6,500,nix,nix,', \
'443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)', \
'443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'443,6,500,prober,a.out,', \
'443,6,500,pulumi-resource-gcp,a.out,', \
'443,6,500,pulumi-resource-github,a.out,', \
'443,6,500,python2.7,python2.7,', \
'443,6,500,python3.10,python3.10,', \
'443,6,500,Python,com.apple.python3,Software Signing', \
'443,6,500,Python,org.python.python,', \
'443,6,500,Python,Python,', \
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', \
'443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing', \
'443,6,500,scorecard-darwin-amd64,,', \
'443,6,500,Slack Helper,,', \
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', \
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', \
'443,6,500,step,step,', \
'443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)', \
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \
'443,6,500,vegeta,a.out,', \
'443,6,500,vim,vim,', \
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)', \
'443,6,500,zsh,com.apple.zsh,Software Signing', \
'53,17,500,docker-credential-gcr,a.out,', \
'6000,6,500,ssh,,', \
'6000,6,500,ssh,com.apple.openssh,Software Signing', \
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,', \
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', \
'80,6,500,curl,com.apple.curl,Software Signing', \
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', \
'80,6,500,webhook.test,a.out,' \
) \
AND NOT ( \
parent_cmd LIKE '%/tmp/nix-shell%' \
AND remote_port = 443 \
AND protocol = 6 \
) \
AND NOT ( \
( \
remote_address LIKE '151.101.%' \
OR remote_address LIKE '140.82.%' \
) \
AND remote_port = 443 \
AND protocol = 6 \
AND parent_path LIKE '/nix/%/bash' \
) \
AND NOT ( \
p.name = 'syncthing' \
AND ( \
remote_port IN (53, 80, 88, 110, 443, 587, 993) \
OR remote_port > 1024 \
) \
) \
AND NOT ( \
p.name IN ( \
'Google Chrome Helper', \
'Brave Browser Helper', \
'Chromium Helper', \
'Opera Helper' \
) \
AND remote_port IN ( \
53, \
443, \
80, \
8009, \
8080, \
8888, \
8443, \
5228, \
32211, \
53, \
10001, \
3478, \
19305, \
19306, \
5004, \
9000, \
19307, \
19308, \
19309 \
) \
) \
AND NOT ( \
p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') \
AND remote_port IN (53, 143, 443, 587, 465, 585, 993) \
) \
AND NOT ( \
parent_path = '/Applications/Minecraft.app/Contents/MacOS/launcher' \
AND remote_port > 30000 \
) \
AND NOT ( \
p.name IN ('Spotify Helper', 'Spotify') \
AND remote_port IN (53, 443, 8009, 4070, 32211) \
) \
AND NOT ( \
remote_port IN (53, 443) \
AND p.name LIKE 'terraform-provider-%' \
) \
AND NOT ( \
remote_port IN (53, 443) \
AND p.name LIKE 'kubectl.%' \
) \
AND NOT ( \
p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' \
AND remote_port IN (80, 443, 53) \
) \
AND NOT ( \
p.path = '' \
AND pp.cmdline LIKE '%/Slack' \
) \
AND NOT ( \
p.cmdline = '/Applications/Craft.app/Contents/MacOS/Craft' \
AND remote_port = 443 \
AND protocol = 6 \
) \
AND NOT ( \
remote_port IN (53, 443) \
AND p.path LIKE '/private/var/folders/%/T/GoLand/%' \
) \
GROUP BY \
s.pid;",
"interval": "10800",
"platform": "macos",
"description": "Programs communicating over the network in unexpected ways (state-based)"
}
}
}
{
"queries": {
"macos_keyboard_sniffer": {
"query": "SELECT \
et.enabled, \
et.process_being_tapped, \
et.tapping_process, \
p.path, \
s.authority, \
s.identifier, \
h.sha256, \
CONCAT ( \
REPLACE( \
p.path, \
RTRIM(p.path, REPLACE(p.path, '/', '')), \
'' \
), \
',', \
identifier, \
',', \
authority \
) AS exception_key \
FROM \
event_taps et \
LEFT JOIN processes p ON et.tapping_process = p.pid \
LEFT JOIN signature s ON s.path = p.path \
LEFT JOIN hash h ON h.path = p.path \
WHERE \
event_tapped IN ('EventKeyDown', 'EventKeyUp') \
AND authority != 'Software Signing' \
AND NOT exception_key IN ( \
'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \
'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)', \
'skhd,skhd,' \
) \
GROUP BY \
p.path;",
"interval": "10800",
"platform": "darwin",
"description": "Find programs that are sniffing keyboard events on macOS"
},
"unexpected-dev-opener-linux": {
"query": "SELECT \
pof.pid, \
pof.path AS device, \
p.path AS program, \
p.name AS program_name, \
p.cmdline AS cmdline, \
hash.sha256, \
CONCAT ( \
IIF( \
REGEX_MATCH ( \
REPLACE(pof.path, ' (deleted)', ''), \
'(/dev/.*)[\\d ]+$', \
1 \
) != '', \
REGEX_MATCH ( \
REPLACE(pof.path, ' (deleted)', ''), \
'(/dev/.*)[\\d ]+$', \
1 \
), \
REPLACE(pof.path, ' (deleted)', '') \
), \
',', \
REPLACE( \
p.path, \
RTRIM(p.path, REPLACE(p.path, '/', '')), \
'' \
) \
) AS path_exception, \
CONCAT ( \
TRIM( \
REPLACE( \
pof.path, \
CONCAT ( \
'/', \
REPLACE( \
pof.path, \
RTRIM(pof.path, REPLACE(pof.path, '/', '')), \
'' \
) \
), \
'' \
) \
), \
',', \
REPLACE( \
p.path, \
RTRIM(p.path, REPLACE(p.path, '/', '')), \
'' \
) \
) AS dir_exception \
FROM \
process_open_files pof \
LEFT JOIN processes p ON pof.pid = p.pid \
LEFT JOIN hash ON hash.path = p.path \
WHERE \
pof.path LIKE '/dev/%' \
AND pof.path NOT IN ( \
'/dev/dri/card0', \
'/dev/dri/card1', \
'/dev/dri/renderD128', \
'/dev/dri/renderD129', \
'/dev/fuse', \
'/dev/io8log', \
'/dev/io8logmt', \
'/dev/io8logtemp', \
'/dev/null', \
'/dev/nvidia-modeset', \
'/dev/nvidia-uvm', \
'/dev/nvidia0', \
'/dev/nvidiactl', \
'/dev/ptmx', \
'/dev/pts/ptmx', \
'/dev/random', \
'/dev/rfkill', \
'/dev/snd/seq', \
'/dev/urandom', \
'/dev/vga_arbiter', \
'/dev/video10' \
) \
AND pof.path NOT LIKE '/dev/pts/%' \
AND pof.path NOT LIKE '/dev/snd/%' \
AND pof.path NOT LIKE '/dev/tty%' \
AND pof.path NOT LIKE '/dev/hidraw%' \
AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%' \
AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%' \
AND pof.path NOT LIKE '/dev/shm/authentik_%' \
AND NOT dir_exception IN ( \
'/dev/bus/usb,pcscd', \
'/dev/bus/usb/001,pcscd', \
'/dev/bus/usb/005,python3.10', \
'/dev/input,acpid', \
'/dev/kmsg,systemd-coredump', \
'/dev/input,gnome-shell', \
'/dev/input,systemd-logind', \
'/dev/input,systemd', \
'/dev/input,upowerd', \
'/dev/input,Xorg', \
'/dev/net,.tailscaled-wrapped', \
'/dev/net,tailscaled', \
'/dev/shm,1password', \
'/dev/shm,chrome', \
'/dev/shm,code', \
'/dev/shm,electron', \
'/dev/shm,Brackets', \
'/dev/shm,firefox', \
'/dev/shm,gopls', \
'/dev/shm,java', \
'/dev/shm,jcef_helper', \
'/dev/shm,slack', \
'/dev/shm,spotify', \
'/dev/shm,steam', \
'/dev/shm,steamwebhelper', \
'/dev/shm,wine64-preloader', \
'/dev/shm,winedevice.exe', \
'/dev/snd,.pulseaudio-wrapped', \
'/dev/snd,alsactl', \
'/dev/net/tun,qemu-system-x86_64', \
'/dev/snd,pipewire', \
'/dev/snd,pulseaudio', \
'/dev/snd,wireplumber' \
) \
AND NOT path_exception IN ( \
'/dev/autofs,systemd', \
'/dev/hidraw,chrome', \
'/dev/input/event,thermald', \
'/dev/input/event,Xorg', \
'/dev/kmsg,kubelet', \
'/dev/kmsg,systemd', \
'/dev/kmsg,systemd-journald', \
'/dev/kvm,qemu-system-x86_64', \
'/dev/mapper/control,dockerd', \
'/dev/mcelog,mcelog', \
'/dev/media,pipewire', \
'/dev/media,wireplumber', \
'/dev/net/tun,slirp4netns', \
'/dev/tty,agetty', \
'/dev/tty,gdm-wayland-session', \
'/dev/tty,gdm-x-session', \
'/dev/tty,systemd-logind', \
'/dev/tty,Xorg', \
'/dev/uinput,bluetoothd', \
'/dev/usb/hiddev,apcupsd', \
'/dev/usb/hiddev,upowerd', \
'/dev/video,chrome', \
'/dev/video,ffmpeg', \
'/dev/video,firefox', \
'/dev/video,obs', \
'/dev/video,pipewire', \
'/dev/video,zoom', \
'/dev/video,obs-ffmpeg-mux', \
'/dev/video,vlc', \
'/dev/video,wireplumber', \
'/dev/zfs,zed', \
'/dev/zfs,zfs', \
'/dev/zfs,zpool' \
) \
AND NOT ( \
device LIKE '/dev/bus/usb/%' \
AND program_name IN ( \
'streamdeck', \
'gphoto2', \
'fwupd', \
'pcscd', \
'gvfs-gphoto2-vo', \
'gvfs-gphoto2-volume-monitor' \
) \
) \
GROUP BY \
pof.pid;",
"interval": "10800",
"platform": "linux",
"description": "Detects unexpected programs opening files in /dev on Linux"
},
"unexpected-dev-opener-macos": {
"query": "SELECT \
pof.pid, \
pof.path AS device, \
p.path AS program, \
p.name AS program_name, \
p.cmdline AS cmdline, \
hash.sha256, \
s.authority, \
s.identifier, \
CONCAT ( \
IIF( \
REGEX_MATCH (pof.path, '(/dev/.*)\\d+$', 1) != '', \
REGEX_MATCH (pof.path, '(/dev/.*)\\d+', 1), \
pof.path \
), \
',', \
REPLACE( \
p.path, \
RTRIM(p.path, REPLACE(p.path, '/', '')), \
'' \
), \
',', \
s.authority, \
',', \
s.identifier \
) AS exception_key \
FROM \
process_open_files pof \
LEFT JOIN processes p ON pof.pid = p.pid \
LEFT JOIN hash ON hash.path = p.path \
LEFT JOIN signature s ON p.path = s.path \
WHERE \
pof.path LIKE '/dev/%' \
AND pof.path NOT IN ( \
'/dev/null', \
'/dev/ptmx', \
'/dev/random', \
'/dev/tty', \
'/dev/urandom' \
) \
AND pof.path NOT LIKE '/dev/ttys%' \
AND p.path NOT LIKE '/System/%' \
AND p.path NOT LIKE '/usr/libexec/%' \
AND p.path NOT LIKE '/usr/sbin/%' \
AND exception_key NOT IN ( \
'/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond', \
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd', \
'/dev/auditsessions,authd,Software Signing,com.apple.authd', \
'/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred', \
'/dev/auditsessions,securityd,Software Signing,com.apple.securityd', \
'/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver', \
'/dev/autofs,automountd,Software Signing,com.apple.automountd', \
'/dev/bpf,airportd,Software Signing,com.apple.airport.airportd', \
'/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd', \
'/dev/console,launchd,Software Signing,com.apple.xpc.launchd', \
'/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd', \
'/dev/io8log,airportd,Software Signing,com.apple.airport.airportd', \
'/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter', \
'/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd', \
'/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \
'/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd', \
'/dev/io8logtemp,airportd,Software Signing,com.apple.airport.airportd', \
'/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter', \
'/dev/io8logtemp,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \
'/dev/io8logtemp,symptomsd,Software Signing,com.apple.symptomsd', \
'/dev/io8logtemp,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \
'/dev/io8logtemp,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \
'/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \
'/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \
'/dev/io,airportd,Software Signing,com.apple.airport.airportd', \
'/dev/io,ControlCenter,Software Signing,com.apple.controlcenter', \
'/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \
'/dev/io,symptomsd,Software Signing,com.apple.symptomsd', \
'/dev/io,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', \
'/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', \
'/dev/klog,syslogd,Software Signing,com.apple.syslogd', \
'/dev/oslog,logd,Software Signing,com.apple.logd', \
'/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', \
'/dev/xcpm,systemstats,Software Signing,com.apple.systemstats', \
'/dev/xcpm,thermald,Software Signing,com.apple.thermald' \
) \
GROUP BY \
pof.pid;",
"interval": "10800",
"platform": "darwin",
"description": "Detects unexpected programs opening files in /dev on Linux"
},
"unexpected-sensitive-file-access-linux": {
"query": "SELECT \
pof.pid, \
pof.fd, \
pof.path, \
f.uid AS file_uid, \
p.cwd AS cwd, \
p.euid, \
p.uid AS process_uid, \
p.name AS program_name, \
p.cmdline AS cmdline, \
pp.name AS parent_name, \
pp.cwd AS parent_cwd, \
pp.path AS parent_path, \
hp.sha256 AS parent_sha256, \
pf.filename AS program_base, \
hash.sha256, \
REPLACE(f.directory, u.directory, '~') AS dir, \
CONCAT ( \
pf.filename, \
',', \
p.name, \
',', \
IIF( \
REGEX_MATCH ( \
REPLACE(f.directory, u.directory, '~'), \
'([/~].*?/.*?/.*?)/', \
1 \
) != '', \
REGEX_MATCH ( \
REPLACE(f.directory, u.directory, '~'), \
'([/~].*?/.*?/.*?)/', \
1 \
), \
REPLACE(f.directory, u.directory, '~') \
) \
) AS exception_key \
FROM \
process_open_files pof \
LEFT JOIN processes p ON pof.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN file f ON pof.path = f.path \
LEFT JOIN file pf ON p.path = pf.path \
LEFT JOIN users u ON p.uid = u.uid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN hash hp ON pp.path = hp.path \
WHERE \
f.uid != '' \
AND pf.filename != '' \
AND ( \
pof.path LIKE '/home/%/.ssh/%' \
OR pof.path LIKE '/home/%/.mozilla/firefox/%' \
OR pof.path LIKE '/home/%/.config/google-chrome/%' \
OR pof.path LIKE '/root/.ssh/%' \
OR pof.path LIKE '/root/.bash_history' \
OR pof.path LIKE '/home/%/.config/gcloud/%' \
OR pof.path LIKE '/home/%/.config/Slack/%' \
OR pof.path LIKE '/home/%/.bash_history' \
OR pof.path LIKE '/home/%/.cache/mozilla/firefox%' \
OR pof.path LIKE '/home/%/.config/mozilla/firefox%' \
OR pof.path LIKE '/home/%/.aws%' \
) \
AND NOT ( \
file_uid == process_uid \
AND exception_key IN ( \
'aws,aws,~/.aws', \
'chrome_crashpad_handler,chrome_crashpad,', \
'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome', \
'chrome,chrome,~/.config/google-chrome', \
'firefox,.firefox-wrappe,~/.cache/mozilla', \
'firefox,.firefox-wrappe,~/.mozilla/firefox', \
'firefox,file:// Content,~/.mozilla/firefox', \
'firefox,firefox,~/.cache/mozilla', \
'firefox,firefox,~/.mozilla/firefox', \
'firefox,file:// Content,~/.cache/mozilla', \
'firefox,firefox,~/snap/firefox', \
'firefox,Isolated Servic,~/.cache/mozilla', \
'firefox,Isolated Servic,~/snap/firefox', \
'firefox,Isolated Web Co,~/.cache/mozilla', \
'firefox,Isolated Web Co,~/.mozilla/firefox', \
'firefox,Isolated Web Co,~/snap/firefox', \
'firefox,Privileged Cont,~/.cache/mozilla', \
'firefox,Privileged Cont,~/.mozilla/firefox', \
'firefox,Privileged Cont,~/snap/firefox', \
'firefox,Web Content,~/.cache/mozilla', \
'firefox,Web Content,~/snap/firefox', \
'firefox,WebExtensions,~/.cache/mozilla', \
'firefox,WebExtensions,~/.mozilla/firefox', \
'firefox,WebExtensions,~/snap/firefox', \
'plugin-container,MainThread,~/.mozilla/firefox', \
'slack,slack,~/.config/Slack', \
'slack,slack,~/snap/slack' \
) \
) \
GROUP BY \
pof.pid, \
pof.path;",
"interval": "10800",
"platform": "linux",
"description": "This query looks for exotic open file/process combinations"
}
}
}
{
"queries": {
"unexpected-bpf-user": {
"query": "SELECT \
SELECT \
pmm.pid, \
pmm.path AS lib_path, \
p.path, \
p.name, \
p.cmdline, \
p.cwd, \
p.euid, \
p.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
hash.sha256 AS child_sha256, \
phash.sha256 AS parent_sha256 \
FROM \
process_memory_map pmm \
LEFT JOIN processes p ON pmm.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN hash AS phash ON pp.path = phash.path \
WHERE \
( \
lib_path LIKE '%:bpf%' \
OR lib_path LIKE '%libbpf%' \
) \
AND p.path NOT IN ( \
'/usr/bin/qemu-system-x86_64', \
'/usr/lib/systemd/systemd' \
) \
AND p.path NOT LIKE '/nix/store/%/lib/systemd/systemd' \
GROUP BY \
pmm.pid;",
"interval": "10800",
"platform": "darwin",
"description": "Find root-run processes which link against libpf"
},
"unexpected-pcap-user-linux": {
"query": "SELECT \
pmm.pid, \
p.uid, \
p.gid, \
pmm.path AS lib_path, \
p.path AS child_path, \
p.name AS child_name, \
p.cmdline AS child_cmd, \
p.cwd AS child_cwd, \
h.sha256 AS child_sha256, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
ph.sha256 AS parent_sha256 \
FROM \
process_memory_map pmm \
LEFT JOIN processes p ON pmm.pid = p.pid \
LEFT JOIN hash h ON p.path = h.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash AS ph ON pp.path = ph.path \
WHERE \
pmm.path LIKE '%libpcap%' \
AND p.euid = 0 \
AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
AND child_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%' \
AND child_path NOT LIKE '/nix/store/%-systemd-%/bin/udevadm' \
AND child_path NOT LIKE '/System/Library/%' \
AND child_path NOT LIKE '/nix/store/%/bin/nix' \
AND child_path NOT IN ( \
'/usr/libexec/UserEventAgent', \
'/usr/sbin/systemstats', \
'/usr/bin/libvirtd', \
'/usr/sbin/cupsd', \
'/run/current-system/systemd/lib/systemd/systemd' \
) \
AND child_cmd NOT IN ( \
'/nix/var/nix/profiles/default/bin/nix-daemon', \
'/run/current-system/systemd/lib/systemd/systemd', \
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid' \
) \
GROUP BY \
pmm.pid;",
"interval": "10800",
"platform": "linux",
"description": "Find root-run processes which link against libpcap"
},
"unexpected-pcap-user-macos": {
"query": "SELECT \
SELECT \
pmm.pid, \
p.uid, \
p.gid, \
pmm.path AS lib_path, \
p.path AS child_path, \
p.name AS child_name, \
p.cmdline AS child_cmd, \
p.cwd AS child_cwd, \
h.sha256 AS child_sha256, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
ph.sha256 AS parent_sha256, \
s.authority, \
s.identifier \
FROM \
process_memory_map pmm \
LEFT JOIN processes p ON pmm.pid = p.pid \
LEFT JOIN hash h ON p.path = h.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash AS ph ON pp.path = ph.path \
LEFT JOIN signature s ON p.path = s.path \
WHERE \
pmm.path LIKE '%libpcap%' \
AND p.euid = 0 \
AND child_path NOT LIKE '/System/%' \
AND child_path NOT LIKE '/usr/libexec/%' \
AND child_path NOT LIKE '/usr/sbin/%' \
AND child_path NOT LIKE '/usr/bin/%' \
AND child_path NOT LIKE '/nix/store/%/bin/nix' \
AND child_path NOT LIKE '/opt/homebrew/Cellar/vim/%/bin/vim' \
AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
AND NOT s.authority IN ( \
'Software Signing', \
'Apple Mac OS Application Signing', \
'Developer ID Application: Kolide Inc (YZ3EM74M78)', \
'Developer ID Application: Docker Inc (9BNSXJN65R)' \
) \
GROUP BY \
pmm.pid;",
"interval": "10800",
"platform": "darwin",
"description": "Find root-run processes which link against libpcap"
}
}
}
{
"queries": {
"empty_environ": {
"query": "SELECT \
COUNT(*) AS count, \
p.pid, \
p.path, \
p.cmdline \
FROM \
process_envs pe \
JOIN processes p ON pe.pid = p.pid \
GROUP BY \
p.pid \
HAVING \
count == 0;",
"interval": "10800",
"description": "Inspired by BPFdoor"
},
"executables-from-the-future": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.cmdline, \
p.cwd, \
p.euid, \
p.parent, \
f.ctime, \
f.btime, \
f.mtime, \
p.start_time, \
f.mtime > strftime('%s', 'now') AS mtime_newer, \
f.ctime > strftime('%s', 'now') AS ctime_newer, \
f.btime > strftime('%s', 'now') AS btime_newer, \
hash.sha256 AS child_hash256, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
mtime_newer == 1 \
OR ctime_newer == 1 \
OR btime_newer == 1;",
"interval": "10800",
"description": "Programs which claim to be from the future, based on (btime,ctime,mtime)"
},
"hidden-cwd": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.cmdline, \
p.cwd, \
p.euid, \
p.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
hash.sha256, \
REPLACE(p.cwd, u.directory, '~') AS dir, \
CONCAT ( \
p.name, \
',', \
IIF( \
REGEX_MATCH ( \
REPLACE(p.cwd, u.directory, '~'), \
'([/~].*?/.*?/.*?)/', \
1 \
) != '', \
REGEX_MATCH ( \
REPLACE(p.cwd, u.directory, '~'), \
'([/~].*?/.*?/.*?)/', \
1 \
), \
REPLACE(p.cwd, u.directory, '~') \
) \
) AS exception_key \
FROM \
processes p \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN users u ON p.uid = u.uid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
dir LIKE '%/.%' \
AND NOT ( \
exception_key IN ( \
'bash,~/.local/share', \
'bash,~/go/src', \
'Electron,~/.vscode/extensions', \
'fish,~/.local/share', \
'git,~/.local/share', \
'makepkg,~/.cache/yay', \
'make,~/.cache/yay', \
'java,~/.gradle/daemon', \
'java,~/.local/share', \
'rust-analyzer-p,~/.cargo/registry', \
'as,~/.cache/yay', \
'c++,~/.cache/yay', \
'cc1plus,~/.cache/yay', \
'mysqld,~/.local/share' \
) \
OR dir IN ( \
'~/.vim', \
'~/.cache/yay', \
'~/.local/share/chezmoi', \
'~/.local/share/nvim', \
'~/.gmailctl' \
) \
OR p.name IN ( \
'bindfs', \
'vim', \
'nvim', \
'code', \
'updatedb', \
'git', \
'gitsign', \
'Code Helper' \
) \
OR dir LIKE '~/.dotfiles/%' \
OR dir LIKE '~/.gradle/%' \
OR dir LIKE '~/.local/share/kotlin/%' \
OR dir LIKE '~/go/src/%' \
OR dir LIKE '~/.local/share/nvim/%' \
OR dir LIKE '~/.vscode/extensions/%' \
OR dir LIKE '~/.local/share/fish/%' \
OR dir LIKE '~/.cache/yay/%' \
OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%' \
OR dir LIKE '~/src/%' \
OR dir LIKE '~/%/.github%' \
OR dir LIKE '~/.cargo/%' \
OR dir LIKE '~/.local/share/JetBrains/%' \
OR dir LIKE '~/code/%' \
);",
"interval": "10800",
"description": "Programs running with a hidden current working directory"
},
"hidden-launchd-files-macos": {
"query": "SELECT file.path, \
file.type, \
file.filename, \
file.size, \
file.mtime, \
file.uid, \
file.ctime, \
file.gid, \
hash.sha256, \
signature.identifier, \
signature.authority \
FROM file \
LEFT JOIN signature ON file.path = signature.path \
LEFT JOIN hash ON file.path = hash.path \
WHERE ( \
file.path LIKE '/Library/LaunchAgents/.%' \
OR file.path LIKE '/Users/%/Library/LaunchAgents/.%' \
OR file.path LIKE '/Users/%/Library/LaunchDaemons/.%' \
) \
AND file.filename NOT IN ('.', '..', '.DS_Store') \
AND NOT ( \
file.filename = '.DS_Store' \
AND hash.sha256 = 'd65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3' \
);",
"interval": "10800",
"platform": "darwin",
"description": "osquery can't see hidden launch agents/daemons"
},
"hidden-parent-pid": {
"query": "SELECT \
pp.* \
FROM \
processes \
JOIN processes pp ON processes.parent = pp.pid \
WHERE \
processes.parent NOT IN ( \
SELECT \
pid \
FROM \
processes \
) \
AND processes.parent != 0;",
"interval": "10800",
"description": "Works well for revealing boopkit, so long as boopkit has a child process."
},
"missing-from-disk-linux": {
"query": "SELECT \
p.pid, \
p.uid, \
p.cmdline, \
p.path, \
mnt_namespace, \
p.cwd, \
p.on_disk, \
p.state, \
file.inode, \
pp.on_disk AS parent_on_disk, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmdline, \
pp.cwd AS parent_cwd, \
ph.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ph ON pp.path = ph.path \
WHERE \
p.on_disk != 1 \
AND p.path != '' \
AND mnt_namespace IN ( \
SELECT DISTINCT \
(mnt_namespace) \
FROM \
process_namespaces \
JOIN processes ON processes.pid = process_namespaces.pid \
WHERE \
processes.name IN ('osqueryi', 'osqueryd') \
) \
AND file.inode IS NULL \
AND p.path NOT LIKE '/tmp/.mount_%';",
"interval": "10800",
"platform": "linux",
"description": "Processes that do not exist on disk"
},
"missing-from-disk-macos": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.parent, \
p.state, \
p.cwd, \
p.gid, \
p.uid, \
p.euid, \
p.cmdline AS cmd, \
p.cwd, \
p.on_disk, \
p.state, \
pp.on_disk AS parent_on_disk, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
p.on_disk != 1 \
AND (strftime('%s', 'now') - p.start_time) > 15 \
AND p.pid > 0 \
AND p.parent != 2 \
AND p.state != 'Z' \
AND NOT ( \
p.parent = 1 \
AND p.path = '' \
) \
AND NOT ( \
p.gid = 20 \
AND ( \
cmd LIKE '/Library/Apple/System/%' \
OR cmd LIKE '/Applications/%/Contents/%' \
OR cmd LIKE '/Library/Apple/System/%' \
OR cmd LIKE '/Library/Application Support/Logitech.localized/%' \
OR cmd LIKE '/Library/Developer/CommandLineTools/%' \
OR p.path IN ( \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper' \
) \
OR cmd LIKE '/opt/homebrew/Cellar/%' \
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' \
OR cmd LIKE '/opt/homebrew/opt/%' \
OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' \
OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' \
OR parent_cmd LIKE '/Applications/Google Chrome.app/%' \
) \
) \
AND NOT ( \
p.name = '' \
AND parent_cmd = '/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox -foreground' \
);",
"interval": "10800",
"platform": "darwin",
"description": "Processes that do not exist on disk"
},
"name_path_mismatch": {
"query": "SELECT \
p.name, \
TRIM(SUBSTR(SPLIT (p.name, ':./ ', 0), 0, 15)) AS short_name, \
TRIM(SUBSTR(SPLIT (f.filename, ':./ ', 0), 0, 15)) AS short_filename, \
f.filename, \
p.path, \
p.cwd, \
p.cmdline AS cmd, \
p.parent AS parent_pid, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
hash.sha256 AS child_sha256, \
phash.sha256 AS parent_sha256, \
CONCAT ( \
'name=', \
TRIM(SUBSTR(SPLIT (p.name, ':./ ', 0), 0, 15)), \
',file=', \
TRIM(SUBSTR(SPLIT (f.filename, ':./ ', 0), 0, 15)), \
',', \
MIN(p.uid, 500) \
) AS exception_key \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN hash AS phash ON pp.path = phash.path \
WHERE \
short_filename != short_name \
AND NOT cmd LIKE '/nix/store/%/bin/bash%' \
AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3') \
AND exception_key NOT IN ( \
'name=blueman-applet,file=python3,500', \
'name=blueman-tray,file=python3,500', \
'name=cat,file=coreutils,500', \
'name=chrome-gnome-s,file=python3,500', \
'name=Chroot,file=firefox,500', \
'name=code-oss,file=electron,500', \
'name=exe,file=rootlessport,500', \
'name=file,file=firefox,500', \
'name=firefox-wrappe,file=firefox,500', \
'name=Web,file=thunderbird,500', \
'name=Isolated,file=thunderbird,500', \
'name=firewalld,file=python3,0', \
'name=gjs,file=gjs-console,120', \
'name=gjs,file=gjs-console,500', \
'name=gnome-characte,file=gjs-console,500', \
'name=gnome-character,file=gjs-console,500', \
'name=gnome-tweak-to,file=python3,500', \
'name=gsettings-hel,file=gsettings-help,500', \
'name=Isolated,file=firefox,500', \
'name=MainThread,file=plugin-contain,500', \
'name=mysqld,file=mariadbd,500', \
'name=networkd-dispa,file=python3,0', \
'name=Web,file=thunderbird,500', \
'name=nix-daemon,file=nix,0', \
'name=sessionclean,file=dash,0', \
'name=npm,file=node,500', \
'name=pidof,file=killall5,0', \
'name=osqueryi,file=osqueryd,0', \
'name=osqueryi,file=osqueryd,500', \
'name=phpstorm,file=dash,500', \
'name=Privileged,file=firefox,500', \
'name=RDD,file=firefox,500', \
'name=sd_espeak-ng-m,file=sd_espeak-ng,500', \
'name=sh,file=dash,0', \
'name=sh,file=dash,500', \
'name=slic3r_main,file=prusa-slicer,500', \
'name=Socket,file=firefox,500', \
'name=streamdeck,file=python3,500', \
'name=systemd-udevd,file=udevadm,0', \
'name=terminator,file=python3,500', \
'name=Thunar,file=thunar,500', \
'name=unattended-upg,file=python3,0', \
'name=Utility,file=firefox,500', \
'name=vi,file=nvim,500', \
'name=vi,file=vim,500', \
'name=WebExtensions,file=firefox,500', \
'name=Web,file=firefox,500', \
'name=X,file=Xorg,0', \
'name=zfs-auto-snaps,file=ruby,0', \
'name=zoom,file=ZoomLauncher,500' \
) \
AND NOT ( \
short_filename = 'systemd' \
AND short_name LIKE '(sd%' \
) \
AND NOT ( \
short_filename LIKE 'emacs%' \
AND short_name = 'emacs' \
) \
AND NOT (p.path LIKE '/nix/store/%/bin/coreutils') \
GROUP by \
short_name, \
short_filename;",
"interval": "10800",
"description": "Processes that do not exist on disk"
},
"old-binaries-running": {
"query": "SELECT \
p.path, \
p.cmdline, \
p.cwd, \
((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days, \
((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days, \
((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days, \
h.sha256, \
f.uid, \
f.gid \
FROM \
processes p \
JOIN file f ON p.path = f.path \
JOIN hash h ON p.path = h.path \
WHERE \
( \
ctime_age_days > 1050 \
OR mtime_age_days > 1050 \
) \
AND p.path NOT LIKE '%/opt/brackets/Brackets%' \
AND h.sha256 NOT IN ( \
'f61dcfce6f0c04263780700e0e9a8ff2363edefc344c08bd792fd401ddaa160f' \
);",
"interval": "10800",
"description": "Alert on programs running that are unusually old (poor timestomping)"
},
"parent-missing-from-disk": {
"query": "SELECT \
p.name AS child_name, \
p.pid AS child_pid, \
p.path AS child_path, \
p.cmdline AS child_cmd, \
p.uid AS child_uid, \
p.gid AS child_gid, \
hash.path, \
p.on_disk AS child_on_disk, \
pp.pid AS parent_pid, \
pp.name AS parent_name, \
pp.path AS parent_path, \
pp.cmdline AS cmd, \
pp.on_disk AS parent_on_disk, \
pp.uid AS parent_uid, \
pp.gid AS parent_gid \
FROM \
processes p \
JOIN processes pp ON pp.pid = p.parent \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
parent_on_disk != 1 \
AND child_on_disk = 1 \
AND NOT child_pid IN (1, 2) \
AND NOT parent_pid IN (1, 2) \
AND NOT parent_path IN ( \
'/opt/google/chrome/chrome', \
'/usr/bin/gnome-shell' \
) \
AND NOT parent_name IN ( \
'lightdm', \
'nvim', \
'gnome-shell', \
'slack', \
'kube-proxy', \
'kubelet' \
) \
AND NOT ( \
parent_path = '' \
AND p.uid > 500 \
) \
AND parent_path NOT LIKE '/app/extra/%' \
AND parent_path NOT LIKE '/opt/homebrew/Cellar/%' \
AND NOT ( \
parent_name LIKE 'kworker/%+events_unbound' \
AND child_name IN ('modprobe') \
);",
"interval": "10800",
"description": "Parent PID is not on disk"
},
"ssh-notty": {
"query": "SELECT * FROM ( \
SELECT p.pid,p.name,p.cmdline,GROUP_CONCAT(DISTINCT pof.path) AS open_files \
FROM processes p \
LEFT JOIN process_open_files pof ON p.pid = pof.pid \
WHERE p.name = 'sshd' \
GROUP BY p.pid \
) \
WHERE INSTR(cmdline, '@notty') > 0 \
OR \
INSTR(open_files, '/dev/ptmx') = 0;",
"interval": "10800",
"description": "Find ssh sessions that are hiding from 'w'/'who'"
},
"touched-executable-linux": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.cmdline, \
p.cwd, \
p.euid, \
p.parent, \
f.ctime, \
f.btime, \
f.mtime, \
p.start_time, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
hash.sha256 AS sha256 \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
f.ctime = f.mtime \
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%' \
AND f.path NOT LIKE '/snap/%' \
AND f.path NOT LIKE '/home/%/go/bin/%' \
AND f.path NOT LIKE '/home/%/.rustup/%' \
AND f.path NOT LIKE '/home/eddiezane/.local/share/JetBrains/Toolbox/bin/%' \
AND f.path NOT LIKE '/home/%/.cache/cloud-code/bin/%' \
GROUP by \
p.pid;",
"interval": "10800",
"platform": "linux",
"description": "Programs which were spawned by an executable containing a matching ctime & mtime, which"
},
"touched-executable-macos": {
"query": "SELECT \
p.path, \
p.name, \
p.cmdline, \
p.euid, \
DATETIME(p.start_time, 'unixepoch') AS started, \
DATETIME(f.ctime, 'unixepoch') AS changed, \
DATETIME(f.btime, 'unixepoch') AS birthed, \
DATETIME(f.mtime, 'unixepoch') AS modified, \
DATETIME(f.atime, 'unixepoch') AS accessed, \
(f.btime - f.ctime) / 86400 AS btime_ctime_days_diff, \
(p.start_time - f.atime) / 86400 AS start_atime_days_diff, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
pp.cwd AS parent_cwd, \
hash.sha256 AS sha256, \
signature.identifier, \
signature.authority \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN signature ON p.path = signature.path \
WHERE \
f.btime == f.mtime \
AND ( \
btime_ctime_days_diff > 0 \
OR ( \
(btime_ctime_days_diff < -365) \
AND (btime_ctime_days_diff < -1000) \
) \
OR start_atime_days_diff > 90 \
OR start_atime_days_diff < -10 \
) \
AND NOT signature.authority IN ( \
'Apple Mac OS Application Signing', \
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)', \
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)', \
'Developer ID Application: Bryan Jones (49EYHPJ4Q3)', \
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)', \
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', \
'Developer ID Application: Docker Inc (9BNSXJN65R)', \
'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)', \
'Developer ID Application: Galvanix (5BRAQAFB8B)', \
'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)', \
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)', \
'Developer ID Application: GitHub (VEKTX9H2N7)', \
'Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'Developer ID Application: Michael Jones (YD6LEYT6WZ)', \
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', \
'Developer ID Application: RescueTime, Inc (FSY4RB8H39)', \
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \
'Developer ID Application: Yubico Limited (LQA3CS5MM7)', \
'Software Signing' \
) \
AND NOT ( \
p.euid > 500 \
AND ( \
p.path IN ( \
'/Applications/Divvy.app/Contents/MacOS/Divvy', \
'/Applications/Sourcetree.app/Contents/MacOS/Sourcetree', \
'/Library/CoreMediaIO/Plug-Ins/DAL/LogiCapture.plugin/Contents/MacOS/Assistant', \
'/Applications/Canon Utilities/IJ Scan Utility/Canon IJ Scan Utility Lite.app/Contents/Library/LoginItems/CIJSULAgent.app/Contents/MacOS/CIJSULAgent', \
'/Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/MacOS/ESPController.app/Contents/Library/LoginItems/CanonIJExtendedSurveyLaunchAgent.app/Contents/MacOS/CanonIJExtendedSurveyLaunchAgent' \
) \
OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%' \
OR p.path LIKE '/Applications/%.app/Contents/MacOS/%' \
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' \
OR p.path LIKE '/nix/store/%' \
) \
) \
AND NOT ( \
p.euid = 0 \
AND ( \
p.path LIKE '/nix/store/%/bin/nix' \
OR p.path LIKE '/nix/store/%/bin/nix-daemon' \
) \
) \
GROUP by \
p.pid;",
"interval": "10800",
"platform": "darwin",
"description": "Programs which appear to have been touched on macOS"
},
"unexpected-alf-exceptions-macos": {
"query": "SELECT \
ae.path, \
ae.state, \
file.mtime, \
file.ctime, \
file.uid, \
file.directory, \
file.size, \
file.type, \
hash.sha256, \
signature.identifier, \
signature.authority, \
CONCAT ( \
signature.authority, \
',', \
signature.identifier, \
',', \
ae.path, \
',', \
MIN(file.uid, 501) \
) AS exception_key \
FROM \
alf_exceptions ae \
LEFT JOIN file ON ae.path = file.path \
LEFT JOIN hash ON ae.path = hash.path \
LEFT JOIN signature ON ae.path = signature.path \
WHERE \
exception_key NOT IN ( \
',,/Applications/Google%20Chrome.app/,', \
',,/Applications/IntelliJ%20IDEA.app/,', \
',,/Applications/ProtonMail%20Bridge.app/,', \
',,/Applications/Visual%20Studio%20Code.app/,', \
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,', \
',,/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig,', \
',,/usr/bin/nmblookup,', \
',,/usr/libexec/discoveryd,', \
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', \
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501', \
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0', \
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0', \
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0', \
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501', \
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501', \
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0', \
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501', \
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501', \
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', \
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0', \
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501', \
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501', \
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501', \
'Software Signing,com.apple.bootpd,/usr/libexec/bootpd,0', \
'Software Signing,com.apple.configd,/usr/libexec/configd,0', \
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0', \
'Software Signing,com.apple.EmbeddedOSInstallService,/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/,0', \
'Software Signing,com.apple.mDNSResponder,/usr/sbin/mDNSResponder,0', \
'Software Signing,com.apple.Music,/System/Applications/Music.app/,0', \
'Software Signing,com.apple.nc,/usr/bin/nc,0', \
'Software Signing,com.apple.racoon,/usr/sbin/racoon,0', \
'Software Signing,com.apple.universalcontrol,/System/Library/CoreServices/UniversalControl.app/,0', \
'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0', \
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0' \
) \
AND NOT ( \
signature.identifier LIKE 'cargo-%' \
AND ae.path LIKE '/Users/%/.rustup/%' \
) \
AND NOT ( \
signature.identifier LIKE 'fake-%' \
AND ae.path LIKE '%/exe/fake' \
) \
AND NOT ( \
signature.identifier LIKE 'mariadbd-%' \
AND ae.path LIKE '/opt/homebrew/%/mariadbd' \
) \
AND NOT ( \
signature.identifier = 'netcat' \
AND ae.path LIKE '/Users/%/homebrew/Cellar/netcat/%/bin/netcat' \
) \
AND NOT ( \
signature.identifier = 'syncthing' \
AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing' \
) \
AND NOT ( \
ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/' \
) \
AND NOT ( \
( \
signature.identifier = 'a.out' \
OR signature.identifier LIKE '%-%' \
) \
AND file.uid > 500 \
AND ( \
file.directory LIKE '/opt/homebrew/Cellar/%/bin' \
OR file.directory LIKE '/Users/%/bin' \
OR file.directory LIKE '/Users/%/code/%' \
OR file.directory LIKE '/Users/%/src/%' \
OR file.directory LIKE '/Users/%/node_modules/.bin/%' \
OR file.directory LIKE '/Users/%/git/%' \
OR file.directory LIKE '/Users/%/%-cli' \
OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe' \
) \
) \
GROUP BY \
exception_key;",
"interval": "10800",
"platform": "darwin",
"description": "macOS application layer firewall (ALF) service exceptions."
},
"unexpected-dev-entries": {
"query": "SELECT \
file.path, \
file.type, \
file.size, \
file.mtime, \
file.uid, \
file.ctime, \
file.gid, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash ON file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
( \
file.path LIKE '/dev/shm/%%' \
OR file.path LIKE '/dev/%/.%' \
OR file.path LIKE '/dev/.%' \
OR file.path LIKE '/dev/.%/%' \
OR file.path LIKE '/dev/%%/.%/%' \
OR file.path LIKE '/dev/mqueue/%%' \
) \
AND NOT ( \
file.uid > 499 \
AND ( \
file.path NOT LIKE '/dev/shm/.com.google.%' \
OR file.path LIKE '/dev/shm/.org.chromium.%' \
OR file.path LIKE '/dev/shm/wayland.mozilla.%' \
OR file.path LIKE '/dev/shm/shm-%-%-%' \
OR file.path LIKE 'pulse-shm-%' \
OR file.path LIKE 'u1000-Shm%' \
OR file.path LIKE 'u1000-Valve%' \
OR file.path LIKE '/dev/shm/jack_db%' \
) \
) \
AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%' \
AND file.path NOT LIKE '/dev/shm/flatpak-%' \
AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%' \
AND file.path NOT LIKE '%/../%' \
AND file.path NOT LIKE '%/./%' \
AND filename NOT IN ('..') \
AND file.path NOT IN ('/dev/.mdadm/');",
"interval": "10800",
"description": "Inspired by BPFdoor"
},
"unexpected-dev-executables-linux": {
"query": "SELECT \
file.path, \
file.directory, \
uid, \
gid, \
mode, \
file.mtime, \
file.size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
( \
file.path LIKE '/dev/%%' \
OR file.path LIKE '/dev/%%/%%' \
) \
AND file.type = 'regular' \
AND ( \
file.mode LIKE '%7%' \
or file.mode LIKE '%5%' \
or file.mode LIKE '%1%' \
);",
"interval": "10800",
"platform": "linux",
"description": "Find unexpected executables in /dev"
},
"unexpected-etc-executables-linux": {
"query": "SELECT \
file.path, \
file.directory, \
uid, \
gid, \
mode, \
file.mtime, \
file.size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
(file.path LIKE '/etc/%%') \
AND file.type = 'regular' \
AND ( \
file.mode LIKE '%7%' \
or file.mode LIKE '%5%' \
or file.mode LIKE '%1%' \
) \
AND file.directory NOT IN ( \
'/etc/X11/xinit/xinitrc.d', \
'/etc/apcupsd', \
'/etc/menu-methods', \
'/etc/avahi', \
'/etc/chromium/native-messaging-hosts', \
'/etc/cifs-utils', \
'/etc/cron.hourly', \
'/etc/flatpak/remotes.d', \
'/etc/gdm/Init', \
'/etc/gdm/PostLogin', \
'/etc/gdm/PostSession', \
'/etc/gdm/PreSession', \
'/etc/gdm', \
'/etc/grub.d', \
'/etc/httpd/modules', \
'/etc/ifplugd', \
'/etc/init.d', \
'/etc/lightdm', \
'/etc/pinentry', \
'/etc/ppp', \
'/etc/ppp/ip-down.d', \
'/etc/ppp/ip-up.d', \
'/etc/ppp/ipv6-up.d', \
'/etc/profile.d', \
'/etc/rdnssd', \
'/etc/security', \
'/etc/skel', \
'/etc/ssl/misc', \
'/etc/systemd/system', \
'/etc/systemd/system/graphical.target.wants', \
'/etc/vpnc', \
'/etc/xdg/Xwayland-session.d', \
'/etc/NetworkManager/dispatcher.d', \
'/etc/X11', \
'/etc/X11/xinit', \
'/etc/acpi', \
'/etc/alternatives', \
'/etc/apm/resume.d', \
'/etc/apm/scripts.d', \
'/etc/apm/suspend.d', \
'/etc/brltty/Contraction', \
'/etc/console-setup', \
'/etc/cron.daily', \
'/etc/cron.monthly', \
'/etc/cron.weekly', \
'/etc/dhcp/dhclient-enter-hooks.d', \
'/etc/dhcp/dhclient-exit-hooks.d', \
'/etc/dkms', \
'/etc/gdm3/Init', \
'/etc/gdm3/PostLogin', \
'/etc/gdm3/PostSession', \
'/etc/gdm3/PreSession', \
'/etc/gdm3/Prime', \
'/etc/gdm3/PrimeOff', \
'/etc/gdm3', \
'/etc/ifplugd/action.d', \
'/etc/kernel/header_postinst.d', \
'/etc/kernel/install.d', \
'/etc/kernel/postinst.d', \
'/etc/kernel/postrm.d', \
'/etc/kernel/preinst.d', \
'/etc/kernel/prerm.d', \
'/etc/network/if-down.d', \
'/etc/network/if-post-down.d', \
'/etc/network/if-pre-up.d', \
'/etc/network/if-up.d', \
'/etc/openvpn', \
'/etc/pm/sleep.d', \
'/etc/rc0.d', \
'/etc/rc1.d', \
'/etc/rc2.d', \
'/etc/rc3.d', \
'/etc/rc4.d', \
'/etc/rc5.d', \
'/etc/rc6.d', \
'/etc/rcS.d', \
'/etc/update-motd.d', \
'/etc/wpa_supplicant', \
'/etc/zfs/zed.d', \
'/etc/zfs/zpool.d', \
'/etc/bash_completion.d', \
'/etc/dhcp/dhclient.d', \
'/etc/mcelog/triggers', \
'/etc/qemu-ga', \
'/etc/rc.d/init.d', \
'/etc/rc.d/rc0.d', \
'/etc/rc.d/rc1.d', \
'/etc/rc.d/rc2.d', \
'/etc/rc.d/rc3.d', \
'/etc/rc.d/rc4.d', \
'/etc/rc.d/rc5.d', \
'/etc/rc.d/rc6.d', \
'/etc/vmware-tools', \
'/etc/zfs-fuse', \
'/etc/ssl/certs', \
'/etc/ssl/trust-source', \
'/etc/systemd/system-shutdown' \
) \
AND file.path NOT IN ( \
'/etc/nftables.conf', \
'/etc/rmt', \
'/etc/qemu-ifdown', \
'/etc/qemu-ifup', \
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json' \
);",
"interval": "10800",
"platform": "linux",
"description": "Find unexpected executables in /etc"
},
"unexpected-hidden-system-folders": {
"query": "SELECT \
file.path, \
uid, \
gid, \
mode, \
mtime, \
ctime, \
type, \
size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash ON file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
( \
file.path LIKE '/lib/.%' \
OR file.path LIKE '/.%' \
OR file.path LIKE '/bin/%/.%' \
OR file.path LIKE '/lib/%/.%' \
OR file.path LIKE '/libexec/.%' \
OR file.path LIKE '/Library/.%' \
OR file.path LIKE '/sbin/.%' \
OR file.path LIKE '/sbin/%/.%' \
OR file.path LIKE '/tmp/.%' \
OR file.path LIKE '/usr/bin/.%' \
OR file.path LIKE '/usr/lib/.%' \
OR file.path LIKE '/usr/lib/%/.%' \
OR file.path LIKE '/usr/libexec/.%' \
OR file.path LIKE '/usr/local/bin/.%' \
OR file.path LIKE '/usr/local/lib/.%' \
OR file.path LIKE '/usr/local/lib/.%' \
OR file.path LIKE '/usr/local/libexec/.%' \
OR file.path LIKE '/usr/local/sbin/.%' \
OR file.path LIKE '/usr/sbin/.%' \
OR file.path LIKE '/var/.%' \
OR file.path LIKE '/var/lib/.%' \
OR file.path LIKE '/var/tmp/.%' \
OR file.path LIKE '/dev/.%' \
) \
AND strftime('%s', 'now') - file.ctime > 20 \
AND file.path NOT IN ( \
'/.autorelabel', \
'/.file', \
'/.vol/', \
'/.VolumeIcon.icns', \
'/dev/.mdadm/', \
'/tmp/._contentbarrier_installed', \
'/tmp/../', \
'/tmp/./', \
'/tmp/.%.lock', \
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress', \
'/tmp/.dracula-tmux-weather.lock', \
'/tmp/.dracula-tmux-data', \
'/tmp/.dotnet/', \
'/tmp/.vbox-t-ipc/', \
'/tmp/.font-unix/', \
'/tmp/.ICE-unix/', \
'/tmp/.Test-unix/', \
'/tmp/.X0-lock', \
'/tmp/.X1-lock', \
'/tmp/.X11-unix/', \
'/tmp/.XIM-unix/', \
'/var/.ntw_cache', \
'/var/.Parallels_swap/', \
'/var/.pwd_cache' \
) \
AND file.path NOT LIKE '/tmp/.#%' \
AND file.path NOT LIKE '/tmp/.com.google.Chrome.%' \
AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%' \
AND file.path NOT LIKE '/tmp/.X1%-lock' \
AND file.path NOT LIKE '/usr/local/%/.keepme' \
AND file.path NOT LIKE '%/../' \
AND file.path NOT LIKE '%/./' \
AND file.path NOT LIKE '%/.build-id/' \
AND file.path NOT LIKE '%/.dwz/' \
AND file.path NOT LIKE '%/.updated' \
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components' \
AND file.path NOT LIKE '%/google-cloud-sdk/.install/' \
AND file.path NOT LIKE '/tmp/.%.gcode' \
AND NOT ( \
type = 'regular' \
AND ( \
filename LIKE '%.swp' \
OR size < 2 \
) \
) \
AND NOT ( \
file.path = '/.cache/' \
AND file.uid = 0 \
AND file.gid = 0 \
AND file.mode = '0755' \
AND file.size = 3 \
) \
AND NOT ( \
file.path = '/.config/' \
AND file.uid = 0 \
AND file.gid = 0 \
AND file.mode IN ('0755', '0700') \
AND file.size = 4 \
);",
"interval": "10800"
},
"unexpected-ld-so-files-linux": {
"query": "SELECT \
file.path, \
uid, \
gid, \
mode, \
file.mtime, \
file.size, \
hash.sha256, \
CONCAT (file.path, ',', mode, ',', size, ',', sha256) AS exception_key \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
( \
file.path IN ('/etc/ld.so.conf', '/etc/ld.so.preload') \
OR file.path LIKE '/etc/ld.so.conf.d/%' \
OR file.path LIKE '/etc/ld.so.conf.d/.%' \
) \
AND file.filename NOT IN ('.', '..') \
AND exception_key NOT IN ( \
'/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5', \
'/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f', \
'/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8', \
'/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28', \
'/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50', \
'/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181', \
'/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee', \
'/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a', \
'/etc/ld.so.conf.d/lib32-glibc.conf,0644,11,c27424154a6096ae32c0824b785e05de6acef33d9224fd6147d1936be9b4962b', \
'/etc/ld.so.conf.d/libc.conf,0644,44,90d4c7e43e7661cd116010eb9f50ad5817e43162df344bd1ad10898851b15d41', \
'/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3', \
'/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0', \
'/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f', \
'/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221', \
'/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a', \
'/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98' \
);",
"interval": "10800",
"platform": "linux",
"description": "If you have Augeas available, you may want to use that in conjunction with this more limited check."
},
"unexpected-var-executables-linux": {
"query": "SELECT \
file.path, \
file.directory, \
uid, \
gid, \
mode, \
file.mtime, \
file.size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
(file.path LIKE '/var/%%') \
AND file.type = 'regular' \
AND ( \
file.mode LIKE '%7%' \
or file.mode LIKE '%5%' \
or file.mode LIKE '%1%' \
) \
AND file.directory NOT IN ( \
'/var/lib/colord', \
'/var/ossec/agentless', \
'/var/ossec/bin', \
'/var/ossec/wodles', \
'/var/run/booted-system', \
'/var/run/current-system' \
);",
"interval": "10800",
"platform": "linux",
"description": "Find unexpected executables in /var"
}
}
}
{
"queries": {
"recently-created-executables": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.cmdline, \
p.cwd, \
p.euid, \
p.parent, \
f.directory, \
f.ctime, \
f.btime, \
f.mtime, \
p.start_time, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.cwd AS parent_cwd, \
pp.euid AS parent_euid, \
ch.sha256 AS child_sha256, \
ph.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash AS ch ON p.path = ch.path \
LEFT JOIN hash AS ph ON pp.path = ph.path \
WHERE \
p.start_time > 0 \
AND f.ctime > 0 \
AND (p.start_time - MAX(f.ctime, f.btime)) < 180 \
AND p.start_time >= MAX(f.ctime, f.ctime) \
AND NOT f.directory IN ( \
'/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS', \
'/Applications/Grammarly Desktop.app/Contents/MacOS', \
'/Applications/Opal.app/Contents/Library/LaunchServices', \
'/Applications/Opal.app/Contents/MacOS', \
'/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS', \
'/Applications/Signal.app/Contents/Frameworks/Signal Helper.app/Contents/MacOS', \
'/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS', \
'/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS', \
'/Applications/Signal.app/Contents/MacOS', \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS', \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS', \
'/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS', \
'/Applications/Slack.app/Contents/MacOS', \
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS', \
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (GPU).app/Contents/MacOS', \
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (Renderer).app/Contents/MacOS', \
'/Applications/Spotify.app/Contents/MacOS', \
'/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS', \
'/Applications/Stream Deck.app/Contents/MacOS', \
'/Applications/Tailscale.app/Contents/MacOS', \
'/usr/lib/firefox', \
'/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS', \
'/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS', \
'/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS', \
'/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (Renderer).app/Contents/MacOS', \
'/Applications/Todoist.app/Contents/MacOS', \
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS', \
'/Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources', \
'/Library/Application Support/Adobe/AdobeGCClient', \
'/Library/CoreMediaIO/Plug-Ins/DAL/OpalVirtualCamera.plugin/Contents/Resources', \
'/Library/Developer/CommandLineTools/usr/bin', \
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS', \
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS', \
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS', \
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS', \
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS', \
'/usr/local/kolide-k2/bin' \
) \
AND NOT p.path IN ( \
'', \
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd', \
'/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \
'/Library/PrivilegedHelperTools/com.docker.vmnetd', \
'/opt/google/chrome/chrome', \
'/usr/bin/containerd', \
'/usr/bin/dockerd', \
'/usr/bin/obs', \
'/usr/bin/udevadm', \
'/usr/bin/pipewire', \
'/usr/lib/at-spi2-registryd', \
'/usr/lib/at-spi-bus-launcher', \
'/usr/libexec/fwupd/fwupd', \
'/usr/libexec/sssd/sssd_kcm', \
'/usr/lib/fwupd/fwupd', \
'/usr/lib/slack/chrome_crashpad_handler', \
'/usr/lib/slack/slack', \
'/usr/lib/systemd/systemd-journald', \
'/usr/lib/systemd/systemd-oomd', \
'/usr/lib/systemd/systemd-resolved', \
'/usr/lib/systemd/systemd-timesyncd', \
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page', \
'/usr/lib/xf86-video-intel-backlight-helper', \
'/usr/sbin/cupsd', \
'/usr/sbin/tailscaled' \
) \
AND NOT p.path LIKE '/Applications/%.app/%' \
AND NOT p.path LIKE '%-go-build%' \
AND NOT p.path LIKE '/home/%/bin/%' \
AND NOT p.path LIKE '/home/%/terraform-provider-%' \
AND NOT p.path LIKE '/home/%/%.test' \
AND NOT p.path LIKE '/Library/Apple/System/%' \
AND NOT p.path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%' \
AND NOT p.path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' \
AND NOT p.path LIKE '/Library/Application Support/Logitech.localized/%' \
AND NOT p.path LIKE '/nix/store/%/bin/%' \
AND NOT p.path LIKE '/opt/homebrew/bin/%' \
AND NOT p.path LIKE '/opt/homebrew/Cellar/%' \
AND NOT p.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install' \
AND NOT p.path LIKE '/private/tmp/go-build%' \
AND NOT p.path LIKE '/private/tmp/nix-build-%' \
AND NOT p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%' \
AND NOT p.path LIKE '/private/var/folders/%/bin/%' \
AND NOT p.path LIKE '/private/var/folders/%/go-build%' \
AND NOT p.path LIKE '/private/var/folders/%/GoLand/%' \
AND NOT p.path LIKE '/private/var/folders/%/T/pulumi-go.%' \
AND NOT p.path LIKE '/Users/%/bin/%' \
AND NOT p.path LIKE '/Users/%/code/%' \
AND NOT p.path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%' \
AND NOT p.path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%' \
AND NOT p.path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%' \
AND NOT p.path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%' \
AND NOT p.path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%' \
AND NOT p.path LIKE '/Users/%/terraform-provider-%' \
AND NOT p.path LIKE '/Users/%/%.test' \
AND NOT p.path LIKE '/usr/local/bin/%' \
AND NOT p.path LIKE '/usr/local/Cellar/%' \
AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
AND NOT p.path LIKE '%/.vscode/extensions/%' \
AND NOT pp.path IN ('/usr/bin/gnome-shell') \
AND NOT ( \
( \
p.path LIKE '/Users/%' \
OR p.path LIKE '/home/%' \
) \
AND p.uid > 499 \
AND f.ctime = f.mtime \
AND f.uid = p.uid \
AND p.cmdline LIKE './%' \
) \
GROUP BY \
p.pid;",
"interval": "10800",
"description": "Programs that were recently written to disk, based on btime (macOS) or ctime (Linux)"
},
"reverse-shell-socket": {
"query": "SELECT DISTINCT \
(p.pid), \
p.parent, \
p.name, \
p.path, \
p.cmdline, \
p.cwd, \
p.root, \
p.uid, \
p.gid, \
p.start_time, \
pos.remote_address, \
pos.remote_port, \
pp.cmdline, \
pp.path \
FROM \
process_open_files pof \
JOIN process_open_sockets pos USING (pid) \
LEFT JOIN processes p ON pof.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid \
WHERE \
p.name IN ('sh', 'bash', 'perl', 'python') \
AND pof.pid IS NULL \
AND pos.remote_port > 0 \
AND NOT ( \
p.path = '/usr/bin/bash' \
AND pp.cmdline LIKE 'pacman -S%' \
);",
"interval": "10800",
"description": "An alternate way to discover reverse shells, inspired by the osxattack pack"
},
"sketchy-fetcher": {
"query": "SELECT \
p.pid, \
p.path, \
p.name, \
p.cmdline, \
REGEX_MATCH (p.cmdline, '/(\\d+\\.\\d+\\.\\d+\\.\\d+)[:/]', 1) AS remote_address, \
REGEX_MATCH (p.cmdline, '/(:\\d+\\/)/', 1) AS remote_port, \
p.cwd, \
p.euid, \
p.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
( \
INSTR(p.cmdline, 'wget ') > 0 \
OR INSTR(p.cmdline, 'curl ') > 0 \
) \
AND ( \
remote_address NOT IN ('', '127.0.0.1', '::1') \
OR remote_port != '' \
OR p.cmdline LIKE '%.onion%' \
OR p.cmdline LIKE '%tor2web%' \
OR p.cmdline LIKE '%aliyun%' \
OR p.cmdline LIKE '%pastebin%' \
OR p.cmdline LIKE '%curl %--user-agent%' \
OR p.cmdline LIKE '%curl -k%' \
OR p.cmdline LIKE '%curl -sL%' \
OR p.cmdline LIKE '%curl%--insecure%' \
OR p.cmdline LIKE '%wget %--user-agent%' \
OR p.cmdline LIKE '%wget %--no-check-certificate%' \
OR p.cmdline LIKE '%curl%--connect-timeout%' \
OR p.cmdline LIKE '%wget -nc%' \
OR p.cmdline LIKE '%wget -t%' \
OR ( \
p.cmdline LIKE '%wget %' \
AND p.euid < 500 \
) \
OR ( \
p.cmdline LIKE '%curl %' \
AND p.euid < 500 \
) \
) \
AND pp.name NOT IN ('makepkg') \
AND NOT ( \
p.euid > 500 \
AND ( \
p.cmdline LIKE '%--dump-header%' \
OR p.cmdline LIKE '%/api/v%' \
OR p.cmdline LIKE '%curl -X %' \
OR p.cmdline LIKE '%go mod %' \
OR p.cmdline LIKE '%application/json%' \
OR p.cmdline LIKE '%grpcurl%' \
OR p.cmdline LIKE '%Homebrew%' \
OR p.cmdline LIKE '%Nixpkgs/%' \
OR p.cmdline LIKE '%If-None-Match%' \
OR p.cmdline LIKE '%ctlog%' \
OR p.cmdline LIKE '%.well-known/openid-configuration%' \
OR p.cmdline LIKE '%/openid/v1/jwks%' \
OR p.cmdline LIKE '%--progress-bar%' \
OR parent_cmdline LIKE '%brew.rb%' \
OR parent_cmdline LIKE '%brew.sh%' \
OR parent_cmdline LIKE '/nix/store/%-builder.sh' \
OR p.cmdline LIKE 'git %' \
OR p.cmdline LIKE '%LICENSES/vendor/%' \
OR p.cmdline LIKE '%localhost:%' \
OR p.cmdline LIKE '%127.0.0.1:%' \
OR p.name IN ('apko') \
) \
);",
"interval": "60",
"platform": "posix",
"description": "Suspicious URL requests by built-in fetching tools"
},
"sketchy-fetcher-events": {
"query": "SELECT \
p.pid, \
p.path, \
p.cmdline, \
REGEX_MATCH (p.cmdline, '/(\\d+\\.\\d+\\.\\d+\\.\\d+)[:/]', 1) AS remote_address, \
REGEX_MATCH (p.cmdline, '/(:\\d+\\/)/', 1) AS remote_port, \
p.mode, \
p.cwd, \
p.euid, \
p.parent, \
p.syscall, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
process_events p \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
p.time > (strftime('%s', 'now') -60) \
AND ( \
INSTR(p.cmdline, 'wget ') > 0 \
OR INSTR(p.cmdline, 'curl ') > 0 \
) \
AND ( \
remote_address NOT IN ('', '127.0.0.1', '::1') \
OR remote_port != '' \
OR p.cmdline LIKE '%.onion%' \
OR p.cmdline LIKE '%tor2web%' \
OR p.cmdline LIKE '%aliyun%' \
OR p.cmdline LIKE '%pastebin%' \
OR p.cmdline LIKE '%curl.*—write-out%' \
OR p.cmdline LIKE '%curl.*—write-out%' \
OR p.cmdline LIKE '%curl %--user-agent%' \
OR p.cmdline LIKE '%curl -k%' \
OR p.cmdline LIKE '%curl -sL%' \
OR p.cmdline LIKE '%curl%--connect-timeout%' \
OR p.cmdline LIKE '%curl%--output /dev/null%' \
OR p.cmdline LIKE '%curl%--O /dev/null%' \
OR p.cmdline LIKE '%curl%--insecure%' \
OR p.cmdline LIKE '%wget %--user-agent%' \
OR p.cmdline LIKE '%wget %--no-check-certificate%' \
OR p.cmdline LIKE '%wget -nc%' \
OR p.cmdline LIKE '%wget -t%' \
OR ( \
p.cmdline LIKE '%wget %' \
AND p.euid < 500 \
) \
OR ( \
p.cmdline LIKE '%curl %' \
AND p.euid < 500 \
) \
) \
AND pp.name NOT IN ('makepkg', 'apko') \
AND NOT ( \
p.euid > 500 \
AND ( \
p.cmdline LIKE '%--dump-header%' \
OR p.cmdline LIKE '%/api/v%' \
OR p.cmdline LIKE '%curl -X %' \
OR p.cmdline LIKE '%go mod %' \
OR p.cmdline LIKE '%application/json%' \
OR p.cmdline LIKE '%grpcurl%' \
OR p.cmdline LIKE '%Homebrew%' \
OR p.cmdline LIKE '%If-None-Match%' \
OR p.cmdline LIKE '%ctlog%' \
OR p.cmdline LIKE '%.well-known/openid-configuration%' \
OR p.cmdline LIKE '%/openid/v1/jwks%' \
OR p.cmdline LIKE '%--progress-bar%' \
OR parent_cmdline LIKE '%brew.rb%' \
OR parent_cmdline LIKE '%brew.sh%' \
OR p.cmdline LIKE 'git %' \
OR p.cmdline LIKE '%LICENSES/vendor/%' \
OR p.cmdline LIKE '%localhost:%' \
OR p.cmdline LIKE '%127.0.0.1:%' \
OR p.cmdline LIKE '%/192.168.%:%' \
OR p.cmdline LIKE '%/chainctl_%' \
) \
);",
"interval": "10800",
"description": "Events version of sketchy-fetcher"
},
"tiny-executable": {
"query": "SELECT \
p.pid, \
p.path, \
p.cmdline, \
file.size, \
file.mode, \
p.cwd, \
p.euid, \
p.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
file.size > 0 \
AND file.size < 10000;",
"interval": "10800",
"description": "Discover tiny dropper binaries, such as Shikitega"
},
"tiny-executable-events": {
"query": "SELECT \
p.pid, \
p.path, \
p.cmdline, \
file.size, \
p.mode, \
p.cwd, \
p.euid, \
p.parent, \
p.syscall, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
process_events p \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
p.time > (strftime('%s', 'now') -30) \
AND file.size > 0 \
AND file.size < 10000;",
"interval": "10800",
"description": "Discover tiny dropper binaries, such as Shikitega"
},
"unexpected-env-values": {
"query": "SELECT \
key, \
value, \
p.pid, \
p.path, \
p.cmdline, \
p.parent AS parent_pid, \
pp.cmdline AS parent_cmd, \
hash.sha256 \
FROM \
process_envs pe \
LEFT JOIN processes p ON pe.pid = p.pid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
( \
key = 'HISTFILE' \
AND NOT VALUE LIKE '/Users/%/.%_history' \
AND NOT VALUE LIKE '/home/%/.%_history' \
) \
OR ( \
key = 'LD_PRELOAD' \
AND NOT p.path LIKE '%/firefox' \
AND NOT pe.value = 'libfakeroot.so' \
AND NOT pe.value LIKE ':/home/%/.local/share/Steam' \
AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%' \
AND NOT pe.value LIKE ':/snap/%' \
AND NOT pe.value LIKE '/app/bin/%' \
AND NOT pe.value LIKE 'libmozsandbox.so%' \
) \
OR ( \
key = 'DYLD_INSERT_LIBRARIES' \
) \
OR ( \
key = 'DYLD_FRAMEWORK_PATH' \
);",
"interval": "10800",
"description": "Inspired by BPFdoor and other intrusions"
},
"unexpected-execdir-events-linux": {
"query": "SELECT \
pe.pid, \
pe.path, \
REGEX_MATCH (pe.path, '(.*)/', 1) AS dirname, \
pe.mode, \
pe.cwd, \
pe.euid, \
pe.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmd, \
pp.euid AS parent_euid, \
phash.sha256 AS parent_sha256, \
hash.sha256 AS sha256 \
FROM \
process_events pe \
LEFT JOIN processes p ON pe.pid = pe.pid \
LEFT JOIN processes pp ON pe.parent = p.pid \
LEFT JOIN hash ON pe.path = hash.path \
LEFT JOIN hash phash ON pp.path = hash.path \
WHERE \
pe.time > (strftime('%s', 'now') -15) \
AND dirname NOT LIKE '/home/%' \
AND dirname NOT LIKE '/nix/store/%/bin' \
AND dirname NOT LIKE '/nix/store/%/lib/%' \
AND dirname NOT LIKE '/nix/store/%/libexec' \
AND dirname NOT LIKE '/nix/store/%/libexec/%' \
AND dirname NOT LIKE '/nix/store/%/share/%' \
AND dirname NOT LIKE '/opt/%' \
AND dirname NOT LIKE '/tmp/go-build%' \
AND dirname NOT LIKE '/snap/%' \
AND dirname NOT LIKE '/usr/libexec/%' \
AND dirname NOT LIKE '/usr/local/%/bin/%' \
AND dirname NOT LIKE '/usr/local/%bin' \
AND dirname NOT LIKE '/usr/local/%libexec' \
and dirname NOT LIKE '/usr/local/Cellar/%' \
AND dirname NOT LIKE '/usr/lib/%' \
AND dirname NOT LIKE '/usr/lib64/%' \
AND dirname NOT LIKE '/tmp/%/bin' \
AND dirname NOT LIKE '/usr/local/go/pkg/tool/%' \
AND dirname NOT IN ( \
'/', \
'/app', \
'/bin', \
'/ko-app', \
'/sbin', \
'/usr/bin', \
'/usr/lib', \
'/usr/lib64/firefox', \
'/usr/lib/bluetooth', \
'/usr/lib/cups/notifier', \
'/usr/lib/evolution-data-server', \
'/usr/libexec', \
'/usr/libexec/ApplicationFirewall', \
'/usr/libexec/rosetta', \
'/usr/lib/firefox', \
'/usr/lib/fwupd', \
'/usr/lib/ibus', \
'/usr/lib/libreoffice/program', \
'/usr/lib/polkit-1', \
'/usr/lib/slack', \
'/usr/lib/snapd', \
'/usr/lib/systemd', \
'/usr/lib/telepathy', \
'/usr/lib/udisks2', \
'/usr/lib/xorg', \
'/usr/sbin', \
'/usr/share/code', \
'/usr/share/teams', \
'/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin' \
) \
AND NOT pe.path IN ('/usr/lib32/ld-linux.so.2') \
AND NOT ( \
dirname = '' \
AND p.name LIKE 'runc%' \
) \
AND NOT ( \
dirname = '' \
AND parent_name IN ('dockerd') \
) \
AND NOT (pe.euid = 65532) \
GROUP BY \
pe.pid;",
"interval": "10800",
"platform": "linux",
"description": "Events version of unexpected-executable-directory"
},
"unexpected-execdir-events-macos": {
"query": "SELECT \
p.pid, \
p.path, \
REGEX_MATCH (p.path, '(.*)/', 1) AS dirname, \
REPLACE(file.directory, u.directory, '~') AS homedir, \
p.cmdline, \
p.mode, \
p.cwd, \
p.euid, \
p.parent, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmd, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
process_events p \
LEFT JOIN processes ON p.pid = processes.pid \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN users u ON p.uid = u.uid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
p.time > (strftime('%s', 'now') -60) \
AND dirname LIKE '/%' \
AND file.size > 0 \
AND dirname NOT IN ( \
'/bin', \
'/Library/DropboxHelperTools/Dropbox_u501', \
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS', \
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS', \
'/Library/Printers/DYMO/Utilities', \
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources', \
'/usr/lib/system', \
'/Library/PrivilegedHelperTools', \
'/sbin', \
'/nix/store', \
'/usr/bin', \
'/usr/lib', \
'/Library/TeX/texbin', \
'/usr/lib/bluetooth', \
'/usr/lib/cups/notifier', \
'/Library/Frameworks/Python.framework/Versions/3.10/bin', \
'/usr/libexec', \
'/usr/libexec/ApplicationFirewall', \
'/usr/libexec/rosetta', \
'/node_modules/.bin', \
'/nix/var/nix/profiles/default/bin', \
'/run/current-system/sw/bin', \
'/usr/libexec/firmwarecheckers/eficheck', \
'/usr/sbin', \
'/usr/share/code' \
) \
AND dirname NOT LIKE '/Applications/%.app/%' \
AND dirname NOT LIKE '/etc/profiles/per-user/%/bin' \
AND dirname NOT LIKE '/home/%' \
AND dirname NOT LIKE '/Library/%/%.bundle/Contents/Helpers' \
AND dirname NOT LIKE '/Library/%/Resources/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/%/sbin' \
AND dirname NOT LIKE '/Library/Apple/System/%' \
AND dirname NOT LIKE '/Library/Application Support/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/Application Support/Adobe/%' \
AND dirname NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%' \
AND dirname NOT LIKE '/Library/Developer/%' \
AND dirname NOT LIKE '/Library/Developer/CommandLineTools/Library/%' \
AND dirname NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/Java/JavaVirtualMachines/%' \
AND dirname NOT LIKE '/Library/SystemExtensions/%' \
AND dirname NOT LIKE '/nix/store/%' \
AND dirname NOT LIKE '/opt/%' \
AND dirname NOT LIKE '/private/tmp/go-build%/exe' \
AND dirname NOT LIKE '/private/tmp/nix-build-%' \
AND dirname NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS' \
AND dirname NOT LIKE '/private/var/folders/%/bin' \
AND dirname NOT LIKE '/private/var/folders/%/Contents/%' \
AND dirname NOT LIKE '/private/var/folders/%/go-build%' \
AND dirname NOT LIKE '/private/var/folders/%/GoLand' \
AND dirname NOT LIKE '/snap/%' \
AND dirname NOT LIKE '/store/%/bin' \
AND dirname NOT LIKE '/System/%' \
AND dirname NOT LIKE '/Users/%' \
AND dirname NOT LIKE '/usr/libexec/%' \
AND dirname NOT LIKE '/usr/local/%' \
AND dirname NOT LIKE '/Volumes/com.getdropbox.dropbox-%' \
AND dirname NOT LIKE '../%' \
AND p.path NOT IN ( \
'/Applications/Stats.app/Contents/MacOS/Stats', \
'/usr/libexec/AssetCache/AssetCache', \
'_build/krew/bin/git', \
'/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \
'/Library/DropboxHelperTools/DropboxHelperInstaller', \
'/Library/PrivilegedHelperTools/com.adobe.ARMDC.Communicator', \
'/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper', \
'/Library/PrivilegedHelperTools/com.docker.vmnetd', \
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent', \
'/Library/PrivilegedHelperTools/keybase.Helper' \
) \
AND parent_path NOT LIKE '/nix/store/%' \
AND parent_cmd NOT LIKE '%./configure%' \
AND NOT ( \
dirname LIKE '/private/var/%' \
AND processes.name LIKE 'pulumi-go.%' \
) \
AND NOT ( \
dirname LIKE '/private/tmp/%' \
AND processes.name = 'goobspatch' \
) \
GROUP BY \
p.cmdline, \
p.cwd, \
p.euid;",
"interval": "10800",
"platform": "darwin",
"description": "Events version of unexpected-executable-directory"
},
"unexpected-executable-directory-linux": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
p.euid, \
p.gid, \
f.ctime, \
f.directory AS dirname, \
p.cmdline, \
hash.sha256, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN hash ON hash.path = p.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
WHERE \
dirname NOT IN ( \
'/bin', \
'/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin', \
'/sbin', \
'/usr/bin', \
'/usr/lib', \
'/usr/lib/bluetooth', \
'/usr/lib/cups/notifier', \
'/usr/share/teams', \
'/usr/lib/evolution-data-server', \
'/usr/lib/firefox', \
'/usr/lib/fwupd', \
'/usr/lib/ibus', \
'/usr/lib/libreoffice/program', \
'/usr/lib/polkit-1', \
'/usr/lib/slack', \
'/usr/lib/snapd', \
'/usr/lib/systemd', \
'/usr/lib/telepathy', \
'/usr/lib/udisks2', \
'/usr/lib/xorg', \
'/usr/lib64/firefox', \
'/usr/libexec', \
'/usr/sbin', \
'/usr/share/code' \
) \
AND dirname NOT LIKE '/home/%' \
AND dirname NOT LIKE '/nix/store/%' \
AND dirname NOT LIKE '/opt/%' \
AND dirname NOT LIKE '/snap/%' \
AND dirname NOT LIKE '/tmp/%/bin' \
AND dirname NOT LIKE '/tmp/go-build%' \
AND dirname NOT LIKE '/usr/lib/%' \
AND dirname NOT LIKE '/usr/lib64/%' \
AND dirname NOT LIKE '/usr/libexec/%' \
AND dirname NOT LIKE '/usr/local/%' \
AND p.path NOT IN ( \
'/usr/lib/firefox/firefox', \
'/usr/lib64/firefox/firefox' \
) \
AND NOT ( \
dirname = '' \
AND p.name LIKE 'runc%' \
);",
"interval": "10800",
"platform": "linux",
"description": "Programs running out of unexpected directories, such as /tmp"
},
"unexpected-executable-directory-macos": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
p.euid, \
p.gid, \
f.ctime, \
f.directory AS dirname, \
REPLACE(f.directory, u.directory, '~') AS dirname, \
p.cmdline, \
hash.sha256, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
hash.sha256 AS parent_sha256, \
signature.identifier, \
signature.authority \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN hash ON hash.path = p.path \
LEFT JOIN users u ON p.uid = u.uid \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN signature ON p.path = signature.path \
WHERE \
dirname NOT IN ( \
'/bin', \
'/Library/DropboxHelperTools/Dropbox_u501', \
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS', \
'/Library/Printers/DYMO/Utilities', \
'/Library/PrivilegedHelperTools', \
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin', \
'/opt/usr/bin', \
'/opt/X11/bin', \
'/opt/X11/libexec', \
'/sbin', \
'/usr/bin', \
'/usr/lib', \
'/usr/lib/bluetooth', \
'/usr/lib/cups/notifier', \
'/usr/lib/fwupd', \
'/usr/lib/ibus', \
'/usr/libexec', \
'/usr/libexec/ApplicationFirewall', \
'/usr/libexec/AssetCache', \
'/usr/libexec/rosetta', \
'/usr/sbin', \
'/usr/share/code', \
'/usr/share/teams/resources/app.asar.unpacked/node_modules/slimcore/bin' \
) \
AND homedir NOT IN ( \
'~/bin', \
'~/go/bin', \
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin', \
'~/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin', \
'~/Library/Application Support/com.elgato.StreamDeck/Plugins/com.lostdomain.zoom.sdPlugin' \
) \
AND signature.authority NOT IN ( \
'Apple Mac OS Application Signing', \
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', \
'Developer ID Application: Docker Inc (9BNSXJN65R)', \
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', \
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)', \
'Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)', \
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', \
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)', \
'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)', \
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)', \
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'Developer ID Application: Tenable, Inc. (4B8J598M7U)', \
'Developer ID Application: Valve Corporation (MXGJJ98X76)', \
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)', \
'Apple iPhone OS Application Signing', \
'Developer ID Application: Node.js Foundation (HX7739G8FX)', \
'Software Signing' \
) \
AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin' \
AND dirname NOT LIKE '/private/var/folders/%/d/Wrapper/%.app' \
AND dirname NOT LIKE '/Applications/%.app/%' \
AND dirname NOT LIKE '/Applications/Utilities/Adobe Creative Cloud/%' \
AND dirname NOT LIKE '/Library/%/%.bundle/Contents/Helpers' \
AND dirname NOT LIKE '/Library/%/Resources/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/%/sbin' \
AND dirname NOT LIKE '/Library/Apple/System/Library%' \
AND dirname NOT LIKE '/Library/Application Support/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/Application Support/Adobe/%' \
AND dirname NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%' \
AND dirname NOT LIKE '/Library/Developer/%' \
AND dirname NOT LIKE '/Library/Developer/CommandLineTools/Library/%' \
AND dirname NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS' \
AND dirname NOT LIKE '/Library/Java/JavaVirtualMachines/%' \
AND dirname NOT LIKE '/Library/Printers/%.app/Contents/MacOS' \
AND dirname NOT LIKE '/Library/PrivilegedHelperTools/com.%' \
AND dirname NOT LIKE '/nix/store/%' \
AND dirname NOT LIKE '/opt/homebrew/Cellar/%/bin' \
AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec' \
AND dirname NOT LIKE '/opt/homebrew/Cellar/%/libexec/%' \
AND dirname NOT LIKE '/opt/homebrew/Cellar/%/Contents/MacOS' \
AND dirname NOT LIKE '/opt/homebrew/Caskroom/%/bin' \
AND dirname NOT LIKE '/private/tmp/%.app/Contents/MacOS' \
AND dirname NOT LIKE '/private/tmp/go-build%/exe' \
AND dirname NOT LIKE '/private/tmp/nix-build-%' \
AND dirname NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%' \
AND dirname NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS' \
AND dirname NOT LIKE '/private/var/folders/%/bin' \
AND dirname NOT LIKE '/private/var/folders/%/Contents/%' \
AND dirname NOT LIKE '/private/var/folders/%/go-build%' \
AND dirname NOT LIKE '/private/var/folders/%/GoLand' \
AND dirname NOT LIKE '/System/%' \
AND dirname NOT LIKE '/Users/%/bin/%' \
AND dirname NOT LIKE '/Users/%/src/%' \
AND dirname NOT LIKE '/usr/libexec/%' \
AND dirname NOT LIKE '/usr/local/%' \
AND NOT ( \
dirname LIKE '/private/var/%' \
AND p.name LIKE 'pulumi-go.%' \
) \
AND NOT ( \
dirname LIKE '/private/tmp/%' \
AND p.name = 'goobspatch' \
) \
AND NOT ( \
homedir = '~' \
AND p.name = 'cloud_sql_proxy' \
);",
"interval": "10800",
"platform": "darwin",
"description": "Planning on running something in an unexpected place without a signature?"
},
"unexpected-executable-permissions": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
f.mode, \
f.uid, \
f.gid, \
hash.sha256, \
pp.name AS parent_name, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
JOIN file f ON p.path = f.path \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN processes pp ON pp.pid = p.parent \
WHERE \
f.mode NOT IN ( \
'0500', \
'0544', \
'0555', \
'0711', \
'0755', \
'0775', \
'6755', \
'0700', \
'2755', \
'4511', \
'4555', \
'4755' \
) \
AND NOT ( \
f.path IN ( \
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService', \
'/Applications/Camera Settings.app/Contents/MacOS/LogitechCamera' \
) \
AND f.mode = '0777' \
AND f.uid > 500 \
) \
AND NOT ( \
f.path LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin/jsonnet-language-server' \
AND f.mode = '0777' \
AND f.uid > 500 \
) \
AND NOT ( \
f.path = '/usr/bin/sudo' \
AND f.mode = '0411' \
AND f.uid = 0 \
) \
AND NOT ( \
f.path LIKE '/home/%/.local/share/JetBrains/Toolbox/bin/jetbrains-toolbox' \
AND f.mode = '0744' \
AND f.uid = 0 \
);",
"interval": "10800",
"description": "Find running processes whose backing binaries have unusual permissions, namely 0777."
},
"unexpected-gatekeeper-approvals-macos": {
"query": "SELECT \
gap.ctime, \
gap.mtime, \
gap.path, \
file.mtime, \
file.uid, \
file.ctime, \
file.gid, \
hash.sha256, \
signature.identifier, \
signature.authority \
FROM \
gatekeeper_approved_apps AS gap \
LEFT JOIN file ON gap.path = file.path \
LEFT JOIN hash ON gap.path = hash.path \
LEFT JOIN signature ON gap.path = signature.path \
WHERE \
gap.path NOT LIKE '/Users/%/bin/%' \
AND gap.path NOT LIKE '/Users/%/rekor-cli' \
AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64' \
AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64' \
AND gap.path NOT LIKE '/Users/%/configure' \
GROUP BY \
gap.requirement;",
"interval": "10800",
"platform": "darwin",
"description": "Gatekeeper approvals are exceptions that let downloaded binaries run"
},
"unexpected-mounts": {
"query": "SELECT * FROM mounts WHERE device = '/dev/disk0s1' AND type = 'msdos';",
"interval": "10800",
"description": "Detect weird mounts, like mounting the EFI partition"
},
"unexpected-osascript-calls": {
"query": "SELECT \
p.pid, \
p.path, \
TRIM(p.cmdline) AS cmd, \
p.mode, \
p.cwd, \
p.euid, \
p.parent, \
p.syscall, \
hash.sha256, \
pp.path AS parent_path, \
pp.name AS parent_name, \
TRIM(p.cmdline) AS parent_cmd, \
pp.euid AS parent_euid, \
phash.sha256 AS parent_sha256 \
FROM \
uptime, \
process_events p \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN hash AS phash ON pp.path = hash.path \
WHERE \
p.path = '/usr/bin/osascript' \
AND p.time > (strftime('%s', 'now') -60);",
"interval": "10800",
"description": "Detect unusual calls to osascript"
},
"unexpected-raw-socket": {
"query": "SELECT \
pop.pid, \
p.path, \
p.cmdline, \
p.name, \
hash.sha256 \
FROM \
process_open_sockets pop \
JOIN processes p ON pop.pid = p.pid \
JOIN hash ON p.path = hash.path \
WHERE \
family = 17 \
AND name NOT IN ( \
'wpa_supplicant', \
'NetworkManager', \
'dhcpcd', \
'tcpdump' \
);",
"interval": "10800"
},
"unexpected-setuid-binaries": {
"query": "SELECT \
file.path, \
gid, \
uid, \
mode, \
type, \
size, \
sha256 \
FROM \
file \
JOIN hash ON file.path = hash.path \
WHERE \
( \
file.path LIKE '/bin/%' \
OR file.path LIKE '/home/%/bin/%' \
OR file.path LIKE '/opt/%/bin/%' \
OR file.path LIKE '/opt/%/sbin/%' \
OR file.path LIKE '/sbin/%' \
OR file.path LIKE '/tmp/%' \
OR file.path LIKE '/Users/%/bin/%' \
OR file.path LIKE '/usr/bin/%' \
OR file.path LIKE '/usr/lib/%' \
OR file.path LIKE '/usr/lib64/%' \
OR file.path LIKE '/usr/libexec/%' \
OR file.path LIKE '/usr/local/bin/%' \
OR file.path LIKE '/usr/local/lib/%' \
OR file.path LIKE '/usr/local/lib64/%' \
OR file.path LIKE '/usr/local/libexec/%' \
OR file.path LIKE '/usr/local/sbin/%' \
OR file.path LIKE '/usr/sbin/%' \
OR file.path LIKE '/var/lib/%' \
OR file.path LIKE '/var/tmp/%' \
) \
AND type = 'regular' \
AND mode NOT LIKE '0%' \
AND mode NOT LIKE '1%' \
AND mode NOT LIKE '2%' \
AND NOT ( \
mode LIKE '4%11' \
AND uid = 0 \
AND gid = 0 \
AND file.path IN ( \
'/bin/cdda2wav', \
'/bin/cdrecord', \
'/bin/icedax', \
'/bin/mount.nfs', \
'/bin/mount.nfs4', \
'/bin/readcd', \
'/bin/readom', \
'/bin/rscsi', \
'/bin/staprun', \
'/bin/sudo', \
'/bin/sudoedit', \
'/bin/umount.nfs', \
'/bin/umount.nfs4', \
'/bin/wodim', \
'/sbin/cdda2wav', \
'/sbin/cdrecord', \
'/sbin/icedax', \
'/sbin/mount.nfs', \
'/sbin/mount.nfs4', \
'/sbin/readcd', \
'/sbin/readom', \
'/sbin/rscsi', \
'/sbin/umount.nfs', \
'/sbin/umount.nfs4', \
'/sbin/userhelper', \
'/sbin/wodim', \
'/usr/bin/cdda2wav', \
'/usr/bin/cdrecord', \
'/usr/bin/icedax', \
'/usr/bin/mount.nfs', \
'/usr/bin/mount.nfs4', \
'/usr/bin/readcd', \
'/usr/bin/readom', \
'/usr/bin/rscsi', \
'/usr/bin/staprun', \
'/usr/bin/sudo', \
'/usr/bin/sudoedit', \
'/usr/bin/umount.nfs', \
'/usr/bin/umount.nfs4', \
'/usr/bin/wodim', \
'/usr/libexec/security_authtrampoline', \
'/usr/sbin/cdda2wav', \
'/usr/sbin/cdrecord', \
'/usr/sbin/icedax', \
'/usr/sbin/mount.nfs', \
'/usr/sbin/mount.nfs4', \
'/usr/sbin/readcd', \
'/usr/sbin/readom', \
'/usr/sbin/rscsi', \
'/usr/sbin/umount.nfs', \
'/usr/sbin/umount.nfs4', \
'/usr/sbin/userhelper', \
'/usr/sbin/wodim' \
) \
) \
AND NOT ( \
mode LIKE '4%55' \
AND uid = 0 \
AND gid = 0 \
AND file.path IN ( \
'/bin/chage', \
'/bin/chfn', \
'/bin/chsh', \
'/bin/crontab', \
'/bin/doas', \
'/bin/expiry', \
'/bin/fusermount-glusterfs', \
'/bin/fusermount', \
'/bin/fusermount3', \
'/bin/gpasswd', \
'/bin/ksu', \
'/bin/mount', \
'/bin/ndisc6', \
'/bin/newgidmap', \
'/bin/newgrp', \
'/bin/newuidmap', \
'/usr/bin/newgidmap', \
'/bin/nvidia-modprobe', \
'/bin/passwd', \
'/bin/pkexec', \
'/bin/ps', \
'/bin/rdisc6', \
'/bin/rltraceroute6', \
'/bin/sg', \
'/bin/su', \
'/bin/sudo', \
'/bin/sudoedit', \
'/bin/suexec', \
'/bin/ubuntu-core-launcher', \
'/bin/umount', \
'/bin/vmware-user-suid-wrapper', \
'/bin/vmware-user', \
'/sbin/chage', \
'/sbin/chfn', \
'/sbin/chsh', \
'/sbin/crontab', \
'/sbin/doas', \
'/sbin/expiry', \
'/sbin/fusermount', \
'/sbin/fusermount3', \
'/sbin/gpasswd', \
'/sbin/grub2-set-bootflag', \
'/sbin/ksu', \
'/sbin/mount.nfs', \
'/sbin/mount.nfs4', \
'/sbin/mount', \
'/sbin/ndisc6', \
'/sbin/newgrp', \
'/sbin/nvidia-modprobe', \
'/sbin/pam_timestamp_check', \
'/sbin/passwd', \
'/sbin/pkexec', \
'/sbin/rdisc6', \
'/sbin/rltraceroute6', \
'/sbin/sg', \
'/sbin/su', \
'/sbin/sudo', \
'/sbin/sudoedit', \
'/sbin/suexec', \
'/sbin/umount.nfs', \
'/sbin/umount.nfs4', \
'/sbin/umount', \
'/sbin/unix_chkpwd', \
'/usr/bin/at', \
'/usr/bin/atq', \
'/usr/bin/atrm', \
'/usr/bin/batch', \
'/usr/bin/chage', \
'/usr/bin/chfn', \
'/usr/bin/chsh', \
'/usr/bin/crontab', \
'/usr/bin/doas', \
'/usr/bin/expiry', \
'/usr/bin/fusermount-glusterfs', \
'/usr/bin/fusermount', \
'/usr/bin/fusermount3', \
'/usr/bin/gpasswd', \
'/usr/bin/ksu', \
'/usr/bin/login', \
'/usr/bin/mount', \
'/usr/bin/ndisc6', \
'/usr/bin/newgrp', \
'/usr/bin/newuidmap', \
'/usr/bin/nvidia-modprobe', \
'/usr/bin/passwd', \
'/usr/bin/pkexec', \
'/usr/bin/quota', \
'/usr/bin/mullvad-exclude', \
'/usr/sbin/mullvad-exclude', \
'/usr/bin/rdisc6', \
'/usr/bin/rltraceroute6', \
'/usr/bin/sg', \
'/sbin/mullvad-exclude', \
'/bin/mullvad-exclude', \
'/usr/bin/su', \
'/usr/bin/sudo', \
'/usr/bin/sudoedit', \
'/usr/bin/suexec', \
'/usr/bin/top', \
'/usr/bin/ubuntu-core-launcher', \
'/usr/bin/umount', \
'/usr/bin/vmware-user-suid-wrapper', \
'/usr/bin/vmware-user', \
'/usr/lib/mail-dotlock', \
'/usr/lib/xf86-video-intel-backlight-helper', \
'/usr/lib/Xorg.wrap', \
'/usr/lib64/mail-dotlock', \
'/usr/lib64/xf86-video-intel-backlight-helper', \
'/usr/lib64/Xorg.wrap', \
'/usr/libexec/authopen', \
'/usr/libexec/polkit-agent-helper-1', \
'/usr/libexec/qemu-bridge-helper', \
'/usr/libexec/Xorg.wrap', \
'/usr/sbin/chage', \
'/usr/sbin/chfn', \
'/usr/sbin/chsh', \
'/usr/sbin/crontab', \
'/usr/sbin/doas', \
'/usr/sbin/expiry', \
'/usr/sbin/fusermount', \
'/usr/sbin/fusermount3', \
'/usr/sbin/gpasswd', \
'/usr/sbin/grub2-set-bootflag', \
'/usr/sbin/ksu', \
'/usr/sbin/mount.nfs', \
'/usr/sbin/mount.nfs4', \
'/usr/sbin/mount', \
'/usr/sbin/ndisc6', \
'/usr/sbin/newgrp', \
'/usr/sbin/nvidia-modprobe', \
'/usr/sbin/pam_timestamp_check', \
'/usr/sbin/passwd', \
'/usr/sbin/pkexec', \
'/usr/sbin/rdisc6', \
'/usr/sbin/rltraceroute6', \
'/usr/sbin/sg', \
'/usr/sbin/su', \
'/usr/sbin/sudo', \
'/usr/sbin/sudoedit', \
'/usr/sbin/suexec', \
'/usr/sbin/traceroute', \
'/usr/sbin/traceroute6', \
'/usr/sbin/umount.nfs', \
'/usr/sbin/umount.nfs4', \
'/usr/sbin/umount', \
'/usr/sbin/unix_chkpwd' \
) \
) \
AND NOT ( \
mode = '4754' \
AND uid = 0 \
AND gid = 30 \
AND file.path IN ('/usr/sbin/pppd', '/sbin/pppd') \
) \
AND NOT ( \
mode = '6755' \
AND uid = 0 \
AND gid = 0 \
AND file.path IN ( \
'/bin/mount.cifs', \
'/bin/mount.smb3', \
'/bin/unix_chkpwd', \
'/sbin/mount.cifs', \
'/sbin/mount.smb3', \
'/sbin/unix_chkpwd', \
'/usr/bin/mount.cifs', \
'/usr/bin/mount.smb3', \
'/usr/bin/unix_chkpwd', \
'/usr/lib/xtest', \
'/usr/lib64/xtest', \
'/usr/sbin/mount.cifs', \
'/usr/sbin/mount.smb3', \
'/usr/sbin/unix_chkpwd' \
) \
) \
AND NOT ( \
mode = '4110' \
AND uid = 0 \
AND gid = 156 \
AND file.path IN ('/bin/staprun', '/usr/bin/staprun') \
);",
"interval": "10800"
},
"unexpected-tmp-executables": {
"query": "SELECT \
file.path, \
uid, \
gid, \
mode, \
file.mtime, \
file.size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
( \
file.path LIKE '/tmp/%%' \
OR file.path LIKE '/tmp/.%/%%' \
OR file.path LIKE '/tmp/%/%%' \
OR file.path LIKE '/tmp/%/%/.%' \
OR file.path LIKE '/tmp/%/.%/%%' \
OR file.path LIKE '/var/tmp/%%' \
OR file.path LIKE '/var/tmp/.%/%%' \
OR file.path LIKE '/var/tmp/%/%%' \
OR file.path LIKE '/var/tmp/%/%/.%' \
OR file.path LIKE '/var/tmp/%/.%/%%' \
OR file.path LIKE '/var/spool/%%' \
OR file.path LIKE '/var/spool/.%/%%' \
OR file.path LIKE '/var/spool/%/%%' \
OR file.path LIKE '/var/spool/%/%/.%' \
OR file.path LIKE '/var/spool/%/.%/%%' \
OR file.path LIKE '/dev/mqueue/%%' \
OR file.path LIKE '/dev/mqueue/.%/%%' \
OR file.path LIKE '/dev/mqueue/%/%%' \
OR file.path LIKE '/dev/mqueue/%/%/.%' \
OR file.path LIKE '/dev/mqueue/%/.%/%%' \
OR file.path LIKE '/dev/shm/%%' \
OR file.path LIKE '/dev/shm/.%/%%' \
OR file.path LIKE '/dev/shm/%/%%' \
OR file.path LIKE '/dev/shm/%/%/.%' \
OR file.path LIKE '/dev/shm/%/.%/%%' \
) \
AND file.type = 'regular' \
AND file.path NOT LIKE '%/../%' \
AND file.path NOT LIKE '%/./%' \
AND ( \
file.mode LIKE '%7%' \
or file.mode LIKE '%5%' \
or file.mode LIKE '%1%' \
) \
AND NOT ( \
uid > 500 \
AND ( \
file.path LIKE '%/go-build%' \
OR file.path LIKE '/tmp/checkout/%' \
OR file.path LIKE '/tmp/com.apple.installer%' \
OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%' \
OR file.path LIKE '/tmp/go.%.sum' \
OR file.path LIKE '/tmp/guile-%/guile-%' \
OR file.path LIKE '/tmp/terraformer/%' \
OR file.path LIKE '/tmp/tmp.%' \
OR file.path LIKE '%/bin/%-gen' \
OR file.path LIKE '%/bin/%' \
OR file.path LIKE '%/CCLBS/%' \
OR file.path LIKE '%/ko/%' \
OR file.path LIKE '%/pdf-tools/%' \
OR file.path LIKE '%/tmp/epdf%' \
OR \
( \
file.size < 4000 \
AND file.path LIKE '/tmp/%.sh' \
) \
OR ( \
file.size < 4000 \
AND file.path LIKE '/tmp/%.py' \
) \
) \
) \
AND NOT ( \
file.directory LIKE '/tmp/tmp%' \
AND gid = 0 \
AND uid > 300 \
AND uid < 350 \
) \
AND NOT magic.data LIKE '%nix-shell script%' \
AND NOT ( \
file.directory LIKE '/tmp/%' \
AND (strftime('%s', 'now') - ctime) < 60 \
) \
AND NOT file.directory LIKE '/tmp/msu-target-%' \
AND NOT ( \
file.path LIKE('/tmp/%compressed') \
AND size < 4000 \
AND uid > 500 \
) \
AND NOT ( \
file.type = 'regular' \
AND size < 10 \
);",
"interval": "10800",
"description": "Find unexpected executables in temp directories"
},
"xprotect-reports": {
"query": "SELECT * FROM xprotect_reports;",
"interval": "1200",
"platform": "darwin",
"description": "Returns a list of malware matches from macOS XProtect"
}
}
}
{
"queries": {
"high-disk-bytes-written": {
"query": "SELECT \
p.name, \
p.path, \
p.pid, \
p.cmdline, \
p.on_disk, \
p.parent, \
p.start_time, \
hash.sha256, \
p.disk_bytes_written, \
p.cwd, \
(strftime('%s', 'now') - start_time) AS age, \
disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second \
FROM \
processes p \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
bytes_per_second > 2000000 \
AND age > 120 \
AND pid > 2 \
AND p.path NOT IN ( \
'/bin/bash', \
'/usr/bin/aptd', \
'/usr/bin/bash', \
'/usr/bin/bwrap', \
'/usr/bin/curl', \
'/usr/bin/fish', \
'/usr/bin/gnome-shell', \
'/usr/bin/qemu-system-x86_64', \
'/usr/bin/yay', \
'/usr/bin/zsh', \
'/usr/lib/flatpak-system-helper', \
'/usr/lib/systemd/systemd-journald', \
'/usr/lib/systemd/systemd', \
'/usr/lib64/thunderbird/thunderbird', \
'/usr/libexec/coreduetd', \
'/usr/libexec/coreduetd', \
'/usr/libexec/packagekitd', \
'/usr/libexec/rosetta/oahd', \
'/usr/libexec/secd', \
'/usr/libexec/sharingd', \
'/usr/sbin/screencapture' \
) \
AND NOT ( \
name LIKE 'jbd%/dm-%' \
AND on_disk = -1 \
) \
AND NOT ( \
name = 'bindfs' \
AND cmdline LIKE 'bindfs -f -o fsname=%' \
) \
AND NOT ( \
name = 'btrfs-transaction' \
AND on_disk = -1 \
) \
AND NOT ( \
name = 'kernel_task' \
AND p.path = '' \
AND parent IN (0, 1) \
AND on_disk = -1 \
) \
AND NOT ( \
name = 'launchd' \
AND p.path = '/sbin/launchd' \
AND parent = 0 \
) \
AND NOT ( \
name = 'logd' \
AND cmdline = '/usr/libexec/logd' \
AND parent = 1 \
) \
AND NOT ( \
name = 'aptd' \
AND cmdline = '/usr/bin/python3 /usr/sbin/aptd' \
) \
AND NOT name IN ( \
'chrome', \
'com.apple.MobileSoftwareUpdate.UpdateBrainService', \
'containerd', \
'esbuild', \
'firefox', \
'go', \
'goland', \
'java', \
'launcher', \
'gopls', \
'jetbrains-toolb', \
'slack', \
'slack', \
'wineserver' \
) \
AND p.path NOT LIKE '/Applications/%.app/Contents/%' \
AND p.path NOT LIKE '/home/%/.local/share/Steam' \
AND p.path NOT LIKE '/nix/store/%/bin/%sh' \
AND p.path NOT LIKE '/nix/store/%/bin/nix' \
AND p.path NOT LIKE '/System/Applications/%' \
AND p.path NOT LIKE '/System/Library/%' \
AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher';",
"interval": "10800"
},
"high_disk_bytes_read": {
"query": "SELECT \
p.name, \
p.path, \
p.cmdline, \
p.on_disk, \
p.parent, \
p.start_time, \
hash.sha256, \
p.disk_bytes_read, \
p.cwd, \
(strftime('%s', 'now') - start_time) AS age, \
disk_bytes_read / (strftime('%s', 'now') - start_time) AS bytes_per_second \
FROM \
processes p \
LEFT JOIN hash ON p.path = hash.path \
WHERE \
bytes_per_second > 2000000 \
AND age > 180 \
AND p.path NOT LIKE '/Applications/%.app/Contents/%' \
AND p.path NOT LIKE '/System/Library/%' \
AND p.path NOT LIKE '/System/Applications/%' \
AND p.path NOT LIKE '/Library/Apple/System/Library/%' \
AND name NOT IN ( \
'bash', \
'emacs', \
'firefox', \
'fish', \
'gopls', \
'GoogleSoftwareUpdateAgent', \
'nautilus', \
'qemu-system-x86-64', \
'qemu-system-x86', \
'slack', \
'java', \
'wineserver', \
'nix', \
'ykman-gui', \
'osqueryd', \
'zsh' \
) \
AND NOT ( \
name = 'aned' \
AND cmdline = '/usr/libexec/aned' \
AND parent = 1 \
) \
AND NOT ( \
name = 'bindfs' \
AND cmdline LIKE 'bindfs -f -o fsname=%' \
) \
AND NOT ( \
name = 'jetbrains-toolb' \
AND p.path LIKE '/tmp/.mount_jet%/jetbrains-toolbox' \
) \
AND NOT ( \
name = 'chrome' \
AND p.path = '/opt/google/chrome/chrome' \
) \
AND NOT ( \
name = 'com.apple.MobileSoftwareUpdate.UpdateBrainService' \
AND p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.MobileSoftwareUpdate.UpdateBrainService.%.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.UpdateBrainService' \
) \
AND NOT ( \
name = 'FindMy' \
AND p.path = '/System/Applications/FindMy.app/Contents/MacOS/FindMy' \
) \
AND NOT ( \
name = 'go' \
AND cmdline LIKE 'go run %' \
) \
AND NOT ( \
name = 'gopls' \
AND p.path LIKE '/home/%/bin/gopls' \
) \
AND NOT ( \
name = 'gopls' \
AND p.path LIKE '/home/%/gopls/gopls' \
) \
AND NOT ( \
name = 'gopls' \
AND p.path LIKE '/Users/%/bin/gopls' \
) \
AND NOT ( \
name = 'gopls' \
AND p.path LIKE '/Users/%/gopls/gopls' \
) \
AND NOT ( \
name = 'kernel_task' \
AND p.path = '' \
AND parent IN (0, 1) \
AND on_disk = -1 \
) \
AND NOT ( \
name = 'launcher' \
AND p.path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher' \
) \
AND NOT ( \
name = 'logd' \
AND cmdline = '/usr/libexec/logd' \
AND parent = 1 \
) \
AND NOT (name = 'LogiFacecamService') \
AND NOT ( \
name = 'node' \
AND cwd LIKE '%/console-ui/app' \
) \
AND NOT ( \
name = 'osqueryd' \
AND p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
) \
AND NOT ( \
name = 'packagekitd' \
AND p.path = '/usr/libexec/packagekitd' \
) \
AND NOT ( \
name = 'PerfPowerServices' \
AND p.path = '/usr/libexec/PerfPowerServices' \
) \
AND NOT ( \
name = 'ruby' \
AND cmdline LIKE '%brew.rb upgrade' \
) \
AND NOT ( \
name = 'signpost_reporter' \
AND cmdline = '/usr/libexec/signpost_reporter' \
AND parent = 1 \
) \
AND NOT ( \
name = 'snapd' \
AND p.path = '/usr/lib/snaptd/snaptd' \
) \
AND NOT ( \
name = 'spindump' \
AND p.path = '/usr/sbin/spindump' \
) \
AND NOT ( \
name = 'syspolicyd' \
AND p.path = '/usr/libexec/syspolicyd' \
AND parent = 1 \
) \
AND NOT ( \
name = 'systemd-udevd' \
AND p.path = '/usr/bin/udevadm' \
) \
AND NOT ( \
name = 'systemd' \
AND p.path = '/usr/lib/systemd/systemd' \
) \
AND NOT ( \
name = 'systemstats' \
AND p.path = '/usr/sbin/systemstats' \
) \
AND NOT (p.path = '/usr/bin/gnome-shell') \
AND NOT ( \
name = 'terraform-ls' \
AND cmdline LIKE 'terraform-ls serve%' \
) \
AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java');",
"interval": "10800"
},
"spotlight-database-export-macos": {
"query": "SELECT \
f.path, \
f.size, \
datetime(f.btime, 'unixepoch') AS file_created, \
magic.data \
FROM \
file f \
JOIN mdfind ON mdfind.path = f.path \
LEFT JOIN magic ON f.path = magic.path \
WHERE \
( \
( \
mdfind.query = 'kMDItemFSName == '*enforce*' && kMDItemTextContent == 'CREATE TABLE'' \
) \
OR ( \
mdfind.query = 'kMDItemFSName == '*iam*' && kMDItemTextContent == 'CREATE TABLE'' \
) \
OR ( \
mdfind.query = 'kMDItemFSName == '*tenant*' && kMDItemTextContent == 'CREATE TABLE'' \
) \
) \
AND f.path NOT LIKE '%.json' \
AND f.path NOT LIKE '%.log' \
AND f.size > 32768;",
"interval": "10800",
"platform": "darwin",
"description": "Find database exports. Will need tuning based on your table names."
}
}
}
{
"queries": {
"unexpected-etc-hosts": {
"query": "SELECT \
* \
FROM \
etc_hosts \
WHERE \
hostnames NOT IN ( \
'localhost', \
'localhost ip6-localhost ip6-loopback', \
'ip6-allnodes', \
'ip6-allrouters', \
'kubernetes' \
) \
AND address NOT IN ( \
'127.0.1.1', \
'::1', \
'ff02::1', \
'ff02::2', \
'255.255.255.255', \
'fe00::0', \
'ff00::0' \
) \
AND hostnames NOT LIKE 'localhost.%' \
AND hostnames NOT LIKE '%.svc' \
AND hostnames NOT LIKE '%.test' \
AND hostnames NOT LIKE '%.internal' \
AND hostnames NOT LIKE '%.local' \
AND hostnames NOT LIKE 'ip6-%';",
"interval": "10800"
}
}
}
{
"queries": {
"unexpected-shell-parents": {
"query": "SELECT \
p.name, \
p.path AS path, \
p.cmdline AS cmd, \
p.pid, \
p.parent, \
pp.name AS parent_name, \
pp.path AS parent_path, \
pp.cmdline AS parent_cmd, \
hash.sha256 AS parent_sha256 \
FROM \
processes p \
LEFT JOIN processes pp ON pp.pid = p.parent \
LEFT JOIN hash ON pp.path = hash.path \
WHERE \
p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'osascript') \
AND parent_path != '' \
AND pp.name NOT IN ( \
'abrt-handle-eve', \
'alacritty', \
'bash', \
'build-script-build', \
'clang-11', \
'Code - Insiders Helper (Renderer)', \
'Code Helper (Renderer)', \
'collect2', \
'conmon', \
'containerd-shim', \
'dash', \
'demoit', \
'direnv', \
'chezmoi', \
'find', \
'FinderSyncExtension', \
'fish', \
'go', \
'goland', \
'java', \
'ko', \
'kubectl', \
'doas', \
'make', \
'monorail', \
'nix-daemon', \
'nix', \
'nix-build', \
'package_script_service', \
'node', \
'nvim', \
'perl', \
'PK-Backend', \
'python', \
'roxterm', \
'sdzoomplugin', \
'sh', \
'skhd', \
'swift', \
'systemd', \
'helm', \
'terminator', \
'test2json', \
'tmux:server', \
'tmux', \
'vi', \
'vim', \
'watch', \
'wezterm-gui', \
'sshd', \
'xargs', \
'xcrun', \
'xfce4-terminal', \
'yum', \
'zsh' \
) \
AND parent_path NOT IN ( \
'/Applications/Docker.app/Contents/MacOS/Docker', \
'/bin/dash', \
'/bin/sh', \
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon', \
'/opt/X11/libexec/launchd_startx', \
'/sbin/launchd', \
'/usr/lib/xorg/Xorg', \
'/usr/bin/alacritty', \
'/usr/bin/apt-get', \
'/usr/bin/bash', \
'/usr/bin/bwrap', \
'/usr/bin/sysdiagnose', \
'/usr/bin/crond', \
'/usr/bin/login', \
'/Applications/IntelliJ IDEA.app/Contents/MacOS/idea', \
'/Applications/Docker.app/Contents/Resources/bin/com.docker.cli', \
'/usr/bin/man', \
'/usr/bin/sudo', \
'/usr/bin/xargs', \
'/usr/bin/zsh', \
'/usr/libexec/gnome-terminal-server', \
'/usr/libexec/periodic-wrapper', \
'/usr/bin/su' \
) \
AND NOT p.cmdline IN ( \
'sh -c -- exec-bin node_modules/.bin/hugo/hugo server', \
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null' \
) \
AND NOT ( \
pp.name = 'sshd' \
AND p.cmdline LIKE '%askpass%' \
) \
AND NOT ( \
pp.name = 'bash' \
AND p.cmdline LIKE 'sh -s _hostname %' \
) \
AND NOT ( \
pp.cmdline LIKE 'perl%/help2man%' \
AND p.cmdline LIKE 'sh -c man/%' \
) \
AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%' \
AND NOT p.cmdline LIKE '%gcloud config config-helper%' \
AND NOT pp.cmdline LIKE '/Applications/Warp.app/%' \
AND NOT pp.cmdline LIKE '%brew.rb%' \
AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%' \
AND NOT pp.cmdline LIKE '%Code Helper%' \
AND NOT pp.cmdline LIKE '%gcloud.py config config-helper%' \
AND NOT pp.name LIKE '%term%' \
AND NOT pp.name LIKE '%Term%' \
AND NOT pp.name LIKE 'Emacs%' \
AND NOT pp.name LIKE 'terraform-provider-%' \
AND NOT pp.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent' \
AND NOT pp.name LIKE '%/bin/bash' \
AND NOT pp.name LIKE '%/bin/direnv' \
AND NOT parent_path LIKE '/nix/store/%sh' \
AND NOT parent_path LIKE '/opt/homebrew/%';",
"interval": "10800"
},
"unexpected-volume-contents": {
"query": "SELECT \
RTRIM(file.path, '/') AS trimpath, \
uid, \
filename, \
gid, \
mode, \
REGEX_MATCH (file.path, '(.*)/', 1) AS dirname, \
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS basename, \
REGEX_MATCH (RTRIM(file.path, '/'), '.*\\.(.*?)$', 1) AS extension, \
mtime, \
ctime, \
symlink, \
type, \
size, \
hash.sha256, \
magic.data, \
signature.identifier, \
signature.authority \
FROM \
file \
LEFT JOIN hash on file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
LEFT JOIN signature ON file.path = signature.path \
WHERE \
( \
file.path LIKE '/Volumes/%/%' \
OR file.path LIKE '/Volumes/%/.%' \
) \
AND file.path NOT LIKE '/Volumes/Macintosh HD%' \
AND file.path NOT LIKE '/Volumes/%/.com.apple.timemachine%' \
AND ( \
extension IN ( \
'command', \
'lnk', \
'mpkg', \
'scpt', \
'dmg', \
'iso', \
'gz', \
'sh', \
'sql' \
) \
OR file.symlink != 0 \
OR basename LIKE '.%' \
OR basename LIKE '%.sql%' \
OR basename LIKE '%Chrome%' \
OR basename LIKE '%Extension%' \
OR basename LIKE '%enforce%' \
OR basename LIKE '%hidden%' \
OR basename LIKE '%Installer%' \
OR basename LIKE '%mono%' \
OR basename LIKE '%secret%' \
OR basename LIKE '%sql%' \
OR basename LIKE '%guard%' \
OR basename LIKE 'cg%' \
) \
AND basename NOT IN ( \
'..', \
'.', \
'.background', \
'.disk_label_2x', \
'.disk_label', \
'.DS_Store', \
'.iotest', \
'.file-revisions-by-id', \
'.file', \
'.metadata_never_index_unless_rootfs', \
'.shortcut-targets-by-id', \
'.TemporaryItems', \
'.Trashes', \
'._Id.txt', \
'.vol', \
'.apdisk', \
'._.Trashes', \
'._.TemporaryItems', \
'._.apdisk', \
'.VolumeIcon.icns' \
) \
AND authority NOT IN ( \
'Developer ID Application: Google LLC (EQHXZ8M8AV)' \
) \
AND trimpath NOT IN ( \
'/Volumes/Google Chrome/.keystone_install', \
'/Volumes/Google Chrome Canary/.keystone_install', \
'/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg' \
);",
"interval": "10800",
"platform": "darwin",
"description": "Scan removable volumes for sketchy files"
}
}
}
{
"queries": {
"fake-apple-launchd": {
"query": "select \
* \
FROM \
signature s \
JOIN launchd d ON d.program_arguments = s.path \
WHERE \
d.name LIKE 'com.apple.%' \
AND ( \
signed = 0 \
OR authority != 'Software Signing' \
) \
AND d.run_at_load = 1;",
"interval": "10800",
"platform": "darwin",
"description": "Find launchd entries which purport to be by Apple, but are not signed by Apple."
},
"unexpected-cron-entries": {
"query": "SELECT \
* \
FROM \
crontab \
WHERE \
command NOT LIKE 'root%run-parts%' \
AND command NOT LIKE '%freshclam%' \
AND command NOT LIKE '%clamscan%' \
AND command NOT LIKE '%e2scrub%' \
AND command NOT LIKE '%zfs-linux%' \
AND command NOT LIKE '%anacron start%' \
AND command NOT LIKE '%/usr/lib/php/sessionclean%';",
"interval": "10800"
},
"unexpected-kernel-extensions": {
"query": "SELECT \
* \
FROM \
kernel_extensions \
WHERE \
path NOT LIKE '/System/Library/Extensions/%' \
AND NOT ( \
idx = 0 \
AND name = '__kernel__' \
);",
"interval": "10800",
"platform": "darwin",
"description": "Display a list of non-Apple kernel extensions, which are exceedingly rare."
},
"unexpected-launchd-program": {
"query": "SELECT \
l.label, \
l.name, \
l.path, \
l.program, \
l.program_arguments, \
l.keep_alive, \
signature.authority AS program_authority, \
signature.identifier AS program_identifier, \
hash.sha256 \
FROM \
launchd l \
LEFT JOIN signature ON l.program = signature.path \
LEFT JOIN hash ON l.path = hash.path \
WHERE \
( \
run_at_load = 1 \
OR keep_alive = 1 \
) \
AND l.path NOT LIKE '/System/%' \
AND program IS NOT NULL \
AND program_authority NOT IN ( \
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'Developer ID Application: Docker Inc (9BNSXJN65R)', \
'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', \
'Developer ID Application: Valve Corporation (MXGJJ98X76)', \
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)' \
) \
AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent');",
"interval": "10800",
"platform": "darwin",
"description": "Unexpected launchd scripts that use the 'program' field"
},
"unexpected-launchd-program-arguments": {
"query": "SELECT \
l.label, \
l.name, \
l.path, \
TRIM(REGEX_SPLIT (l.program_arguments, ' -', 0)) AS program_path, \
l.program_arguments, \
l.keep_alive, \
signature.authority AS program_authority, \
hash.sha256 \
FROM \
launchd l \
LEFT JOIN signature ON program_path = signature.path \
LEFT JOIN hash ON program_path = hash.path \
WHERE \
( \
run_at_load = 1 \
OR keep_alive = 1 \
) \
AND ( \
program IS NULL \
OR program = '' \
) \
AND l.path NOT LIKE '/System/%' \
AND program_authority NOT IN ( \
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', \
'Developer ID Application: Foxit Corporation (8GN47HTP75)', \
'Developer ID Application: Google LLC (EQHXZ8M8AV)', \
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)', \
'Developer ID Application: Keybase, Inc. (99229SGT5K)', \
'Developer ID Application: Kolide Inc (YZ3EM74M78)', \
'Developer ID Application: Logitech Inc. (QED4VVPZWA)', \
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)', \
'Developer ID Application: Mersive Technologies (63B5A5WDNG)', \
'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'Developer ID Application: Proton Technologies AG (6UN54H93QT)', \
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', \
'Developer ID Application: Sanford, L.P. (N3S6676K3E)', \
'Developer ID Application: Canva Pty Ltd (5HD2ARTBFS)', \
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)', \
'Developer ID Application: Tenable, Inc. (4B8J598M7U)', \
'Software Signing', \
'yabai-cert' \
) \
AND program_arguments NOT IN ( \
'/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk', \
'/opt/homebrew/opt/mariadb/bin/mysqld_safe', \
'/opt/homebrew/opt/skhd/bin/skhd', \
'/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080', \
'/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock', \
'/usr/local/MacGPG2/libexec/fixGpgHome' \
) \
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh' \
AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%';",
"interval": "10800",
"platform": "darwin",
"description": "Unexpected launchd scripts that use the 'program_arguments' field"
},
"unexpected-modules": {
"query": "SELECT \
* \
FROM \
kernel_modules \
WHERE \
name NOT IN ( \
'8021q', \
'ac97_bus', \
'acpi_cpufreq', \
'acpi_pad', \
'acpi_tad', \
'acpi_thermal_rel', \
'aesni_intel', \
'af_alg', \
'af_packet', \
'agpgart', \
'ahci', \
'algif_aead', \
'algif_hash', \
'algif_skcipher', \
'amd_pmc', \
'amdgpu', \
'apple_mfi_fastcharge', \
'asn1_encoder', \
'asus_wmi', \
'atkbd', \
'authenc', \
'autofs4', \
'backlight', \
'battery', \
'binfmt_misc', \
'bluetooth', \
'bnep', \
'bpf_preload', \
'br_netfilter', \
'bridge', \
'btbcm', \
'btintel', \
'btmtk', \
'btrtl', \
'btusb', \
'button', \
'cbc', \
'ccm', \
'ccp', \
'cdc_ether', \
'cec', \
'cfg80211', \
'cmac', \
'configfs', \
'coretemp', \
'cqhci', \
'crc_t10dif', \
'crc16', \
'crc32_pclmul', \
'crc32c_generic', \
'crc32c_intel', \
'crct10dif_common', \
'crct10dif_generic', \
'crct10dif_pclmul', \
'cros_ec_chardev', \
'cros_ec_debugfs', \
'cros_ec_dev', \
'cros_ec_lpcs', \
'cros_ec_sysfs', \
'cros_ec', \
'cros_usbpd_charger', \
'cros_usbpd_logger', \
'cros_usbpd_notify', \
'cryptd', \
'crypto_simd', \
'crypto_user', \
'dca', \
'deflate', \
'des_generic', \
'dm_crypt', \
'dm_mod', \
'dm_multipath', \
'drm_buddy', \
'drm_display_helper', \
'drm_dp_helper', \
'drm_kms_helper', \
'drm_ttm_helper', \
'drm', \
'ecb', \
'ecc', \
'ecdh_generic', \
'edac_core', \
'edac_mce_amd', \
'ee1004', \
'eeepc_wmi', \
'efi_pstore', \
'efivarfs', \
'encrypted_keys', \
'essiv', \
'evdev', \
'ext4', \
'fat', \
'fb_sys_fops', \
'firmware_attributes_class', \
'fuse', \
'ghash_clmulni_intel', \
'gigabyte_wmi', \
'gpio_amdpt', \
'gpio_generic', \
'gpu_sched', \
'hid_apple', \
'hid_generic', \
'hid_jabra', \
'hid_logitech_dj', \
'hid_logitech_hidpp', \
'hid_multitouch', \
'hid_sensor_als', \
'hid_sensor_custom', \
'hid_sensor_hub', \
'hid_sensor_iio_common', \
'hid_sensor_trigger', \
'hid', \
'i2c_algo_bit', \
'i2c_core', \
'i2c_designware_core', \
'i2c_designware_platform', \
'i2c_hid_acpi', \
'i2c_hid', \
'i2c_i801', \
'i2c_piix4', \
'i2c_scmi', \
'i2c_smbus', \
'i8042', \
'i915', \
'icp', \
'idma64', \
'igb', \
'igc', \
'igen6_edac', \
'industrialio_triggered_buffer', \
'industrialio', \
'input_leds', \
'int3400_thermal', \
'int3403_thermal', \
'int340x_thermal_zone', \
'intel_cstate', \
'intel_gtt', \
'intel_ish_ipc', \
'intel_ishtp_hid', \
'intel_ishtp', \
'intel_lpss_pci', \
'intel_lpss', \
'intel_pmc_bxt', \
'intel_powerclamp', \
'intel_rapl_common', \
'intel_rapl_msr', \
'intel_soc_dts_iosf', \
'intel_tcc_cooling', \
'intel_uncore', \
'intel_vsec', \
'iommu_v2', \
'ip_set', \
'ip_tables', \
'ip_vs_rr', \
'ip_vs_sh', \
'ip_vs_wrr', \
'ip_vs', \
'ip6_tables', \
'ip6t_REJECT', \
'ip6t_rpfilter', \
'ip6t_rt', \
'ip6table_nat', \
'ipmi_devintf', \
'ipmi_msghandler', \
'ipt_REJECT', \
'ipt_rpfilter', \
'iptable_filter', \
'iptable_nat', \
'irqbypass', \
'iTCO_vendor_support', \
'iTCO_wdt', \
'iwlmei', \
'iwlmvm', \
'iwlwifi', \
'jbd2', \
'joydev', \
'k10temp', \
'kfifo_buf', \
'kvm_amd', \
'kvm_intel', \
'kvm', \
'led_class', \
'ledtrig_audio', \
'libaes', \
'libahci', \
'libarc4', \
'libata', \
'libcrc32c', \
'libdes', \
'libps2', \
'llc', \
'loop', \
'lp', \
'mac_hid', \
'mac80211', \
'macvlan', \
'mbcache', \
'mc', \
'md4', \
'mei_hdcp', \
'mei_me', \
'mei_pxp', \
'mei_wdt', \
'mei', \
'mii', \
'mmc_core', \
'mousedev', \
'msr', \
'mtd', \
'mxm_wmi', \
'nf_conntrack_broadcast', \
'nf_conntrack_netbios_ns', \
'nf_conntrack_netlink', \
'nf_conntrack', \
'nf_defrag_ipv4', \
'nf_defrag_ipv6', \
'nf_log_syslog', \
'nf_nat', \
'nf_reject_ipv4', \
'nf_reject_ipv6', \
'nf_tables', \
'nfnetlink', \
'nft_chain_nat', \
'nft_compat', \
'nft_counter', \
'nft_ct', \
'nft_fib_inet', \
'nft_fib_ipv4', \
'nft_fib_ipv6', \
'nft_fib', \
'nft_limit', \
'nft_objref', \
'nft_reject_inet', \
'nft_reject', \
'nls_cp437', \
'nls_iso8859_1', \
'nvidia_drm', \
'nvidia_modeset', \
'nvidia_uvm', \
'nvidia', \
'nvme_core', \
'nvme', \
'nvram', \
'overlay', \
'parport_pc', \
'parport', \
'pcspkr', \
'pinctrl_amd', \
'pinctrl_tigerlake', \
'pkcs8_key_parser', \
'platform_profile', \
'pmt_class', \
'pmt_telemetry', \
'ppdev', \
'pps_core', \
'processor_thermal_device_pci_legacy', \
'processor_thermal_device', \
'processor_thermal_mbox', \
'processor_thermal_rapl', \
'processor_thermal_rfim', \
'psmouse', \
'pstore_blk', \
'pstore_zone', \
'pstore', \
'ptp', \
'qrtr', \
'r8152', \
'r8153_ecm', \
'r8169', \
'ramoops', \
'rapl', \
'raydium_i2c_ts', \
'rc_core', \
'reed_solomon', \
'rfcomm', \
'rfkill', \
'rndis_host', \
'rndis_wlan', \
'rng_core', \
'roles', \
'rtc_cmos', \
'rtsx_pci_sdmmc', \
'rtsx_pci', \
'rtw89_8852a', \
'rtw89_8852ae', \
'rtw89_core', \
'rtw89_pci', \
'sch_fq_codel', \
'scsi_common', \
'scsi_mod', \
'sdhci_pci', \
'sdhci', \
'serio_raw', \
'serio', \
'sg', \
'snd_acp_config', \
'snd_acp3x_pdm_dma', \
'snd_acp3x_rn', \
'snd_compress', \
'snd_ctl_led', \
'snd_hda_codec_generic', \
'snd_hda_codec_hdmi', \
'snd_hda_codec_idt', \
'snd_hda_codec_realtek', \
'snd_hda_codec', \
'snd_hda_core', \
'snd_hda_ext_core', \
'snd_hda_intel', \
'snd_hrtimer', \
'snd_hwdep', \
'snd_intel_dspcfg', \
'snd_intel_sdw_acpi', \
'snd_pci_acp3x', \
'snd_pci_acp5x', \
'snd_pci_acp6x', \
'snd_pcm_dmaengine', \
'snd_pcm', \
'snd_rawmidi', \
'snd_rn_pci_acp3x', \
'snd_seq_device', \
'snd_seq_dummy', \
'snd_seq_midi_event', \
'snd_seq_midi', \
'snd_seq', \
'snd_soc_acpi_intel_match', \
'snd_soc_acpi', \
'snd_soc_core', \
'snd_soc_dmic', \
'snd_soc_hdac_hda', \
'snd_soc_hdac_hdmi', \
'snd_soc_intel_hda_dsp_common', \
'snd_soc_skl_hda_dsp', \
'snd_sof_amd_acp', \
'snd_sof_amd_renoir', \
'snd_sof_intel_hda_common', \
'snd_sof_intel_hda', \
'snd_sof_pci_intel_tgl', \
'snd_sof_pci', \
'snd_sof_utils', \
'snd_sof_xtensa_dsp', \
'snd_sof', \
'snd_timer', \
'snd_usb_audio', \
'snd_usbmidi_lib', \
'snd', \
'soundcore', \
'soundwire_bus', \
'soundwire_cadence', \
'soundwire_generic_allocation', \
'soundwire_intel', \
'sp5100_tco', \
'sparse_keymap', \
'spi_intel_pci', \
'spi_intel', \
'spi_nor', \
'spl', \
'squashfs', \
'stp', \
'sunrpc', \
'syscopyarea', \
'sysfillrect', \
'sysimgblt', \
't10_pi', \
'tap', \
'tee', \
'think_lmi', \
'thinkpad_acpi', \
'thunderbolt', \
'tiny_power_button', \
'tls', \
'tpm_crb', \
'tpm_tis_core', \
'tpm_tis', \
'tpm', \
'trusted', \
'ttm', \
'tun', \
'typec_ucsi', \
'typec', \
'uas', \
'ucsi_acpi', \
'uinput', \
'usb_common', \
'usb_storage', \
'usbcore', \
'usbhid', \
'usbnet', \
'uvcvideo', \
'veth', \
'vfat', \
'video', \
'videobuf2_common', \
'videobuf2_memops', \
'videobuf2_v4l2', \
'videobuf2_vmalloc', \
'videodev', \
'vivaldi_fmap', \
'watchdog', \
'wmi_bmof', \
'wmi', \
'x_tables', \
'x86_pkg_temp_thermal', \
'xfrm_algo', \
'xfrm_user', \
'xhci_hcd', \
'xhci_pci_renesas', \
'xhci_pci', \
'xt_addrtype', \
'xt_comment', \
'xt_conntrack', \
'xt_hl', \
'xt_limit', \
'xt_LOG', \
'xt_mark', \
'xt_MASQUERADE', \
'xt_nat', \
'xt_pkttype', \
'xt_statistic', \
'xt_tcpudp', \
'zavl', \
'zcommon', \
'zfs', \
'zlua', \
'znvpair', \
'zram', \
'zunicode', \
'zzstd' \
);",
"interval": "10800"
},
"unexpected-small-udev-entry": {
"query": "SELECT \
file.path, \
uid, \
gid, \
mode, \
mtime, \
ctime, \
type, \
size, \
hash.sha256, \
magic.data \
FROM \
file \
LEFT JOIN hash ON file.path = hash.path \
LEFT JOIN magic ON file.path = magic.path \
WHERE \
file.path LIKE '/usr/lib/udev/rules.d/%' \
AND file.size < 180 \
AND file.path NOT IN ( \
'/usr/lib/udev/rules.d/60-rfkill.rules', \
'/usr/lib/udev/rules.d/50-apport.rules', \
'/usr/lib/udev/rules.d/60-net.rules', \
'/usr/lib/udev/rules.d/61-mutter.rules', \
'/usr/lib/udev/rules.d/66-saned.rules', \
'/usr/lib/udev/rules.d/70-hypervfcopy.rules', \
'/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules', \
'/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules', \
'/usr/lib/udev/rules.d/70-hypervkvp.rules', \
'/usr/lib/udev/rules.d/70-hypervvss.rules', \
'/usr/lib/udev/rules.d/70-spice-vdagentd.rules', \
'/usr/lib/udev/rules.d/70-spice-webdavd.rules', \
'/usr/lib/udev/rules.d/71-nacon-controllers.rules', \
'/usr/lib/udev/rules.d/75-probe_mtd.rules', \
'/usr/lib/udev/rules.d/71-sony-vr.rules', \
'/usr/lib/udev/rules.d/71-betop-controllers.rules', \
'/usr/lib/udev/rules.d/85-hdparm.rules', \
'/usr/lib/udev/rules.d/85-regulatory.rules', \
'/usr/lib/udev/rules.d/90-daxctl-device.rules', \
'/usr/lib/udev/rules.d/91-drm-modeset.rules', \
'/usr/lib/udev/rules.d/96-e2scrub.rules', \
'/usr/lib/udev/rules.d/99-fuse.rules', \
'/usr/lib/udev/rules.d/99-fuse3.rules', \
'/usr/lib/udev/rules.d/99-libsane1.rules', \
'/usr/lib/udev/rules.d/99-nfs.rules', \
'/usr/lib/udev/rules.d/99-qemu-guest-agent.rules' \
);",
"interval": "10800",
"description": "Inspired by Operation Earth Berberoka"
},
"unexpected-uid0-daemon-linux": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
p.euid, \
p.gid, \
f.ctime, \
f.directory AS dirname, \
p.cmdline, \
mnt_namespace, \
hash.sha256, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
WHERE \
p.uid = 0 \
AND (strftime('%s', 'now') - p.start_time) > 15 \
AND mnt_namespace IN ( \
SELECT DISTINCT \
(mnt_namespace) \
FROM \
process_namespaces \
JOIN processes ON processes.pid = process_namespaces.pid \
WHERE \
processes.name IN ('osqueryi', 'osqueryd') \
) \
AND p.path NOT IN ( \
'', \
'/sbin/apcupsd', \
'/snap/snapd/17029/usr/lib/snapd/snapd', \
'/usr/bin/abrt-dump-journal-core', \
'/usr/bin/abrt-dump-journal-oops', \
'/usr/bin/abrt-dump-journal-xorg', \
'/usr/bin/pacman', \
'/usr/bin/fish', \
'/usr/bin/anacron', \
'/usr/bin/apcupsd', \
'/usr/bin/containerd-shim-runc-v2', \
'/usr/bin/containerd', \
'/usr/bin/crond', \
'/usr/bin/docker-proxy', \
'/usr/bin/dockerd', \
'/usr/bin/gdm', \
'/usr/bin/gpg-agent', \
'/usr/bin/journalctl', \
'/usr/bin/lightdm', \
'/usr/bin/osqueryd', \
'/usr/bin/sshd', \
'/usr/bin/tailscaled', \
'/usr/bin/wpa_supplicant', \
'/usr/lib/gdm-session-worker', \
'/usr/lib/software-properties/software-properties-dbus', \
'/usr/lib/systemd/systemd-homed', \
'/usr/lib/systemd/systemd-journald', \
'/usr/lib/systemd/systemd-machined', \
'/usr/lib/systemd/systemd', \
'/usr/lib/udisks2/udisksd', \
'/usr/lib/Xorg', \
'/usr/libexec/accounts-daemon', \
'/usr/libexec/docker/docker-proxy', \
'/usr/libexec/flatpak-system-helper', \
'/usr/lib/flatpak-system-helper', \
'/usr/libexec/gdm-session-worker', \
'/usr/libexec/packagekitd', \
'/usr/libexec/polkitd', \
'/usr/libexec/scdaemon', \
'/usr/libexec/snapd/snapd', \
'/usr/libexec/sssd/sssd_kcm', \
'/usr/libexec/udisks2/udisksd', \
'/usr/sbin/abrt-dbus', \
'/usr/sbin/abrtd', \
'/usr/sbin/acpid', \
'/usr/sbin/alsactl', \
'/usr/sbin/anacron', \
'/usr/sbin/cron', \
'/usr/sbin/cups-browsed', \
'/usr/sbin/cupsd', \
'/usr/sbin/gdm', \
'/usr/sbin/gdm3', \
'/usr/sbin/gssproxy', \
'/usr/sbin/pcscd', \
'/usr/sbin/tailscaled', \
'/usr/sbin/wpa_supplicant', \
'/usr/sbin/zed' \
) \
AND p.cmdline NOT IN ( \
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid', \
'/usr/bin/python /usr/bin/firewalld --nofork --nopid', \
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal', \
'/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers' \
) \
AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' \
AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher' \
AND p.path NOT LIKE '/nix/store/%/bin/%' \
AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%' \
AND p.path NOT LIKE '/nix/store/%/libexec/%' \
AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd';",
"interval": "10800",
"platform": "linux"
},
"unexpected-uid0-daemon-macos": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
p.euid, \
p.gid, \
f.ctime, \
f.directory AS dirname, \
p.cmdline, \
hash.sha256, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
signature.identifier, \
signature.authority \
FROM \
processes p \
LEFT JOIN file f ON p.path = f.path \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN signature ON p.path = signature.path \
WHERE \
p.uid = 0 \
AND (strftime('%s', 'now') - p.start_time) > 15 \
AND p.path NOT IN ( \
'/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService', \
'/Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon', \
'/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim', \
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service', \
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd', \
'/bin/bash', \
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect', \
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService', \
'/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer', \
'/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon', \
'/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc', \
'/Library/Nessus/run/sbin/nessusd', \
'/Library/Nessus/run/sbin/nessus-service', \
'/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2', \
'/Library/PrivilegedHelperTools/com.docker.vmnetd', \
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent', \
'/Library/PrivilegedHelperTools/keybase.Helper', \
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension', \
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence', \
'/sbin/launchd', \
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd', \
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper', \
'/System/Library/CoreServices/CrashReporterSupportHelper', \
'/System/Library/CoreServices/iconservicesagent', \
'/System/Library/CoreServices/launchservicesd', \
'/System/Library/CoreServices/logind', \
'/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow', \
'/System/Library/CoreServices/osanalyticshelper', \
'/System/Library/CoreServices/powerd.bundle/powerd', \
'/System/Library/CoreServices/ReportCrash', \
'/System/Library/CoreServices/sharedfilelistd', \
'/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd', \
'/System/Library/CoreServices/SubmitDiagInfo', \
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader', \
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle', \
'/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice', \
'/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar', \
'/System/Library/Frameworks/AudioToolbox.framework/XPCServices/CAReportingService.xpc/Contents/MacOS/CAReportingService', \
'/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper', \
'/System/Library/Frameworks/ColorSync.framework/Versions/A/XPCServices/com.apple.ColorSyncXPCAgent.xpc/Contents/MacOS/com.apple.ColorSyncXPCAgent', \
'/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/com.apple.cmio.registerassistantservice', \
'/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/XPCServices/csnameddatad.xpc/Contents/MacOS/csnameddatad', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores', \
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync', \
'/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp', \
'/System/Library/Frameworks/GSS.framework/Helpers/GSSCred', \
'/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd', \
'/System/Library/Frameworks/Metal.framework/Versions/A/XPCServices/MTLCompilerService.xpc/Contents/MacOS/MTLCompilerService', \
'/System/Library/Frameworks/NetFS.framework/Versions/A/XPCServices/PlugInLibraryService.xpc/Contents/MacOS/PlugInLibraryService', \
'/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer', \
'/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd', \
'/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant', \
'/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd', \
'/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper', \
'/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd', \
'/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper', \
'/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent', \
'/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon', \
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService', \
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer', \
'/System/Library/PrivateFrameworks/ApplePushService.framework/apsd', \
'/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService', \
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService', \
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService', \
'/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd', \
'/System/Library/PrivateFrameworks/CacheDelete.framework/deleted_helper', \
'/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd', \
'/System/Library/PrivateFrameworks/CoreAccessories.framework/Support/accessoryd', \
'/System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored', \
'/System/Library/PrivateFrameworks/CoreKDL.framework/Support/corekdld', \
'/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd', \
'/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd', \
'/System/Library/PrivateFrameworks/FindMyMac.framework/Versions/A/Resources/FindMyMacd', \
'/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond', \
'/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod', \
'/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted', \
'/System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/Contents/MacOS/com.apple.MobileInstallationHelperService', \
'/System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Versions/A/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.CleanupPreparePathService', \
'/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated', \
'/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd', \
'/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd', \
'/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service', \
'/System/Library/PrivateFrameworks/SiriInference.framework/Support/siriinferenced', \
'/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer', \
'/System/Library/PrivateFrameworks/StorageKit.framework/Versions/A/Resources/storagekitd', \
'/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig', \
'/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd', \
'/System/Library/PrivateFrameworks/SystemStatusServer.framework/Support/systemstatusd', \
'/System/Library/PrivateFrameworks/TCC.framework/Support/tccd', \
'/System/Library/PrivateFrameworks/Uninstall.framework/Versions/A/Resources/uninstalld', \
'/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary', \
'/System/Library/PrivateFrameworks/WiFiPolicy.framework/XPCServices/WiFiCloudAssetsXPCService.xpc/Contents/MacOS/WiFiCloudAssetsXPCService', \
'/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd', \
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService', \
'/usr/bin/sudo', \
'/usr/bin/sysdiagnose', \
'/usr/libexec/AirPlayXPCHelper', \
'/usr/libexec/airportd', \
'/usr/libexec/amfid', \
'/usr/libexec/aned', \
'/usr/libexec/apfsd', \
'/usr/libexec/applessdstatistics', \
'/usr/libexec/ApplicationFirewall/socketfilterfw', \
'/usr/libexec/ASPCarryLog', \
'/usr/libexec/autofsd', \
'/usr/libexec/automountd', \
'/usr/libexec/batteryintelligenced', \
'/usr/libexec/biokitaggdd', \
'/usr/libexec/biometrickitd', \
'/usr/libexec/bootinstalld', \
'/usr/libexec/colorsyncd', \
'/usr/libexec/colorsync.displayservices', \
'/usr/libexec/configd', \
'/usr/libexec/containermanagerd', \
'/usr/libexec/corebrightnessd', \
'/usr/libexec/coreduetd', \
'/usr/libexec/corestoraged', \
'/usr/libexec/dasd', \
'/usr/libexec/diskarbitrationd', \
'/usr/libexec/diskmanagementd', \
'/usr/libexec/dprivacyd', \
'/usr/libexec/endpointsecurityd', \
'/usr/libexec/findmydeviced', \
'/usr/libexec/InternetSharing', \
'/usr/libexec/IOMFB_bics_daemon', \
'/usr/libexec/ioupsd', \
'/usr/libexec/kernelmanagerd', \
'/usr/libexec/keybagd', \
'/usr/libexec/logd', \
'/usr/libexec/logd_helper', \
'/usr/libexec/lsd', \
'/usr/libexec/memoryanalyticsd', \
'/usr/libexec/microstackshot', \
'/usr/libexec/misagent', \
'/usr/libexec/mobileactivationd', \
'/usr/libexec/mobileassetd', \
'/usr/libexec/nehelper', \
'/usr/libexec/nesessionmanager', \
'/usr/libexec/online-authd', \
'/usr/libexec/opendirectoryd', \
'/usr/libexec/PerfPowerServices', \
'/usr/libexec/periodic-wrapper', \
'/usr/libexec/powerdatad', \
'/usr/libexec/PowerUIAgent', \
'/usr/libexec/remoted', \
'/usr/libexec/rtcreportingd', \
'/usr/libexec/runningboardd', \
'/usr/libexec/sandboxd', \
'/usr/libexec/searchpartyd', \
'/usr/libexec/secinitd', \
'/usr/libexec/securityd_service', \
'/usr/libexec/smd', \
'/usr/libexec/symptomsd-diag', \
'/usr/libexec/sysmond', \
'/usr/libexec/syspolicyd', \
'/usr/libexec/tailspind', \
'/usr/libexec/taskgated', \
'/usr/libexec/thermalmonitord', \
'/usr/libexec/TouchBarServer', \
'/usr/libexec/tzd', \
'/usr/libexec/tzlinkd', \
'/usr/libexec/usbd', \
'/usr/libexec/UserEventAgent', \
'/usr/libexec/warmd', \
'/usr/libexec/watchdogd', \
'/usr/libexec/wifianalyticsd', \
'/usr/libexec/wifip2pd', \
'/usr/libexec/wifivelocityd', \
'/usr/local/kolide-k2/bin/osquery-extension.ext', \
'/usr/sbin/aslmanager', \
'/usr/sbin/auditd', \
'/usr/sbin/BlueTool', \
'/usr/sbin/bluetoothd', \
'/usr/sbin/BTLEServer', \
'/usr/sbin/cfprefsd', \
'/usr/sbin/distnoted', \
'/usr/sbin/filecoordinationd', \
'/usr/sbin/KernelEventAgent', \
'/usr/sbin/mDNSResponderHelper', \
'/usr/sbin/notifyd', \
'/usr/sbin/securityd', \
'/usr/sbin/spindump', \
'/usr/sbin/syslogd', \
'/usr/sbin/systemsoundserverd', \
'/usr/sbin/systemstats', \
'/usr/sbin/WirelessRadioManagerd' \
) \
AND signature.identifier IN ( \
'Developer ID Application: Adobe Inc. (JQ525L2MZD)', \
'Developer ID Application: Docker Inc (9BNSXJN65R)', \
'Developer ID Application: Foxit Corporation (8GN47HTP75)', \
'Developer ID Application: Keybase, Inc. (99229SGT5K)', \
'Developer ID Application: Kolide Inc (YZ3EM74M78)', \
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)', \
'Developer ID Application: Mersive Technologies (63B5A5WDNG)', \
'Developer ID Application: Microsoft Corporation (UBF8T346G9)', \
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', \
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)', \
'Developer ID Application: Parallels International GmbH (4C6364ACXT)', \
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)', \
'Developer ID Application: Tenable, Inc. (4B8J598M7U)', \
'Software Signing' \
) \
GROUP BY \
p.path;",
"interval": "10800",
"platform": "darwin"
}
}
}
{
"queries": {
"unexpected-privilege-escalation": {
"query": "SELECT \
p.pid AS child_pid, \
p.path AS child_path, \
p.name AS child_name, \
p.cmdline AS child_cmdline, \
p.euid AS child_euid, \
p.state AS child_state, \
file.mode AS child_mode, \
hash.sha256 AS child_hash, \
p.parent AS parent_pid, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
pfile.mode AS parent_mode, \
hash.sha256 AS parent_hash \
FROM \
processes p \
JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN file AS pfile ON pp.path = file.path \
LEFT JOIN hash AS phash ON pp.path = hash.path \
WHERE \
p.euid < pp.euid \
AND p.path NOT IN ( \
'/usr/bin/fusermount', \
'/usr/bin/fusermount3', \
'/usr/bin/login', \
'/usr/bin/sudo', \
'/usr/bin/doas', \
'/bin/ps', \
'/usr/bin/top' \
) \
AND p.path NOT LIKE '/nix/store/%/bin/sudo' \
AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd' \
AND NOT ( \
p.name = 'polkit-agent-he' \
AND parent_path = '/usr/bin/gnome-shell' \
) \
AND NOT ( \
p.name = 'fusermount3' \
AND parent_path = '/usr/lib/xdg-document-portal' \
);",
"interval": "30",
"description": "Find processes that run with a lower effective UID than their parent"
},
"unexpected-privilege-escalation-events": {
"query": "SELECT \
p.pid AS child_pid, \
p.path AS child_path, \
REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name, \
p.cmdline AS child_cmdline, \
p.euid AS child_euid, \
file.mode AS child_mode, \
hash.sha256 AS child_hash, \
p.parent AS parent_pid, \
pp.path AS parent_path, \
pp.name AS parent_name, \
pp.cmdline AS parent_cmdline, \
pp.euid AS parent_euid, \
pfile.mode AS parent_mode, \
hash.sha256 AS parent_hash \
FROM \
process_events p \
JOIN processes pp ON p.parent = pp.pid \
LEFT JOIN file ON p.path = file.path \
LEFT JOIN hash ON p.path = hash.path \
LEFT JOIN file AS pfile ON pp.path = file.path \
LEFT JOIN hash AS phash ON pp.path = hash.path \
WHERE \
p.time > (strftime('%s', 'now') -30) \
AND p.euid < pp.euid \
AND p.path NOT IN ( \
'/usr/bin/fusermount', \
'/usr/bin/fusermount3', \
'/usr/bin/login', \
'/usr/bin/sudo', \
'/usr/bin/doas', \
'/bin/ps', \
'/usr/bin/top' \
) \
AND p.path NOT LIKE '/nix/store/%/bin/sudo' \
AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd' \
AND NOT ( \
child_name = 'polkit-agent-helper-1' \
AND parent_path = '/usr/bin/gnome-shell' \
) \
AND NOT ( \
child_name = 'fusermount3' \
AND parent_path = '/usr/lib/xdg-document-portal' \
);",
"interval": "10800",
"description": "Designed to run every 30 seconds: the query only inspects process_events from the last 30 seconds, so the parent process is likely still present in the processes table for the join, and events between runs are not seen at a longer interval"
},
"unexpected-privileged-containers": {
"query": "SELECT * FROM docker_containers WHERE privileged = 1 AND image NOT LIKE 'kindest/node:%';",
"interval": "10800"
},
"unexpected-setxid-process": {
"query": "SELECT \
p.pid, \
p.name, \
p.path, \
p.cmdline, \
f.ctime, \
p.cwd, \
p.uid, \
f.mode, \
hash.sha256 \
FROM \
processes p \
JOIN file f ON p.path = f.path \
JOIN hash ON p.path = hash.path \
WHERE \
f.mode NOT LIKE '0%' \
AND f.path NOT IN ( \
'/bin/ps', \
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd', \
'/opt/1Password/1Password-BrowserSupport', \
'/opt/1Password/1Password-KeyringHelper', \
'/usr/bin/doas', \
'/usr/lib/xf86-video-intel-backlight-helper', \
'/usr/bin/mount', \
'/usr/bin/fusermount', \
'/usr/bin/fusermount3', \
'/usr/sbin/traceroute', \
'/usr/bin/login', \
'/usr/bin/ssh-agent', \
'/usr/bin/su', \
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service', \
'/usr/bin/sudo', \
'/usr/bin/top', \
'/usr/lib/Xorg.wrap' \
);",
"interval": "10800",
"description": "Running processes whose executable is a setuid/setgid program"
}
}
}