RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-13 17:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
763b9eaed6
osquery-defense-kit/process/unexpected-privileged-executable.sql
Thomas Stromberg 763b9eaed6
Add crontab query
2022-09-10 07:56:40 -04:00

23 lines
566 B
SQL
Raw Blame History

SELECT p.pid,
p.name,
p.path,
p.cmdline,
p.cwd,
p.uid,
f.mode
FROM processes p
JOIN file f ON p.path = f.path
WHERE f.mode NOT LIKE '0%'
AND f.path NOT IN (
'/bin/ps',
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper',
'/usr/bin/doas',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/login',
'/usr/bin/ssh-agent',
'/usr/bin/su',
'/usr/bin/sudo'
);
Reference in New Issue View Git Blame Copy Permalink