RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-12 17:14:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
77ba879daa
osquery-defense-kit/process/low_start_time_ctime_delta.sql
Thomas Stromberg 77ba879daa
Launch day fixes
2022-09-22 13:18:16 -04:00

51 lines
1.9 KiB
SQL
Raw Blame History

SELECT p.pid,
p.path,
p.name,
p.cmdline,
p.cwd,
p.euid,
p.parent,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.cwd AS parent_cwd,
pp.euid AS parent_euid,
ch.sha256 AS child_sha256,
ph.sha256 AS parent_sha256
FROM processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash AS ch ON p.path = ch.path
LEFT JOIN hash AS ph ON pp.path = ph.path
WHERE p.start_time > 0
-- Only process programs that had an inode modification within the last 3 minutes
AND (p.start_time - f.ctime) < 180
AND (p.start_time - f.ctime) > 0
AND NOT p.path IN (
'',
'/Library/Application Support/Logitech.localized/Logitech Presentation.localized/Onboarding.app/Contents/MacOS/Onboarding',
'/opt/google/chrome/chrome',
'/usr/bin/containerd',
'/usr/bin/obs',
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
'/usr/libexec/fwupd/fwupd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/sbin/cupsd',
'/usr/lib/fwupd/fwupd',
'/usr/sbin/tailscaled'
)
AND NOT p.path LIKE "/Applications/%.app/%"
AND NOT p.path LIKE "/home/%/bin"
AND NOT p.path LIKE "/home/%/terraform-provider-%"
AND NOT p.path LIKE "/Library/Apple/System/%"
AND NOT p.path LIKE "/Library/Apple/System/Library/%"
AND NOT p.path LIKE "/nix/store/%/bin/%"
AND NOT p.path LIKE "/private/var/db/com.apple.xpc.roleaccountd.staging/%"
AND NOT p.path LIKE "/private/var/folders/%/bin/istioctl"
AND NOT p.path LIKE "/private/var/folders/%/go-build%/exe/%"
AND NOT p.path LIKE "/Users/%/bin"
AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND NOT p.path LIKE "%-go-build%"
AND NOT p.path LIKE "%/.vscode/extensions/%"
AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%"
GROUP BY p.pid
Reference in New Issue View Git Blame Copy Permalink