RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-12 17:14:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
77ba879daa
osquery-defense-kit/process/unexpected-privileged-executable.sql
Thomas Stromberg a512597ace
Lots of treats for the boys and girls
2022-09-13 20:46:04 -04:00

24 lines
590 B
SQL
Raw Blame History

SELECT p.pid,
p.name,
p.path,
p.cmdline,
p.cwd,
p.uid,
f.mode
FROM processes p
JOIN file f ON p.path = f.path
WHERE f.mode NOT LIKE '0%'
AND f.path NOT IN (
'/bin/ps',
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper',
'/usr/bin/doas',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/login',
'/usr/bin/ssh-agent',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/bin/top'
);
Reference in New Issue View Git Blame Copy Permalink