mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-04 19:51:34 +00:00
61 lines
2.1 KiB
SQL
61 lines
2.1 KiB
SQL
SELECT
|
|
p.pid,
|
|
p.path,
|
|
p.name,
|
|
p.cmdline,
|
|
p.cwd,
|
|
p.euid,
|
|
p.parent,
|
|
pp.path AS parent_path,
|
|
pp.name AS parent_name,
|
|
pp.cmdline AS parent_cmdline,
|
|
pp.cwd AS parent_cwd,
|
|
pp.euid AS parent_euid,
|
|
ch.sha256 AS child_sha256,
|
|
ph.sha256 AS parent_sha256
|
|
FROM
|
|
processes p
|
|
LEFT JOIN file f ON p.path = f.path
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
LEFT JOIN hash AS ch ON p.path = ch.path
|
|
LEFT JOIN hash AS ph ON pp.path = ph.path
|
|
WHERE
|
|
p.start_time > 0
|
|
-- Only process programs that had an inode modification within the last 3 minutes
|
|
AND (p.start_time - f.ctime) < 180
|
|
AND (p.start_time - f.ctime) > 0
|
|
AND NOT p.path IN (
|
|
'',
|
|
'/Library/Application Support/Logitech.localized/Logitech Presentation.localized/Onboarding.app/Contents/MacOS/Onboarding',
|
|
'/opt/google/chrome/chrome',
|
|
'/usr/bin/containerd',
|
|
'/usr/bin/obs',
|
|
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
|
|
'/usr/libexec/fwupd/fwupd',
|
|
'/usr/libexec/sssd/sssd_kcm',
|
|
'/usr/sbin/cupsd',
|
|
'/usr/lib/fwupd/fwupd',
|
|
'/usr/sbin/tailscaled'
|
|
)
|
|
AND NOT p.path LIKE "/Applications/%.app/%"
|
|
AND NOT p.path LIKE "/home/%/bin/%"
|
|
AND NOT p.path LIKE "/home/%/src/%"
|
|
AND NOT p.path LIKE "/home/%/terraform-provider-%"
|
|
AND NOT p.path LIKE "/Library/Apple/System/%"
|
|
AND NOT p.path LIKE "/Library/Apple/System/Library/%"
|
|
AND NOT p.path LIKE "/nix/store/%/bin/%"
|
|
AND NOT p.path LIKE "/private/tmp/nix-build-%"
|
|
AND NOT p.path LIKE "/private/var/db/com.apple.xpc.roleaccountd.staging/%"
|
|
AND NOT p.path LIKE "/private/var/folders/%/bin/istioctl"
|
|
AND NOT p.path LIKE "/private/var/folders/%/go-build%/exe/%"
|
|
AND NOT p.path LIKE "/Users/%/bin/%"
|
|
AND NOT p.path LIKE "/Users/%/git%"
|
|
AND NOT p.path LIKE "/Users/%/Library/Mobile Documents/%/Contents/Frameworks%"
|
|
AND NOT p.path LIKE "/Users/%/src/%"
|
|
AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
|
|
AND NOT p.path LIKE "%-go-build%"
|
|
AND NOT p.path LIKE "%/.vscode/extensions/%"
|
|
AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%"
|
|
GROUP BY
|
|
p.pid
|