osquery-defense-kit/unexpected-launchd.sql

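-- Launchd agents and daemons that start at load and are NOT on the allow-list
-- below. Each `AND NOT (...)` clause excludes one known-good plist, pinned to
-- its path plus its `program` or `program_arguments`; whatever survives is what
-- a reviewer should look at. Keep each exclusion on one line so it stays
-- greppable and the diff of an allow-list change is one line per entry.
--
-- Notes for maintainers:
--   * osquery runs on SQLite, so string literals must be single-quoted. A
--     double-quoted value is treated as an identifier first and only falls
--     back to a string when no such column exists, which makes it fragile.
--   * `=` compares the whole string; `%` is a wildcard only under LIKE. An
--     exclusion written with `=` and a trailing `%` never matches anything.
--   * SQLite LIKE is ASCII case-insensitive. That lines up with the default
--     case-insensitive macOS filesystem, but remember it when adding patterns.
--   * NOTE(review): if osquery ever reports a missing plist key as NULL rather
--     than '', a NULL `program` on an allow-listed path would turn that
--     `NOT (...)` clause into NULL and silently drop the row instead of
--     returning it; wrapping the compared column in COALESCE(col, '') would
--     close that gap. TODO confirm how the launchd table fills absent keys.
SELECT *
FROM launchd
WHERE run_at_load = 1
  -- Apple-shipped plists under /System whose binary lives in a system
  -- directory. Five prefix pairs folded into one clause; a plist is excluded
  -- when either `program` or `program_arguments` starts with any of them.
  AND NOT (
    path LIKE '/System/Library/Launch%/com.apple.%.plist'
    AND (
      program_arguments LIKE '/System/Library/%' OR program LIKE '/System/Library/%'
      OR program_arguments LIKE '/usr/sbin/%' OR program LIKE '/usr/sbin/%'
      OR program_arguments LIKE '/sbin/%' OR program LIKE '/sbin/%'
      OR program_arguments LIKE '/usr/bin/%' OR program LIKE '/usr/bin/%'
      OR program_arguments LIKE '/usr/libexec/%' OR program LIKE '/usr/libexec/%'
    )
  )
  -- Apple-shipped plists that live outside /System (malware removal tool,
  -- usbmuxd); pinned to the exact binary and flags.
  AND NOT (path = '/Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist' AND program_arguments = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a')
  AND NOT (path = '/Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist' AND program_arguments = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d')
  AND NOT (path = '/Library/Apple/System/Library/LaunchDaemons/com.apple.usbmuxd.plist' AND program_arguments = '/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd')
  -- Third-party system-wide LaunchAgents (/Library/LaunchAgents).
  AND NOT (path = '/Library/LaunchAgents/at.obdev.littlesnitch.agent.plist' AND program = '/Applications/Little Snitch.app/Contents/Components/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agent')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist' AND program = '/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist' AND program_arguments = '/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility -mode=logon')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.AdobeCreativeCloud.plist' AND program = '/Applications/Utilities/Adobe Creative Cloud/ACC/Creative Cloud.app/Contents/MacOS/Creative Cloud')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.AdobeCreativeCloud.plist' AND program_arguments = '/Applications/Utilities/Adobe Creative Cloud/ACC/Creative Cloud.app/Contents/MacOS/Creative Cloud --showwindow=false --onOSstartup=true')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist' AND program_arguments = '/Library/Application Support/Adobe/ARMDC/Application/Acrobat Update Helper.app/Contents/MacOS/Acrobat Update Helper')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.ccxprocess.plist' AND program_arguments = '/usr/bin/open -a /Applications/Utilities/Adobe Creative Cloud Experience/CCXProcess/CCXProcess.app')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.CS5ServiceManager.plist' AND program_arguments = '/Library/Application Support/Adobe/CS5ServiceManager/CS5ServiceManager.app/Contents/MacOS/CS5ServiceManager -launchedbylogin')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.GC.AGM.plist' AND program = '/Library/Application Support/Adobe/AdobeGCClient/AGMService')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.GC.AGM.plist' AND program_arguments = '/Library/Application Support/Adobe/AdobeGCClient/AGMService -mode=logon')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.GC.Invoker-1.0.plist' AND program = '/Library/Application Support/Adobe/AdobeGCClient/agcinvokerutility')
  AND NOT (path = '/Library/LaunchAgents/com.adobe.GC.Invoker-1.0.plist' AND program_arguments = '/Library/Application Support/Adobe/AdobeGCClient/agcinvokerutility -mode=logon')
  AND NOT (path = '/Library/LaunchAgents/com.amazon.sendtokindle.launcher.plist' AND program_arguments = '/usr/local/bin/stkLaunchAgent.sh')
  AND NOT (path = '/Library/LaunchAgents/com.citrix.ReceiverHelper.plist' AND program_arguments = '/usr/local/libexec/ReceiverHelper.app/Contents/MacOS/ReceiverHelper')
  AND NOT (path = '/Library/LaunchAgents/com.citrix.ServiceRecords.plist' AND program_arguments = '/usr/local/libexec/ServiceRecords.app/Contents/MacOS/ServiceRecords')
  AND NOT (path = '/Library/LaunchAgents/com.dymo.dcd.webservice.plist' AND program_arguments = '/Applications/DYMO.WebApi.Mac.Host.app/Contents/MacOS/DYMO.WebApi.Mac.Host')
  AND NOT (path = '/Library/LaunchAgents/com.elgato.StreamDeck.plist' AND program_arguments = '/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk')
  AND NOT (path = '/Library/LaunchAgents/com.google.keystone.agent.plist' AND program_arguments = '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode ifneeded')
  AND NOT (path = '/Library/LaunchAgents/com.lexmark.bmlaunchd.plist' AND program_arguments = '/usr/bin/open /Library/Printers/Lexmark/Utilities.localized/Lexmark Button Monitor.app')
  AND NOT (path = '/Library/LaunchAgents/com.lexmark.lexnetlaunchd.plist' AND program_arguments = '/usr/bin/open /Library/Printers/Lexmark/Utilities.localized/LxkNetworkServices.app')
  AND NOT (path = '/Library/LaunchAgents/com.logi.ghub.plist' AND program = '/Applications/lghub.app/Contents/MacOS/lghub')
  AND NOT (path = '/Library/LaunchAgents/com.logi.ghub.plist' AND program_arguments = '/Applications/lghub.app/Contents/MacOS/lghub --background')
  AND NOT (path = '/Library/LaunchAgents/com.logi.optionsplus.plist' AND program = '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent')
  AND NOT (path = '/Library/LaunchAgents/com.logi.optionsplus.plist' AND program_arguments = '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent --launchd')
  AND NOT (path = '/Library/LaunchAgents/com.logitech.logitune.launcher.plist' AND program_arguments = '/Applications/LogiTune.app/Contents/MacOS/LogiTune --tray')
  AND NOT (path = '/Library/LaunchAgents/com.logitech.manager.daemon.plist' AND program_arguments = '/Applications/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS/LogiMgrDaemon --launchd')
  AND NOT (path = '/Library/LaunchAgents/com.logitech.manager.daemon.plist' AND program_arguments = '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrDaemon.app/Contents/MacOS/LogiMgrDaemon --launchd')
  AND NOT (path = '/Library/LaunchAgents/com.logitech.vc.LogiVCCoreService.plist' AND program_arguments = '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService')
  AND NOT (path = '/Library/LaunchAgents/com.microsoft.OneDriveStandaloneUpdater.plist' AND program = '/Applications/OneDrive.app/Contents/StandaloneUpdater.app/Contents/MacOS/OneDriveStandaloneUpdater')
  AND NOT (path = '/Library/LaunchAgents/com.microsoft.update.agent.plist' AND program_arguments = '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant --launchByAgent')
  AND NOT (path = '/Library/LaunchAgents/com.sierrawireless.SwitchTool.plist' AND program_arguments = '/Library/Sierra/SierraDevSupport')
  AND NOT (path = '/Library/LaunchAgents/org.gpgtools.macgpg2.fix.plist' AND program_arguments = '/usr/local/MacGPG2/libexec/fixGpgHome')
  AND NOT (path = '/Library/LaunchAgents/org.gpgtools.macgpg2.shutdown-gpg-agent.plist' AND program = '/usr/local/MacGPG2/libexec/shutdown-gpg-agent')
  -- Third-party system-wide LaunchDaemons (/Library/LaunchDaemons). These run
  -- as root, so every entry here is pinned to the exact binary (or, where the
  -- arguments vary per install, to a prefix that still names the binary).
  AND NOT (path = '/Library/LaunchDaemons/com.adobe.agsservice.plist' AND program_arguments = '/Library/Application Support/Adobe/AdobeGCClient/AGSService')
  AND NOT (path = '/Library/LaunchDaemons/com.bombich.ccchelper.plist' AND program_arguments = '/Library/PrivilegedHelperTools/com.bombich.ccchelper')
  AND NOT (path = '/Library/LaunchDaemons/com.crashplan.engine.plist' AND program_arguments LIKE '/Applications/CrashPlan.app/Contents/MacOS/CrashPlanService %')
  AND NOT (path = '/Library/LaunchDaemons/com.docker.vmnetd.plist' AND program_arguments = '/Library/PrivilegedHelperTools/com.docker.vmnetd')
  AND NOT (path = '/Library/LaunchDaemons/com.dymo.pnpd.plist' AND program_arguments = '/Library/Printers/DYMO/Utilities/pnpd')
  AND NOT (path = '/Library/LaunchDaemons/com.foxit.PDFReaderUpdateService.plist' AND program_arguments = '/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService')
  AND NOT (path = '/Library/LaunchDaemons/com.intego.commonservices.daemon.integod.plist' AND program_arguments = '/Library/Intego/integod')
  AND NOT (path = '/Library/LaunchDaemons/com.intego.commonservices.daemon.taskmanager.plist' AND program_arguments = '/Library/Intego/TaskManager/TaskManagerDaemon')
  AND NOT (path = '/Library/LaunchDaemons/com.intego.commonservices.metrics.kschecker.plist' AND program = '/Library/Intego/im_ks_tool')
  AND NOT (path = '/Library/LaunchDaemons/com.intego.netupdate.daemon.plist' AND program_arguments = '/Library/Intego/netupdated.bundle/Contents/Resources/com.intego.netupdated')
  AND NOT (path = '/Library/LaunchDaemons/com.kolide-k2.launcher.plist' AND program_arguments = '/usr/local/kolide-k2/bin/launcher -config /etc/kolide-k2/launcher.flags')
  AND NOT (path = '/Library/LaunchDaemons/com.logi.ghub.updater.plist' AND program_arguments = '/Applications/lghub.app/Contents/Frameworks/lghub_updater.app/Contents/MacOS/lghub_updater')
  AND NOT (path = '/Library/LaunchDaemons/com.logi.optionsplus.updater.plist' AND program_arguments = '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater')
  -- Kernel-extension loaders: keep these pinned to the exact kext path, never
  -- a wildcard, since a kextload of anything else is exactly what we want to see.
  AND NOT (path = '/Library/LaunchDaemons/com.radiosilenceapp.nke.PrivateEye.plist' AND program_arguments = '/sbin/kextload /Applications/Private Eye.app/Contents/Resources/Private Eye.kext')
  AND NOT (path = '/Library/LaunchDaemons/com.startup.sysctl.plist' AND program_arguments = '/usr/sbin/sysctl kern.maxfiles=40480 kern.maxfilesperproc=28000')
  AND NOT (path = '/Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist' AND program_arguments = '/usr/local/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /usr/local/etc/dnsmasq.conf -7 /usr/local/etc/dnsmasq.d,*.conf')
  AND NOT (path = '/Library/LaunchDaemons/homebrew.mxcl.mariadb.plist' AND program_arguments = '/opt/homebrew/opt/mariadb/bin/mysqld_safe --datadir=/opt/homebrew/var/mysql')
  -- NOTE(review): tap.plist is paired with tun.kext and tun.plist with tap.kext
  -- here; that looks transposed but is kept as-is pending a check against the
  -- installed plists. If it is a transcription slip, neither exclusion fires.
  AND NOT (path = '/Library/LaunchDaemons/net.sf.tuntaposx.tap.plist' AND program_arguments = '/sbin/kextload /Library/Extensions/tun.kext')
  AND NOT (path = '/Library/LaunchDaemons/net.sf.tuntaposx.tun.plist' AND program_arguments = '/sbin/kextload /Library/Extensions/tap.kext')
  -- nix-darwin: the store hash varies per build, so only that segment is wildcarded.
  AND NOT (path = '/Library/LaunchDaemons/org.nixos.activate-system.plist' AND program_arguments LIKE '/bin/sh -c exec /nix/store/%-activate-system-start')
  -- nix-darwin store unlock reads a keychain item at boot; the prefix pins the
  -- shell, the `security` binary and the subcommand.
  AND NOT (path = '/Library/LaunchDaemons/org.nixos.darwin-store.plist' AND program_arguments LIKE '/bin/sh -c /usr/bin/security find-generic-password -s %')
  AND NOT (path = '/Library/LaunchDaemons/org.pqrs.Karabiner.load.plist' AND program_arguments = '/Library/Application Support/org.pqrs/Karabiner/startup.sh start')
  AND NOT (path = '/Library/LaunchDaemons/org.virtualbox.startup.plist' AND program_arguments = '/Library/Application Support/VirtualBox/LaunchDaemons/VirtualBoxStartup.sh restart')
  AND NOT (path = '/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist' AND program = '/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF')
  -- Apple daemon under /System whose binary is outside the prefixes folded above.
  AND NOT (path = '/System/Library/LaunchDaemons/com.apple.installandsetup.templatemigration.plist' AND program_arguments = '/System/Installation/CDIS/templateMigrator')
  -- Per-user LaunchAgents (~/Library/LaunchAgents). The username segment of
  -- the path is wildcarded; the binary is still pinned.
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.adobe.ARM.%.plist' AND program_arguments = '/Applications/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper semi-auto')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.adobe.ccxprocess.plist' AND program_arguments = '/usr/bin/open -a /Applications/Utilities/Adobe Creative Cloud Experience/CCXProcess/CCXProcess.app')
  -- The `-l %` argument carries the account name, so this must be LIKE: with
  -- `=` the `%` was compared literally and the exclusion never matched.
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.apple.CSConfigDotMacCert-%-SharedServices.Agent.plist' AND program_arguments LIKE '/System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert -l %')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist' AND program_arguments = '/Applications/SpamSieve.app/Contents/Frameworks/SpamSieveFramework.framework/Resources/SpamSieveLaunchAgent /Applications/SpamSieve.app')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.canva.availablility-check-agent.plist' AND program_arguments = '/Applications/Canva.app/Contents/MacOS/Canva --start-availability-check-agent')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.google.GoogleContactSyncAgent.plist' AND program_arguments = '/System/Library/PrivateFrameworks/GoogleContactSync.framework/Versions/A/Resources/gconsync --sync com.google.ContactSync --periodic')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.google.keystone.agent.plist' AND program_arguments LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode ifneeded')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.grammarly.ProjectLlama.UninstallAgent.plist' AND program_arguments LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.lwouis.alt-tab-macos.plist' AND program = '/Applications/AltTab.app/Contents/MacOS/AltTab')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.spotify.webhelper.plist' AND program LIKE '/Users/%/Library/Application Support/Spotify/SpotifyWebHelper')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.valvesoftware.steamclean.plist' AND program_arguments LIKE '/Users/%/Library/Application Support/Steam/SteamApps/steamclean Public')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.mariadb.plist' AND program_arguments = '/opt/homebrew/opt/mariadb/bin/mysqld_safe --datadir=/opt/homebrew/var/mysql')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.mysql.plist' AND program_arguments = '/opt/homebrew/opt/mysql/bin/mysqld_safe --datadir=/opt/homebrew/var/mysql')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.mysql.plist' AND program_arguments = '/usr/local/opt/mysql/bin/mysqld_safe --datadir=/usr/local/var/mysql')
  -- Home-directory Homebrew install: the username is wildcarded in both the
  -- prefix and the --datadir so the exclusion is not tied to a single account.
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.mysql.plist' AND program_arguments LIKE '/Users/%/homebrew/opt/mysql/bin/mysqld_safe --datadir=/Users/%/homebrew/var/mysql')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.yabai.plist' AND program_arguments = '/opt/homebrew/opt/yabai/bin/yabai')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.yubikey-agent.plist' AND program_arguments = '/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock')
  AND NOT (path LIKE '/Users/%/Library/LaunchAgents/ws.agile.1PasswordAgent.plist' AND program LIKE '/Users/%/Library/Application Support/1Password/Agent/1PasswordAgent.app/Contents/MacOS/1PasswordAgent')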