mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-16 11:04:34 +00:00
112 lines
2.6 KiB
SQL
112 lines
2.6 KiB
SQL
-- Programs which are reading an unusually large amount of data
|
|
--
|
|
-- Can be used to detect exfiltration
|
|
--
|
|
-- false positives:
|
|
-- * Virtual Machine managers
|
|
-- * Backup software
|
|
--
|
|
-- references:
|
|
-- * https://attack.mitre.org/tactics/TA0010/ (Exfiltration)
|
|
--
|
|
-- tags: transient process
|
|
SELECT
|
|
p.name,
|
|
p.path,
|
|
p.cmdline,
|
|
p.on_disk,
|
|
p.parent,
|
|
p.start_time,
|
|
hash.sha256,
|
|
p.disk_bytes_read,
|
|
p.cwd,
|
|
(strftime('%s', 'now') - start_time) AS age,
|
|
disk_bytes_read / (strftime('%s', 'now') - start_time) AS bytes_per_second
|
|
FROM
|
|
processes p
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
WHERE
|
|
bytes_per_second > 2000000
|
|
AND age > 180
|
|
AND p.path NOT LIKE '/Applications/%.app/Contents/%'
|
|
AND p.path NOT LIKE '/System/Library/%'
|
|
AND p.path NOT LIKE '/System/Applications/%'
|
|
AND p.path NOT LIKE '/Library/Apple/System/Library/%'
|
|
AND name NOT IN (
|
|
'bash',
|
|
'bwrap',
|
|
'chrome',
|
|
'emacs',
|
|
'firefox',
|
|
'fish',
|
|
'GoogleSoftwareUpdateAgent',
|
|
'gopls',
|
|
'java',
|
|
'launcher',
|
|
'LogiFacecamService',
|
|
'nautilus',
|
|
'nessusd',
|
|
'nix',
|
|
'osqueryd',
|
|
'qemu-system-aarch64',
|
|
'qemu-system-x86',
|
|
'qemu-system-x86-64',
|
|
'slack',
|
|
'wineserver',
|
|
'ykman-gui',
|
|
'zsh'
|
|
)
|
|
AND NOT p.path IN (
|
|
'/usr/bin/dockerd',
|
|
'/usr/bin/gnome-shell',
|
|
'/usr/bin/udevadm',
|
|
'/usr/libexec/aned',
|
|
'/usr/libexec/logd',
|
|
'/usr/libexec/packagekitd',
|
|
'/usr/libexec/PerfPowerServices',
|
|
'/usr/libexec/signpost_reporter',
|
|
'/usr/libexec/syspolicyd',
|
|
'/usr/lib/systemd/systemd',
|
|
'/usr/sbin/spindump',
|
|
'/usr/sbin/systemstats'
|
|
)
|
|
AND NOT (
|
|
name = 'bindfs'
|
|
AND cmdline LIKE 'bindfs%-o fsname=%'
|
|
)
|
|
AND NOT (
|
|
name = 'jetbrains-toolb'
|
|
AND p.path LIKE '/tmp/.mount_jet%/jetbrains-toolbox'
|
|
)
|
|
AND NOT (
|
|
name = 'com.apple.MobileSoftwareUpdate.UpdateBrainService'
|
|
AND p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.MobileSoftwareUpdate.UpdateBrainService.%.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.UpdateBrainService'
|
|
)
|
|
AND NOT (
|
|
name = 'FindMy'
|
|
AND p.path = '/System/Applications/FindMy.app/Contents/MacOS/FindMy'
|
|
)
|
|
AND NOT (
|
|
name = 'go'
|
|
AND cmdline LIKE 'go run %'
|
|
)
|
|
AND NOT (
|
|
name = 'kernel_task'
|
|
AND p.path = ''
|
|
AND parent IN (0, 1)
|
|
AND on_disk = -1
|
|
)
|
|
AND NOT (
|
|
name = 'node'
|
|
AND cwd LIKE '%/console-ui/app'
|
|
)
|
|
AND NOT (
|
|
name = 'ruby'
|
|
AND cmdline LIKE '%brew.rb upgrade'
|
|
)
|
|
AND NOT (
|
|
name = 'terraform-ls'
|
|
AND cmdline LIKE 'terraform-ls serve%'
|
|
)
|
|
AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
|