RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-maco...

234 lines
14 KiB
SQL
Raw Blame History

SELECT
p.pid,
p.name,
p.path,
p.euid,
p.gid,
f.ctime,
f.directory AS dirname,
p.cmdline,
hash.sha256,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
signature.identifier,
signature.authority
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN signature ON p.path = signature.path
WHERE
p.uid = 0
AND (strftime('%s', 'now') - p.start_time) > 15
AND p.path NOT IN (
"/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService",
"/Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon",
"/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim",
"/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service",
"/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd",
"/bin/bash",
"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect",
"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService",
"/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer",
"/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon",
"/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc",
"/Library/Nessus/run/sbin/nessusd",
"/Library/Nessus/run/sbin/nessus-service",
"/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2",
"/Library/PrivilegedHelperTools/com.docker.vmnetd",
"/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent",
"/Library/PrivilegedHelperTools/keybase.Helper",
"/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension",
"/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence",
"/sbin/launchd",
"/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
"/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper",
"/System/Library/CoreServices/CrashReporterSupportHelper",
"/System/Library/CoreServices/iconservicesagent",
"/System/Library/CoreServices/launchservicesd",
"/System/Library/CoreServices/logind",
"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
"/System/Library/CoreServices/osanalyticshelper",
"/System/Library/CoreServices/powerd.bundle/powerd",
"/System/Library/CoreServices/ReportCrash",
"/System/Library/CoreServices/sharedfilelistd",
"/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd",
"/System/Library/CoreServices/SubmitDiagInfo",
"/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader",
"/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle",
"/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice",
"/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar",
"/System/Library/Frameworks/AudioToolbox.framework/XPCServices/CAReportingService.xpc/Contents/MacOS/CAReportingService",
"/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper",
"/System/Library/Frameworks/ColorSync.framework/Versions/A/XPCServices/com.apple.ColorSyncXPCAgent.xpc/Contents/MacOS/com.apple.ColorSyncXPCAgent",
"/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/com.apple.cmio.registerassistantservice",
"/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/XPCServices/csnameddatad.xpc/Contents/MacOS/csnameddatad",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores",
"/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync",
"/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp",
"/System/Library/Frameworks/GSS.framework/Helpers/GSSCred",
"/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd",
"/System/Library/Frameworks/Metal.framework/Versions/A/XPCServices/MTLCompilerService.xpc/Contents/MacOS/MTLCompilerService",
"/System/Library/Frameworks/NetFS.framework/Versions/A/XPCServices/PlugInLibraryService.xpc/Contents/MacOS/PlugInLibraryService",
"/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer",
"/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd",
"/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant",
"/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd",
"/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper",
"/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd",
"/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper",
"/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent",
"/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon",
"/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService",
"/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer",
"/System/Library/PrivateFrameworks/ApplePushService.framework/apsd",
"/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService",
"/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService",
"/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService",
"/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd",
"/System/Library/PrivateFrameworks/CacheDelete.framework/deleted_helper",
"/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd",
"/System/Library/PrivateFrameworks/CoreAccessories.framework/Support/accessoryd",
"/System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored",
"/System/Library/PrivateFrameworks/CoreKDL.framework/Support/corekdld",
"/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd",
"/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd",
"/System/Library/PrivateFrameworks/FindMyMac.framework/Versions/A/Resources/FindMyMacd",
"/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond",
"/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod",
"/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted",
"/System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/Contents/MacOS/com.apple.MobileInstallationHelperService",
"/System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Versions/A/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.CleanupPreparePathService",
"/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated",
"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd",
"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd",
"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service",
"/System/Library/PrivateFrameworks/SiriInference.framework/Support/siriinferenced",
"/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer",
"/System/Library/PrivateFrameworks/StorageKit.framework/Versions/A/Resources/storagekitd",
"/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig",
"/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd",
"/System/Library/PrivateFrameworks/SystemStatusServer.framework/Support/systemstatusd",
"/System/Library/PrivateFrameworks/TCC.framework/Support/tccd",
"/System/Library/PrivateFrameworks/Uninstall.framework/Versions/A/Resources/uninstalld",
"/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary",
"/System/Library/PrivateFrameworks/WiFiPolicy.framework/XPCServices/WiFiCloudAssetsXPCService.xpc/Contents/MacOS/WiFiCloudAssetsXPCService",
"/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd",
"/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService",
"/usr/bin/sudo",
"/usr/bin/sysdiagnose",
"/usr/libexec/AirPlayXPCHelper",
"/usr/libexec/airportd",
"/usr/libexec/amfid",
"/usr/libexec/aned",
"/usr/libexec/apfsd",
"/usr/libexec/applessdstatistics",
"/usr/libexec/ApplicationFirewall/socketfilterfw",
"/usr/libexec/ASPCarryLog",
"/usr/libexec/autofsd",
"/usr/libexec/automountd",
"/usr/libexec/batteryintelligenced",
"/usr/libexec/biokitaggdd",
"/usr/libexec/biometrickitd",
"/usr/libexec/bootinstalld",
"/usr/libexec/colorsyncd",
"/usr/libexec/colorsync.displayservices",
"/usr/libexec/configd",
"/usr/libexec/containermanagerd",
"/usr/libexec/corebrightnessd",
"/usr/libexec/coreduetd",
"/usr/libexec/corestoraged",
"/usr/libexec/dasd",
"/usr/libexec/diskarbitrationd",
"/usr/libexec/diskmanagementd",
"/usr/libexec/dprivacyd",
"/usr/libexec/endpointsecurityd",
"/usr/libexec/findmydeviced",
"/usr/libexec/InternetSharing",
"/usr/libexec/IOMFB_bics_daemon",
"/usr/libexec/ioupsd",
"/usr/libexec/kernelmanagerd",
"/usr/libexec/keybagd",
"/usr/libexec/logd",
"/usr/libexec/logd_helper",
"/usr/libexec/lsd",
"/usr/libexec/memoryanalyticsd",
"/usr/libexec/microstackshot",
"/usr/libexec/misagent",
"/usr/libexec/mobileactivationd",
"/usr/libexec/mobileassetd",
"/usr/libexec/nehelper",
"/usr/libexec/nesessionmanager",
"/usr/libexec/online-authd",
"/usr/libexec/opendirectoryd",
"/usr/libexec/PerfPowerServices",
"/usr/libexec/periodic-wrapper",
"/usr/libexec/powerdatad",
"/usr/libexec/PowerUIAgent",
"/usr/libexec/remoted",
"/usr/libexec/rtcreportingd",
"/usr/libexec/runningboardd",
"/usr/libexec/sandboxd",
"/usr/libexec/searchpartyd",
"/usr/libexec/secinitd",
"/usr/libexec/securityd_service",
"/usr/libexec/smd",
"/usr/libexec/symptomsd-diag",
"/usr/libexec/sysmond",
"/usr/libexec/syspolicyd",
"/usr/libexec/tailspind",
"/usr/libexec/taskgated",
"/usr/libexec/thermalmonitord",
"/usr/libexec/TouchBarServer",
"/usr/libexec/tzd",
"/usr/libexec/tzlinkd",
"/usr/libexec/usbd",
"/usr/libexec/UserEventAgent",
"/usr/libexec/warmd",
"/usr/libexec/watchdogd",
"/usr/libexec/wifianalyticsd",
"/usr/libexec/wifip2pd",
"/usr/libexec/wifivelocityd",
"/usr/local/kolide-k2/bin/osquery-extension.ext",
"/usr/sbin/aslmanager",
"/usr/sbin/auditd",
"/usr/sbin/BlueTool",
"/usr/sbin/bluetoothd",
"/usr/sbin/BTLEServer",
"/usr/sbin/cfprefsd",
"/usr/sbin/distnoted",
"/usr/sbin/filecoordinationd",
"/usr/sbin/KernelEventAgent",
"/usr/sbin/mDNSResponderHelper",
"/usr/sbin/notifyd",
"/usr/sbin/securityd",
"/usr/sbin/spindump",
"/usr/sbin/syslogd",
"/usr/sbin/systemsoundserverd",
"/usr/sbin/systemstats",
"/usr/sbin/WirelessRadioManagerd"
)
AND signature.identifier IN (
"Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"Developer ID Application: Docker Inc (9BNSXJN65R)",
"Developer ID Application: Foxit Corporation (8GN47HTP75)",
"Developer ID Application: Keybase, Inc. (99229SGT5K)",
"Developer ID Application: Kolide Inc (YZ3EM74M78)",
"Developer ID Application: MacPaw Inc. (S8EX82NJP6)",
"Developer ID Application: Mersive Technologies (63B5A5WDNG)",
"Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)",
"Developer ID Application: Opal Camera Inc (97Z3HJWCRT)",
"Developer ID Application: Parallels International GmbH (4C6364ACXT)",
"Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)",
"Developer ID Application: Tenable, Inc. (4B8J598M7U)",
"Software Signing"
)
GROUP BY
p.path
Reference in New Issue View Git Blame Copy Permalink