osquery-defense-kit/process/high-disk-bytes-written.sql
2022-10-03 16:27:56 -04:00

99 lines
2.2 KiB
SQL

SELECT
p.name,
p.path,
p.pid,
p.cmdline,
p.on_disk,
p.parent,
p.start_time,
hash.sha256,
p.disk_bytes_written,
p.cwd,
(strftime("%s", "now") - start_time) AS age,
disk_bytes_written / (strftime("%s", "now") - start_time) AS bytes_per_second
FROM
processes p
LEFT JOIN hash ON p.path = hash.path
WHERE
bytes_per_second > 2000000
AND age > 120
AND pid > 2
AND p.path NOT IN (
"/bin/bash",
"/usr/bin/aptd",
"/usr/bin/bash",
"/usr/bin/bwrap",
"/usr/bin/curl",
"/usr/bin/fish",
"/usr/bin/gnome-shell",
"/usr/bin/qemu-system-x86_64",
"/usr/bin/yay",
"/usr/bin/zsh",
"/usr/lib/flatpak-system-helper",
"/usr/lib/systemd/systemd-journald",
"/usr/lib/systemd/systemd",
"/usr/lib64/thunderbird/thunderbird",
"/usr/libexec/coreduetd",
"/usr/libexec/coreduetd",
"/usr/libexec/packagekitd",
"/usr/libexec/rosetta/oahd",
"/usr/libexec/secd",
"/usr/libexec/sharingd",
"/usr/sbin/screencapture"
)
AND NOT (
name LIKE "jbd%/dm-%"
AND on_disk = -1
)
AND NOT (
name = "bindfs"
AND cmdline LIKE "bindfs -f -o fsname=%"
)
AND NOT (
name = "btrfs-transaction"
AND on_disk = -1
)
AND NOT (
name = "kernel_task"
AND p.path = ""
AND parent IN (0, 1)
AND on_disk = -1
)
AND NOT (
name = "launchd"
AND p.path = "/sbin/launchd"
AND parent = 0
)
AND NOT (
name = "logd"
AND cmdline = "/usr/libexec/logd"
AND parent = 1
)
AND NOT (
name = "aptd"
AND cmdline = "/usr/bin/python3 /usr/sbin/aptd"
)
AND NOT name IN (
"chrome",
"com.apple.MobileSoftwareUpdate.UpdateBrainService",
"containerd",
"esbuild",
"firefox",
"go",
"goland",
"java",
"launcher",
"gopls",
"jetbrains-toolb",
"slack",
"slack",
"wineserver"
)
AND p.path NOT LIKE "/Applications/%.app/Contents/%"
AND p.path NOT LIKE "/home/%/.local/share/Steam"
AND p.path NOT LIKE "/nix/store/%/bin/%sh"
AND p.path NOT LIKE "/nix/store/%/bin/nix"
AND p.path NOT LIKE "/System/Applications/%"
AND p.path NOT LIKE "/System/Library/%"
AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND p.path NOT LIKE "/nix/store/%kolide-launcher-%/bin/launcher"