Missing From Disk Macos

osquery
Processes that do not exist on disk
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Processes that do not exist on disk
--
-- false positives:
--   * Self-updating programs that remain running
--
-- references:
--   * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)
--
-- platform: darwin
-- tags: persistent process state
SELECT
  p.pid,
  p.path,
  p.name,
  p.parent,
  p.state,
  p.cwd,
  p.gid,
  p.uid,
  p.euid,
  p.cmdline AS cmd,
  p.on_disk,
  strftime('%s', 'now') - p.start_time AS age,
  pp.on_disk AS parent_on_disk,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  hash.sha256 AS parent_sha256
FROM
  processes p
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON pp.path = hash.path
  LEFT JOIN file ON p.path = file.path
WHERE
  -- Unlike on Linux, this also excludes processes where the binary has been replaced since start time
  p.on_disk != 1
  AND file.path = ''
  AND (strftime('%s', 'now') - p.start_time) > 25000
  AND p.pid > 0
  AND p.parent != 2 -- kthreadd
  AND p.state != 'Z' -- The kernel no longer has enough tracking information for this alert to be useful
  AND NOT (
    p.parent = 1
    AND p.path = ''
  )
  AND NOT (
    p.gid = 20
    AND (
      -- NOTE: p.path is typically empty when on_disk != 1, so don't depend on it.
      cmd LIKE '/Library/Apple/System/%'
      OR cmd LIKE '/Applications/%/Contents/%'
      OR cmd LIKE '/Library/Application Support/Logitech.localized/%'
      OR cmd LIKE '/Library/Developer/CommandLineTools/%'
      OR p.path IN (
        '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
        '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)',
        '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'
      )
      OR cmd LIKE '/opt/homebrew/Cellar/%'
      OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
      OR p.path LIKE '/opt/homebrew/Cellar/%/libexec/%'
      OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
      OR p.path LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%'
      OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
      OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%'
      OR p.path LIKE '/Users/%/go/bin/%'
      OR p.path LIKE '/Users/%/homebrew/Cellar/%'
      OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
      OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
      OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
      OR p.path LIKE '/usr/local/Cellar/%/bin/%'
      OR cmd LIKE ''
      OR cmd LIKE '/opt/homebrew/opt/%'
      OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
      OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(
      OR cmd LIKE '%/.terraform/providers/%'
      OR cmd LIKE '%/go/src/github.com/%'
      OR parent_cmd LIKE '/Applications/Google Chrome.app/%'
    )
  )
  AND NOT (
    p.name = ''
    AND parent_cmd = '/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox -foreground'
  )
  AND NOT cmd LIKE '/opt/homebrew/opt/%'
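As an added example (not code from the ODK repository), the Python script below runs a reduced form of the query above against constructed process rows in an in-memory SQLite database, to show how a detection that is meant to return zero rows can be regression-tested: only the long-running process whose binary is gone should come back, while the young, allowlisted and zombie rows are filtered out. The pids, paths and table layout are constructed for the example, and the file and hash joins of the real query are omitted.

```python
import sqlite3
import time

# Reduced form of the ODK predicate above (constructed for this example): on_disk != 1,
# older than 25000 s, not a kthreadd child, not a zombie, not a launchd child with an
# empty path, plus two of the gid-20 allowlist patterns. The file/hash joins are omitted.
CORE_QUERY = """
SELECT p.pid, p.name, p.path, p.cmdline AS cmd, pp.path AS parent_path
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE p.on_disk != 1
  AND (strftime('%s', 'now') - p.start_time) > 25000
  AND p.pid > 0
  AND p.parent != 2
  AND p.state != 'Z'
  AND NOT (p.parent = 1 AND p.path = '')
  AND NOT (p.gid = 20 AND (cmd LIKE '/Applications/%/Contents/%'
                           OR cmd LIKE '/opt/homebrew/Cellar/%'))
"""

def build_fixture(include_suspicious=True, now=None):
    """Build an in-memory stand-in for osquery's processes table with constructed rows."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT,
                    path TEXT, cmdline TEXT, state TEXT, gid INTEGER, on_disk INTEGER,
                    start_time INTEGER)""")
    rows = [
        (1, 0, "launchd", "/sbin/launchd", "/sbin/launchd", "S", 0, 1, now - 900000),
        # long-running daemon whose binary is still on disk: no alert
        (400, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd", "S", 0, 1, now - 500000),
        # deleted binary but younger than the 25000 s grace window: no alert
        (2000, 400, "build", "", "/private/tmp/build", "S", 20, 0, now - 60),
        # self-updated Homebrew binary running as gid 20 (staff): allowlisted
        (2100, 400, "node", "", "/opt/homebrew/Cellar/node/bin/node", "S", 20, 0, now - 90000),
        # zombie: the kernel has dropped its path information, excluded by state
        (2200, 400, "defunct", "", "", "Z", 20, 0, now - 90000),
    ]
    if include_suspicious:
        # long-running process whose binary was removed from disk: the one row we expect back
        rows.append((1337, 400, "updater", "", "/tmp/updater", "S", 501, 0, now - 86400))
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn

def find_missing_from_disk(conn):
    """Return alert rows; an empty list is the expected steady state for an ODK query."""
    cols = ["pid", "name", "path", "cmd", "parent_path"]
    return [dict(zip(cols, r)) for r in conn.execute(CORE_QUERY)]
```

Running `find_missing_from_disk(build_fixture())` returns the single row for pid 1337, and the same call on `build_fixture(include_suspicious=False)` returns an empty list, which is the "no alert" state the ODK design expects.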


Reference

https://github.com/chainguard-dev/osquery-defense-kit