Process_events

osquery
Recently executed programs
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that its queries are designed to run as part of a production detection and response pipeline. The detection queries are written to return zero rows during normal, expected behavior, so that any row they do return can be turned into an alert. Note that this particular query is tagged "extra" rather than being a pure detection: it lists every program executed in the last interval, so it will return rows on a normally behaving host and is meant for collection and enrichment rather than direct alerting.

Query

-- Recently executed programs
--
-- interval: 600
-- platform: posix
-- tags: events extra
SELECT
  pe.*,
  -- pe.cwd is often blank
  p.cwd AS delayed_proc_cwd,
  pp.cwd AS delayed_parent_cwd,
  pp.path AS parent_path,
  pp.name AS delayed_parent_name
FROM
  process_events pe
  LEFT JOIN processes p ON pe.pid = p.pid
  LEFT JOIN processes pp ON pe.parent = pp.pid
WHERE
  pe.time > (strftime('%s', 'now') -600)
  -- Filter out commands generated by osquery/kolide
  AND pe.cmdline NOT LIKE '/bin/ps -x -o%'
  -- NULL-safe: if the parent has already exited, pp.path is NULL and
  -- "NULL NOT LIKE ..." evaluates to NULL, which would silently drop the event
  AND COALESCE(pp.path, '') NOT LIKE '/usr/local/kolide-k2/%/launcher'
GROUP BY
  pe.pid,
  pe.eid

tags: events extra
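To see what the query actually returns, and where it silently loses events, the following added example (not part of osquery-defense-kit) loads a small constructed model of osquery's process_events and processes tables into in-memory SQLite and runs the page's query against it. The table columns are a subset of the real osquery schema, all rows are made up, the fixed NOW value and the :now parameter stand in for strftime('%s', 'now'), and the kolide launcher path is assumed. It contrasts the query as published (alias-based parent_path filter) with a NULL-safe variant, and shows the zero-row result on a quiet host.

```python
import sqlite3

# Fixed clock so the example is deterministic (assumption); the page's query
# uses strftime('%s', 'now'), which the :now parameter replaces below.
NOW = 1_700_000_000

SCHEMA = """
CREATE TABLE process_events (
    pid INTEGER, eid INTEGER, parent INTEGER,
    path TEXT, cmdline TEXT, cwd TEXT, time INTEGER
);
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cwd TEXT);
"""

# Constructed sample rows, not real telemetry. Columns are a subset of the
# osquery process_events / processes schemas.
PROCESS_EVENTS = [
    # (pid, eid, parent, path, cmdline, cwd, time)
    (4101, 1, 3000, "/usr/bin/curl", "curl http://192.0.2.10/x.sh", "", NOW - 30),
    (4102, 2, 2500, "/bin/ps", "/bin/ps -x -o pid,state,comm", "", NOW - 20),
    (4103, 3, 2600, "/usr/bin/uname", "uname -a", "", NOW - 10),
    (4104, 4, 2700, "/usr/bin/id", "id", "", NOW - 5),
    (4105, 5, 3000, "/usr/bin/ls", "ls -la", "", NOW - 900),
]
PROCESSES = [
    # (pid, name, path, cwd)
    (4101, "curl", "/usr/bin/curl", "/tmp"),
    (3000, "bash", "/bin/bash", "/home/alice"),
    (2500, "osqueryd", "/usr/bin/osqueryd", "/"),
    (2600, "launcher", "/usr/local/kolide-k2/bin/launcher", "/"),  # assumed path
    # pid 2700 (parent of eid 4) is deliberately absent: it exited before
    # osquery could look it up in the processes table.
]

# The page's query with strftime('%s','now') replaced by :now. SQLite lets a
# result-column alias (parent_path) be referenced in WHERE.
ORIGINAL_QUERY = """
SELECT pe.*, p.cwd AS delayed_proc_cwd, pp.cwd AS delayed_parent_cwd,
       pp.path AS parent_path, pp.name AS delayed_parent_name
FROM process_events pe
  LEFT JOIN processes p  ON pe.pid = p.pid
  LEFT JOIN processes pp ON pe.parent = pp.pid
WHERE pe.time > (:now - 600)
  AND pe.cmdline NOT LIKE '/bin/ps -x -o%'
  AND parent_path NOT LIKE '/usr/local/kolide-k2/%/launcher'
GROUP BY pe.pid, pe.eid
"""

# Same query with the parent filter made NULL-safe: when the parent has exited,
# pp.path is NULL and "NULL NOT LIKE ..." is NULL, so the row is dropped.
HARDENED_QUERY = ORIGINAL_QUERY.replace(
    "parent_path NOT LIKE", "COALESCE(pp.path, '') NOT LIKE"
)


def run_query(sql, events=PROCESS_EVENTS, procs=PROCESSES, now=NOW):
    """Load the constructed tables into in-memory SQLite and run `sql`.

    Returns one dict per row, keyed by column name, so callers can inspect
    eid, cmdline and the joined parent fields.
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?,?,?,?)", events)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?)", procs)
    rows = [dict(r) for r in conn.execute(sql, {"now": now})]
    conn.close()
    return rows


def returned_eids(sql, **kw):
    """Sorted event ids the query reports; [] means nothing to report."""
    return sorted(r["eid"] for r in run_query(sql, **kw))


# A quiet host: only osquery's own `ps` and a launcher child in the window.
QUIET_EVENTS = [e for e in PROCESS_EVENTS if e[1] in (2, 3)]

if __name__ == "__main__":
    print("original:", returned_eids(ORIGINAL_QUERY))
    print("hardened:", returned_eids(HARDENED_QUERY))
    print("quiet   :", returned_eids(HARDENED_QUERY, events=QUIET_EVENTS))
    for r in run_query(HARDENED_QUERY):
        print(r["eid"], r["cmdline"], "parent:", r["parent_path"], r["delayed_parent_name"])
```

The published form drops eid 4 (the `id` run whose parent is gone) because the LEFT JOIN yields a NULL parent path and NOT LIKE on NULL is not true; short-lived parents such as shell wrappers make that a routine loss, so the COALESCE form is the one to deploy. Events older than the 600-second window, osquery's own `ps`, and children of the kolide launcher are excluded in both forms, and a host with only that background activity returns zero rows.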

Reference

https://github.com/chainguard-dev/osquery-defense-kit