
Commit ded2180

fix
1 parent 751a42f commit ded2180

File tree

2 files changed

+5
-5
lines changed


packages/osquery_manager/artifacts_matrix.md

Lines changed: 4 additions & 4 deletions
@@ -114,11 +114,11 @@ These queries existed in the original repository and provide additional coverage
114114

115115
Advanced threat detection queries using dual-detection methodology (NON_WHITELISTED + LOTL_INDICATOR) to identify suspicious persistence mechanisms and Living off the Land (LotL) attack patterns. These queries are optimized for Elastic Security and map to MITRE ATT&CK techniques.
116116

117-
| # | Query || OS | File | MITRE ATT&CK | Description |
118-
|:-:|-------|:-:|:--:|:----:|--------------|-------------|
117+
| # | Query || OS | File | MITRE ATT&CK | Description |
118+
|:-:|---------------------------------|:-:|:--:|:----:|--------------|-------------|
119119
| 1 | scheduled_tasks_windows_elastic || Win | [a1b2](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-e5f6-7890-abcd-ef1234567890.json) | T1053.005, T1059.001, T1105 | Detects suspicious Windows scheduled tasks using path-based whitelist filtering and LotL patterns (PowerShell -e, certutil, wscript, etc.) |
120-
| 2 | crontab_linux_elastic || Linux | [b2c3](kibana/osquery_saved_query/osquery_manager-b2c3d4e5-f6a7-8901-bcde-f12345678901.json) | T1053.003, T1059.004, T1105 | Detects suspicious Linux cron jobs using system directory filtering and LotL patterns (curl\|bash, nc -e, base64 -d, etc.) |
121-
| 3 | launchd_macos_elastic || Mac | [c3d4](kibana/osquery_saved_query/osquery_manager-c3d4e5f6-a7b8-9012-cdef-012345678902.json) | T1543.001, T1543.004, T1059.004, T1105, T1547.011 | Detects suspicious macOS Launch Agents/Daemons using code signature filtering and LotL patterns (curl, osascript, bash -c, base64 -D, etc.) |
120+
| 2 | crontab_linux_elastic || Linux | [b2c3](kibana/osquery_saved_query/osquery_manager-b2c3d4e5-f6a7-8901-bcde-f12345678901.json) | T1053.003, T1059.004, T1105 | Detects suspicious Linux cron jobs using system directory filtering and LotL patterns (curl\|bash, nc -e, base64 -d, etc.) |
121+
| 3 | launchd_darwin_elastic || Mac | [c3d4](kibana/osquery_saved_query/osquery_manager-c3d4e5f6-a7b8-9012-cdef-012345678902.json) | T1543.001, T1543.004, T1059.004, T1105, T1547.011 | Detects suspicious macOS Launch Agents/Daemons using code signature filtering and LotL patterns (curl, osascript, bash -c, base64 -D, etc.) |
122122

123123
**Detection Methodology**:
124124
- **NON_WHITELISTED**: Flags items not in known-good allowlist (system paths, Apple/vendor signatures, package managers, maintenance tasks)
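Review bot: the rename of `launchd_macos_elastic` to `launchd_darwin_elastic` in row 3 (line 121) is not explained anywhere in this commit, and the commit message is just "fix"; a saved query id is what other package objects and existing deployments reference, so the message should state the reason (the JSON already carries `"platform": "darwin"`, so aligning the id with that is the obvious candidate) and the author should confirm that nothing else in the package still references the old id. Two smaller points in the same table: the header and every row contain a doubled pipe (`| Query || OS |`) that renders as an unnamed empty column between Query and OS, which should either get a header or be collapsed; and row 2 (line 120) appears as removed and re-added with identical visible content, so this hunk also carries an invisible whitespace change that is better kept out of a rename commit.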

packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-c3d4e5f6-a7b8-9012-cdef-012345678902.json

Lines changed: 1 addition & 1 deletion
@@ -119,7 +119,7 @@
119119
}
120120
}
121121
],
122-
"id": "launchd_macos_elastic",
122+
"id": "launchd_darwin_elastic",
123123
"interval": "3600",
124124
"platform": "darwin",
125125
"query": "-- Detects suspicious launch agents/daemons via whitelist and LotL patterns\n-- MITRE: T1543.001, T1543.004, T1059.004, T1105, T1547.011\n-- Final filter: LOTL OR unsigned OR non-Apple signed\n\nWITH non_whitelisted AS (\n SELECT \n l.name,\n l.path,\n l.program,\n l.program_arguments,\n l.run_at_load,\n l.keep_alive,\n l.on_demand,\n l.disabled,\n l.username,\n l.groupname,\n l.stdout_path,\n l.stderr_path,\n l.start_interval,\n CASE\n WHEN l.disabled = 1 THEN 'disabled'\n WHEN l.run_at_load = 1 THEN 'enabled_run_at_load'\n ELSE 'enabled'\n END AS status,\n 1 AS is_non_whitelisted,\n 0 AS is_lotl\n FROM launchd AS l\n WHERE l.name IS NOT NULL\n AND l.name != ''\n AND l.program IS NOT NULL\n AND l.program != ''\n -- Whitelist: Apple system paths with com.apple naming\n AND NOT (\n (l.path LIKE '/System/Library/LaunchDaemons/com.apple.%'\n OR l.path LIKE '/System/Library/LaunchAgents/com.apple.%')\n AND l.name LIKE 'com.apple.%'\n )\n -- Whitelist: Apple Library paths\n AND NOT (\n l.path LIKE '/Library/Apple/%'\n AND l.name LIKE 'com.apple.%'\n )\n -- Whitelist: Known-good third-party vendors\n AND NOT (\n (l.path LIKE '/Library/LaunchAgents/com.google.%' OR l.path LIKE '/Library/LaunchDaemons/com.google.%')\n AND l.name LIKE 'com.google.%'\n AND (l.program LIKE '%Google%' OR l.program LIKE '%/Library/Application Support/Google/%')\n )\n AND NOT (\n (l.path LIKE '/Library/LaunchAgents/com.microsoft.%' OR l.path LIKE '/Library/LaunchDaemons/com.microsoft.%')\n AND l.name LIKE 'com.microsoft.%'\n AND (l.program LIKE '%Microsoft%' OR l.program LIKE '%/Library/Application Support/Microsoft/%')\n )\n AND NOT (\n (l.path LIKE '/Library/LaunchAgents/com.adobe.%' OR l.path LIKE '/Library/LaunchDaemons/com.adobe.%')\n AND l.name LIKE 'com.adobe.%'\n AND (l.program LIKE '%Adobe%' OR l.program LIKE '%/Library/Application Support/Adobe/%')\n )\n AND NOT (\n (l.path LIKE '/Library/LaunchAgents/com.dropbox.%' OR l.path LIKE '/Library/LaunchDaemons/com.dropbox.%')\n AND 
l.name LIKE 'com.dropbox.%'\n AND l.program LIKE '%Dropbox%'\n )\n AND NOT (\n (l.path LIKE '/Library/LaunchDaemons/com.docker.%' OR l.path LIKE '/Library/LaunchAgents/com.docker.%')\n AND l.name LIKE 'com.docker.%'\n AND l.program LIKE '%Docker%'\n )\n -- Whitelist: Standard binary paths\n AND NOT (\n l.program LIKE '/usr/bin/%'\n OR l.program LIKE '/usr/sbin/%'\n OR l.program LIKE '/bin/%'\n OR l.program LIKE '/sbin/%'\n )\n),\nlotl_indicators AS (\n SELECT \n l.name,\n l.path,\n l.program,\n l.program_arguments,\n l.run_at_load,\n l.keep_alive,\n l.on_demand,\n l.disabled,\n l.username,\n l.groupname,\n l.stdout_path,\n l.stderr_path,\n l.start_interval,\n CASE\n WHEN l.disabled = 1 THEN 'disabled'\n WHEN l.run_at_load = 1 THEN 'enabled_run_at_load'\n ELSE 'enabled'\n END AS status,\n 0 AS is_non_whitelisted,\n 1 AS is_lotl,\n CASE\n WHEN l.program LIKE '%curl' OR l.program_arguments LIKE '%curl %' THEN 'Download utility (curl) abuse'\n WHEN l.program LIKE '%wget' OR l.program_arguments LIKE '%wget %' THEN 'Download utility (wget) abuse'\n WHEN l.program_arguments LIKE '%curl%|%bash%' OR l.program_arguments LIKE '%curl%|%sh%' THEN 'Download and pipe to shell (curl|bash)'\n WHEN l.program_arguments LIKE '%wget%|%bash%' OR l.program_arguments LIKE '%wget%|%sh%' THEN 'Download and pipe to shell (wget|sh)'\n WHEN l.program_arguments LIKE '%nc -e%' OR l.program_arguments LIKE '%ncat -e%' THEN 'Reverse shell via netcat'\n WHEN l.program_arguments LIKE '%/dev/tcp/%' OR l.program_arguments LIKE '%/dev/udp/%' THEN 'Bash network redirection (reverse shell)'\n WHEN l.program_arguments LIKE '%socat%TCP%' OR l.program_arguments LIKE '%socat%EXEC%' THEN 'Socat reverse shell'\n WHEN l.program LIKE '/tmp/%' OR l.program LIKE '/var/tmp/%' OR l.program LIKE '/private/tmp/%' OR l.program LIKE '/private/var/tmp/%' THEN 'Execution from temporary directory'\n WHEN l.program LIKE '/Users/%/.*' OR l.program LIKE '%/.%' OR l.program_arguments LIKE '%/.%' THEN 'Execution from hidden 
directory'\n WHEN l.program LIKE '/Users/%/Downloads/%' THEN 'Execution from user Downloads folder'\n WHEN l.program LIKE '/Users/%/Desktop/%' THEN 'Execution from user Desktop'\n WHEN l.program_arguments LIKE '%base64 -d%' OR l.program_arguments LIKE '%base64 --decode%' OR l.program_arguments LIKE '%base64 -D%' THEN 'Base64 decode for obfuscation'\n WHEN l.program_arguments LIKE '%echo%|%base64%' THEN 'Base64 encoded command execution'\n WHEN l.program_arguments LIKE '%bash -c%' OR l.program_arguments LIKE '%sh -c%' OR l.program_arguments LIKE '%zsh -c%' THEN 'Shell command execution via -c flag'\n WHEN l.program_arguments LIKE '%bash -i%' OR l.program_arguments LIKE '%sh -i%' OR l.program_arguments LIKE '%zsh -i%' THEN 'Interactive shell invocation'\n WHEN l.program_arguments LIKE '%python -c%' OR l.program_arguments LIKE '%python3 -c%' THEN 'Python one-liner execution'\n WHEN l.program_arguments LIKE '%perl -e%' THEN 'Perl one-liner execution'\n WHEN l.program_arguments LIKE '%ruby -e%' THEN 'Ruby one-liner execution'\n WHEN l.program_arguments LIKE '%php -r%' THEN 'PHP one-liner execution'\n WHEN l.program LIKE '%osascript' AND l.program_arguments LIKE '%-e%' THEN 'AppleScript execution abuse (osascript -e)'\n WHEN l.program_arguments LIKE '%osascript%-%e%' THEN 'AppleScript inline execution'\n WHEN l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '%/Users/%/Library/LaunchAgents/%' THEN 'Persistent user-level agent with auto-restart'\n WHEN l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '/Library/LaunchDaemons/%' THEN 'Persistent system-level daemon with auto-restart'\n WHEN l.start_interval IS NOT NULL AND l.start_interval != '' AND l.path LIKE '%/Users/%/Library/LaunchAgents/%' THEN 'User-level periodic execution agent'\n WHEN l.stdout_path LIKE '%/.%' OR l.stderr_path LIKE '%/.%' THEN 'Output redirection to hidden file'\n WHEN l.program_arguments LIKE '%/.ssh/authorized_keys%' OR l.program_arguments LIKE 
'%/.ssh/id_rsa%' OR l.program_arguments LIKE '%/.ssh/id_ed25519%' THEN 'SSH key access detected'\n WHEN l.program_arguments LIKE '%security%find-generic-password%' OR l.program_arguments LIKE '%security%dump-keychain%' THEN 'Keychain credential access'\n WHEN l.program_arguments LIKE '%sudo -n%' OR l.program_arguments LIKE '%sudo --non-interactive%' THEN 'Sudo without password prompt'\n WHEN l.program_arguments LIKE '%chmod +s%' OR l.program_arguments LIKE '%chmod 4755%' OR l.program_arguments LIKE '%chmod 4777%' THEN 'Setuid bit modification (privilege escalation)'\n WHEN l.program LIKE '%nc' OR l.program LIKE '%netcat' OR l.program LIKE '%ncat' OR l.program_arguments LIKE '%nc %' OR l.program_arguments LIKE '%netcat%' THEN 'Netcat network utility abuse'\n WHEN l.program LIKE '%socat' OR l.program_arguments LIKE '%socat%' THEN 'Socat network utility abuse'\n WHEN (\n l.program_arguments LIKE '% eval %'\n OR l.program_arguments LIKE '% eval(%'\n OR l.program_arguments LIKE '%|eval %'\n OR l.program_arguments LIKE '%;eval %'\n OR l.program_arguments LIKE '% exec %'\n OR l.program_arguments LIKE '%|exec %'\n OR l.program_arguments LIKE '%;exec %'\n OR (l.program LIKE '%/bash' AND l.program_arguments LIKE '%eval%')\n OR (l.program LIKE '%/sh' AND l.program_arguments LIKE '%eval%')\n OR (l.program LIKE '%/zsh' AND l.program_arguments LIKE '%eval%')\n ) AND l.program NOT LIKE '/usr/libexec/%' THEN 'Eval/exec command execution'\n ELSE 'Unknown LotL pattern'\n END AS lotl_reason\n FROM launchd AS l\n WHERE l.name IS NOT NULL\n AND l.name != ''\n AND l.program IS NOT NULL\n AND l.program != ''\n AND (\n l.program LIKE '%curl'\n OR l.program LIKE '%wget'\n OR l.program_arguments LIKE '%curl %'\n OR l.program_arguments LIKE '%wget %'\n OR l.program_arguments LIKE '%curl%|%bash%'\n OR l.program_arguments LIKE '%curl%|%sh%'\n OR l.program_arguments LIKE '%wget%|%bash%'\n OR l.program_arguments LIKE '%wget%|%sh%'\n OR l.program_arguments LIKE '%nc -e%'\n OR l.program_arguments 
LIKE '%ncat -e%'\n OR l.program_arguments LIKE '%/dev/tcp/%'\n OR l.program_arguments LIKE '%/dev/udp/%'\n OR l.program_arguments LIKE '%socat%TCP%'\n OR l.program_arguments LIKE '%socat%EXEC%'\n OR l.program LIKE '/tmp/%'\n OR l.program LIKE '/var/tmp/%'\n OR l.program LIKE '/private/tmp/%'\n OR l.program LIKE '/private/var/tmp/%'\n OR l.program LIKE '/Users/%/.*'\n OR l.program LIKE '%/.%'\n OR l.program LIKE '/Users/%/Downloads/%'\n OR l.program LIKE '/Users/%/Desktop/%'\n OR l.program_arguments LIKE '%/.%'\n OR l.program_arguments LIKE '%base64 -d%'\n OR l.program_arguments LIKE '%base64 --decode%'\n OR l.program_arguments LIKE '%base64 -D%'\n OR l.program_arguments LIKE '%echo%|%base64%'\n OR l.program_arguments LIKE '%bash -c%'\n OR l.program_arguments LIKE '%sh -c%'\n OR l.program_arguments LIKE '%zsh -c%'\n OR l.program_arguments LIKE '%bash -i%'\n OR l.program_arguments LIKE '%sh -i%'\n OR l.program_arguments LIKE '%zsh -i%'\n OR l.program_arguments LIKE '%python -c%'\n OR l.program_arguments LIKE '%python3 -c%'\n OR l.program_arguments LIKE '%perl -e%'\n OR l.program_arguments LIKE '%ruby -e%'\n OR l.program_arguments LIKE '%php -r%'\n OR (l.program LIKE '%osascript' AND l.program_arguments LIKE '%-e%')\n OR l.program_arguments LIKE '%osascript%-%e%'\n OR (l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '%/Users/%/Library/LaunchAgents/%')\n OR (l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '/Library/LaunchDaemons/%')\n OR (l.start_interval IS NOT NULL AND l.start_interval != '' AND l.path LIKE '%/Users/%/Library/LaunchAgents/%')\n OR l.stdout_path LIKE '%/.%'\n OR l.stderr_path LIKE '%/.%'\n OR l.program_arguments LIKE '%/.ssh/authorized_keys%'\n OR l.program_arguments LIKE '%/.ssh/id_rsa%'\n OR l.program_arguments LIKE '%/.ssh/id_ed25519%'\n OR l.program_arguments LIKE '%security%find-generic-password%'\n OR l.program_arguments LIKE '%security%dump-keychain%'\n OR l.program_arguments LIKE '%sudo 
-n%'\n OR l.program_arguments LIKE '%sudo --non-interactive%'\n OR l.program_arguments LIKE '%chmod +s%'\n OR l.program_arguments LIKE '%chmod 4755%'\n OR l.program_arguments LIKE '%chmod 4777%'\n OR l.program LIKE '%nc'\n OR l.program LIKE '%netcat'\n OR l.program LIKE '%ncat'\n OR l.program_arguments LIKE '%nc %'\n OR l.program_arguments LIKE '%netcat%'\n OR l.program LIKE '%socat'\n OR l.program_arguments LIKE '%socat%'\n OR (\n (\n l.program_arguments LIKE '% eval %'\n OR l.program_arguments LIKE '% eval(%'\n OR l.program_arguments LIKE '%|eval %'\n OR l.program_arguments LIKE '%;eval %'\n OR l.program_arguments LIKE '% exec %'\n OR l.program_arguments LIKE '%|exec %'\n OR l.program_arguments LIKE '%;exec %'\n OR (l.program LIKE '%/bash' AND l.program_arguments LIKE '%eval%')\n OR (l.program LIKE '%/sh' AND l.program_arguments LIKE '%eval%')\n OR (l.program LIKE '%/zsh' AND l.program_arguments LIKE '%eval%')\n )\n AND l.program NOT LIKE '/usr/libexec/%'\n )\n )\n),\ncombined AS (\n SELECT \n l.name,\n l.path,\n l.program,\n l.program_arguments,\n l.run_at_load,\n l.keep_alive,\n l.on_demand,\n l.disabled,\n l.username,\n l.groupname,\n l.stdout_path,\n l.stderr_path,\n l.start_interval,\n COALESCE(\n MAX(li.status),\n MAX(nw.status)\n ) AS status,\n CASE \n WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 \n THEN 'Launch Agent/Daemon (LotL)'\n ELSE 'Launch Agent/Daemon'\n END AS type,\n CASE \n WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1 \n THEN 'LOTL_INDICATOR + NON_WHITELISTED'\n WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 \n THEN 'LOTL_INDICATOR'\n ELSE 'NON_WHITELISTED'\n END AS detection_method,\n CASE \n WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1 \n THEN MAX(li.lotl_reason) || ' + Not in known-good allowlist'\n WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 \n THEN MAX(li.lotl_reason)\n ELSE 'Launch agent/daemon not in known-good allowlist'\n END AS detection_reason\n FROM launchd AS l\n LEFT JOIN 
non_whitelisted AS nw ON l.name = nw.name AND l.path = nw.path AND l.program = nw.program\n LEFT JOIN lotl_indicators AS li ON l.name = li.name AND l.path = li.path AND l.program = li.program\n WHERE COALESCE(nw.is_non_whitelisted, 0) = 1 OR COALESCE(li.is_lotl, 0) = 1\n GROUP BY l.name, l.path, l.program, l.program_arguments, l.run_at_load, l.keep_alive, l.on_demand, l.disabled, l.username, l.groupname, l.stdout_path, l.stderr_path, l.start_interval\n)\nSELECT \n c.name,\n c.path,\n c.program,\n c.program_arguments,\n c.type,\n c.run_at_load,\n c.keep_alive,\n c.on_demand,\n c.disabled,\n c.status,\n c.username,\n c.groupname,\n c.stdout_path,\n c.stderr_path,\n c.start_interval,\n c.detection_method,\n c.detection_reason,\n s.signed,\n s.identifier,\n h.sha256,\n h.sha1,\n h.md5,\n f.size,\n f.mtime,\n f.ctime,\n f.directory\nFROM combined AS c\nLEFT JOIN signature AS s ON c.program = s.path\nLEFT JOIN hash AS h ON c.program = h.path\nLEFT JOIN file AS f ON c.program = f.path\nWHERE (\n c.detection_method LIKE 'LOTL_INDICATOR%'\n OR s.signed IS NULL\n OR s.signed = 0\n OR (\n s.identifier IS NOT NULL\n AND s.identifier NOT LIKE 'com.apple.%'\n AND s.identifier NOT LIKE 'Apple Inc.%'\n )\n)\nORDER BY \n CASE WHEN c.detection_method LIKE 'LOTL_INDICATOR%' THEN 0 ELSE 1 END,\n c.detection_reason,\n c.run_at_load DESC,\n c.keep_alive DESC,\n c.name",
