v1.11.0

What's Changed

• New detectors based on JokerSpy research by @tstromberg in #286
• New detectors: excessive Google Drive exports by @tstromberg in #269
• Improve detection for bpfdoor and similar backdoors. by @tstromberg in #262
• Query tuning for Geacon detection and reduced CPU usage by @tstromberg in #264
• incident_response: Improve macOS coverage by @tstromberg in #258
• Collect recent file events by @tstromberg in #259
• hidden home config: Add ~/.config/.* to search criteria by @tstromberg in #273
• minimal socket client: speed query up by @tstromberg in #276
• The usual mess of false-positive reductions.

Full Changelog: v1.10.0...v1.11.0

v1.10.0

What's Changed

• New detector: unexpected libcurl program by @tstromberg in #220
• New detector: unexpected chmod exec event by @tstromberg in #221
• New detector: hidden ~/Library/Application Support entries by @tstromberg in #243
• New detector: unexpected /var/run files by @tstromberg in #256
• Refactor macOS talkers: reset exceptions, split https by @tstromberg in #244
• Refactor recently-created-executables to fit within complexity limits by @tstromberg in #251
• Refactor high-disk-bytes queries by @tstromberg in #226
• Refactor name/path mismatch for lower maintenance by @tstromberg in #217
• Loads of false positive removals

Full Changelog: v1.9.0...v1.10.0

v1.9.0

What's Changed

• Makefile: Add 'detect' rule, fix collection/IR rules by @tstromberg in #210
• Add RSA key finders, and mdfind-based GCP key finder by @tstromberg in #211
• Add a runnable osquery.conf example by @tstromberg in #214
• Add dhclient uid0 exception, as appears in Debian by @tstromberg in #215
• fpr: aws-sdk, melange, Tailscale, Xprotect, etc by @tstromberg in #212
• fpr: aws certs, AdobePIM, slack by @tstromberg in #213

Full Changelog: v1.8.0...v1.9.0

v1.8.0

What's Changed

New Things

• New detector: Launch Constraint Violation (macOS) by @tstromberg in #171
• New detector: unexpected ssh-authorized-keys by @tstromberg in #177
• New detector: overwritten memory map by @tstromberg in #179
• Add 60 new postmortem queries for before/after analysis by @tstromberg in #191
• Add detectors for the reveng_rtkit rootkit by @tstromberg in #194
• Makefile: Add reformat-updates target by @tstromberg in #173
• Add privacy-aware version of the IR rules by @tstromberg in #209
• incident response: Add dump of /dev files by @tstromberg in #195
• Makefile: add "make collection" target, improve others by @tstromberg in #199
• Add 'make verify' command and improve CI compatibility. by @tstromberg in #201
• Add Github CI job by @tstromberg in #202
• Add verify-ci Makefile rule by @tstromberg in #204

Improved Things

• Query performance improvements, add p0 pids, decrease query frequency by @tstromberg in #168
• Linux events: decrease CPU usage of elevated children & execdir by @tstromberg in #178
• Add chattr, setenforce to unexpected-sysutils by @tstromberg in #176
• Rewrite unexpected-execdir-events-linux with INSTR to decrease CPU time by @tstromberg in #183
• Optimize recently-created-executables-macos by @tstromberg in #207
• Makefile: collect as root by @tstromberg in #200

False Positive Reduction & Other bugfixes

• FPR: spotify, htop, dnsmasq, sshd by @tstromberg in #169
• False positive removal and minor query perf improvements by @tstromberg in #170
• listening ports: Include caddy, kubectl, node in wider listening range by @tstromberg in #172
• fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc by @tstromberg in #174
• fpr: ACE, Prusa, Ecamm, setroubleshootd, steam, pacman, Xcode, Adobe by @tstromberg in #175
• False positive flush, particularly in talkers by @tstromberg in #180
• execdir events macOS: Fix ambiguous path by @tstromberg in #181
• gcloud: filter out last_update_check, last_survey_prompt by @tstromberg in #182
• overwritten memory: filter out pathless kernel bits by @tstromberg in #184
• fpr: Fujitsu, vmware, objective-see, paragon, etc by @zestysoft in #185
• systemd units: increase size bucket from 100 to 225 by @tstromberg in #187
• fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird by @tstromberg in #188
• False positive reduction: Ubuntu LTS running on Lima VM by @tstromberg in #189
• Add exceptions for Debian running under lima by @tstromberg in #192
• Add osquery to keyboard_sniffer by @zestysoft in #190
• Debian uid0: add dhclient and unattended-upgr by @tstromberg in #193
• fpr: abrt-dbus, gdm, chrome, ff, act, qemu, lima, etc. by @tstromberg in #203
• Fix broken IR non-Wireless rule by @tstromberg in #205
• macOS: Exceptions for TestFlight apps & specifically Kindle by @tstromberg in #206
• incident response: Rename files-from-proc to process-files. by @tstromberg in #196
• incident response: remove ever-changing columns from process table by @tstromberg in #197
• incident_response: bugfixes across queries by @tstromberg in #198

New Contributors

• @zestysoft made their first contribution in #185

Full Changelog: v1.7.0...v1.8.0

v1.7.0

What's Changed

• New detector: sketchy-mounted-diskimage by @tstromberg in #163
• Refactor process_events queries, improve shlayer detection, fix fps by @tstromberg in #144
• Modified detections explicitly targeted towards macOS to not include cgroup field by @NACHOSWITHCHEESE in #164
• Make unexpected-chrome-extensions easier to maintain, address false-positives by @tstromberg in #145
• Significant performance improvements for slowest macOS queries by @tstromberg in #155
• Update configuration for osqtool v1.0 by @tstromberg in #152
• Include more process information across queries by @tstromberg in #150
• Rewrite unexpected uid0 for Linux, include cgroup info by @tstromberg in #158
• Add local port and address to network queries by @tstromberg in #162
• Loads of false-positive removals across many PRs

New Contributors

• @NACHOSWITHCHEESE made their first contribution in #164

Full Changelog: v1.6.1...v1.7.0

v1.6.1

What's Changed

• New detector: unexpected netutil calls by @tstromberg in #130
• New detector: unexpected systemctl calls by @tstromberg in #131
• Lots of false positives removed.

Full Changelog: v1.6.0...v1.6.1

v1.6.0

What's Changed

• new detector: unexpected sysctl calls by @tstromberg in #114
• new detector: unencrypted GCP service account keys by @tstromberg in #118
• new detector: unexpected xattr calls by @tstromberg in #119
• new detector: unexpected file made executable by @tstromberg in #120
• new detector: unexpected security framework program by @tstromberg in #121
• Speed up unexpected-bpf-users query by basing it on processes by @tstromberg in #117
• Various query bugfixes from the 2022 macOS malware audit by @tstromberg in #122
• Loads of false-positives removed

Full Changelog: v1.5.0...v1.6.0

v1.5.0

What's Changed

• New detector: relative exec low uid by @tstromberg in #106
• new detector: unexpected root process signer on macOS by @tstromberg in #107
• new detectors: unexpected shell & fetcher events by @tstromberg in #108
• dev opener: Add k3s /dev/kmsg exception, add parent info by @tstromberg in #100
• parent-missing-from-disk: Filter out Docker children too by @tstromberg in #101
• sketchy fetcher: Add grandparents and TLD detector by @tstromberg in #102
• sketchy fetchers: Remove trailing commas by @tstromberg in #103
• New Years FP cleanup: monitorix, snap-confine, steam, spotify, etc by @tstromberg in #104
• Catch up to other winter-break false positives by @tstromberg in #105
• Fix more false positives, particularly in newer queries by @tstromberg in #109
• Rewrite unexpected-osascript-calls for simplicity by @tstromberg in #110
• A few less false positives by @tstromberg in #111
• Catch up to some older false positives we ran into by @tstromberg in #112

Full Changelog: v1.4.0...v1.5.0

v1.4.0

What's Changed

• Post-Thanksgiving false positive flush by @tstromberg in #95
• Clear more false positives: Signal, Kitty, KIND, Acrobat, etc by @tstromberg in #96
• False positive flush: Capital One, tailscaled, agetty, snap, Jetbrains by @tstromberg in #97
• Sort out more false positives by @tstromberg in #98
• False-positive flush: mount.ntfs, docker-credential-desktop, exotic s… by @tstromberg in #99

Full Changelog: v1.3.0...v1.4.0

v1.3.0

What's Changed

• Pre-Thanksgiving False Positive cleanup, including Pop!OS support by @tstromberg in #91
• Split parent-missing-from-disk, add more explicit name to long-uptime, address fps by @tstromberg in #92
• Makefile: Rename .sql targets to .conf, extend max-duration for IR by @tstromberg in #93
• Add IR no-wifi ruleset by @tstromberg in #94

Full Changelog: v1.2.0...v1.3.0