├── .github ├── mergify.yml └── workflows │ └── ci.yml ├── LICENSE ├── README.md ├── deleted-or-replaced.sh ├── fake-name.sh ├── hidden-files.sh ├── hidden-parent-pid.sh ├── hidden-pids.sh ├── hidden-sys-module.sh ├── images ├── logo.png └── logo.webp ├── kernel-taint.sh ├── ld-so-preload.sh ├── mystery-char-devices.sh ├── osquery-detection-kit.sh ├── raw-packet-sniffer.sh ├── root-socket-no-libraries.sh ├── root-ssh-authorized-keys.sh ├── rootkit-signal-handler.sh ├── sunlight.sh ├── suspicious-cron.sh ├── suspicious-proc-env.sh ├── thieves.sh ├── third_party └── osquery-defense-kit │ └── detection │ ├── c2 │ ├── unexpected-dns-traffic-events.sql │ ├── unexpected-dns-traffic.sql │ ├── unexpected-https-linux.sql │ ├── unexpected-https-macos.sql │ ├── unexpected-icmp-socket-events.sql │ ├── unexpected-icmp-socket.sql │ ├── unexpected-libcurl-user-linux.sql │ ├── unexpected-libcurl-user-macos.sql │ ├── unexpected-talker-events.sql │ ├── unexpected-talkers-linux.sql │ └── unexpected-talkers-macos.sql │ ├── collection │ ├── excess-google-drive-downloads-macos.sql │ ├── excess-google-drive-folder-exports-macos.sql │ ├── high-disk-bytes-written.sql │ └── spotlight-database-export-macos.sql │ ├── credentials │ ├── macos_keyboard_sniffer.sql │ ├── unexpected-dev-opener-linux.sql │ ├── unexpected-dev-opener-macos.sql │ ├── unexpected-sensitive-file-access-linux.sql │ ├── unexpected-sensitive-file-access-macos.sql │ └── yara-mounted-stealer.sql │ ├── discovery │ ├── unexpected-bpf-user.sql │ ├── unexpected-netutil-calls-linux.sql │ ├── unexpected-netutil-calls-macos.sql │ ├── unexpected-pcap-user-linux.sql │ └── unexpected-pcap-user-macos.sql │ ├── evasion │ ├── empty_root_environ_linux.sql │ ├── empty_root_environ_macos.sql │ ├── executables-from-the-future.sql │ ├── hidden-cwd-events-linux.sql │ ├── hidden-cwd.sql │ ├── hidden-executable.sql │ ├── hidden-home-config-dir.sql │ ├── hidden-home-libappsupport.sql │ ├── hidden-home-library-dir.sql │ ├── hidden-launchd-files-macos.sql │ ├── missing-from-disk-linux.sql │ ├── missing-from-disk-macos.sql │ ├── name_path_mismatch.sql │ ├── old-binaries-running.sql │ ├── overwritten-memory-map-ddexec-linux.sql │ ├── parent-missing-from-disk-linux.sql │ ├── parent-missing-from-disk-macos.sql │ ├── parent-pid-missing-from-procfs.sql │ ├── pid-hidden-by-rootkit.sql │ ├── ssh-notty.sql │ ├── touched-executable-linux.sql │ ├── touched-executable-macos.sql │ ├── unexpected-alf-exceptions-macos.sql │ ├── unexpected-dev-entries.sql │ ├── unexpected-dev-executables-linux.sql │ ├── unexpected-etc-executables.sql │ ├── unexpected-hidden-system-paths.sql │ ├── unexpected-kernel-extensions-macos.sql │ ├── unexpected-kernel-modules-linux.sql │ ├── unexpected-ld-so-files-linux.sql │ ├── unexpected-library-entries-macos.sql │ ├── unexpected-process-extension-linux.sql │ ├── unexpected-public-files_macos.sql │ ├── unexpected-tmp-executables-linux.sql │ ├── unexpected-tmp-executables-macos.sql │ ├── unexpected-user-executables-macos.sql │ ├── unexpected-user-shared-entries.sql │ ├── unexpected-var-executables-linux.sql │ ├── unexpected-var-executables-macos.sql │ ├── unexpected-var-run-linux.sql │ ├── unexpected-var-run-macos.sql │ ├── unusual-executable-name-linux.sql │ ├── unusual-executable-name-macos.sql │ ├── unusual-process-name-linux.sql │ ├── unusual-process-name-macos.sql │ └── unusually-tainted-kernel-linux.sql │ ├── execution │ ├── exec-failed-launch-constraint-violation.sql │ ├── exotic-command-events-linux.sql │ ├── exotic-command-events-macos.sql │ ├── exotic-commands-linux.sql │ ├── exotic-commands-macos.sql │ ├── recently-created-executables-long-lived-linux.sql │ ├── recently-created-executables-long-lived-macos.sql │ ├── relative-exec-low-uid-events.sql │ ├── relative-exec-low-uid.sql │ ├── reverse-shell-socket.sql │ ├── sketchy-fetcher-events.sql │ ├── sketchy-fetcher.sql │ ├── tiny-executable-events.sql │ ├── tiny-executable.sql │ ├── unexpected-chmod-exec-event-linux.sql │ ├── unexpected-chmod-exec-event-macos.sql │ ├── unexpected-env-values-linux.sql │ ├── unexpected-env-values-macos.sql │ ├── unexpected-execdir-events-linux.sql │ ├── unexpected-execdir-events-macos.sql │ ├── unexpected-execdir-linux.sql │ ├── unexpected-execdir-macos.sql │ ├── unexpected-executable-permissions.sql │ ├── unexpected-fetcher-parent-events.sql │ ├── unexpected-fetcher-parents.sql │ ├── unexpected-file-made-executable.sql │ ├── unexpected-gatekeeper-approvals-macos.sql │ ├── unexpected-mounts.sql │ ├── unexpected-osascript-calls.sql │ ├── unexpected-packet-sniffer.sql │ ├── unexpected-root-signer-macos.sql │ ├── unexpected-security-framework-program-macos.sql │ ├── unexpected-setuid-binaries.sql │ ├── unexpected-sysutils-linux.sql │ ├── unexpected-sysutils-macos.sql │ ├── unexpected-xattr-calls-macos.sql │ ├── xprotect-reports.sql │ ├── yara-unexpected-miner-process.sql │ └── yara-unexpected-upx-process.sql │ ├── exfil │ ├── high_disk_bytes_read.sql │ ├── yara-exec-connect-process-linux.sql │ ├── yara-recently-downloaded-go-crypt-exec.sql │ ├── yara-unexpected-go-crypt-exec-process.sql │ └── yara-unexpected-rust-http-exec-process.sql │ ├── impact │ ├── evenly-timestomped.sql │ └── unexpected-etc-hosts.sql │ ├── initial_access │ ├── sketchy-download-name.sql │ ├── sketchy-mounted-diskimage.sql │ ├── unexpected-diskimage-name-macos.sql │ ├── unexpected-diskimage-source-macos.sql │ ├── unexpected-shell-parent-events.sql │ ├── unexpected-shell-parents.sql │ ├── unexpected-volume-contents.sql │ ├── unexpected-webmail-downloads.sql │ ├── yara-recently-downloaded-miner.sql │ ├── yara-recently-downloaded-ransom.sql │ ├── yara-recently-downloaded-rust-http-exec.sql │ ├── yara-recently-downloaded-stealer.sql │ └── yara-recently-downloaded-upx.sql │ ├── persistence │ ├── fake-apple-launchd.sql │ ├── listening-from-unusual-location.sql │ ├── low-fd-socket.sql │ ├── minimal-socket-client-linux.sql │ ├── minimal-socket-client-macos.sql │ ├── unexpected-active-systemd-units.sql │ ├── unexpected-chrome-extensions.sql │ ├── unexpected-cron-entries.sql │ ├── unexpected-device.sql │ ├── unexpected-global-lock.sql │ ├── unexpected-launchd-program-arguments.sql │ ├── unexpected-launchd-program-macos.sql │ ├── unexpected-listening-port-linux.sql │ ├── unexpected-listening-port-macos.sql │ ├── unexpected-lock-opener.sql │ ├── unexpected-small-udev-entry-linux.sql │ ├── unexpected-ssh-authorized-keys.sql │ ├── unexpected-systemctl-calls-linux.sql │ ├── unexpected-uid0-daemon-linux.sql │ ├── unexpected-uid0-daemon-macos.sql │ ├── yara-libtomcrypt-process.sql │ └── yara-suspicious-strings-process-linux.sql │ └── privesc │ ├── docker-container-mounting-root.sql │ ├── setxid-cmdline-overflow-attempt.sql │ ├── setxid-env-overflow-attempt.sql │ ├── sketchy-docker-image-creator.sql │ ├── unexpected-elevated-children-events_linux.sql │ ├── unexpected-elevated-children-events_macos.sql │ ├── unexpected-privilege-escalation_linux.sql │ ├── unexpected-privilege-escalation_macos.sql │ ├── unexpected-privileged-containers.sql │ └── unexpected-setxid-process.sql ├── unexpected-ebpf-hooks.sh ├── unexpected-run-locks.sh ├── unexpected-trace-pipe.sh └── world-readable-run-locks.sh /.github/mergify.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/.github/mergify.yml -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/.github/workflows/ci.yml -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/README.md -------------------------------------------------------------------------------- /deleted-or-replaced.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/deleted-or-replaced.sh -------------------------------------------------------------------------------- /fake-name.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/fake-name.sh -------------------------------------------------------------------------------- /hidden-files.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/hidden-files.sh -------------------------------------------------------------------------------- /hidden-parent-pid.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/hidden-parent-pid.sh -------------------------------------------------------------------------------- /hidden-pids.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/hidden-pids.sh -------------------------------------------------------------------------------- /hidden-sys-module.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/hidden-sys-module.sh -------------------------------------------------------------------------------- /images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/images/logo.png -------------------------------------------------------------------------------- /images/logo.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/images/logo.webp -------------------------------------------------------------------------------- /kernel-taint.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/kernel-taint.sh -------------------------------------------------------------------------------- /ld-so-preload.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/ld-so-preload.sh -------------------------------------------------------------------------------- /mystery-char-devices.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/mystery-char-devices.sh -------------------------------------------------------------------------------- /osquery-detection-kit.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/osquery-detection-kit.sh -------------------------------------------------------------------------------- /raw-packet-sniffer.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/raw-packet-sniffer.sh -------------------------------------------------------------------------------- /root-socket-no-libraries.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/root-socket-no-libraries.sh -------------------------------------------------------------------------------- /root-ssh-authorized-keys.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/root-ssh-authorized-keys.sh -------------------------------------------------------------------------------- /rootkit-signal-handler.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/rootkit-signal-handler.sh -------------------------------------------------------------------------------- /sunlight.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/sunlight.sh -------------------------------------------------------------------------------- /suspicious-cron.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/suspicious-cron.sh -------------------------------------------------------------------------------- /suspicious-proc-env.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/suspicious-proc-env.sh -------------------------------------------------------------------------------- /thieves.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/thieves.sh -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-dns-traffic-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-dns-traffic-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-dns-traffic.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-dns-traffic.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-https-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-https-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-https-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-https-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-icmp-socket-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-icmp-socket-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-icmp-socket.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-icmp-socket.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-libcurl-user-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-libcurl-user-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-libcurl-user-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-libcurl-user-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-talker-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-talker-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/c2/unexpected-talkers-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/c2/unexpected-talkers-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/collection/excess-google-drive-downloads-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/collection/excess-google-drive-downloads-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/collection/excess-google-drive-folder-exports-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/collection/excess-google-drive-folder-exports-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/collection/high-disk-bytes-written.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/collection/high-disk-bytes-written.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/collection/spotlight-database-export-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/collection/spotlight-database-export-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/macos_keyboard_sniffer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/macos_keyboard_sniffer.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/unexpected-dev-opener-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/unexpected-dev-opener-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/unexpected-dev-opener-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/unexpected-dev-opener-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/unexpected-sensitive-file-access-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/unexpected-sensitive-file-access-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/unexpected-sensitive-file-access-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/unexpected-sensitive-file-access-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/credentials/yara-mounted-stealer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/credentials/yara-mounted-stealer.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/discovery/unexpected-bpf-user.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/discovery/unexpected-bpf-user.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/discovery/unexpected-netutil-calls-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/discovery/unexpected-netutil-calls-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/discovery/unexpected-netutil-calls-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/discovery/unexpected-netutil-calls-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/discovery/unexpected-pcap-user-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/discovery/unexpected-pcap-user-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/discovery/unexpected-pcap-user-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/discovery/unexpected-pcap-user-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/empty_root_environ_linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/empty_root_environ_linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/empty_root_environ_macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/empty_root_environ_macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/executables-from-the-future.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/executables-from-the-future.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-cwd-events-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-cwd-events-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-cwd.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-cwd.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-executable.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-executable.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-home-config-dir.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-home-config-dir.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-home-libappsupport.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-home-libappsupport.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-home-library-dir.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-home-library-dir.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/hidden-launchd-files-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/hidden-launchd-files-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/missing-from-disk-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/missing-from-disk-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/missing-from-disk-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/missing-from-disk-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/name_path_mismatch.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/name_path_mismatch.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/old-binaries-running.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/old-binaries-running.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/overwritten-memory-map-ddexec-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/overwritten-memory-map-ddexec-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/parent-missing-from-disk-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/parent-missing-from-disk-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/parent-missing-from-disk-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/parent-missing-from-disk-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/parent-pid-missing-from-procfs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/parent-pid-missing-from-procfs.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/pid-hidden-by-rootkit.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/pid-hidden-by-rootkit.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/ssh-notty.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/ssh-notty.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/touched-executable-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/touched-executable-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/touched-executable-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/touched-executable-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-alf-exceptions-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-alf-exceptions-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-dev-entries.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-dev-entries.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-dev-executables-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-dev-executables-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-etc-executables.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-etc-executables.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-hidden-system-paths.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-hidden-system-paths.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-kernel-extensions-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-kernel-extensions-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-kernel-modules-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-kernel-modules-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-ld-so-files-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-ld-so-files-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-library-entries-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-library-entries-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-process-extension-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-process-extension-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-public-files_macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-public-files_macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-tmp-executables-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-tmp-executables-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-tmp-executables-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-tmp-executables-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-user-executables-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-user-executables-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-user-shared-entries.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-user-shared-entries.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-var-executables-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-var-executables-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-var-executables-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-var-executables-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-var-run-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-var-run-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unexpected-var-run-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unexpected-var-run-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unusual-executable-name-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unusual-executable-name-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unusual-executable-name-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unusual-executable-name-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unusual-process-name-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unusual-process-name-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unusual-process-name-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unusual-process-name-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/evasion/unusually-tainted-kernel-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/evasion/unusually-tainted-kernel-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/exec-failed-launch-constraint-violation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/exec-failed-launch-constraint-violation.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/exotic-command-events-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/exotic-command-events-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/exotic-command-events-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/exotic-command-events-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/exotic-commands-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/exotic-commands-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/exotic-commands-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/exotic-commands-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/recently-created-executables-long-lived-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/recently-created-executables-long-lived-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/recently-created-executables-long-lived-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/recently-created-executables-long-lived-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/relative-exec-low-uid-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/relative-exec-low-uid-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/relative-exec-low-uid.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/relative-exec-low-uid.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/reverse-shell-socket.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/reverse-shell-socket.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/sketchy-fetcher-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/sketchy-fetcher-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/sketchy-fetcher.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/sketchy-fetcher.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/tiny-executable-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/tiny-executable-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/tiny-executable.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/tiny-executable.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-chmod-exec-event-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-chmod-exec-event-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-chmod-exec-event-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-chmod-exec-event-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-env-values-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-env-values-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-env-values-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-env-values-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-execdir-events-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-execdir-events-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-execdir-events-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-execdir-events-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-execdir-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-execdir-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-execdir-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-execdir-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-executable-permissions.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-executable-permissions.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-fetcher-parent-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-fetcher-parent-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-fetcher-parents.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-fetcher-parents.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-file-made-executable.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-file-made-executable.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-gatekeeper-approvals-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-gatekeeper-approvals-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-mounts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-mounts.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-osascript-calls.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-osascript-calls.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-packet-sniffer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-packet-sniffer.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-root-signer-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-root-signer-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-security-framework-program-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-security-framework-program-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-setuid-binaries.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-setuid-binaries.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-sysutils-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-sysutils-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-sysutils-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-sysutils-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/unexpected-xattr-calls-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/unexpected-xattr-calls-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/xprotect-reports.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/xprotect-reports.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/yara-unexpected-miner-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/yara-unexpected-miner-process.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/execution/yara-unexpected-upx-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/execution/yara-unexpected-upx-process.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/exfil/high_disk_bytes_read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/exfil/high_disk_bytes_read.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/exfil/yara-exec-connect-process-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/exfil/yara-exec-connect-process-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/exfil/yara-unexpected-go-crypt-exec-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/exfil/yara-unexpected-go-crypt-exec-process.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/exfil/yara-unexpected-rust-http-exec-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/exfil/yara-unexpected-rust-http-exec-process.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/impact/evenly-timestomped.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/impact/evenly-timestomped.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/sketchy-download-name.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/sketchy-download-name.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/sketchy-mounted-diskimage.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/sketchy-mounted-diskimage.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-diskimage-name-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-diskimage-name-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-diskimage-source-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-diskimage-source-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-shell-parent-events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-shell-parent-events.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-shell-parents.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-shell-parents.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-volume-contents.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-volume-contents.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/unexpected-webmail-downloads.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/unexpected-webmail-downloads.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-miner.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-miner.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-ransom.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-ransom.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-stealer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-stealer.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-upx.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/initial_access/yara-recently-downloaded-upx.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/fake-apple-launchd.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/fake-apple-launchd.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/listening-from-unusual-location.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/listening-from-unusual-location.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/low-fd-socket.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/low-fd-socket.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/minimal-socket-client-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/minimal-socket-client-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/minimal-socket-client-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/minimal-socket-client-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-active-systemd-units.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-active-systemd-units.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-chrome-extensions.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-chrome-extensions.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-cron-entries.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-cron-entries.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-device.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-device.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-global-lock.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-global-lock.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-launchd-program-arguments.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-launchd-program-arguments.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-launchd-program-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-launchd-program-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-listening-port-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-listening-port-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-listening-port-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-listening-port-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-lock-opener.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-lock-opener.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-small-udev-entry-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-small-udev-entry-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-ssh-authorized-keys.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-ssh-authorized-keys.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-systemctl-calls-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-systemctl-calls-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/unexpected-uid0-daemon-macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/yara-libtomcrypt-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/yara-libtomcrypt-process.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/persistence/yara-suspicious-strings-process-linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/persistence/yara-suspicious-strings-process-linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/docker-container-mounting-root.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/docker-container-mounting-root.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/setxid-cmdline-overflow-attempt.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/setxid-cmdline-overflow-attempt.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/setxid-env-overflow-attempt.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/setxid-env-overflow-attempt.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/sketchy-docker-image-creator.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/sketchy-docker-image-creator.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-elevated-children-events_linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-elevated-children-events_linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-elevated-children-events_macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-elevated-children-events_macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-privilege-escalation_linux.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-privilege-escalation_linux.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-privilege-escalation_macos.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-privilege-escalation_macos.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-privileged-containers.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-privileged-containers.sql -------------------------------------------------------------------------------- /third_party/osquery-defense-kit/detection/privesc/unexpected-setxid-process.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/third_party/osquery-defense-kit/detection/privesc/unexpected-setxid-process.sql -------------------------------------------------------------------------------- /unexpected-ebpf-hooks.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/unexpected-ebpf-hooks.sh -------------------------------------------------------------------------------- /unexpected-run-locks.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/unexpected-run-locks.sh -------------------------------------------------------------------------------- /unexpected-trace-pipe.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/unexpected-trace-pipe.sh -------------------------------------------------------------------------------- /world-readable-run-locks.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tstromberg/sunlight/HEAD/world-readable-run-locks.sh --------------------------------------------------------------------------------