in the processes table, what is the intention of on_disk; to check for executables that were written, launched, and deleted to avoid detection? And if so, what would a value of -1 mean (this is on macOS, gatekeeper translocation could also maybe trigger this)

That does appear to have been the intended use case: https://github.com/osquery/osquery/blob/f2c581e2b688f0c80ab6f6ed6ccd745114dafa59/README.md?plain=1#L44 The way I think it works is a

0

value means there is a executable file path listed for the process, but no file now exists at that path. A value of

-1

means it cannot be determined because there is no path available to check

ah, so i'd need some logic to get records where a path is listed, but nothing is there

It doesn’t answer the question of the reason for why a path is not available, I’m still curious about that but it seems like it can occur normally

Just wanted to chime in - we use

on_disk

to detect malware that delete's itself. It unfortunately does trigger in cases when programs are upgraded and located at a new path - homebrew for example. Here's the query we where we use `on_disk`: https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/evasion/parent-missing-from-disk-macos.sql It's worth noting that on macOS,

on_disk

does not distinguish between "is the original executable on disk" and "does some file exist at the same path the executable was once located at". It could be a 0-byte file for all it cares. That said, I haven't seen any examples of malware that replaces itself with a 0-byte file or other arbitrary content yet.

Yea, I’m thinking about what more could be done to verify a program in memory matches the file on the disk, but the very action of loading an executable into memory does also transform it. And verification can’t require a signed executable since many are still not signed

yeah, my intended use was for detecting malware that hides its tracks, but i couldn't narrow it down to something deterministic and repeatable