osquery-defense-kit/detection/initial_access/unexpected-diskimage-name-m...

-- Surface ISO/DMG disk images that have suspicious names
--
-- references:
--   * https://objective-see.org/blog/blog_0x4E.html
--
-- false positives:
--   * unknown
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT
  file.path,
  file.size,
  datetime(file.btime, 'unixepoch') AS file_created,
  magic.data,
  hash.sha256,
  signature.identifier,
  signature.authority,
  ea.value AS url,
  REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
  REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM
  mdfind
  LEFT JOIN file ON mdfind.path = file.path
  LEFT JOIN hash ON mdfind.path = hash.path
  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
  LEFT JOIN magic ON mdfind.path = magic.path
  LEFT JOIN signature ON mdfind.path = signature.path
WHERE
  (
    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
  )
  AND ea.key = 'where_from'
  AND file.btime > (strftime('%s', 'now') -86400)
  AND (
    file.filename LIKE 'Installer.%'
    OR file.filename LIKE '%Player.%'
    OR file.filename LIKE '% AIR %'
    OR file.filename LIKE '%Flash%'
    OR file.filename LIKE '%Resume%'
  )
GROUP BY
  ea.value
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`-- Surface ISO/DMG disk images that have suspicious names`
			`--`
			`-- references:`
			`-- * https://objective-see.org/blog/blog_0x4E.html`
			`--`
			`-- false positives:`
			`-- * unknown`
			`--`
			`-- platform: darwin`
			`-- tags: persistent filesystem spotlight`
			`SELECT`
			`file.path,`
			`file.size,`
			`datetime(file.btime, 'unixepoch') AS file_created,`
			`magic.data,`
			`hash.sha256,`
			`signature.identifier,`
			`signature.authority,`
			`ea.value AS url,`
			`REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,`
			`REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host`
			`FROM`
			`mdfind`
			`LEFT JOIN file ON mdfind.path = file.path`
			`LEFT JOIN hash ON mdfind.path = hash.path`
			`LEFT JOIN extended_attributes ea ON mdfind.path = ea.path`
			`LEFT JOIN magic ON mdfind.path = magic.path`
			`LEFT JOIN signature ON mdfind.path = signature.path`
			`WHERE`
			`(`
			`mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"`
			`OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"`
			`OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"`
			`)`
			`AND ea.key = 'where_from'`
			`AND file.btime > (strftime('%s', 'now') -86400)`
			`AND (`
			`file.filename LIKE 'Installer.%'`
			`OR file.filename LIKE '%Player.%'`
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 21:30:14 +00:00			`OR file.filename LIKE '% AIR %'`
Refactor process_events queries for more accurate parenting 2023-01-26 16:40:54 +00:00			`OR file.filename LIKE '%Flash%'`
			`OR file.filename LIKE '%Resume%'`
			`)`
			`GROUP BY`
			`ea.value`