osquery-defense-kit/detection/persistence/unexpected-kernel-extensions.sql

-- Display a list of non-Apple kernel extensions, which are exceedingly rare.
-- platform: darwin
SELECT
  *
FROM
  kernel_extensions
WHERE
  path NOT LIKE '/System/Library/Extensions/%'
  AND NOT (
    idx = 0
    AND name = '__kernel__'
  );
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`-- Display a list of non-Apple kernel extensions, which are exceedingly rare.`
			`-- platform: darwin`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`*`
			`FROM`
			`kernel_extensions`
			`WHERE`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`path NOT LIKE '/System/Library/Extensions/%'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT (`
			`idx = 0`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND name = '__kernel__'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`);`