osquery-defense-kit/detection/evasion/unexpected-user-shared-entr...

88 lines
2.5 KiB
MySQL
Raw Normal View History

2023-06-30 19:38:56 +00:00
-- Find unexpected files in /Users/Shared
--
-- references:
-- * https://www.elastic.co/security-labs/inital-research-of-jokerspy
--
-- false positives:
-- * programs which create Shared files
--
-- tags: persistent state filesystem seldom
-- platform: darwin
2024-08-27 22:40:43 +00:00
SELECT file.path,
2023-06-30 19:38:56 +00:00
file.type,
file.size,
file.mtime,
file.uid,
file.btime,
file.mode,
file.ctime,
file.gid,
hash.sha256,
magic.data,
RTRIM(
COALESCE(
REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
file.directory
),
"/"
) AS top3_dir
2024-08-27 22:40:43 +00:00
FROM file
2023-06-30 19:38:56 +00:00
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
2024-08-27 22:40:43 +00:00
WHERE (
2023-06-30 19:38:56 +00:00
file.path LIKE '/Users/Shared/%%'
OR file.path LIKE '/Users/Shared/.%'
OR file.path LIKE '/Users/Shared/.%/%%'
OR file.path LIKE '/Users/Shared/%/.%'
)
AND NOT (
file.type = 'directory'
OR file.size = 0
2023-06-30 19:38:56 +00:00
OR file.path LIKE '%/../%'
OR file.path LIKE '%/./%'
OR file.path IN (
'/Users/Shared/.BetaEnrollmentData.plist',
'/Users/Shared/.betamigrated',
2023-09-01 21:09:47 +00:00
'/Users/Shared/.com.intego.reporting.plist',
2023-06-30 19:38:56 +00:00
'/Users/Shared/.DS_Store',
2024-06-28 14:08:04 +00:00
'/Users/Shared/Plugin Loading.log',
'/Users/Shared/.ks.intego_metrics_2.plist',
2023-06-30 19:38:56 +00:00
'/Users/Shared/.localized',
'/Users/Shared/.userfonts.cachedb',
'/Users/Shared/CleanMyMac X/.licence',
2023-06-30 19:38:56 +00:00
'/Users/Shared/LogiTuneInstallerStarted.txt',
'/Users/Shared/.NSVolumeHeap',
'/Users/Shared/.SeedEnrollment.plist'
)
OR top3_dir IN (
'/Users/Shared/Adobe',
'/Users/Shared/AdobeGCData',
'/Users/Shared/AdobeGCInfo',
'/Users/Shared/Audiority',
2023-09-01 21:09:47 +00:00
'/Users/Shared/UnrealEngine',
2023-06-30 19:38:56 +00:00
'/Users/Shared/Canon_Inc_IC',
'/Users/Shared/CleanMyMac X',
'/Users/Shared/CleanMyMac X Menu',
2023-06-30 19:38:56 +00:00
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
2024-08-27 22:40:43 +00:00
' /Users/Shared/Maxon',
2024-06-28 14:08:04 +00:00
'/Users/Shared/AdobeInstalledCodecsTier2',
2023-06-30 19:38:56 +00:00
'/Users/Shared/LogioptionsPlus',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/.logishrd',
'/Users/Shared/logitune',
'/Users/Shared/macenhance',
'/Users/Shared/Parallels',
'/Users/Shared/PPN',
'/Users/Shared/Previously Relocated Items',
'/Users/Shared/Red Giant',
'/Users/Shared/Relocated Items',
'/Users/Shared/TechSmith'
)
OR file.path LIKE '/Users/Shared/Epic Games/%'
2023-06-30 19:38:56 +00:00
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
OR (
file.path LIKE "%.plist"
AND magic.data = 'XML 1.0 document, ASCII text'
)
2024-08-27 22:40:43 +00:00
)