osquery-defense-kit/detection/evasion/unexpected-kernel-extension...

-- Find unexpected 3rd-party kernel extensions
--
-- false positives:
--   * none known
--
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
  *
FROM
  kernel_extensions
WHERE
  path NOT LIKE '/System/Library/Extensions/%'
  AND NOT (
    idx = 0
    AND name = '__kernel__'
  );
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Find unexpected 3rd-party kernel extensions`
			`--`
			`-- false positives:`
			`-- * none known`
			`--`
Give unexpected-modules a better name 2022-10-14 14:18:23 +00:00			`-- platform: darwin`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- tags: persistent seldom kernel`
Give unexpected-modules a better name 2022-10-14 14:18:23 +00:00			`SELECT`
			`*`
			`FROM`
			`kernel_extensions`
			`WHERE`
			`path NOT LIKE '/System/Library/Extensions/%'`
			`AND NOT (`
			`idx = 0`
			`AND name = '__kernel__'`
			`);`