osquery-defense-kit/detection/execution/unexpected-mounts.sql

15 lines
317 B
MySQL
Raw Normal View History

-- Detect weird mounts, like mounting the EFI partition
2022-10-14 18:19:13 +00:00
--
-- references:
-- * https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
--
-- platform: linux
-- tags: transient filesystem state
SELECT
*
FROM
mounts
WHERE
device = '/dev/disk0s1'
AND type = 'msdos';