osquery-defense-kit/fs/unexpected-volume-contents.sql

-- EXPERIMENTAL --
-- Scan removable volumes for sketchy files
-- TODO: combine with disk_events table
-- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
SELECT RTRIM(file.path, "/") AS trimpath,
    uid,
    filename,
    gid,
    mode,
    REGEX_MATCH(file.path, "(.*)/", 1) AS dirname,
    REGEX_MATCH(RTRIM(file.path, "/"), ".*/(.*?)$", 1) AS basename,
    REGEX_MATCH(RTRIM(file.path, "/"), ".*\.(.*?)$", 1) AS extension,
    mtime,
    ctime,
    symlink,
    type,
    size,
    hash.sha256,
    magic.data,
    signature.identifier,
    signature.authority
FROM file
    LEFT JOIN hash on file.path = hash.path
    LEFT JOIN magic ON file.path = magic.path
    LEFT JOIN signature ON file.path = signature.path
WHERE (
        file.path LIKE "/Volumes/%/%"
        OR file.path LIKE "/Volumes/%/.%"
    )
    AND file.path NOT LIKE "/Volumes/Macintosh HD%"
    AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"
    AND (
        extension IN (
            'command',
            'lnk',
            'mpkg',
            -- Enable later once we know this query works well
            --             'pkg',
            'scpt',
            'dmg',
            'iso',
            'gz',
            'sh',
            'sql'
        )
        OR file.symlink != 0
        OR basename LIKE ".%"
        OR basename LIKE "%.sql%"
        OR basename LIKE "%Chrome%"
        OR basename LIKE "%Extension%"
        OR basename LIKE "%enforce%"
        OR basename LIKE "%hidden%"
        OR basename LIKE "%Installer%"
        OR basename LIKE "%mono%"
        OR basename LIKE "%secret%"
        OR basename LIKE "%sql%"
        OR basename LIKE "%guard%"
        OR basename LIKE "cg%"
    ) -- exceptions go here
    AND basename NOT IN (
        '.',
        '..',
        '.vol',
        '.VolumeIcon.icns',
        '.background',
        '.file',
        '.Trashes',
        '.TemporaryItems',
        '.file-revisions-by-id',
        '.shortcut-targets-by-id',
        '.DS_Store'
    )
    AND authority NOT IN (
        'Developer ID Application: Google LLC (EQHXZ8M8AV)'
    ) -- Unsigned programs here
    AND trimpath NOT IN (
        '/Volumes/Google Chrome/.keystone_install',
        '/Volumes/Google Chrome Canary/.keystone_install',
        '/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg'
    )
Add unexpected volume contents (experimental) 2022-09-23 14:36:11 +00:00			`-- EXPERIMENTAL --`
			`-- Scan removable volumes for sketchy files`
			`-- TODO: combine with disk_events table`
			`-- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/`
			`SELECT RTRIM(file.path, "/") AS trimpath,`
			`uid,`
			`filename,`
			`gid,`
			`mode,`
			`REGEX_MATCH(file.path, "(.*)/", 1) AS dirname,`
			`REGEX_MATCH(RTRIM(file.path, "/"), "./(.?)$", 1) AS basename,`
			`REGEX_MATCH(RTRIM(file.path, "/"), ".\.(.?)$", 1) AS extension,`
			`mtime,`
			`ctime,`
			`symlink,`
			`type,`
			`size,`
			`hash.sha256,`
			`magic.data,`
			`signature.identifier,`
			`signature.authority`
			`FROM file`
			`LEFT JOIN hash on file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
			`LEFT JOIN signature ON file.path = signature.path`
			`WHERE (`
			`file.path LIKE "/Volumes/%/%"`
			`OR file.path LIKE "/Volumes/%/.%"`
			`)`
			`AND file.path NOT LIKE "/Volumes/Macintosh HD%"`
			`AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"`
			`AND (`
			`extension IN (`
			`'command',`
			`'lnk',`
			`'mpkg',`
			`-- Enable later once we know this query works well`
			`-- 'pkg',`
			`'scpt',`
			`'dmg',`
			`'iso',`
			`'gz',`
			`'sh',`
			`'sql'`
			`)`
			`OR file.symlink != 0`
			`OR basename LIKE ".%"`
			`OR basename LIKE "%.sql%"`
			`OR basename LIKE "%Chrome%"`
			`OR basename LIKE "%Extension%"`
			`OR basename LIKE "%enforce%"`
			`OR basename LIKE "%hidden%"`
			`OR basename LIKE "%Installer%"`
			`OR basename LIKE "%mono%"`
			`OR basename LIKE "%secret%"`
			`OR basename LIKE "%sql%"`
			`OR basename LIKE "%guard%"`
			`OR basename LIKE "cg%"`
			`) -- exceptions go here`
			`AND basename NOT IN (`
			`'.',`
			`'..',`
			`'.vol',`
			`'.VolumeIcon.icns',`
			`'.background',`
			`'.file',`
			`'.Trashes',`
			`'.TemporaryItems',`
			`'.file-revisions-by-id',`
			`'.shortcut-targets-by-id',`
			`'.DS_Store'`
			`)`
			`AND authority NOT IN (`
			`'Developer ID Application: Google LLC (EQHXZ8M8AV)'`
			`) -- Unsigned programs here`
			`AND trimpath NOT IN (`
			`'/Volumes/Google Chrome/.keystone_install',`
			`'/Volumes/Google Chrome Canary/.keystone_install',`
			`'/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg'`
			`)`