mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-09 05:56:54 +00:00
35 lines
884 B
MySQL
35 lines
884 B
MySQL
|
-- Find database exports. Will need tuning based on your table names.
|
||
|
|
--
|
||
|
|
-- false positives:
|
||
|
|
-- * none observed
|
||
|
|
--
|
||
|
|
-- references:
|
||
|
|
-- * https://attack.mitre.org/techniques/T1530/ (Data from Cloud Storage Object )
|
||
|
|
--
|
||
|
|
-- platform: darwin
|
||
|
|
-- tags: persistent filesystem spotlight
|
||
|
|
SELECT
|
||
|
|
f.path,
|
||
|
|
f.size,
|
||
|
|
datetime(f.btime, 'unixepoch') AS file_created,
|
||
|
|
magic.data
|
||
|
|
FROM
|
||
|
|
file f
|
||
|
|
JOIN mdfind ON mdfind.path = f.path
|
||
|
|
LEFT JOIN magic ON f.path = magic.path
|
||
|
|
WHERE
|
||
|
|
(
|
||
|
|
(
|
||
|
|
mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
|
||
|
|
)
|
||
|
|
OR (
|
||
|
|
mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
|
||
|
|
)
|
||
|
|
OR (
|
||
|
|
mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
|
||
|
|
)
|
||
|
|
)
|
||
|
|
AND f.path NOT LIKE '%.json'
|
||
|
|
AND f.path NOT LIKE '%.log'
|
||
|
|
AND f.size > 32768
|