2022-10-19 20:56:32 +00:00
|
|
|
-- Reveal launchd services which are located in a hidden directory.
|
|
|
|
|
--
|
|
|
|
|
-- This query was written because osquery can't see these entries currently.
|
2022-10-10 14:42:06 +00:00
|
|
|
-- See https://github.com/osquery/osquery/issues/7703
|
2022-10-13 18:59:32 +00:00
|
|
|
--
|
2022-10-19 20:56:32 +00:00
|
|
|
-- references:
|
|
|
|
|
-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
|
|
|
|
|
-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
|
|
|
|
|
--
|
2022-10-13 18:59:32 +00:00
|
|
|
-- platform: darwin
|
2022-10-14 18:26:49 +00:00
|
|
|
-- tags: persistent daemon
|
2022-10-17 23:06:17 +00:00
|
|
|
SELECT
|
|
|
|
|
file.path,
|
|
|
|
|
file.type,
|
|
|
|
|
file.filename,
|
|
|
|
|
file.size,
|
|
|
|
|
file.mtime,
|
|
|
|
|
file.uid,
|
|
|
|
|
file.ctime,
|
|
|
|
|
file.gid,
|
|
|
|
|
hash.sha256,
|
|
|
|
|
signature.identifier,
|
|
|
|
|
signature.authority
|
|
|
|
|
FROM
|
|
|
|
|
file
|
|
|
|
|
LEFT JOIN signature ON file.path = signature.path
|
|
|
|
|
LEFT JOIN hash ON file.path = hash.path
|
|
|
|
|
WHERE
|
|
|
|
|
(
|
|
|
|
|
file.path LIKE '/Library/LaunchAgents/.%'
|
|
|
|
|
OR file.path LIKE '/Users/%/Library/LaunchAgents/.%'
|
|
|
|
|
OR file.path LIKE '/Users/%/Library/LaunchDaemons/.%'
|
|
|
|
|
)
|
|
|
|
|
AND file.filename NOT IN ('.', '..', '.DS_Store')
|
|
|
|
|
AND NOT (
|
|
|
|
|
file.filename = '.DS_Store'
|
|
|
|
|
AND hash.sha256 = 'd65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3'
|
|
|
|
|
)
|
