osquery-defense-kit/fs/unexpected-volume-contents.sql

-- EXPERIMENTAL --
-- Scan removable volumes for sketchy files
-- TODO: combine with disk_events table
-- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
SELECT
  RTRIM(file.path, "/") AS trimpath,
  uid,
  filename,
  gid,
  mode,
  REGEX_MATCH (file.path, "(.*)/", 1) AS dirname,
  REGEX_MATCH (RTRIM(file.path, "/"), ".*/(.*?)$", 1) AS basename,
  REGEX_MATCH (RTRIM(file.path, "/"), ".*\.(.*?)$", 1) AS extension,
  mtime,
  ctime,
  symlink,
  type,
  size,
  hash.sha256,
  magic.data,
  signature.identifier,
  signature.authority
FROM
  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
  LEFT JOIN signature ON file.path = signature.path
WHERE
  (
    file.path LIKE "/Volumes/%/%"
    OR file.path LIKE "/Volumes/%/.%"
  )
  AND file.path NOT LIKE "/Volumes/Macintosh HD%"
  AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"
  AND (
    extension IN (
      "command",
      "lnk",
      "mpkg",
      -- Enable later once we know this query works well
      --             "pkg",
      "scpt",
      "dmg",
      "iso",
      "gz",
      "sh",
      "sql"

    )
    OR file.symlink != 0
    OR basename LIKE ".%"
    OR basename LIKE "%.sql%"
    OR basename LIKE "%Chrome%"
    OR basename LIKE "%Extension%"
    OR basename LIKE "%enforce%"
    OR basename LIKE "%hidden%"
    OR basename LIKE "%Installer%"
    OR basename LIKE "%mono%"
    OR basename LIKE "%secret%"
    OR basename LIKE "%sql%"
    OR basename LIKE "%guard%"
    OR basename LIKE "cg%"
  ) -- exceptions go here
  AND basename NOT IN (
    "..",
    ".",
    ".background",
    ".disk_label_2x",
    ".disk_label",
    ".DS_Store",
    ".iotest",
    ".file-revisions-by-id",
    ".file",
    ".metadata_never_index_unless_rootfs",
    ".shortcut-targets-by-id",
    ".TemporaryItems",
    ".Trashes",
    ".vol",
    ".apdisk",
    "._.Trashes",
    "._.TemporaryItems",
    "._.apdisk",
    ".VolumeIcon.icns"
  )
  AND authority NOT IN (
    "Developer ID Application: Google LLC (EQHXZ8M8AV)"
  ) -- Unsigned programs here
  AND trimpath NOT IN (
    "/Volumes/Google Chrome/.keystone_install",
    "/Volumes/Google Chrome Canary/.keystone_install",
    "/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg"
  )
Add unexpected volume contents (experimental) 2022-09-23 14:36:11 +00:00			`-- EXPERIMENTAL --`
			`-- Scan removable volumes for sketchy files`
			`-- TODO: combine with disk_events table`
			`-- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`RTRIM(file.path, "/") AS trimpath,`
			`uid,`
			`filename,`
			`gid,`
			`mode,`
			`REGEX_MATCH (file.path, "(.*)/", 1) AS dirname,`
			`REGEX_MATCH (RTRIM(file.path, "/"), "./(.?)$", 1) AS basename,`
			`REGEX_MATCH (RTRIM(file.path, "/"), ".\.(.?)$", 1) AS extension,`
			`mtime,`
			`ctime,`
			`symlink,`
			`type,`
			`size,`
			`hash.sha256,`
			`magic.data,`
			`signature.identifier,`
			`signature.authority`
			`FROM`
			`file`
			`LEFT JOIN hash on file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
			`LEFT JOIN signature ON file.path = signature.path`
			`WHERE`
			`(`
			`file.path LIKE "/Volumes/%/%"`
			`OR file.path LIKE "/Volumes/%/.%"`
			`)`
			`AND file.path NOT LIKE "/Volumes/Macintosh HD%"`
			`AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"`
			`AND (`
			`extension IN (`
False positive purge, including Ventura additions 2022-10-03 20:27:56 +00:00			`"command",`
			`"lnk",`
			`"mpkg",`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`-- Enable later once we know this query works well`
False positive purge, including Ventura additions 2022-10-03 20:27:56 +00:00			`-- "pkg",`
			`"scpt",`
			`"dmg",`
			`"iso",`
			`"gz",`
			`"sh",`
			`"sql"`
Remove numerous false positives 2022-09-26 22:27:43 +00:00
Add unexpected volume contents (experimental) 2022-09-23 14:36:11 +00:00			`)`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`OR file.symlink != 0`
			`OR basename LIKE ".%"`
			`OR basename LIKE "%.sql%"`
			`OR basename LIKE "%Chrome%"`
			`OR basename LIKE "%Extension%"`
			`OR basename LIKE "%enforce%"`
			`OR basename LIKE "%hidden%"`
			`OR basename LIKE "%Installer%"`
			`OR basename LIKE "%mono%"`
			`OR basename LIKE "%secret%"`
			`OR basename LIKE "%sql%"`
			`OR basename LIKE "%guard%"`
			`OR basename LIKE "cg%"`
			`) -- exceptions go here`
			`AND basename NOT IN (`
False positive purge, including Ventura additions 2022-10-03 20:27:56 +00:00			`"..",`
			`".",`
			`".background",`
			`".disk_label_2x",`
			`".disk_label",`
			`".DS_Store",`
			`".iotest",`
			`".file-revisions-by-id",`
			`".file",`
			`".metadata_never_index_unless_rootfs",`
			`".shortcut-targets-by-id",`
			`".TemporaryItems",`
			`".Trashes",`
			`".vol",`
			`".apdisk",`
			`"._.Trashes",`
			`"._.TemporaryItems",`
			`"._.apdisk",`
			`".VolumeIcon.icns"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`
			`AND authority NOT IN (`
False positive purge, including Ventura additions 2022-10-03 20:27:56 +00:00			`"Developer ID Application: Google LLC (EQHXZ8M8AV)"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`) -- Unsigned programs here`
			`AND trimpath NOT IN (`
False positive purge, including Ventura additions 2022-10-03 20:27:56 +00:00			`"/Volumes/Google Chrome/.keystone_install",`
			`"/Volumes/Google Chrome Canary/.keystone_install",`
			`"/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg"`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`