osquery-defense-kit/detection/persistence/fake-apple-launchd.sql

-- Find launchd entries which purport to be by Apple, but are not signed by Apple.
--
-- references:
--   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
--   * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
--
-- false positives:
--   * none have been observed
--
-- platform: darwin
-- tags: persistent launchd state
select
  *
FROM
  signature s
  JOIN launchd d ON d.program_arguments = s.path
WHERE
  d.name LIKE 'com.apple.%'
  AND (
    signed = 0
    OR authority != 'Software Signing'
  )
  AND d.run_at_load = 1;
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`-- Find launchd entries which purport to be by Apple, but are not signed by Apple.`
			`--`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- references:`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa`
			`--`
			`-- false positives:`
			`-- * none have been observed`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`--`
			`-- platform: darwin`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- tags: persistent launchd state`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`select`
			`*`
			`FROM`
			`signature s`
			`JOIN launchd d ON d.program_arguments = s.path`
			`WHERE`
			`d.name LIKE 'com.apple.%'`
			`AND (`
			`signed = 0`
			`OR authority != 'Software Signing'`
			`)`
			`AND d.run_at_load = 1;`