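-- Find unexpected 3rd-party kernel extensions
--
-- false positives:
-- * none known
--
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
  linked_against,
  name,
  path,
  size,
  version,
  -- Composite allowlist key: path,bundle id,version,linked_against.
  -- Every component is COALESCE'd to '' because in SQLite a NULL operand
  -- makes the whole '||' concatenation NULL, and a NULL exception_key makes
  -- each NOT IN / NOT LIKE test below evaluate to NULL (not true), which
  -- would silently drop that extension from the results instead of
  -- reporting it.
  COALESCE(path, '') || ',' || COALESCE(name, '') || ',' || COALESCE(version, '') || ',' || COALESCE(linked_against, '') AS exception_key
FROM
  kernel_extensions
WHERE
  -- Extensions under /System/Library/Extensions/ are treated as first-party
  -- and never reported; a NULL path must not escape this filter either.
  COALESCE(path, '') NOT LIKE '/System/Library/Extensions/%'
  -- Skip the '__kernel__' pseudo-entry at idx 0.
  AND NOT (
    idx = 0
    AND name = '__kernel__'
  )
  -- Exact exceptions: path, bundle id, version and linked_against must all match.
  AND exception_key NOT IN (
    '/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>'
  )
  -- Prefix exceptions: version and linked_against are wildcarded, so these
  -- match on path + bundle id only. Keep this list short and specific.
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'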