osquery-defense-kit/detection/execution/unexpected-gatekeeper-appro...

47 lines
1.5 KiB
MySQL
Raw Normal View History

-- Gatekeeper exceptions are exceptions for downloaded binaries
2022-10-14 18:19:13 +00:00
--
-- references:
-- * https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
--
-- false positives:
-- * developers downloading binaries from Github
--
-- platform: darwin
2022-10-14 18:19:13 +00:00
-- tags: persistent filesystem state gatekeeper
SELECT
gap.ctime,
gap.mtime,
gap.path,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
signature.identifier,
signature.authority
FROM
gatekeeper_approved_apps AS gap
LEFT JOIN file ON gap.path = file.path
LEFT JOIN hash ON gap.path = hash.path
LEFT JOIN signature ON gap.path = signature.path
WHERE
gap.path NOT LIKE '/Users/%/bin/%'
AND gap.path NOT LIKE '/Users/%/%-darwin-a%64'
AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
AND gap.path NOT LIKE '/Users/%/Downloads/missp'
AND gap.path NOT LIKE '/Users/%/bom'
AND gap.path NOT LIKE '/Users/%/configure'
AND gap.path NOT LIKE '/Users/%/cosign-%'
AND gap.path NOT LIKE '/Users/%/crane'
AND gap.path NOT LIKE '/Users/%/rekor-cli'
AND gap.path NOT LIKE '/Users/%/trivy'
AND gap.path NOT LIKE '/usr/local/bin/%'
2024-06-28 14:08:04 +00:00
AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
GROUP BY
gap.requirement