RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Optimize performance with Google Chrome image mounted

This commit is contained in:
Thomas Stromberg 2024-01-08 18:47:36 -05:00
parent 1304d66783
commit c2c29a1a52
Failed to extract signature
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
detection/initial_access/sketchy-mounted-diskimage.sql
View File

@ -36,7 +36,7 @@ FROM
WHERE
file.path IN (
SELECT
file.path
DISTINCT file.path
FROM
block_devices
JOIN mounts ON mounts.device = block_devices.name
@ -52,6 +52,11 @@ WHERE
AND mounts.path LIKE "/Volumes/%"
-- osquery will traverse symlinks, this prevents following symlinks to /Applications (poorly)
AND file.path NOT LIKE "/Volumes/%/Applications/%"
AND file.path NOT LIKE "/Volumes/%/ /%"
AND NOT (
file.type != "regular"
AND file.directory LIKE '%/Contents/Resources/'
)
)
AND (
-- Rule 0. App binaries that are hidden, like WnBJLaF/1302.app/Contents/MacOS/1302 (1302.app)