RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

New queries: excessive Google Drive exports

This commit is contained in:
Thomas Stromberg 2023-06-02 18:01:10 -04:00
parent eba289f996
commit c2ce0ce7d7
2 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
detection/collection/excess-google-drive-downloads-macos.sql Normal file
View File

@ -0,0 +1,26 @@
-- Surface when a machine has downloaded an unusual number of files from Google Drive
--
-- platform: darwin
-- tags: persistent filesystem spotlight
-- interval: 3600
SELECT
COUNT(DISTINCT file.path) AS num_downloads,
GROUP_CONCAT(DISTINCT file.path) AS paths,
SUM(file.size) AS total_size,
MIN(file.btime) AS first_btime,
MAX(file.atime) AS last_atime
FROM
mdfind
JOIN file ON mdfind.path = file.path
JOIN extended_attributes ea ON mdfind.path = ea.path
AND ea.key = "where_from"
WHERE
query = "kMDItemFSCreationDate >= $time.now(-604800)"
-- For some reason relying on kMDItemWhereFroms omitted download word docs, so
-- this does it the slow way.
AND ea.value LIKE "https://doc-%googleusercontent.com%"
-- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
GROUP BY ea.key
HAVING total_size > (100*1024*1024) OR num_downloads > 5

23
detection/collection/excess-google-drive-folder-exports-macos.sql Normal file
View File

@ -0,0 +1,23 @@
-- Surface when a machine has downloaded an unusual number of zip exports from Google Drive
--
-- platform: darwin
-- tags: persistent filesystem spotlight
-- interval: 3600
SELECT
COUNT(DISTINCT file.path) AS num_exports,
GROUP_CONCAT(DISTINCT file.path) AS paths,
SUM(file.size) AS total_size,
MIN(file.btime) AS first_btime,
MAX(file.atime) AS last_atime
FROM
mdfind
JOIN file ON mdfind.path = file.path
JOIN hash ON file.path = hash.path
JOIN extended_attributes ea ON mdfind.path = ea.path
WHERE
mdfind.query = "kMDItemWhereFroms == 'https://*-drive-data-export.googleusercontent.com*' AND 'kMDItemFSCreationDate >= $time.now(-604800)'"
-- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
-- "GROUP BY" should be unnecessary, but Kolide seems to require it
GROUP BY ea.key
HAVING total_size > (100*1024*1024) OR num_exports > 2