Add unexpected volume contents (experimental)

2025-01-10 07:39:26 +00:00 · 2022-09-23 10:36:11 -04:00 · 2022-09-23 10:36:11 -04:00 · c9dfaa8376
commit c9dfaa8376
parent 08554e752b
1 changed files with 81 additions and 0 deletions
--- a/fs/unexpected-volume-contents.sql
+++ b/fs/unexpected-volume-contents.sql
@ -0,0 +1,81 @@
+-- EXPERIMENTAL --
+-- Scan removable volumes for sketchy files
+-- TODO: combine with disk_events table
+-- Inspired by ChromeLoader: https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
+SELECT RTRIM(file.path, "/") AS trimpath,
+    uid,
+    filename,
+    gid,
+    mode,
+    REGEX_MATCH(file.path, "(.*)/", 1) AS dirname,
+    REGEX_MATCH(RTRIM(file.path, "/"), ".*/(.*?)$", 1) AS basename,
+    REGEX_MATCH(RTRIM(file.path, "/"), ".*\.(.*?)$", 1) AS extension,
+    mtime,
+    ctime,
+    symlink,
+    type,
+    size,
+    hash.sha256,
+    magic.data,
+    signature.identifier,
+    signature.authority
+FROM file
+    LEFT JOIN hash on file.path = hash.path
+    LEFT JOIN magic ON file.path = magic.path
+    LEFT JOIN signature ON file.path = signature.path
+WHERE (
+        file.path LIKE "/Volumes/%/%"
+        OR file.path LIKE "/Volumes/%/.%"
+    )
+    AND file.path NOT LIKE "/Volumes/Macintosh HD%"
+    AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"
+    AND (
+        extension IN (
+            'command',
+            'lnk',
+            'mpkg',
+            -- Enable later once we know this query works well
+            --             'pkg',
+            'scpt',
+            'zip',
+            'dmg',
+            'iso',
+            'gz',
+            'sh',
+            'sql'
+        )
+        OR file.symlink != 0
+        OR basename LIKE ".%"
+        OR basename LIKE "%.sql%"
+        OR basename LIKE "%Chrome%"
+        OR basename LIKE "%Extension%"
+        OR basename LIKE "%enforce%"
+        OR basename LIKE "%hidden%"
+        OR basename LIKE "%Installer%"
+        OR basename LIKE "%mono%"
+        OR basename LIKE "%secret%"
+        OR basename LIKE "%sql%"
+        OR basename LIKE "%guard%"
+        OR basename LIKE "cg%"
+    ) -- exceptions go here
+    AND basename NOT IN (
+        '.',
+        '..',
+        '.vol',
+        '.VolumeIcon.icns',
+        '.background',
+        '.file',
+        '.Trashes',
+        '.TemporaryItems',
+        '.file-revisions-by-id',
+        '.shortcut-targets-by-id',
+        '.DS_Store'
+    )
+    AND authority NOT IN (
+        'Developer ID Application: Google LLC (EQHXZ8M8AV)'
+    ) -- Unsigned programs here
+    AND trimpath NOT IN (
+        '/Volumes/Google Chrome/.keystone_install',
+        '/Volumes/Google Chrome Canary/.keystone_install',
+        '/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg'
+    )