Add support for .pkg files

2025-02-02 18:51:37 +00:00 · 2023-01-13 13:47:02 -05:00 · 2023-01-13 13:47:02 -05:00 · dd3149a34b
commit dd3149a34b
parent 1bd030a2f2
1 changed files with 1 additions and 0 deletions
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -27,6 +27,7 @@ WHERE
  (
    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
+    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
  )
  AND ea.key = 'where_from'
  AND file.btime > (strftime('%s', 'now') -86400)