RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/exfil/spotlight-database-export-m...

23 lines
716 B
SQL
Raw Blame History

-- Find database exports. Will need tuning based on your table names.
SELECT f.path,
f.size,
datetime(f.btime, "unixepoch") AS file_created,
magic.data
FROM file f
JOIN mdfind ON mdfind.path = f.path
LEFT JOIN magic ON f.path = magic.path
WHERE (
(
mdfind.query = "kMDItemFSName == '*enforce*' && kMDItemTextContent == 'CREATE TABLE'"
)
OR (
mdfind.query = "kMDItemFSName == '*iam*' && kMDItemTextContent == 'CREATE TABLE'"
)
OR (
mdfind.query = "kMDItemFSName == '*tenant*' && kMDItemTextContent == 'CREATE TABLE'"
)
)
AND f.path NOT LIKE "%.json"
AND f.path NOT LIKE "%.log"
AND f.size > 32768
Reference in New Issue View Git Blame Copy Permalink