RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/startup/fake-apple-launchd.sql

14 lines
278 B
SQL
Raw Blame History

-- https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
select
*
FROM
signature s
JOIN launchd d ON d.program_arguments = s.path
WHERE
d.name LIKE 'com.apple.%'
AND (
signed = 0
OR authority != 'Software Signing'
)
AND d.run_at_load = 1;
Reference in New Issue View Git Blame Copy Permalink