-- Detect unusual mounts, such as the EFI partition being mounted.
--
-- Reference: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
--
-- A returned row means the device node below is currently listed in the
-- mounts table with an msdos filesystem type; no rows means no match.
-- NOTE(review): the device node is hard-coded -- presumably the EFI partition
-- of the first internal disk. Confirm on hosts whose partition layout differs,
-- because a mount from any other device node will not match this filter.
-- SELECT * is kept so every column of the matching mounts row is reported.
SELECT *
FROM mounts
WHERE type = 'msdos'
  AND device = '/dev/disk0s1';