osquery-defense-kit/detection/execution/unexpected-mounts.sql
2022-10-13 14:59:32 -04:00

10 lines
241 B
SQL

-- Detect weird mounts, like mounting the EFI partition
-- See https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
SELECT
*
FROM
mounts
WHERE
device = '/dev/disk0s1'
AND type = 'msdos';