35 lines
884 B
SQL
35 lines
884 B
SQL
-- Find database exports. Will need tuning based on your table names.
|
|
--
|
|
-- false positives:
|
|
-- * none observed
|
|
--
|
|
-- references:
|
|
-- * https://attack.mitre.org/techniques/T1530/ (Data from Cloud Storage Object )
|
|
--
|
|
-- platform: darwin
|
|
-- tags: persistent filesystem spotlight
|
|
SELECT
|
|
f.path,
|
|
f.size,
|
|
datetime(f.btime, 'unixepoch') AS file_created,
|
|
magic.data
|
|
FROM
|
|
file f
|
|
JOIN mdfind ON mdfind.path = f.path
|
|
LEFT JOIN magic ON f.path = magic.path
|
|
WHERE
|
|
(
|
|
(
|
|
mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
|
|
)
|
|
OR (
|
|
mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
|
|
)
|
|
OR (
|
|
mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
|
|
)
|
|
)
|
|
AND f.path NOT LIKE '%.json'
|
|
AND f.path NOT LIKE '%.log'
|
|
AND f.size > 32768
|