osquery-defense-kit/detection/evasion/unexpected-kernel-extensions-macos.sql
Ian Brown 551d7dbb8c
fpr: Fujitsu, vmware, objective-see, paragon, etc
Signed-off-by: Ian Brown <ian@zestysoft.com>
2023-02-18 12:02:40 -08:00


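-- Find unexpected 3rd-party kernel extensions
--
-- Anything the kernel has loaded from outside /System/Library/Extensions/
-- is reported, except the kernel itself (idx 0, name __kernel__) and the
-- vendor exceptions listed in the WHERE clause below. The path-prefix skip
-- is only as trustworthy as SIP / the sealed system volume on the host: on
-- a machine with SIP disabled, a kext dropped under
-- /System/Library/Extensions/ would be skipped by this query as well.
--
-- exception_key is "path,name,version,linked_against". Keying on the bundle
-- path and bundle id (not the display name alone) means a kext that reuses a
-- familiar bundle id from an unfamiliar location still alerts.
--
-- NOTE(review): nothing here checks the kext's code signature, so a kext
-- replaced in place (same staged path, same bundle id) is accepted by the
-- prefix exceptions; joining osquery's signature table on path would allow
-- a stricter exception if that matters for your fleet.
--
-- false positives:
-- * CalDigit USB hub driver (pinned to version 1, linked_against <3>)
-- * Paragon NTFS / ExtFS drivers (any version)
-- * macFUSE (any version)
--
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
  linked_against,
  name,
  path,
  size,
  version,
  path || ',' || name || ',' || version || ',' || linked_against AS exception_key
FROM
  kernel_extensions
WHERE
  path NOT LIKE '/System/Library/Extensions/%'
  -- the kernel binary itself is loaded from outside /System/Library/Extensions/
  AND NOT (
    idx = 0
    AND name = '__kernel__'
  )
  -- exact-match exceptions: version and linked_against are pinned, so a new
  -- driver release will alert until the key is updated here
  AND exception_key NOT IN (
    '/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>'
  )
  -- prefix-match exceptions: any version / linked_against of these bundles
  -- is accepted, so routine driver updates do not alert
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'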