osquery-defense-kit/detection/initial_access/unexpected-volume-names.sql

30 lines
778 B
SQL

-- Notices volumes with unusual names
--
-- references:
-- * https://objective-see.org/blog/blog_0x4E.html (Shlayer)
--
-- tags: transient volume filesystem often
-- platform: darwin
SELECT mounts.path,
mounts.device,
mounts.type,
REGEX_MATCH (mounts.path, '.*/(.*)', 1) AS vol_name,
block_devices.vendor,
block_devices.model,
block_devices.uuid
FROM mounts
LEFT JOIN block_devices ON mounts.device = block_devices.name
WHERE block_devices.type NOT IN ('Apple Fabric', 'PCI-Express')
AND vol_name NOT LIKE '%backup%'
AND vol_name NOT IN (
'Slack',
'Docker',
'Figma Agent Installer',
'WhatsApp Installer',
'Snagit',
'Bartender 4'
)
AND vol_name NOT LIKE 'Signal %-universal'
AND vol_name NOT LIKE 'Gephi %'
AND mounts.path NOT LIKE '/private/tmp/KSInstallAction.%'