
-- Look for sketchy download files based on keywords
--
-- references:
-- - https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
--
-- tags: persistent filesystem
-- platform: darwin
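-- Files in ~/Downloads whose extension is one commonly abused by droppers AND whose
-- name contains a lure-style keyword. Every enrichment table is LEFT JOINed so a
-- missing magic/hash/xattr/signature row never suppresses a hit.
SELECT
  file.filename,
  -- text after the last '.' in the filename (NULL when there is no dot)
  REGEX_MATCH (file.filename, '.*\.(.*?)$', 1) AS extension,
  magic.data,
  hash.sha256,
  -- origin URL recorded by the downloading application, when present
  ea.value AS download_url,
  signature.authority AS s_auth,
  signature.identifier AS s_id
FROM
  file
  LEFT JOIN magic ON file.path = magic.path
  LEFT JOIN hash ON file.path = hash.path
  -- the xattr key filter belongs in ON, not WHERE, so files without the
  -- attribute are kept (with download_url = NULL) instead of being dropped
  LEFT JOIN extended_attributes AS ea ON file.path = ea.path
  AND ea.key = 'where_from'
  LEFT JOIN signature ON file.path = signature.path
WHERE
  file.path LIKE '/Users/%/Downloads/%'
  -- Frequently targeted extensions for InfoStealer attacks.
  -- IN is case-sensitive in SQLite, so the extension is lower-cased first;
  -- otherwise a file such as 'Installer.DMG' would be silently skipped.
  AND LOWER(extension) IN ('dmg', 'exe', 'rar', 'pkg')
  -- Lure keywords. LIKE is case-insensitive for ASCII in SQLite, so the
  -- mixed case below is cosmetic rather than a filter.
  AND (
    file.filename LIKE '%Adobe Photoshop%'
    OR file.filename LIKE '%.app%'
    OR file.filename LIKE '%Advertising%'
    OR file.filename LIKE '%agreement%'
    OR file.filename LIKE '%animated%'
    OR file.filename LIKE '%Brief%'
    OR file.filename LIKE '%confidentiality%'
    -- 'conract' looks like a misspelling of 'contract'; kept deliberately, since
    -- lure filenames are often misspelled -- confirm it is intended
    OR file.filename LIKE '%conract%'
    OR file.filename LIKE '%contract%'
    OR file.filename LIKE '%cover%'
    OR file.filename LIKE '%crack%'
    OR file.filename LIKE '%description%'
    OR file.filename LIKE '%Flash%'
    OR file.filename LIKE '%resume%'
    OR file.filename LIKE 'cv%'
    OR file.filename LIKE '%cv'
    OR file.filename LIKE '%curriculum%'
    OR file.filename LIKE '%freyavr%'
    OR file.filename LIKE '%game%'
    OR file.filename LIKE '%immediate%'
    OR file.filename LIKE '%logos%'
    OR file.filename LIKE '%official%'
    OR file.filename LIKE '%pdf%'
    OR file.filename LIKE '%Player%'
    OR file.filename LIKE '%poster%'
    OR file.filename LIKE '%presentation%'
    OR file.filename LIKE '%receipt%'
    OR file.filename LIKE '%reference%'
    OR file.filename LIKE '%terms%'
    OR file.filename LIKE '%secret%'
    OR file.filename LIKE '%confidential%'
    OR file.filename LIKE '%trading%'
    OR file.filename LIKE '%Update%'
    OR file.filename LIKE '%weed%'
  )
  -- False positives: known-good installers whose names happen to contain a
  -- keyword above. Keep these patterns as narrow as possible.
  AND NOT (
    file.filename LIKE 'LogiPresentation%.dmg'
    OR file.filename = 'googlesoftwareupdate.dmg'
    OR file.filename LIKE 'pdftk_server-%-win-setup.exe'
    OR file.filename LIKE 'PioneerDriveUpdaterBDR%.dmg'
    OR file.filename LIKE '%MacVim%.dmg'
    OR file.filename LIKE 'CalDigit_%_PD_Firmware_Updater_v%_Mac.dmg'
    OR file.filename LIKE 'TS%-Thunderbolt-Firmware-Updater-Uninstaller.dmg'
    OR file.filename LIKE 'PA Lottery Player Location Check%.dmg'
  )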