mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-11 08:34:34 +00:00
82 lines
2.1 KiB
SQL
82 lines
2.1 KiB
SQL
-- Find unexpected files in /Users/Shared
|
|
--
|
|
-- references:
|
|
-- * https://www.elastic.co/security-labs/inital-research-of-jokerspy
|
|
--
|
|
-- false positives:
|
|
-- * programs which create Shared files
|
|
--
|
|
-- tags: persistent state filesystem seldom
|
|
-- platform: darwin
|
|
SELECT
|
|
file.path,
|
|
file.type,
|
|
file.size,
|
|
file.mtime,
|
|
file.uid,
|
|
file.btime,
|
|
file.mode,
|
|
file.ctime,
|
|
file.gid,
|
|
hash.sha256,
|
|
magic.data,
|
|
RTRIM(
|
|
COALESCE(
|
|
REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
|
|
file.directory
|
|
),
|
|
"/"
|
|
) AS top3_dir
|
|
FROM
|
|
file
|
|
LEFT JOIN hash ON file.path = hash.path
|
|
LEFT JOIN magic ON file.path = magic.path
|
|
WHERE
|
|
(
|
|
file.path LIKE '/Users/Shared/%%'
|
|
OR file.path LIKE '/Users/Shared/.%'
|
|
OR file.path LIKE '/Users/Shared/.%/%%'
|
|
OR file.path LIKE '/Users/Shared/%/.%'
|
|
)
|
|
AND NOT (
|
|
file.type = 'directory'
|
|
OR file.path LIKE '%/../%'
|
|
OR file.path LIKE '%/./%'
|
|
OR file.path IN (
|
|
'/Users/Shared/.BetaEnrollmentData.plist',
|
|
'/Users/Shared/.betamigrated',
|
|
'/Users/Shared/.DS_Store',
|
|
'/Users/Shared/.ks.intego_metrics_2.pli',
|
|
'/Users/Shared/.localized',
|
|
'/Users/Shared/CleanMyMac X/.licence',
|
|
'/Users/Shared/LogiTuneInstallerStarted.txt',
|
|
'/Users/Shared/.NSVolumeHeap',
|
|
'/Users/Shared/.SeedEnrollment.plist'
|
|
)
|
|
OR top3_dir IN (
|
|
'/Users/Shared/Adobe',
|
|
'/Users/Shared/AdobeGCData',
|
|
'/Users/Shared/AdobeGCInfo',
|
|
'/Users/Shared/Audiority',
|
|
'/Users/Shared/Canon_Inc_IC',
|
|
'/Users/Shared/LGHUB',
|
|
'/Users/Shared/logi',
|
|
'/Users/Shared/LogioptionsPlus',
|
|
'/Users/Shared/LogiOptionsPlus',
|
|
'/Users/Shared/.logishrd',
|
|
'/Users/Shared/logitune',
|
|
'/Users/Shared/macenhance',
|
|
'/Users/Shared/Parallels',
|
|
'/Users/Shared/PPN',
|
|
'/Users/Shared/Previously Relocated Items',
|
|
'/Users/Shared/Red Giant',
|
|
'/Users/Shared/Relocated Items',
|
|
'/Users/Shared/TechSmith'
|
|
)
|
|
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
|
|
OR (
|
|
file.path LIKE "%.plist"
|
|
AND magic.data = 'XML 1.0 document, ASCII text'
|
|
)
|
|
)
|