RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-16 09:27:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
97343fc348
osquery-defense-kit/detection/exfil/spotlight-database-export-macos.sql

26 lines
662 B
SQL
Raw Blame History

-- Find database exports. Will need tuning based on your table names.
SELECT
f.path,
f.size,
datetime(f.btime, "unixepoch") AS file_created,
magic.data
FROM
file f
JOIN mdfind ON mdfind.path = f.path
LEFT JOIN magic ON f.path = magic.path
WHERE
(
(
mdfind.query = "kMDItemFSName == '*enforce*' && kMDItemTextContent == 'CREATE TABLE'"
)
OR (
mdfind.query = "kMDItemFSName == '*iam*' && kMDItemTextContent == 'CREATE TABLE'"
)
OR (
mdfind.query = "kMDItemFSName == '*tenant*' && kMDItemTextContent == 'CREATE TABLE'"
)
)
AND f.path NOT LIKE "%.json"
AND f.path NOT LIKE "%.log"
AND f.size > 32768
Reference in New Issue View Git Blame Copy Permalink