mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-16 02:54:36 +00:00
46 lines
1.3 KiB
SQL
46 lines
1.3 KiB
SQL
-- Surface ISO/DMG disk images that have suspicious names
|
|
--
|
|
-- references:
|
|
-- * https://objective-see.org/blog/blog_0x4E.html
|
|
--
|
|
-- false positives:
|
|
-- * unknown
|
|
--
|
|
-- platform: darwin
|
|
-- tags: persistent filesystem spotlight
|
|
SELECT
|
|
file.path,
|
|
file.size,
|
|
datetime(file.btime, 'unixepoch') AS file_created,
|
|
magic.data,
|
|
hash.sha256,
|
|
signature.identifier,
|
|
signature.authority,
|
|
ea.value AS url,
|
|
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
|
|
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
|
|
FROM
|
|
mdfind
|
|
LEFT JOIN file ON mdfind.path = file.path
|
|
LEFT JOIN hash ON mdfind.path = hash.path
|
|
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
|
|
LEFT JOIN magic ON mdfind.path = magic.path
|
|
LEFT JOIN signature ON mdfind.path = signature.path
|
|
WHERE
|
|
(
|
|
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
|
|
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
|
|
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
|
|
)
|
|
AND ea.key = 'where_from'
|
|
AND file.btime > (strftime('%s', 'now') -86400)
|
|
AND (
|
|
file.filename LIKE 'Installer.%'
|
|
OR file.filename LIKE '%Player.%'
|
|
OR file.filename LIKE '% AIR %'
|
|
OR file.filename LIKE '%Flash%'
|
|
OR file.filename LIKE '%Resume%'
|
|
)
|
|
GROUP BY
|
|
ea.value
|