osquery-defense-kit/detection/initial_access/unexpected-diskimage-name-macos.sql


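-- Surface ISO/DMG disk images that have suspicious names
--
-- references:
-- * https://objective-see.org/blog/blog_0x4E.html
--
-- false positives:
-- * unknown
--
-- platform: darwin
-- tags: persistent filesystem spotlight
--
-- Candidates come from Spotlight (the mdfind table), not a filesystem walk:
-- only files with a non-empty kMDItemWhereFroms attribute and an .iso/.dmg/.pkg
-- name are considered. The other tables (file, hash, extended_attributes, magic,
-- signature) are joined on the path Spotlight returned, so they are only read for
-- the files that matched.
SELECT
  file.path,
  file.size,
  datetime(file.btime, 'unixepoch') AS file_created,
  magic.data,
  hash.sha256,
  signature.identifier,
  signature.authority,
  ea.value AS url,
  -- host of the download URL with its first label removed (e.g. example.com for dl.example.com)
  REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
  -- full host of the download URL
  REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM
  mdfind
  -- LEFT JOINs keep mdfind as the driving table, so each osquery table below is
  -- queried with a path constraint rather than scanned. The WHERE filters on
  -- ea.key and file.btime drop rows without a file/extended_attributes match anyway.
  LEFT JOIN file ON mdfind.path = file.path
  LEFT JOIN hash ON mdfind.path = hash.path
  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
  LEFT JOIN magic ON mdfind.path = magic.path
  LEFT JOIN signature ON mdfind.path = signature.path
WHERE
  -- Spotlight query strings are single-quoted SQL literals (embedded quotes
  -- doubled) so they do not rely on SQLite's legacy double-quoted-string
  -- fallback; the strings handed to mdfind are unchanged.
  mdfind.query IN (
    'kMDItemWhereFroms != '''' && kMDItemFSName == ''*.iso''',
    'kMDItemWhereFroms != '''' && kMDItemFSName == ''*.dmg''',
    'kMDItemWhereFroms != '''' && kMDItemFSName == ''*.pkg'''
  )
  AND ea.key = 'where_from'
  -- created within the last 24 hours; btime is seconds since the Unix epoch
  AND file.btime > (strftime('%s', 'now') - 86400)
  -- filenames typical of lures; SQLite LIKE is case-insensitive for ASCII letters
  AND (
    file.filename LIKE 'Installer.%'
    OR file.filename LIKE '%Player.%'
    OR file.filename LIKE '% AIR %'
    OR file.filename LIKE '%Flash%'
    OR file.filename LIKE '%Resume%'
  )
  -- one row per download URL; the non-aggregated columns come from an arbitrary
  -- row of each group (SQLite bare-column semantics)
GROUP BY
  ea.value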