osquery-defense-kit/detection/evasion/unexpected-user-shared-entr...

88 lines
2.3 KiB
SQL

-- Find unexpected files in /Users/Shared
--
-- references:
-- * https://www.elastic.co/security-labs/inital-research-of-jokerspy
--
-- false positives:
-- * programs which create Shared files
--
-- tags: persistent state filesystem seldom
-- platform: darwin
SELECT
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.btime,
file.mode,
file.ctime,
file.gid,
hash.sha256,
magic.data,
RTRIM(
COALESCE(
REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
file.directory
),
"/"
) AS top3_dir
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE '/Users/Shared/%%'
OR file.path LIKE '/Users/Shared/.%'
OR file.path LIKE '/Users/Shared/.%/%%'
OR file.path LIKE '/Users/Shared/%/.%'
)
AND NOT (
file.type = 'directory'
OR file.size = 0
OR file.path LIKE '%/../%'
OR file.path LIKE '%/./%'
OR file.path IN (
'/Users/Shared/.BetaEnrollmentData.plist',
'/Users/Shared/.betamigrated',
'/Users/Shared/.com.intego.reporting.plist',
'/Users/Shared/.DS_Store',
'/Users/Shared/.ks.intego_metrics_2.plist',
'/Users/Shared/.localized',
'/Users/Shared/.userfonts.cachedb',
'/Users/Shared/CleanMyMac X/.licence',
'/Users/Shared/LogiTuneInstallerStarted.txt',
'/Users/Shared/.NSVolumeHeap',
'/Users/Shared/.SeedEnrollment.plist'
)
OR top3_dir IN (
'/Users/Shared/Adobe',
'/Users/Shared/AdobeGCData',
'/Users/Shared/AdobeGCInfo',
'/Users/Shared/Audiority',
'/Users/Shared/UnrealEngine',
'/Users/Shared/Canon_Inc_IC',
'/Users/Shared/CleanMyMac X',
'/Users/Shared/CleanMyMac X Menu',
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
'/Users/Shared/LogioptionsPlus',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/.logishrd',
'/Users/Shared/logitune',
'/Users/Shared/macenhance',
'/Users/Shared/Parallels',
'/Users/Shared/PPN',
'/Users/Shared/Previously Relocated Items',
'/Users/Shared/Red Giant',
'/Users/Shared/Relocated Items',
'/Users/Shared/TechSmith'
)
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
OR (
file.path LIKE "%.plist"
AND magic.data = 'XML 1.0 document, ASCII text'
)
)