47 lines
1.5 KiB
SQL
47 lines
1.5 KiB
SQL
-- Gatekeeper exceptions are exceptions for downloaded binaries
|
|
--
|
|
-- references:
|
|
-- * https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
|
|
--
|
|
-- false positives:
|
|
-- * developers downloading binaries from Github
|
|
--
|
|
-- platform: darwin
|
|
-- tags: persistent filesystem state gatekeeper
|
|
SELECT
|
|
gap.ctime,
|
|
gap.mtime,
|
|
gap.path,
|
|
file.mtime,
|
|
file.uid,
|
|
file.ctime,
|
|
file.gid,
|
|
hash.sha256,
|
|
signature.identifier,
|
|
signature.authority
|
|
FROM
|
|
gatekeeper_approved_apps AS gap
|
|
LEFT JOIN file ON gap.path = file.path
|
|
LEFT JOIN hash ON gap.path = hash.path
|
|
LEFT JOIN signature ON gap.path = signature.path
|
|
WHERE
|
|
gap.path NOT LIKE '/Users/%/bin/%'
|
|
AND gap.path NOT LIKE '/Users/%/%-darwin-a%64'
|
|
AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/missp'
|
|
AND gap.path NOT LIKE '/Users/%/bom'
|
|
AND gap.path NOT LIKE '/Users/%/configure'
|
|
AND gap.path NOT LIKE '/Users/%/cosign-%'
|
|
AND gap.path NOT LIKE '/Users/%/crane'
|
|
AND gap.path NOT LIKE '/Users/%/rekor-cli'
|
|
AND gap.path NOT LIKE '/Users/%/trivy'
|
|
AND gap.path NOT LIKE '/usr/local/bin/%'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
|
|
AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
|
|
AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
|
|
GROUP BY
|
|
gap.requirement
|