Unexpected Diskimage Name Macos

Surface ISO/DMG disk images that have suspicious names

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Surface ISO/DMG disk images that have suspicious names
--
-- references:
--   * https://objective-see.org/blog/blog_0x4E.html
--
-- false positives:
--   * unknown
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT
  file.path,
  file.size,
  datetime(file.btime, 'unixepoch') AS file_created,
  magic.data,
  hash.sha256,
  signature.identifier,
  signature.authority,
  ea.value AS url,
  REGEX_MATCH (ea.value, '/[\\w_-]+\\.([\\w\\._-]+)[:/]', 1) AS domain,
  REGEX_MATCH (ea.value, '/([\\w_-]+\\.[\\w\\._-]+)[:/]', 1) AS host
FROM
  mdfind
  LEFT JOIN file ON mdfind.path = file.path
  LEFT JOIN hash ON mdfind.path = hash.path
  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
  LEFT JOIN magic ON mdfind.path = magic.path
  LEFT JOIN signature ON mdfind.path = signature.path
WHERE
  (
    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
  )
  AND ea.key = 'where_from'
  AND file.btime > (strftime('%s', 'now') -86400)
  AND (
    file.filename LIKE 'Installer.%'
    OR file.filename LIKE '%Player.%'
    OR file.filename LIKE '% AIR %'
    OR file.filename LIKE '%Flash%'
    OR file.filename LIKE '%Resume%'
  )
GROUP BY
  ea.value

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit