Unexpected Gatekeeper Approvals (macOS)

osquery
Gatekeeper approvals are per-binary exceptions granted to downloaded executables; this query reports approvals whose path or signing authority is outside the expected allow-list.
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Gatekeeper exceptions are exceptions for downloaded binaries
--
-- references:
--   * https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
--
-- false positives:
--   * developers downloading binaries from Github
--
-- platform: darwin
-- tags: persistent filesystem state gatekeeper
SELECT
  gap.ctime,
  gap.mtime,
  gap.path,
  file.mtime,
  file.uid,
  file.ctime,
  file.gid,
  hash.sha256,
  signature.identifier,
  signature.authority
FROM
  gatekeeper_approved_apps AS gap
  LEFT JOIN file ON gap.path = file.path
  LEFT JOIN hash ON gap.path = hash.path
  LEFT JOIN signature ON gap.path = signature.path
WHERE
  gap.path NOT LIKE '/Users/%/bin/%'
  AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
  AND gap.path NOT LIKE '/Users/%/%-darwin-a%64'
  AND gap.path NOT LIKE '/Users/%/bom'
  AND gap.path NOT LIKE '/Users/%/configure'
  AND gap.path NOT LIKE '/Users/%/cosign-%'
  AND gap.path NOT LIKE '/Users/%/crane'
  AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
  AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
  AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
  AND gap.path NOT LIKE '/Users/%/Downloads/missp'
  AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
  AND gap.path NOT LIKE '/Users/%/Downloads/twistcli'
  AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
  AND gap.path NOT LIKE '/Users/%/rekor-cli'
  AND gap.path NOT LIKE '/Users/%/trivy'
  AND gap.path NOT LIKE '/usr/local/bin/%'
  AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
GROUP BY
  gap.requirement
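The WHERE clause above is a SQL LIKE allow-list, so the only way to know what it lets through is to apply the patterns to concrete paths. The following is an added example, not code from osquery-defense-kit: it transcribes the query's exclusions, implements LIKE semantics (`%` any run, `_` exactly one character), applies the authority exclusion and the GROUP BY collapse, and runs it over constructed sample rows. The row shape and the `cdhash` requirement strings are assumptions for illustration.

```python
import re

# Allow-list transcribed from the NOT LIKE clauses of the ODK query above.
ODK_PATH_EXCLUSIONS = [
    '/Users/%/bin/%', '/Users/%/%_darwin_a%64%', '/Users/%/%-darwin-a%64',
    '/Users/%/bom', '/Users/%/configure', '/Users/%/cosign-%', '/Users/%/crane',
    '/Users/%/Downloads/%_arm64%/%', '/Users/%/Downloads/cosign',
    '/Users/%/Downloads/grpcurl_%', '/Users/%/Downloads/missp',
    '/Users/%/Downloads/openresty%/bundle/install', '/Users/%/Downloads/twistcli',
    '/Users/%/Downloads/U_STIGViewer%/STIGViewer', '/Users/%/rekor-cli',
    '/Users/%/trivy', '/usr/local/bin/%',
]
EXCLUDED_AUTHORITY = 'Developer ID Application: Jamie Zawinski (4627ATJELP)'

def like_to_regex(pattern):
    """SQL LIKE semantics: '%' matches any run of characters, '_' exactly one.
    Note that '_' is a wildcard, so '%_darwin_a%64%' does not require an underscore."""
    body = ''.join('.*' if c == '%' else '.' if c == '_' else re.escape(c)
                   for c in pattern)
    return re.compile('^' + body + '$', re.DOTALL)

_EXCLUSION_RES = [like_to_regex(p) for p in ODK_PATH_EXCLUSIONS]

def is_allowlisted(path, authority):
    """True when the query's WHERE clause would drop this Gatekeeper approval."""
    return authority == EXCLUDED_AUTHORITY or any(r.match(path) for r in _EXCLUSION_RES)

def find_unexpected(rows):
    """Apply the WHERE clause, then keep one row per requirement (the GROUP BY).
    Returns the rows an alert would carry; an empty list means 'healthy'."""
    seen, alerts = set(), []
    for row in rows:
        if is_allowlisted(row['path'], row['authority']) or row['requirement'] in seen:
            continue
        seen.add(row['requirement'])
        alerts.append(row)
    return alerts

# Constructed sample rows (not real telemetry), shaped like the query's join output.
SAMPLE_ROWS = [
    {'path': '/Users/alice/bin/kubectl', 'authority': '', 'requirement': 'cdhash H"0001"'},
    {'path': '/Users/alice/Downloads/gh_2.40.0_darwin_arm64/gh', 'authority': '', 'requirement': 'cdhash H"0002"'},
    {'path': '/Users/alice/trivy-darwin-arm64', 'authority': '', 'requirement': 'cdhash H"0003"'},
    {'path': '/Users/bob/Applications/Saver.app/Contents/MacOS/Saver',
     'authority': EXCLUDED_AUTHORITY, 'requirement': 'cdhash H"0004"'},
    # Unsigned binary approved from Downloads, outside every pattern: this should alert.
    {'path': '/Users/alice/Downloads/Invoice.pdf.app/Contents/MacOS/Invoice', 'authority': '', 'requirement': 'cdhash H"0005"'},
    # Same requirement (same cdhash) at a second path: collapsed into the row above.
    {'path': '/private/tmp/Invoice', 'authority': '', 'requirement': 'cdhash H"0005"'},
]
```

Running `find_unexpected(SAMPLE_ROWS)` yields a single row for the Invoice binary; the first four rows are all absorbed by the allow-list, which is the behaviour the "false positives" comment in the query is describing.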


Reference

https://github.com/chainguard-dev/osquery-defense-kit