githubfoam / macos-githubactions

macos osquery


macos-githubactions

.github/workflows/macos-osquery-workflow.yml
matrix java macos CI workflow

CTI, DFIR, OSX

Finding specific indicators of compromise (IOCs) in memory or on disk: Facebook published osquery queries that detect Hacking Team's OS X backdoor (RCSMac) by looking for its persistence mechanisms (launchd entries, app bundles and scripting additions) and its file-system artifacts on OS X. The three queries below are the published ones; run them with osqueryi (or as a scheduled osqueryd query) and treat any returned row as a hit.

-- file-system artifact left by the backdoor: a plain file named like a pty device
select * from file where path = '/dev/ptmx0';
-- app bundle / scripting addition (OSAX) indicators; com.yourcompany.* is Xcode's old default bundle prefix
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
-- launchd persistence: the RCSMac label plus Apple-lookalike plist names
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';
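The following is an added example, not code from the githubfoam repo or from Facebook's post. It takes the three IOC queries above verbatim and runs them against an in-memory SQLite mock of the osquery `file`, `apps` and `launchd` tables (osquery's SQL is SQLite, so the WHERE clauses behave identically), so the matching logic can be exercised offline before it goes into a CI job. The table columns are a subset of the real osquery schema, the sample rows are constructed, and the helper names (`build_mock_db`, `run_ioc_queries`, `parse_osqueryi_json`, `has_hits`) are mine.

```python
"""Added example (not part of githubfoam/macos-githubactions): exercise the
Hacking Team RCSMac IOC queries against a SQLite mock of osquery's tables."""
import json
import sqlite3

# The IOC queries exactly as published on the page above.
IOC_QUERIES = {
    "file": "select * from file where path = '/dev/ptmx0';",
    "apps": (
        "select * from apps where bundle_identifier = 'com.ht.RCSMac' "
        "or bundle_identifier like 'com.yourcompany.%' "
        "or bundle_package_type like 'OSAX';"
    ),
    "launchd": (
        "select * from launchd where label = 'com.ht.RCSMac' "
        "or label like 'com.yourcompany.%' "
        "or name = 'com.apple.loginStoreagent.plist' "
        "or name = 'com.apple.mdworker.plist' "
        "or name = 'com.apple.UIServerLogin.plist';"
    ),
}

# Constructed sample rows (a subset of the real osquery columns). Each table
# mixes benign entries with the artifacts the queries are meant to catch.
SAMPLE_FILE = [
    ("/dev/ptmx", "character"),
    ("/dev/ptmx0", "regular"),        # RCSMac artifact: a plain file inside /dev
    ("/etc/hosts", "regular"),
]
SAMPLE_APPS = [
    ("Safari", "com.apple.Safari", "APPL"),
    ("Agent", "com.yourcompany.Agent", "APPL"),   # old Xcode default bundle prefix
    ("Hook", "com.ht.RCSMac", "OSAX"),            # scripting-addition bundle
]
SAMPLE_LAUNCHD = [
    ("/System/Library/LaunchAgents/com.apple.mdworker.shared.plist",
     "com.apple.mdworker.shared.plist", "com.apple.mdworker.shared"),  # legitimate
    ("/Library/LaunchAgents/com.apple.loginStoreagent.plist",
     "com.apple.loginStoreagent.plist", "com.apple.loginStoreagent"),  # Apple lookalike
    ("/Library/LaunchAgents/com.yourcompany.agent.plist",
     "com.yourcompany.agent.plist", "com.yourcompany.agent"),
    ("/System/Library/LaunchDaemons/ssh.plist", "ssh.plist", "com.openssh.sshd"),
]


def build_mock_db() -> sqlite3.Connection:
    """Create an in-memory SQLite DB shaped like the three osquery tables."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        "create table file(path text, type text);"
        "create table apps(name text, bundle_identifier text, bundle_package_type text);"
        "create table launchd(path text, name text, label text);"
    )
    conn.executemany("insert into file values (?, ?)", SAMPLE_FILE)
    conn.executemany("insert into apps values (?, ?, ?)", SAMPLE_APPS)
    conn.executemany("insert into launchd values (?, ?, ?)", SAMPLE_LAUNCHD)
    conn.commit()
    return conn


def run_ioc_queries(conn: sqlite3.Connection) -> dict:
    """Run every IOC query; return {table: [row dicts]} for the rows that matched."""
    return {
        table: [dict(row) for row in conn.execute(query)]
        for table, query in IOC_QUERIES.items()
    }


def parse_osqueryi_json(raw: str) -> list:
    """Parse the stdout of `osqueryi --json '<query>'` (a JSON array of row
    objects). On a real macOS runner this replaces the SQLite mock: run each
    query through osqueryi and feed its output here instead of conn.execute."""
    return json.loads(raw)


def has_hits(results: dict) -> bool:
    """True if any IOC query returned at least one row, i.e. fail the CI job."""
    return any(rows for rows in results.values())


if __name__ == "__main__":
    hits = run_ioc_queries(build_mock_db())
    for table, rows in hits.items():
        for row in rows:
            print(f"[IOC] {table}: {row}")
    raise SystemExit(1 if has_hits(hits) else 0)
```

Note that SQLite's `like` is case-insensitive for ASCII, so `bundle_package_type like 'OSAX'` also matches a lower-case `osax`; that is the same behaviour osquery itself has. Because `com.yourcompany.%` was Xcode's default bundle prefix for years, expect some benign hits from that clause on developer machines and triage them rather than suppressing the query.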


macos_osquery: https://gist.github.com/githubfoam/6753b5efad8e5ab8fa2ca29ce7b29988
windows_osquery: https://gist.github.com/githubfoam/afeb4fbbee731c427d645382e59b7948
linux_osquery: https://gist.github.com/githubfoam/0babb95da5845b8d4ee41f5711de637a
predefined tables (osquery schema 4.1.1): https://osquery.io/schema/4.1.1

osquery Linux install docs: https://osquery.readthedocs.io/en/stable/installation/install-linux/

Related macOS endpoint tooling:
https://github.com/google/santa (binary authorization for macOS)
https://github.com/groob/moroz (Santa sync server)
https://github.com/zentralopensource/zentral (fleet management integrating osquery and Santa)

GitHub-hosted runner images (the macOS runner this workflow executes on):
https://github.com/actions/runner-images

License:GNU General Public License v3.0


Languages

Language:Shell 100.0%