# macos
m
I saw this tweet which is related to macOS ransomware https://twitter.com/lordx64/status/1314614366361264130 ..
Does anyone know how we can detect the ransomware-related activity using osquery for macOS or Linux? Like identify any spike in file creation, renaming or deletion by a specific user or process. Of course it requires a good amount of baselining, but I would like to start with some basic query structure?
s
Honestly, I'd just alert on a process_event for diskutil apfs addVolume. It should be quite rare for most users.
a
If you detect ASCII skulls I'd think that would work too.