
MaxosxOsquery

10/12/2020, 11:11 AM
I saw this tweet which is related to macOS ransomware: https://twitter.com/lordx64/status/1314614366361264130
Does anyone know how we can detect the ransomware-related activity using osquery for macOS or Linux? Like identifying any spike in file creation, renaming, or deletion by a specific user or process. Of course it requires a good amount of baselining, but I would like to start with some basic query structure?

sundsta

10/12/2020, 5:35 PM
Honestly, I'd just alert on a process_event for "diskutil apfs addVolume". It should be quite rare for most users.

allister

10/13/2020, 2:25 AM
If you detect ASCII skulls, I'd think that would work too.