Description: Watches for known backdoored Python packages installed on the system. See http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
What The Data Shows: Known Back-doored Python Packages
SQL:
-- The inner select aggregates without GROUP BY, so it always returns exactly one
-- row: cnt = 0 yields NONE_INSTALLED, anything else yields INSTALLED with every
-- matching package, version and path listed (group_concat) instead of an
-- arbitrary single one. The misspelled names (acqusition, urlib3, ...) are the
-- typosquatted package names from the advisory, not typos in the query.
select
  case cnt
    when 0 then 'NONE_INSTALLED'
    else 'INSTALLED'
  end as "Malicious Python Packages",
  package_name,
  package_version,
  package_path
from (select count(name) as cnt,
             group_concat(name, ', ') as package_name,
             group_concat(version, ', ') as package_version,
             group_concat(path, ', ') as package_path
      from python_packages
      where name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));
Credit: https://www.alibabacloud.com/blog/server-endpoint-security-with-osquery_594950
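The same check outside osquery, as an added example that is not part of the original pack or the credited blog post: it normalizes installed names per PEP 503 before comparing, because SQLite's `in` compares strings case-sensitively and a distribution registered as `Urllib` or `setup_tools` would slip past the query above. The inventory in the block is constructed sample data; `installed_packages()` reads the running interpreter instead.

```python
import re
from importlib.metadata import distributions

# Typosquatted names from the SK-CERT advisory quoted in the query above.
# The misspellings (acqusition, urlib3, ...) are the malicious names themselves.
BACKDOORED_PACKAGES = {
    "acqusition", "apidev-coop", "bzip", "crypt", "django-server",
    "pwd", "setup-tools", "telnet", "urlib3", "urllib",
}

# Constructed inventory in the (name, version, path) shape of osquery's
# python_packages table; versions and paths are made up for the example.
SAMPLE_INVENTORY = [
    ("requests", "2.31.0", "/usr/lib/python3/dist-packages"),
    ("urllib3", "1.26.18", "/usr/lib/python3/dist-packages"),          # legitimate
    ("Urllib", "1.21.1", "/usr/local/lib/python3.11/site-packages"),   # typosquat
    ("setup_tools", "0.1", "/home/dev/.local/lib/python3.11/site-packages"),
]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_backdoored(installed, blocklist=BACKDOORED_PACKAGES):
    """Return (status, matches) mirroring the query's NONE_INSTALLED / INSTALLED
    verdict, but matching on normalized names so casing and separators do not
    hide a hit. matches keeps the original (name, version, path) tuples."""
    wanted = {normalize(n) for n in blocklist}
    matches = [(n, v, p) for n, v, p in installed if normalize(n) in wanted]
    return ("INSTALLED" if matches else "NONE_INSTALLED"), matches


def installed_packages():
    """Enumerate the running interpreter's distributions as (name, version, path)."""
    return [(d.metadata["Name"], d.version, str(d.locate_file("")))
            for d in distributions() if d.metadata["Name"]]


if __name__ == "__main__":
    status, hits = find_backdoored(SAMPLE_INVENTORY)
    print(status)
    for name, version, path in hits:
        print(f"  {name} {version} ({path})")
```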