
macOS Kernel Extensions + Hashes

Description: This gets all non-Apple (non /System/Library/Extensions) kernel extensions, and then hashes them for upload to VirusTotal (MD5)

What The Data Shows: Malicious kernel extensions are rare, but here's a way to expand your

SQL:

WITH kext_bins as (SELECT path FROM file
    WHERE directory IN
        (SELECT path || '/Contents/MacOS/'
        FROM kernel_extensions
        WHERE path NOT LIKE '/System/Library/%')
)
SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5
FROM signature s JOIN hash h USING (path)
WHERE path IN kext_bins AND s.hash_resources = 0 AND s.arch != '';

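A small post-processing script, added here as an example and not part of the original post or any Carbon Black tool: it takes the JSON that `osqueryi --json` prints for the query above (a constructed sample is embedded, with made-up paths, developer IDs and hashes), deduplicates the MD5s so each distinct file is looked up once, lists the kexts that carry no signature, flags rows whose hash is missing, and groups paths by signing authority so an unfamiliar developer ID stands out. The `substr(s.authority, 27)` in the query drops the 26-character prefix "Developer ID Application: ", so the sample's `authority` values hold just the developer name and team ID. The row shape, the one-row-per-architecture behaviour for universal binaries and the empty-MD5 case are assumptions about osquery's output, not something the post states.

```python
import json
import re
from collections import defaultdict

# Constructed sample of what `osqueryi --json` would emit for the kext query
# (assumed shape: a JSON array of row objects keyed by the SELECT column names;
# osquery returns every value as a string). Paths, developer IDs and hashes
# are made up for this example.
SAMPLE_OSQUERY_JSON = json.dumps([
    # Assumed: a universal binary yields one signature row per arch, but the
    # hash table hashes the whole file, so the MD5 is identical on both rows.
    {"path": "/Library/Extensions/ExampleVendor.kext/Contents/MacOS/ExampleVendor",
     "arch": "x86_64", "signed": "1",
     "authority": "Example Vendor Inc (ABCDE12345)",
     "md5": "0f343b0931126a20f133d67c2b018a3b"},
    {"path": "/Library/Extensions/ExampleVendor.kext/Contents/MacOS/ExampleVendor",
     "arch": "arm64", "signed": "1",
     "authority": "Example Vendor Inc (ABCDE12345)",
     "md5": "0f343b0931126a20f133d67c2b018a3b"},
    # Unsigned kext: no authority at all; the row a defender looks at first.
    {"path": "/Library/Extensions/Unknown.kext/Contents/MacOS/Unknown",
     "arch": "x86_64", "signed": "0", "authority": "",
     "md5": "9e107d9d372bb6826bd81d3542a419d6"},
    # Signed by a second developer ID.
    {"path": "/Library/Extensions/OtherVendor.kext/Contents/MacOS/OtherVendor",
     "arch": "x86_64", "signed": "1",
     "authority": "Other Vendor LLC (ZYXWV98765)",
     "md5": "e4d909c290d0fb1ca068ffaddf22cbd0"},
    # Assumed: an unreadable file leaves the md5 column empty; nothing to look up.
    {"path": "/Library/Extensions/Broken.kext/Contents/MacOS/Broken",
     "arch": "x86_64", "signed": "1",
     "authority": "Example Vendor Inc (ABCDE12345)", "md5": ""},
])

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_results(text):
    """Parse osquery's JSON output into a list of row dicts."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of rows")
    return rows


def unique_md5s(rows):
    """MD5s worth one VirusTotal lookup each: well-formed, deduplicated, sorted.

    Deduplicating keeps the lookup count equal to the number of distinct
    files rather than the number of (file, arch) rows.
    """
    return sorted({r["md5"].lower() for r in rows
                   if MD5_RE.match(r["md5"].lower())})


def unsigned_kexts(rows):
    """Paths of kext binaries whose signature row reports signed != '1'."""
    return sorted({r["path"] for r in rows if r["signed"] != "1"})


def unhashed_paths(rows):
    """Paths whose hash column is missing or malformed; re-collect these
    instead of silently dropping them from the lookup list."""
    return sorted({r["path"] for r in rows
                   if not MD5_RE.match(r["md5"].lower())})


def by_authority(rows):
    """Map each signing authority (or '<unsigned>') to the kext paths it signed."""
    groups = defaultdict(set)
    for r in rows:
        groups[r["authority"] or "<unsigned>"].add(r["path"])
    return {auth: sorted(paths) for auth, paths in groups.items()}


if __name__ == "__main__":
    rows = parse_results(SAMPLE_OSQUERY_JSON)
    print("lookup:", unique_md5s(rows))
    print("unsigned:", unsigned_kexts(rows))
    print("missing hash:", unhashed_paths(rows))
    for auth, paths in sorted(by_authority(rows).items()):
        print(auth, "->", paths)
```

In practice the sample would be replaced by piping the query through `osqueryi --json` and feeding the output to `parse_results`; the unsigned list and any authority not on the organisation's known-vendor list are the rows to triage before spending VirusTotal lookups on the rest.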
esullivan
Carbon Black Employee

hello @Magneto thank you for your contribution.  Once we vet your query, if it runs as expected we'll mark it as CB Approved.

Thanks again!

Magneto
New Contributor II

Great, thanks. I'd actually update this to replace the last select line with:

SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5

which just formats the output of the developer ID a bit nicer (sans the repetitive bit).


jnelson
Carbon Black Employee
Status changed to: Under Review

@Magneto can you please add a semicolon to the end of your query?

Magneto
New Contributor II

Sure! I am unable to find an edit button for my original post, so here's the (updated, fixed) query with a semicolon:


WITH kext_bins as (SELECT path FROM file
    WHERE directory IN
        (SELECT path || '/Contents/MacOS/'
        FROM kernel_extensions
        WHERE path NOT LIKE '/System/Library/%')
)
SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5
FROM signature s JOIN hash h USING (path)
WHERE path IN kext_bins AND s.hash_resources = 0 AND s.arch != '';

esullivan
Carbon Black Employee

@Magneto  -- thanks for the heads up; I will get this addressed so the edit button appears when clicking the three circles to the right of your original post.


esullivan
Carbon Black Employee

@Magneto  - just an FYI that I made the update to your submission per your comment above.

Also, you should now have edit access on your query. If not, please let me know. If you are able to edit, can you please choose a category for your query? I assigned it Vulnerability Management as a placeholder.

Somehow those label fields were not displaying when you originally submitted.

Thanks again!!

jnelson
Carbon Black Employee
Status changed to: Approved

Jay_J
New Contributor

Hello,

I have installed CB Predictive Security Cloud version  3.3.2.58  on macOS Catalina 10.15 and after a while I noticed the status of the CB agent shows "disabled".

I have uninstalled and re-installed it since and the same thing happens over and over again.

CB is allowed through Security & Privacy and also under accessibility. 

Is there a way to manually enable this setting on macOS? If yes, how? (GUI or CLI)

Any help is appreciated.

esullivan
Carbon Black Employee

Hello @Jay_J - you would have better luck getting an answer if you posted this in our PSC forum: https://community.carbonblack.com/t5/CB-Predictive-Security-Cloud/bd-p/cb-predictive-security-cloud-....

Jay_J
New Contributor

I tried to post there. But, I am getting an access denied message.