This artifact checks for mounted disk images using the hdiutil command.
name: MacOS.System.MountedDiskImages
description: |
This artifact checks for mounted disk images using the `hdiutil` command.
author: Wes Lambert -- @therealwlambert|@weslambert@infosec.exchange
required_permissions:
- EXECVE
sources:
- query: |
LET MountedDMGs <= SELECT * FROM execve(argv=['/usr/bin/hdiutil', 'info', '-plist'])
SELECT _value.`image-path` AS Image,
_value.`system-entities`.`mount-point`[0] AS MountPoint,
_value AS ImageDetails
FROM items(item=plist(accessor="data", file=MountedDMGs.Stdout).images)