reformat SQL queries

2022-10-20 09:11:29 -04:00 · 2022-10-20 09:11:29 -04:00 · 1c38ef430e
parent 56b1af7b14
commit 1c38ef430e
6 changed files with 203 additions and 185 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -8,64 +8,72 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
-    p.name,
-    p.path,
-    p.cmdline AS child_cmd,
-    p.cwd,
-    pp.path AS parent_path,
-    p.parent AS parent_pid,
-    pp.cmdline AS parent_cmd,
-    s.state,
-    hash.sha256,
-    -- This intentionally avoids file.path, as it won't join across mount namespaces
-    CONCAT (
-        MIN(p.euid, 500),
-        ',',
-        REPLACE(REGEX_MATCH(p.path, '(/.*?)/', 1), '/nix', '/usr'),
-        '/',
-        REGEX_MATCH(p.path, '.*/(.*?)$', 1),
-        ',',
-        MIN(f.uid, 500),
-        'u,',
-        MIN(f.gid, 500),
-        'g,',
-        p.name
-    ) AS exception_key
-FROM process_open_sockets s
-    LEFT JOIN processes p ON s.pid = p.pid
-    LEFT JOIN processes pp ON p.parent = pp.pid
-    LEFT JOIN file f ON p.path = f.path
-    LEFT JOIN hash ON p.path = hash.path
-WHERE protocol IN (6, 17)
-    AND s.remote_port = 443
-    AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
-    AND s.remote_address NOT LIKE 'fe80:%'
-    AND s.remote_address NOT LIKE '127.%'
-    AND s.remote_address NOT LIKE '192.168.%'
-    AND s.remote_address NOT LIKE '172.1%'
-    AND s.remote_address NOT LIKE '172.2%'
-    AND s.remote_address NOT LIKE '172.30.%'
-    AND s.remote_address NOT LIKE '172.31.%'
-    AND s.remote_address NOT LIKE '::ffff:172.%'
-    AND s.remote_address NOT LIKE '10.%'
-    AND s.remote_address NOT LIKE '::ffff:10.%'
-    AND s.remote_address NOT LIKE 'fc00:%'
-    AND p.path != ''
-    AND NOT exception_key IN (
-        '0,/usr/launcher,0u,0g,launcher',
-        '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
-        '500,/app/slack,u,g,slack',
-        '500,/ko-app/controlplane,u,g,controlplane',
-        '500,/opt/chrome,0u,0g,chrome',
-        '500,/opt/spotify,0u,0g,spotify',
-        '500,/usr/chrome,0u,0g,chrome',
-        '500,/usr/code,0u,0g,code',
-        '500,/usr/firefox,0u,0g,firefox',
-        '500,/usr/firefox,0u,0g,.firefox-wrappe',
-        '500,/usr/geoclue,0u,0g,geoclue',
-        '500,/usr/gnome-software,0u,0g,gnome-software',
-        '500,/usr/slack,0u,0g,slack',
-        '500,/usr/syncthing,0u,0g,syncthing'
-    )
-GROUP BY p.cmdline
+SELECT
+  s.remote_address,
+  p.name,
+  p.path,
+  p.cmdline AS child_cmd,
+  p.cwd,
+  pp.path AS parent_path,
+  p.parent AS parent_pid,
+  pp.cmdline AS parent_cmd,
+  s.state,
+  hash.sha256,
+  -- This intentionally avoids file.path, as it won't join across mount namespaces
+  CONCAT (
+    MIN(p.euid, 500),
+    ',',
+    REPLACE(
+      REGEX_MATCH (p.path, '(/.*?)/', 1),
+      '/nix',
+      '/usr'
+    ),
+    '/',
+    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
+    ',',
+    MIN(f.uid, 500),
+    'u,',
+    MIN(f.gid, 500),
+    'g,',
+    p.name
+  ) AS exception_key
+FROM
+  process_open_sockets s
+  LEFT JOIN processes p ON s.pid = p.pid
+  LEFT JOIN processes pp ON p.parent = pp.pid
+  LEFT JOIN file f ON p.path = f.path
+  LEFT JOIN hash ON p.path = hash.path
+WHERE
+  protocol IN (6, 17)
+  AND s.remote_port = 443
+  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
+  AND s.remote_address NOT LIKE 'fe80:%'
+  AND s.remote_address NOT LIKE '127.%'
+  AND s.remote_address NOT LIKE '192.168.%'
+  AND s.remote_address NOT LIKE '172.1%'
+  AND s.remote_address NOT LIKE '172.2%'
+  AND s.remote_address NOT LIKE '172.30.%'
+  AND s.remote_address NOT LIKE '172.31.%'
+  AND s.remote_address NOT LIKE '::ffff:172.%'
+  AND s.remote_address NOT LIKE '10.%'
+  AND s.remote_address NOT LIKE '::ffff:10.%'
+  AND s.remote_address NOT LIKE 'fc00:%'
+  AND p.path != ''
+  AND NOT exception_key IN (
+    '0,/usr/launcher,0u,0g,launcher',
+    '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
+    '500,/app/slack,u,g,slack',
+    '500,/ko-app/controlplane,u,g,controlplane',
+    '500,/opt/chrome,0u,0g,chrome',
+    '500,/opt/spotify,0u,0g,spotify',
+    '500,/usr/chrome,0u,0g,chrome',
+    '500,/usr/code,0u,0g,code',
+    '500,/usr/firefox,0u,0g,firefox',
+    '500,/usr/firefox,0u,0g,.firefox-wrappe',
+    '500,/usr/geoclue,0u,0g,geoclue',
+    '500,/usr/gnome-software,0u,0g,gnome-software',
+    '500,/usr/slack,0u,0g,slack',
+    '500,/usr/syncthing,0u,0g,syncthing'
+  )
+GROUP BY
+  p.cmdline
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -8,7 +8,8 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
+SELECT
+  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
@ -27,12 +28,12 @@ SELECT s.remote_address,
    MIN(p.euid, 500),
    ',',
    REPLACE(
-      REGEX_MATCH(p.path, '(/.*?)/', 1),
+      REGEX_MATCH (p.path, '(/.*?)/', 1),
      '/nix',
      '/usr'
    ),
    '/',
-    REGEX_MATCH(p.path, '.*/(.*?)$', 1),
+    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
    'u,',
@ -40,12 +41,14 @@ SELECT s.remote_address,
    'g,',
    p.name
  ) AS exception_key
-FROM process_open_sockets s
+FROM
+  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
-WHERE protocol > 0
+WHERE
+  protocol > 0
  AND s.remote_port > 0
  -- See unexpected-https-client
  AND NOT (
@ -99,4 +102,5 @@ WHERE protocol > 0
    AND s.protocol = 6
    AND p.euid > 500
  )
-GROUP BY p.cmdline
+GROUP BY
+  p.cmdline
--- a/detection/evasion/unexpected-library-entries-macos.sql
+++ b/detection/evasion/unexpected-library-entries-macos.sql
@ -8,115 +8,118 @@
 --
 -- tags: persistent state filesystem seldom
 -- platform: darwin
-SELECT file.path,
-    file.type,
-    file.size,
-    file.mtime,
-    file.uid,
-    file.ctime,
-    file.gid,
-    hash.sha256,
-    magic.data
-FROM file
-    LEFT JOIN hash ON file.path = hash.path
-    LEFT JOIN magic ON file.path = magic.path
-WHERE (
-        file.path LIKE '/Library/%'
-        OR file.path LIKE '/Library/.%'
-        OR file.path LIKE '/Library/%/.%'
-        OR file.path LIKE '/Library/WebServer/%'
-        OR file.path LIKE '/Library/WebServer/Documents/%%'
-        OR file.path LIKE '/Library/WebServer/CGI-Executables/%%'
-    )
-    AND file.path NOT LIKE '%/../%'
-    AND file.path NOT LIKE '%/./%'
-    AND file.size > 1
-    AND file.path NOT IN (
-        '/Library/Apple/',
-        '/Library/Application Support/',
-        '/Library/Audio/',
-        '/Library/AutoBugCapture/',
-        '/Library/Bluetooth/',
-        '/Library/Caches/',
-        '/Library/Catacomb/',
-        '/Library/ColorPickers/',
-        '/Library/ColorSync/',
-        '/Library/Components/',
-        '/Library/Compositions/',
-        '/Library/Compositions/.localized',
-        '/Library/Contextual Menu Items/',
-        '/Library/CoreAnalytics/',
-        '/Library/CoreMediaIO/',
-        '/Library/Desktop Pictures/',
-        '/Library/Desktop Pictures/.localizations/',
-        '/Library/Desktop Pictures/.thumbnails/',
-        '/Library/Developer/',
-        '/Library/DirectoryServices/',
-        '/Library/Documentation/',
-        '/Library/DriverExtensions/',
-        '/Library/Extensions/',
-        '/Library/Filesystems/',
-        '/Library/Fonts/',
-        '/Library/Fonts/.uuid',
-        '/Library/Frameworks/',
-        '/Library/Google/',
-        '/Library/GPUBundles/',
-        '/Library/Graphics/',
-        '/Library/Image Capture/',
-        '/Library/Input Methods/',
-        '/Library/InstallerSandboxes/',
-        '/Library/InstallerSandboxes/.metadata_never_index',
-        '/Library/InstallerSandboxes/.PKInstallSandboxManager/',
-        '/Library/Internet Plug-Ins/',
-        '/Library/Java/',
-        '/Library/KernelCollections/',
-        '/Library/KernelCollections/.file',
-        '/Library/Keyboard Layouts/',
-        '/Library/Keychains/',
-        '/Library/LaunchAgents/',
-        '/Library/LaunchDaemons/',
-        '/Library/.localized',
-        '/Library/Logs/',
-        '/Library/Mail/',
-        '/Library/Managed Preferences/',
-        '/Library/Modem Scripts/',
-        '/Library/Nessus/',
-        '/Library/Objective-See/',
-        '/Library/OpenDirectory/',
-        '/Library/OSAnalytics/',
-        '/Library/Perl/',
-        '/Library/PreferencePanes/',
-        '/Library/Preferences/',
-        '/Library/Preferences/.GlobalPreferences.plist',
-        '/Library/Printers/',
-        '/Library/PrivilegedHelperTools/',
-        '/Library/QuickLook/',
-        '/Library/Receipts/',
-        '/Library/Ruby/',
-        '/Library/Sandbox/',
-        '/Library/Screen Savers/',
-        '/Library/ScriptingAdditions/',
-        '/Library/Scripts/',
-        '/Library/Security/',
-        '/Library/Services/',
-        '/Library/Speech/',
-        '/Library/Spotlight/',
-        '/Library/StagedDriverExtensions/',
-        '/Library/StagedExtensions/',
-        '/Library/StartupItems/',
-        '/Library/SystemExtensions/',
-        '/Library/SystemExtensions/.staging/',
-        '/Library/SystemMigration/',
-        '/Library/SystemProfiler/',
-        '/Library/TeX/',
-        '/Library/Updates/',
-        '/Library/User Pictures/',
-        '/Library/User Template/',
-        '/Library/Video/',
-        '/Library/WebServer/',
-        '/Library/WebServer/CGI-Executables/',
-        '/Library/WebServer/Documents/',
-        '/Library/WebServer/Documents/index.html.en',
-        '/Library/WebServer/share/'
-    )
-    AND NOT file.path LIKE '/Library/Caches/.00%'
+SELECT
+  file.path,
+  file.type,
+  file.size,
+  file.mtime,
+  file.uid,
+  file.ctime,
+  file.gid,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash ON file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  (
+    file.path LIKE '/Library/%'
+    OR file.path LIKE '/Library/.%'
+    OR file.path LIKE '/Library/%/.%'
+    OR file.path LIKE '/Library/WebServer/%'
+    OR file.path LIKE '/Library/WebServer/Documents/%%'
+    OR file.path LIKE '/Library/WebServer/CGI-Executables/%%'
+  )
+  AND file.path NOT LIKE '%/../%'
+  AND file.path NOT LIKE '%/./%'
+  AND file.size > 1
+  AND file.path NOT IN (
+    '/Library/Apple/',
+    '/Library/Application Support/',
+    '/Library/Audio/',
+    '/Library/AutoBugCapture/',
+    '/Library/Bluetooth/',
+    '/Library/Caches/',
+    '/Library/Catacomb/',
+    '/Library/ColorPickers/',
+    '/Library/ColorSync/',
+    '/Library/Components/',
+    '/Library/Compositions/',
+    '/Library/Compositions/.localized',
+    '/Library/Contextual Menu Items/',
+    '/Library/CoreAnalytics/',
+    '/Library/CoreMediaIO/',
+    '/Library/Desktop Pictures/',
+    '/Library/Desktop Pictures/.localizations/',
+    '/Library/Desktop Pictures/.thumbnails/',
+    '/Library/Developer/',
+    '/Library/DirectoryServices/',
+    '/Library/Documentation/',
+    '/Library/DriverExtensions/',
+    '/Library/Extensions/',
+    '/Library/Filesystems/',
+    '/Library/Fonts/',
+    '/Library/Fonts/.uuid',
+    '/Library/Frameworks/',
+    '/Library/Google/',
+    '/Library/GPUBundles/',
+    '/Library/Graphics/',
+    '/Library/Image Capture/',
+    '/Library/Input Methods/',
+    '/Library/InstallerSandboxes/',
+    '/Library/InstallerSandboxes/.metadata_never_index',
+    '/Library/InstallerSandboxes/.PKInstallSandboxManager/',
+    '/Library/Internet Plug-Ins/',
+    '/Library/Java/',
+    '/Library/KernelCollections/',
+    '/Library/KernelCollections/.file',
+    '/Library/Keyboard Layouts/',
+    '/Library/Keychains/',
+    '/Library/LaunchAgents/',
+    '/Library/LaunchDaemons/',
+    '/Library/.localized',
+    '/Library/Logs/',
+    '/Library/Mail/',
+    '/Library/Managed Preferences/',
+    '/Library/Modem Scripts/',
+    '/Library/Nessus/',
+    '/Library/Objective-See/',
+    '/Library/OpenDirectory/',
+    '/Library/OSAnalytics/',
+    '/Library/Perl/',
+    '/Library/PreferencePanes/',
+    '/Library/Preferences/',
+    '/Library/Preferences/.GlobalPreferences.plist',
+    '/Library/Printers/',
+    '/Library/PrivilegedHelperTools/',
+    '/Library/QuickLook/',
+    '/Library/Receipts/',
+    '/Library/Ruby/',
+    '/Library/Sandbox/',
+    '/Library/Screen Savers/',
+    '/Library/ScriptingAdditions/',
+    '/Library/Scripts/',
+    '/Library/Security/',
+    '/Library/Services/',
+    '/Library/Speech/',
+    '/Library/Spotlight/',
+    '/Library/StagedDriverExtensions/',
+    '/Library/StagedExtensions/',
+    '/Library/StartupItems/',
+    '/Library/SystemExtensions/',
+    '/Library/SystemExtensions/.staging/',
+    '/Library/SystemMigration/',
+    '/Library/SystemProfiler/',
+    '/Library/TeX/',
+    '/Library/Updates/',
+    '/Library/User Pictures/',
+    '/Library/User Template/',
+    '/Library/Video/',
+    '/Library/WebServer/',
+    '/Library/WebServer/CGI-Executables/',
+    '/Library/WebServer/Documents/',
+    '/Library/WebServer/Documents/index.html.en',
+    '/Library/WebServer/share/'
+  )
+  AND NOT file.path LIKE '/Library/Caches/.00%'
--- a/detection/evasion/unexpected-tmp-executables.sql
+++ b/detection/evasion/unexpected-tmp-executables.sql
@ -5,7 +5,8 @@
 --
 -- tags: persistent
 -- platform: posix
-SELECT file.path,
+SELECT
+  file.path,
  uid,
  gid,
  mode,
@ -13,10 +14,12 @@ SELECT file.path,
  file.size,
  hash.sha256,
  magic.data
-FROM file
+FROM
+  file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
    -- Recursive queries don't seem to work well with hidden directories :(
    file.path LIKE '/tmp/%%'
    OR file.path LIKE '/tmp/.%/%%'
@ -94,4 +97,4 @@ WHERE (
  AND NOT (
    file.type = 'regular'
    AND size < 10
-  )
+  )
--- a/incident_response/systemd_units.sql
+++ b/incident_response/systemd_units.sql
@ -5,4 +5,4 @@
 SELECT
  *
 FROM
-  systemd_units;
+  systemd_units;
--- a/incident_response/users.sql
+++ b/incident_response/users.sql
@ -5,4 +5,4 @@
 SELECT
  *
 FROM
-  users
+  users