make reformat

This commit is contained in:
Thomas Stromberg 2023-05-08 13:20:47 -04:00
parent 778d53b169
commit 41d83350a1
73 changed files with 392 additions and 268 deletions


@ -22,7 +22,7 @@ SELECT
s.authority,
',',
s.identifier
) AS exception_key,
) AS exception_key,
CONCAT (
MIN(p0.euid, 500),
',',
@ -99,7 +99,7 @@ WHERE
AND p0.path NOT LIKE '/usr/libexec/%'
AND p0.path NOT LIKE '/usr/sbin/%'
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'
AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
-- Apple programs running from weird places, like the UpdateBrainService
AND NOT (
s.identifier LIKE 'com.apple.%'
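Review bot: The exclusions `AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'` and `AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'` exempt a process on path shape alone, with no signing or hash condition attached; /private/var/folders is a per-user temporary area, so an unsigned binary under a matching path would presumably be exempted as well. The file already derives exception_key from s.authority and s.identifier (first hunk), so these cases could be expressed through that key, or the go-build pattern qualified with the expected signature state, rather than as bare path patterns. The enclosing WHERE clause starts above the second hunk.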


@ -6,73 +6,77 @@
--
-- platform: linux
-- tags: persistent state process seldom
SELECT CONCAT (
p0.name,
',',
REPLACE(
p0.path,
COALESCE(
REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
"3.11"
),
"__VERSION__"
),
',',
p0.euid,
',',
CONCAT (
SPLIT (p0.cgroup_path, "/", 0),
",",
SPLIT (p0.cgroup_path, "/", 1)
),
',',
f.mode
) AS exception_key,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
LEFT JOIN file f ON p0.path = f.path
JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE p0.euid = 0
AND pmm.path LIKE '%libcurl%'
AND NOT exception_key IN (
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
)
GROUP BY p0.pid
SELECT
CONCAT (
p0.name,
',',
REPLACE(
p0.path,
COALESCE(
REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
"3.11"
),
"__VERSION__"
),
',',
p0.euid,
',',
CONCAT (
SPLIT (p0.cgroup_path, "/", 0),
",",
SPLIT (p0.cgroup_path, "/", 1)
),
',',
f.mode
) AS exception_key,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.euid = 0
AND pmm.path LIKE '%libcurl%'
AND NOT exception_key IN (
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
)
GROUP BY
p0.pid
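Review bot: exception_key on the new side is built from p0.name, the version-normalised path, euid, two cgroup components and the file mode, so an allow-list entry such as `'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755'` is satisfied by process name and location alone even though p0_hash.sha256 is already selected; a comment stating that the key is deliberately hash-free (presumably to survive package upgrades) would make that trade-off explicit for the next maintainer. Separately, the literals written with double quotes (`"__VERSION__"`, `"3.11"`, `"/"`, `","`) depend on SQLite's fallback from identifier to string, while the neighbouring lines use `','`; single quotes throughout avoid that dependency. The hunk starts at the file's header comment, so the lines above it are outside view.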


@ -5,7 +5,8 @@
--
-- tags: transient state net often
-- platform: macos
SELECT pos.protocol,
SELECT
pos.protocol,
pos.local_port,
pos.remote_port,
pos.remote_address,
@ -66,7 +67,8 @@ SELECT pos.protocol,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM process_open_sockets pos
FROM
process_open_sockets pos
LEFT JOIN processes p0 ON pos.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
@ -75,7 +77,8 @@ FROM process_open_sockets pos
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN signature s ON p0.path = s.path
WHERE pos.protocol > 0
WHERE
pos.protocol > 0
AND NOT (
pos.remote_port IN (53, 443)
AND pos.protocol IN (6, 17)
@ -143,7 +146,6 @@ WHERE pos.protocol > 0
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
'500,6,999,Opera Helper,Opera Helper,Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
) -- Useful for unsigned binaries
AND NOT alt_exception_key IN (
'500,6,22,ssh,ssh,0u,500g',
@ -151,8 +153,7 @@ WHERE pos.protocol > 0
'500,6,22,ssh,ssh,500u,20g',
'500,6,22,ssh,ssh,500u,80g',
'500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g'
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g' '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
'500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
)
AND NOT (
@ -172,7 +173,7 @@ WHERE pos.protocol > 0
) -- Known Web Browsers
AND NOT (
(
pos.remote_port IN (80,999)
pos.remote_port IN (80, 999)
OR pos.remote_port > 3000
)
AND id_exception_key IN (
@ -186,4 +187,5 @@ WHERE pos.protocol > 0
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper'
)
)
GROUP BY p0.cmdline
GROUP BY
p0.cmdline
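Review bot: The rewritten alt_exception_key list carries `'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g' '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',` on one line: the old side appears to have had the same entry twice with the comma missing between them, and the formatter joined the two adjacent literals instead of fixing it, so the IN list is still not valid SQL and the rule would fail to parse. Replace that line with a single `'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',`. In the hunk at line 143 the `'500,6,999,Opera Helper,...'` exception_key entry is dropped outright; if that was done only to repair the missing comma after the thunderbird entry, it also removes an allow-list entry and changes what the rule reports, which a commit titled "make reformat" should call out. The enclosing WHERE clause begins outside these hunks.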


@ -92,7 +92,10 @@ WHERE
'zsh'
)
)
AND NOT p1_cmd IN ('/bin/sh /etc/network/if-up.d/avahi-autoipd', '/usr/bin/libvirtd --timeout 120')
AND NOT p1_cmd IN (
'/bin/sh /etc/network/if-up.d/avahi-autoipd',
'/usr/bin/libvirtd --timeout 120'
)
AND NOT p1_path IN ('/usr/libexec/gvfsd')
AND NOT p0_cmd LIKE '%ip route add % dev % metric 1000 scope link'
AND NOT p0_cmd LIKE '%ip link set lo netns -1'


@ -78,7 +78,11 @@ WHERE
file.mode = "0666"
AND size > 2000
AND size < 4000
AND REGEX_MATCH(".085520434CB685DE008C8DBAB6A46215", "^(\.[0-9A-Z]{32})$", 0) != ""
AND REGEX_MATCH (
".085520434CB685DE008C8DBAB6A46215",
"^(\.[0-9A-Z]{32})$",
0
) != ""
)
GROUP BY
file.path
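Review bot: `REGEX_MATCH (".085520434CB685DE008C8DBAB6A46215", "^(\.[0-9A-Z]{32})$", 0) != ""` tests a string constant rather than a column, so it is true for every row and the surrounding exception reduces to the mode and size checks alone; the reformat preserves that. The literal looks like a sample filename that was meant to be the column, presumably `REGEX_MATCH (file.filename, "^(\.[0-9A-Z]{32})$", 0) != ""`. The enclosing NOT (...) block and the WHERE clause start above the hunk.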


@ -49,4 +49,4 @@ WHERE
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
AND p.path NOT IN ('/usr/bin/python3.10')
AND p.path NOT IN ('/usr/bin/python3.10')


@ -10,28 +10,37 @@
--
-- tags: persistent kernel state
-- platform: linux
WITH RECURSIVE cnt(x) AS (
SELECT 1
WITH RECURSIVE
cnt (x) AS (
SELECT
1
UNION ALL
SELECT x + 1
FROM cnt
LIMIT 32768
)
SELECT p.*
FROM cnt
JOIN processes p ON x = p.pid
WHERE x NOT IN (
SELECT pid
FROM processes
SELECT
x + 1
FROM
cnt
LIMIT
32768
)
SELECT
p.*
FROM
cnt
JOIN processes p ON x = p.pid
WHERE
x NOT IN (
SELECT
pid
FROM
processes
)
AND p.start_time < (strftime('%s', 'now') - 1) -- Improve how we filter tasks out.
-- This is not very precise. What we really want to do is verify that
-- this pid is not listed as a task of any other pid
AND (
p.pgroup = p.pid
OR (
p.pid = p.parent
AND p.threads = 1
)
AND p.start_time < (strftime('%s', 'now') - 1) -- Improve how we filter tasks out.
-- This is not very precise. What we really want to do is verify that
-- this pid is not listed as a task of any other pid
AND (
p.pgroup = p.pid
OR (
p.pid = p.parent
AND p.threads = 1
)
)
)
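Review bot: The recursive counter's `LIMIT 32768` caps the pid probe at 32768, while kernel.pid_max is commonly raised far above that on current systemd-based distributions, so a process with a higher pid is never probed and cannot be reported by this rule; either derive the bound from system_controls (this repo already queries that table for kernel.tainted) or document the gap, e.g. `-- NOTE: pids above 32768 are not probed; raise the LIMIT if kernel.pid_max is larger`. Also, `JOIN processes p ON x = p.pid` next to `x NOT IN (SELECT pid FROM processes)` reads as contradictory; it presumably relies on the pid-constrained lookup resolving a pid that the unconstrained listing omits, and a one-line comment saying so would save the next reader the puzzle.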


@ -8,7 +8,8 @@
--
-- platform: posix
-- tags: persistent filesystem state
SELECT file.path,
SELECT
file.path,
file.inode,
file.directory,
uid,
@ -21,10 +22,12 @@ SELECT file.path,
size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'
@ -187,4 +190,4 @@ WHERE (
AND NOT (
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
)


@ -6,7 +6,11 @@
-- platform: darwin
-- tags: persistent seldom kernel
SELECT
linked_against, name, path, size, version,
linked_against,
name,
path,
size,
version,
path || ',' || name || ',' || version || ',' || linked_against AS exception_key
FROM
kernel_extensions
@ -16,7 +20,9 @@ WHERE
idx = 0
AND name = '__kernel__'
)
AND exception_key NOT IN ('/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>')
AND exception_key NOT IN (
'/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>'
)
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
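Review bot: exception_key is `path || ',' || name || ',' || version || ',' || linked_against`, and `||` yields NULL when any operand is NULL; the `exception_key NOT IN (...)` and `NOT LIKE` predicates then evaluate to NULL and the row is silently dropped, so an extension with a missing version or linked_against value would never be reported. Wrapping the nullable operands, e.g. `COALESCE(version, '') || ',' || COALESCE(linked_against, '')`, keeps such rows visible. Whether those columns can be NULL is not visible here; confirm against the kernel_extensions table schema.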


@ -14,16 +14,19 @@
--
-- 12289 is an unsigned, out of tree, proprietary driver
-- 4097 is a signed, out of tree, proprietary driver
SELECT current_value AS value,
current_value & 65536 AS is_aux,
current_value & 8192 is_unsigned,
current_value & 4096 AS out_of_tree,
current_value & 512 AS kernel_warning,
current_value & 614 AS requested_by_userspace,
current_value & 8 AS force_unloaded,
current_value & 4 AS out_of_spec,
current_value & 2 AS force_loaded,
current_value & 1 AS proprietary
FROM system_controls
WHERE name = "kernel.tainted"
AND current_value NOT IN (0, 512, 12289, 12352, 4097)
SELECT
current_value AS value,
current_value & 65536 AS is_aux,
current_value & 8192 is_unsigned,
current_value & 4096 AS out_of_tree,
current_value & 512 AS kernel_warning,
current_value & 614 AS requested_by_userspace,
current_value & 8 AS force_unloaded,
current_value & 4 AS out_of_spec,
current_value & 2 AS force_loaded,
current_value & 1 AS proprietary
FROM
system_controls
WHERE
name = "kernel.tainted"
AND current_value NOT IN (0, 512, 12289, 12352, 4097)
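Review bot: `current_value & 614 AS requested_by_userspace` does not mask a single taint bit: 614 is 512 | 64 | 32 | 4 | 2, so the column is non-zero whenever kernel_warning, out_of_spec, force_loaded or bit 32 is set, not only when userspace requested a taint. The user-requested taint flag (TAINT_USER) is bit 6, so the line should read `current_value & 64 AS requested_by_userspace`. Minor: `current_value & 8192 is_unsigned` omits the `AS` that every sibling column uses.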


@ -199,7 +199,4 @@ WHERE
AND NOT p0_cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
AND NOT p0_name IN ('cc1', 'compile')
AND NOT exception_key IN (
'dd,500,zsh,login',
'git,500,zsh,goland'
)
AND NOT exception_key IN ('dd,500,zsh,login', 'git,500,zsh,goland')


@ -32,7 +32,7 @@ SELECT
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path


@ -5,7 +5,8 @@
--
-- tags: transient process state often
-- platform: darwin
SELECT f.ctime,
SELECT
f.ctime,
f.btime,
f.mtime,
p0.start_time,
@ -41,7 +42,8 @@ SELECT f.ctime,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
FROM
processes p0
LEFT JOIN signature s ON p0.path = s.path
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN users u ON f.uid = u.uid
@ -50,10 +52,14 @@ FROM processes p0
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE p0.pid IN (
SELECT pid
FROM processes
WHERE start_time > 0
WHERE
p0.pid IN (
SELECT
pid
FROM
processes
WHERE
start_time > 0
AND start_time > (strftime('%s', 'now') - 7200)
AND pid > 0
AND path != ""


@ -189,4 +189,4 @@ WHERE
OR ip LIKE '127.%'
)
)
AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'
AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'


@ -41,7 +41,8 @@ SELECT -- Child
'.*/(.*)',
1
) AS p2_name
FROM process_events pe
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = pe.pid -- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
@ -55,10 +56,14 @@ FROM process_events pe
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE pe.pid IN (
SELECT pid
FROM process_events
WHERE time > (strftime('%s', 'now') -300)
WHERE
pe.pid IN (
SELECT
pid
FROM
process_events
WHERE
time > (strftime('%s', 'now') -300)
AND (
INSTR(path, "/bin") != 1
AND INSTR(path, "/sbin/") != 1
@ -82,7 +87,8 @@ WHERE pe.pid IN (
AND INSTR(path, "/.terraform/") > 0
)
AND syscall = "execve" -- REGEX_MATCH performed terribly. INSTR and LIKE are very very close.
GROUP BY path
GROUP BY
path
)
AND pe.time > (strftime('%s', 'now') -300)
AND pe.syscall = "execve"
@ -90,4 +96,5 @@ WHERE pe.pid IN (
AND p.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
GROUP BY pe.pid
GROUP BY
pe.pid
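Review bot: `LEFT JOIN processes p ON pe.pid = pe.pid` compares the column with itself, so the condition holds for every processes row and each event is joined to every running process; the later `p.cgroup_path NOT LIKE ...` filters then apply to an arbitrary process rather than the event's own, and `GROUP BY pe.pid` collapses the multiplied rows so the blow-up is invisible in the output. The intended condition is almost certainly `LEFT JOIN processes p ON pe.pid = p.pid`. The SELECT list and the rest of the WHERE clause continue outside these hunks.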


@ -25,7 +25,7 @@ SELECT
u.directory AS user_home_dir,
s.identifier AS s_id,
s.authority AS s_auth,
-- Child
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,


@ -177,7 +177,9 @@ WHERE
AND p1.name = "nvim"
)
AND NOT p0_cmd LIKE '%/gcloud.py components update'
AND NOT (p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
AND NOT (
p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java'
)
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
p0.pid


@ -128,4 +128,4 @@ WHERE
AND NOT (
magic.data = 'AppleDouble encoded Macintosh file'
AND basename LIKE '._%'
)
)


@ -49,4 +49,5 @@ WHERE
AND program_identifier IN ('com.apple.ln', 'com.apple.link')
AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock'
)
GROUP BY l.path
GROUP BY
l.path


@ -8,25 +8,28 @@
--
-- tags: persistent state filesystem
-- platform: posix
SELECT file.path,
file.uid,
file.gid,
file.atime,
file.mtime,
file.ctime,
file.size,
hash.sha256,
users.username,
users.uid AS u_uid
FROM users
JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
JOIN hash ON file.path = hash.path
WHERE file.size > 0
AND (
file.uid != u_uid
OR file.uid < 500
OR (
file.path NOT LIKE '/home/%'
AND file.path NOT LIKE '/Users/%'
)
)
SELECT
file.path,
file.uid,
file.gid,
file.atime,
file.mtime,
file.ctime,
file.size,
hash.sha256,
users.username,
users.uid AS u_uid
FROM
users
JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
JOIN hash ON file.path = hash.path
WHERE
file.size > 0
AND (
file.uid != u_uid
OR file.uid < 500
OR (
file.path NOT LIKE '/home/%'
AND file.path NOT LIKE '/Users/%'
)
)
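Review bot: `JOIN hash ON file.path = hash.path` is an inner join, so an authorized_keys file for which the hash table returns no row disappears from the result instead of being reported without a sha256; for a rule whose purpose is to flag key files owned by someone other than the home-directory owner, dropping the row is the wrong failure mode. `LEFT JOIN hash ON file.path = hash.path` keeps the row and leaves hash.sha256 NULL. Whether the hash table can return no row for an existing path is not visible on this page; worth confirming before changing it.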


@ -60,4 +60,4 @@ WHERE
AND file.mode NOT LIKE '0%'
AND pe.cmdline_size > 2048
AND p0_cmd NOT LIKE '%sudo dpkg %'
AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'
AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'


@ -87,4 +87,4 @@ WHERE
AND NOT (
p0.path = '/usr/libexec/xdg-permission-store'
AND p1.path = '/usr/lib/systemd/systemd'
)
)


@ -62,4 +62,4 @@ WHERE
AND NOT (
p0.path LIKE '/var/folders/%/T/CanonOFI_TEMP/Data/Software/Install/UniversalInstaller.app/Contents/Frameworks/UIx.framework/Resources/relay'
AND s.authority = 'Developer ID Application: Canon Inc. (XE2XNRRXZ5)'
)
)


@ -5,4 +5,4 @@
SELECT
*
FROM
account_policy_data;
account_policy_data;


@ -5,4 +5,4 @@
SELECT
*
FROM
authorization_mechanisms;
authorization_mechanisms;


@ -5,4 +5,4 @@
SELECT
*
FROM
authorizations;
authorizations;


@ -2,4 +2,8 @@
--
-- tags: postmortem
-- platform: posix
SELECT authorized_keys.* FROM users JOIN authorized_keys ON users.uid = authorized_keys.uid;
SELECT
authorized_keys.*
FROM
users
JOIN authorized_keys ON users.uid = authorized_keys.uid;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: posix
SELECT * FROM certificates;
SELECT
*
FROM
certificates;


@ -1,6 +1,8 @@
-- Retrieves chrome extension cotent scripts that execute on a broad set of URLs.
-- tags: postmortem
-- platform: posix
SELECT chrome_extension_content_scripts.*
FROM users
JOIN chrome_extension_content_scripts ON users.uid = chrome_extension_content_scripts.uid
SELECT
chrome_extension_content_scripts.*
FROM
users
JOIN chrome_extension_content_scripts ON users.uid = chrome_extension_content_scripts.uid
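Review bot: The header comment `-- Retrieves chrome extension cotent scripts that execute on a broad set of URLs.` has a typo ("cotent"); as these header lines are presumably what the rule catalogue surfaces, it is worth correcting to `-- Retrieves chrome extension content scripts that execute on a broad set of URLs.`.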


@ -1,6 +1,8 @@
-- Retrieves chrome extensions that execute on a broad set of URLs.
-- tags: postmortem
-- platform: posix
SELECT chrome_extensions.*
FROM users
JOIN chrome_extensions ON users.uid = chrome_extensions.uid
SELECT
chrome_extensions.*
FROM
users
JOIN chrome_extensions ON users.uid = chrome_extensions.uid


@ -1,4 +1,7 @@
-- Retrieves a list of debian packages
-- tags: postmortem
-- platform: Linux
SELECT * FROM deb_packages;
SELECT
*
FROM
deb_packages;


@ -2,7 +2,9 @@
--
-- tags: postmortem
-- platform: linux
SELECT docker_container_processes.*,
docker_containers.name
FROM docker_containers
JOIN docker_container_processes ON docker_containers.id = docker_container_processes.id;
SELECT
docker_container_processes.*,
docker_containers.name
FROM
docker_containers
JOIN docker_container_processes ON docker_containers.id = docker_container_processes.id;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: linux
SELECT * FROM docker_images;
SELECT
*
FROM
docker_images;


@ -1,5 +1,7 @@
-- Dump a list of process execution events from EndpointSecurity
--
-- platform: darwin
SELECT * FROM es_process_events;
SELECT
*
FROM
es_process_events;


@ -5,4 +5,4 @@
SELECT
*
FROM
file_events;
file_events;


@ -2,7 +2,10 @@
--
-- tags: postmortem
-- platform: posix
SELECT *
FROM file
JOIN hash ON file.path = hash.path
WHERE file.path LIKE "/etc/%%";
SELECT
*
FROM
file
JOIN hash ON file.path = hash.path
WHERE
file.path LIKE "/etc/%%";


@ -2,6 +2,8 @@
--
-- tags: postmortem
-- platform: posix
SELECT firefox_addons.*
FROM users
JOIN firefox_addons ON users.uid = firefox_addons.uid;
SELECT
firefox_addons.*
FROM
users
JOIN firefox_addons ON users.uid = firefox_addons.uid;


@ -5,4 +5,4 @@
SELECT
*
FROM
hardware_events;
hardware_events;


@ -5,4 +5,4 @@
SELECT
*
FROM
homebrew_packages;
homebrew_packages;


@ -5,4 +5,4 @@
SELECT
*
FROM
interface_addresses;
interface_addresses;


@ -5,4 +5,4 @@
SELECT
*
FROM
interface_details
interface_details


@ -5,4 +5,4 @@
SELECT
*
FROM
interface_ipv6;
interface_ipv6;


@ -5,4 +5,4 @@
SELECT
*
FROM
iokit_registry;
iokit_registry;


@ -1,7 +1,6 @@
-- Return basic kernel information
-- tags: postmortem
SELECT
*
FROM
kernel_info;
kernel_info;


@ -5,4 +5,4 @@
SELECT
*
FROM
kernel_panics;
kernel_panics;


@ -1,6 +1,8 @@
-- Retrieves chrome extensions that execute on a broad set of URLs.
-- tags: postmortem
-- platform: posix
SELECT known_hosts.*
FROM users
JOIN known_hosts ON users.uid = known_hosts.uid
SELECT
known_hosts.*
FROM
users
JOIN known_hosts ON users.uid = known_hosts.uid
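Review bot: The header comment `-- Retrieves chrome extensions that execute on a broad set of URLs.` was evidently copied from the chrome_extensions rule and does not describe this query, which joins users to known_hosts; it should state what the file actually returns, e.g. `-- Retrieves the SSH known_hosts entries of every user.`, so the catalogue entry is not misleading.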


@ -5,4 +5,4 @@
SELECT
*
FROM
launchd_overrides;
launchd_overrides;


@ -3,7 +3,10 @@
-- tags: postmortem
-- platform: posix
SELECT
lp.*, p.name AS p_name, p.path AS p_path, p.euid AS p_euid
lp.*,
p.name AS p_name,
p.path AS p_path,
p.euid AS p_euid
FROM
listening_ports AS lp
LEFT JOIN processes p ON lp.pid = p.pid;


@ -5,4 +5,4 @@
SELECT
*
FROM
memory_map;
memory_map;


@ -5,4 +5,4 @@
SELECT
*
FROM
npm_packages;
npm_packages;


@ -5,4 +5,4 @@
SELECT
*
FROM
nvram;
nvram;


@ -5,4 +5,4 @@
SELECT
*
FROM
os_version;
os_version;


@ -4,4 +4,4 @@
SELECT
*
FROM
package_install_history;
package_install_history;


@ -4,4 +4,4 @@
SELECT
*
FROM
platform_info
platform_info


@ -5,4 +5,4 @@
SELECT
*
FROM
preferences;
preferences;


@ -2,12 +2,16 @@
--
-- tags: postmortem
-- platform: linux
SELECT GROUP_CONCAT(processes.pid) AS processes,
GROUP_CONCAT(processes.name) AS names,
file.*, hash.sha256,
magic.data
FROM processes
LEFT JOIN file ON processes.path = file.path
LEFT JOIN hash ON processes.path = hash.path
LEFT JOIN magic ON processes.path = magic.path
GROUP BY processes.path
SELECT
GROUP_CONCAT(processes.pid) AS processes,
GROUP_CONCAT(processes.name) AS names,
file.*,
hash.sha256,
magic.data
FROM
processes
LEFT JOIN file ON processes.path = file.path
LEFT JOIN hash ON processes.path = hash.path
LEFT JOIN magic ON processes.path = magic.path
GROUP BY
processes.path


@ -1,17 +1,23 @@
-- Retrieves the memory map per process
-- platform: posix
-- tags: postmortem
SELECT pid,
SELECT
pid,
permissions,
offset,
offset
,
inode,
path,
pseudo
FROM process_memory_map
WHERE path != ""
GROUP BY pid,
FROM
process_memory_map
WHERE
path != ""
GROUP BY
pid,
permissions,
offset,
offset
,
inode,
path,
pseudo;
pseudo;
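Review bot: The formatter split `offset,` into `offset` followed by a lone `,` on the next line, twice (SELECT list and GROUP BY), which reads as an artifact of OFFSET being a keyword; quoting the column as `"offset"` or qualifying it through a table alias might keep it on one line and makes explicit that a column, not the keyword, is meant. Also, grouping by every selected column with no aggregate is a `SELECT DISTINCT` in disguise; `SELECT DISTINCT pid, permissions, ...` with the GROUP BY removed states that intent directly.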


@ -2,7 +2,10 @@
--
-- tags: postmortem
-- platform: posix
SELECT p.path AS p_path, p.name AS p_name,
pof.*
FROM process_open_files AS pof
LEFT JOIN processes p ON pof.pid = p.pid;
SELECT
p.path AS p_path,
p.name AS p_name,
pof.*
FROM
process_open_files AS pof
LEFT JOIN processes p ON pof.pid = p.pid;


@ -2,7 +2,10 @@
--
-- tags: postmortem
-- platform: posix
SELECT p.path AS p_path, p.name AS p_name,
pos.*
FROM process_open_sockets AS pos
LEFT JOIN processes p ON pos.pid = p.pid;
SELECT
p.path AS p_path,
p.name AS p_name,
pos.*
FROM
process_open_sockets AS pos
LEFT JOIN processes p ON pos.pid = p.pid;


@ -1,4 +1,7 @@
-- Retrieves a list of RPM packages
-- tags: postmortem
-- platform: Linux
SELECT * FROM rpm_packages;
SELECT
*
FROM
rpm_packages;


@ -5,4 +5,4 @@
SELECT
*
FROM
running_apps;
running_apps;


@ -2,6 +2,8 @@
--
-- tags: postmortem
-- platform: darwin
SELECT safari_extensions.*
FROM users
JOIN safari_extensions ON users.uid = safari_extensions.uid;
SELECT
safari_extensions.*
FROM
users
JOIN safari_extensions ON users.uid = safari_extensions.uid;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: linux
SELECT * FROM selinux_events;
SELECT
*
FROM
selinux_events;


@ -1,7 +1,8 @@
-- Return user data from /etc/shadow
--
-- tags: postmortem
-- platform: linux
SELECT * FROM shadow;
SELECT
*
FROM
shadow;


@ -2,8 +2,10 @@
--
-- tags: postmortem
-- platform: linux
SELECT shm.*,
p.name AS p_name,
p.path AS p_path
FROM shared_memory AS shm
LEFT JOIN processes p ON shm.pid = p.pid;
SELECT
shm.*,
p.name AS p_name,
p.path AS p_path
FROM
shared_memory AS shm
LEFT JOIN processes p ON shm.pid = p.pid;


@ -5,4 +5,4 @@
SELECT
*
FROM
sip_config;
sip_config;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: linux
SELECT * FROM socket_events;
SELECT
*
FROM
socket_events;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: linux
SELECT * FROM syslog_events;
SELECT
*
FROM
syslog_events;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: posix
SELECT * FROM system_controls;
SELECT
*
FROM
system_controls;


@ -5,4 +5,4 @@
SELECT
*
FROM
unified_log;
unified_log;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: posix
SELECT * FROM usb_devices;
SELECT
*
FROM
usb_devices;


@ -2,4 +2,7 @@
--
-- tags: postmortem
-- platform: linux
SELECT * FROM user_events;
SELECT
*
FROM
user_events;


@ -14,7 +14,8 @@ FROM
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
AND ea.key = 'where_from'
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
@ -30,4 +31,5 @@ WHERE
) == 1
-- Common filenames that are non-controversial
AND NOT file.filename LIKE '%example.com%'
GROUP BY file.path
GROUP BY
file.path