diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 6939f3e..14d3016 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -22,7 +22,7 @@ SELECT
 s.authority,
 ',',
 s.identifier
- ) AS exception_key,
+ ) AS exception_key,
 CONCAT (
 MIN(p0.euid, 500),
 ',',
@@ -99,7 +99,7 @@ WHERE
 AND p0.path NOT LIKE '/usr/libexec/%'
 AND p0.path NOT LIKE '/usr/sbin/%'
 AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'
- AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
+ AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
 -- Apple programs running from weird places, like the UpdateBrainService
 AND NOT (
 s.identifier LIKE 'com.apple.%'
diff --git a/detection/c2/unexpected-libcurl-user-linux.sql b/detection/c2/unexpected-libcurl-user-linux.sql
index e3ba209..e16c09b 100644
--- a/detection/c2/unexpected-libcurl-user-linux.sql
+++ b/detection/c2/unexpected-libcurl-user-linux.sql
@@ -6,73 +6,77 @@
 --
 -- platform: linux
 -- tags: persistent state process seldom
-SELECT CONCAT (
- p0.name,
- ',',
- REPLACE(
- p0.path,
- COALESCE(
- REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
- REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
- "3.11"
- ),
- "__VERSION__"
- ),
- ',',
- p0.euid,
- ',',
- CONCAT (
- SPLIT (p0.cgroup_path, "/", 0),
- ",",
- SPLIT (p0.cgroup_path, "/", 1)
- ),
- ',',
- f.mode
- ) AS exception_key,
- -- Child
- p0.pid AS p0_pid,
- p0.path AS p0_path,
- p0.name AS p0_name,
- p0.cmdline AS p0_cmd,
- p0.cwd AS p0_cwd,
- p0.cgroup_path AS p0_cgroup,
- p0.euid AS p0_euid,
- p0_hash.sha256 AS p0_sha256,
- -- Parent
- p0.parent AS p1_pid,
- p1.path AS p1_path,
- p1.name AS p1_name,
- p1.euid AS p1_euid,
- p1.cmdline AS p1_cmd,
- p1_hash.sha256 AS p1_sha256,
- -- Grandparent
- p1.parent AS p2_pid,
- p2.name AS p2_name,
- p2.path AS p2_path,
- p2.cmdline AS p2_cmd,
- p2_hash.sha256 AS p2_sha256
-FROM processes p0
- LEFT JOIN file f ON p0.path = f.path
- JOIN process_memory_map pmm ON p0.pid = pmm.pid
- LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
- LEFT JOIN processes p1 ON p0.parent = p1.pid
- LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
- LEFT JOIN processes p2 ON p1.parent = p2.pid
- LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE p0.euid = 0
- AND pmm.path LIKE '%libcurl%'
- AND NOT exception_key IN (
- 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
- 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
- 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
- 'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
- 'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
- 'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
- 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
- 'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
- 'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
- 'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
- 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
- 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
- )
-GROUP BY p0.pid
\ No newline at end of file
+SELECT
+ CONCAT (
+ p0.name,
+ ',',
+ REPLACE(
+ p0.path,
+ COALESCE(
+ REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
+ REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
+ "3.11"
+ ),
+ "__VERSION__"
+ ),
+ ',',
+ p0.euid,
+ ',',
+ CONCAT (
+ SPLIT (p0.cgroup_path, "/", 0),
+ ",",
+ SPLIT (p0.cgroup_path, "/", 1)
+ ),
+ ',',
+ f.mode
+ ) AS exception_key,
+ -- Child
+ p0.pid AS p0_pid,
+ p0.path AS p0_path,
+ p0.name AS p0_name,
+ p0.cmdline AS p0_cmd,
+ p0.cwd AS p0_cwd,
+ p0.cgroup_path AS p0_cgroup,
+ p0.euid AS p0_euid,
+ p0_hash.sha256 AS p0_sha256,
+ -- Parent
+ p0.parent AS p1_pid,
+ p1.path AS p1_path,
+ p1.name AS p1_name,
+ p1.euid AS p1_euid,
+ p1.cmdline AS p1_cmd,
+ p1_hash.sha256 AS p1_sha256,
+ -- Grandparent
+ p1.parent AS p2_pid,
+ p2.name AS p2_name,
+ p2.path AS p2_path,
+ p2.cmdline AS p2_cmd,
+ p2_hash.sha256 AS p2_sha256
+FROM
+ processes p0
+ LEFT JOIN file f ON p0.path = f.path
+ JOIN process_memory_map pmm ON p0.pid = pmm.pid
+ LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+ LEFT JOIN processes p1 ON p0.parent = p1.pid
+ LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+ LEFT JOIN processes p2 ON p1.parent = p2.pid
+ LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE
+ p0.euid = 0
+ AND pmm.path LIKE '%libcurl%'
+ AND NOT exception_key IN (
+ 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
+ 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
+ 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
+ 'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
+ 'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
+ 'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
+ 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
+ 'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
+ 'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
+ 'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
+ 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
+ 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
+ )
+GROUP BY
+ p0.pid
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index dfed971..f98a9b9 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -5,7 +5,8 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT pos.protocol,
+SELECT
+ pos.protocol,
 pos.local_port,
 pos.remote_port,
 pos.remote_address,
@@ -66,7 +67,8 @@ SELECT pos.protocol,
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
-FROM process_open_sockets pos
+FROM
+ process_open_sockets pos
 LEFT JOIN processes p0 ON pos.pid = p0.pid
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
 LEFT JOIN processes p1 ON p0.parent = p1.pid
@@ -75,7 +77,8 @@ FROM process_open_sockets pos
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 LEFT JOIN file f ON p0.path = f.path
 LEFT JOIN signature s ON p0.path = s.path
-WHERE pos.protocol > 0
+WHERE
+ pos.protocol > 0
 AND NOT (
 pos.remote_port IN (53, 443)
 AND pos.protocol IN (6, 17)
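Review bot: The `__VERSION__` normalisation in the new `exception_key` only works for a single interpreter version: `REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1)` requires a `/` after the version, so for `/usr/bin/python3.12` both regexes return NULL, COALESCE falls back to the literal `"3.11"`, and REPLACE leaves the path untouched — a root `dnf` or `yum` on a distribution shipping a newer Python therefore never matches the `python__VERSION__` entries and alerts on every run. Adding `REGEX_MATCH (p0.path, "python(\d[\.\d]+)$", 1),` as a third COALESCE argument, ahead of the `"3.11"` fallback, normalises trailing versions as well. The key also embeds `user-1000.slice`, so the dnf/pacman/yum exceptions only cover the first local user's session; that may be deliberate on single-user fleets but deserves a comment next to the list.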
@@ -143,7 +146,6 @@ WHERE pos.protocol > 0 '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2', '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream', '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird' - '500,6,999,Opera Helper,Opera Helper,Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper', ) -- Useful for unsigned binaries AND NOT alt_exception_key IN ( '500,6,22,ssh,ssh,0u,500g', @@ -151,8 +153,7 @@ WHERE pos.protocol > 0 '500,6,22,ssh,ssh,500u,20g', '500,6,22,ssh,ssh,500u,80g', '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g', - '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g' - '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g', + '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g' '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g', '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g' ) AND NOT ( @@ -172,7 +173,7 @@ WHERE pos.protocol > 0 ) -- Known Web Browsers AND NOT ( ( - pos.remote_port IN (80,999) + pos.remote_port IN (80, 999) OR pos.remote_port > 3000 ) AND id_exception_key IN ( @@ -186,4 +187,5 @@ WHERE pos.protocol > 0 'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper' ) ) -GROUP BY p0.cmdline \ No newline at end of file +GROUP BY + p0.cmdline diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql index 60824c4..5e401f1 100644 --- a/detection/discovery/unexpected-netutil-calls-linux.sql +++ b/detection/discovery/unexpected-netutil-calls-linux.sql 
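Review bot: The first hunk drops the `Opera Helper` port-999 entry from `id_exception_key` instead of repairing the punctuation around it, so a formatting commit changes what this query alerts on. The old side was mis-punctuated — the thunderbird entry lacked a trailing comma and the Opera entry carried one directly before `)`, which SQLite rejects in an IN list — but if the exception is still wanted the fix is `'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',` followed by `'500,6,999,Opera Helper,Opera Helper,Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper'` with no trailing comma. If removing it is intentional, the commit message should say so, since the diff otherwise reads as whitespace-only.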
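Review bot: The reformatted `alt_exception_key` list still carries the broken entry, now as two juxtaposed string literals on one line: `'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g' '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',`. The old side shows the cause — a duplicated line whose first copy lacked its comma — and the formatter merely joined them; SQLite does not concatenate adjacent literals, so I expect this to fail to parse and the whole unexpected-talkers detection to stop running. Replace both with the single entry `'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',`.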
@@ -92,7 +92,10 @@ WHERE 'zsh' ) ) - AND NOT p1_cmd IN ('/bin/sh /etc/network/if-up.d/avahi-autoipd', '/usr/bin/libvirtd --timeout 120') + AND NOT p1_cmd IN ( + '/bin/sh /etc/network/if-up.d/avahi-autoipd', + '/usr/bin/libvirtd --timeout 120' + ) AND NOT p1_path IN ('/usr/libexec/gvfsd') AND NOT p0_cmd LIKE '%ip route add % dev % metric 1000 scope link' AND NOT p0_cmd LIKE '%ip link set lo netns -1' diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql index 374d4a1..4ae0c8e 100644 --- a/detection/evasion/hidden-home-libappsupport.sql +++ b/detection/evasion/hidden-home-libappsupport.sql @@ -78,7 +78,11 @@ WHERE file.mode = "0666" AND size > 2000 AND size < 4000 - AND REGEX_MATCH(".085520434CB685DE008C8DBAB6A46215", "^(\.[0-9A-Z]{32})$", 0) != "" + AND REGEX_MATCH ( + ".085520434CB685DE008C8DBAB6A46215", + "^(\.[0-9A-Z]{32})$", + 0 + ) != "" ) GROUP BY file.path diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql index 7dddb36..7420f4d 100644 --- a/detection/evasion/missing-from-disk-linux.sql +++ b/detection/evasion/missing-from-disk-linux.sql @@ -49,4 +49,4 @@ WHERE -- Snap packages? AND p.path NOT LIKE '/tmp/.mount_%' AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op' - AND p.path NOT IN ('/usr/bin/python3.10') \ No newline at end of file + AND p.path NOT IN ('/usr/bin/python3.10') diff --git a/detection/evasion/pid-hidden-by-rootkit.sql b/detection/evasion/pid-hidden-by-rootkit.sql index 87545da..d910887 100644 --- a/detection/evasion/pid-hidden-by-rootkit.sql +++ b/detection/evasion/pid-hidden-by-rootkit.sql 
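Review bot: The reformatted condition in hidden-home-libappsupport.sql applies REGEX_MATCH to a string literal rather than a column: `REGEX_MATCH ( ".085520434CB685DE008C8DBAB6A46215", "^(\.[0-9A-Z]{32})$", 0 ) != ""` is always true, so this branch of the WHERE reduces to `file.mode = "0666" AND size > 2000 AND size < 4000` and matches far more than the single dot-plus-32-hex-character filename it appears to be written for. The literal looks like a sample filename that was never swapped for the column; the intended test is most likely `REGEX_MATCH (file.filename, "^(\.[0-9A-Z]{32})$", 0) != ""` (the osquery file table exposes `filename`), and that is worth fixing rather than re-indenting. The enclosing WHERE clause begins before this hunk, so I cannot see whether the branch sits inside a NOT (...) exception group.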
@@ -10,28 +10,37 @@ -- -- tags: persistent kernel state -- platform: linux - -WITH RECURSIVE cnt(x) AS ( - SELECT 1 +WITH RECURSIVE + cnt (x) AS ( + SELECT + 1 UNION ALL - SELECT x + 1 - FROM cnt - LIMIT 32768 -) -SELECT p.* -FROM cnt - JOIN processes p ON x = p.pid -WHERE x NOT IN ( - SELECT pid - FROM processes + SELECT + x + 1 + FROM + cnt + LIMIT + 32768 + ) +SELECT + p.* +FROM + cnt + JOIN processes p ON x = p.pid +WHERE + x NOT IN ( + SELECT + pid + FROM + processes + ) + AND p.start_time < (strftime('%s', 'now') - 1) -- Improve how we filter tasks out. + -- This is not very precise. What we really want to do is verify that + -- this pid is not listed as a task of any other pid + AND ( + p.pgroup = p.pid + OR ( + p.pid = p.parent + AND p.threads = 1 ) - AND p.start_time < (strftime('%s', 'now') - 1) -- Improve how we filter tasks out. - -- This is not very precise. What we really want to do is verify that - -- this pid is not listed as a task of any other pid - AND ( - p.pgroup = p.pid - OR ( - p.pid = p.parent - AND p.threads = 1 - ) - ) \ No newline at end of file + ) diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index 52f20da..21199dd 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -8,7 +8,8 @@ -- -- platform: posix -- tags: persistent filesystem state -SELECT file.path, +SELECT + file.path, file.inode, file.directory, uid, @@ -21,10 +22,12 @@ SELECT file.path, size, hash.sha256, magic.data -FROM file +FROM + file LEFT JOIN hash ON file.path = hash.path LEFT JOIN magic ON file.path = magic.path -WHERE ( +WHERE + ( file.path LIKE '/lib/.%' OR file.path LIKE '/.%' OR file.path LIKE '/bin/%/.%' @@ -187,4 +190,4 @@ WHERE ( AND NOT ( file.path = '/var/root/.oracle_jre_usage/' AND file.size = 96 - ) \ No newline at end of file + ) 
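Review bot: `LIMIT 32768` bounds the pid enumeration silently and nothing on the new side says why: 32768 is the historical `kernel.pid_max` default, but 64-bit hosts under systemd commonly run with 4194304, so a process hidden behind a pid above 32768 is never reached by the `x = p.pid` join and this rootkit check cannot see it. Probing the full range would mean millions of per-pid /proc lookups per run, so raising the cap is a cost decision, but the gap should at least be documented, e.g. `-- 32768 is the legacy kernel.pid_max; 64-bit systemd hosts often use 4194304, so higher pids are not probed`. The existing `-- Improve how we filter tasks out.` note is a natural place to record it.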
diff --git a/detection/evasion/unexpected-kernel-extensions-macos.sql b/detection/evasion/unexpected-kernel-extensions-macos.sql index 5dd245f..d76e0db 100644 --- a/detection/evasion/unexpected-kernel-extensions-macos.sql +++ b/detection/evasion/unexpected-kernel-extensions-macos.sql @@ -6,7 +6,11 @@ -- platform: darwin -- tags: persistent seldom kernel SELECT - linked_against, name, path, size, version, + linked_against, + name, + path, + size, + version, path || ',' || name || ',' || version || ',' || linked_against AS exception_key FROM kernel_extensions @@ -16,7 +20,9 @@ WHERE idx = 0 AND name = '__kernel__' ) - AND exception_key NOT IN ('/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>') + AND exception_key NOT IN ( + '/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>' + ) AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%' AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%' AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%' diff --git a/detection/evasion/unusually-tainted-kernel-linux.sql b/detection/evasion/unusually-tainted-kernel-linux.sql index fadc02c..e35e90a 100644 --- a/detection/evasion/unusually-tainted-kernel-linux.sql +++ b/detection/evasion/unusually-tainted-kernel-linux.sql 
@@ -14,16 +14,19 @@
 --
 -- 12289 is an unsigned, out of tree, proprietary driver
 -- 4097 is a signed, out of tree, proprietary driver
-SELECT current_value AS value,
- current_value & 65536 AS is_aux,
- current_value & 8192 is_unsigned,
- current_value & 4096 AS out_of_tree,
- current_value & 512 AS kernel_warning,
- current_value & 614 AS requested_by_userspace,
- current_value & 8 AS force_unloaded,
- current_value & 4 AS out_of_spec,
- current_value & 2 AS force_loaded,
- current_value & 1 AS proprietary
-FROM system_controls
-WHERE name = "kernel.tainted"
- AND current_value NOT IN (0, 512, 12289, 12352, 4097)
\ No newline at end of file
+SELECT
+ current_value AS value,
+ current_value & 65536 AS is_aux,
+ current_value & 8192 is_unsigned,
+ current_value & 4096 AS out_of_tree,
+ current_value & 512 AS kernel_warning,
+ current_value & 614 AS requested_by_userspace,
+ current_value & 8 AS force_unloaded,
+ current_value & 4 AS out_of_spec,
+ current_value & 2 AS force_loaded,
+ current_value & 1 AS proprietary
+FROM
+ system_controls
+WHERE
+ name = "kernel.tainted"
+ AND current_value NOT IN (0, 512, 12289, 12352, 4097)
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 5744f73..55fa7c9 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -199,7 +199,4 @@ WHERE
 AND NOT p0_cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
 AND NOT p0_cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
 AND NOT p0_name IN ('cc1', 'compile')
- AND NOT exception_key IN (
- 'dd,500,zsh,login',
- 'git,500,zsh,goland'
- )
+ AND NOT exception_key IN ('dd,500,zsh,login', 'git,500,zsh,goland')
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index c5492b7..b86910c 100644
--- a/detection/execution/recently-created-executables-linux.sql
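Review bot: The mask behind `requested_by_userspace` is wrong on the new side as it was on the old: `current_value & 614 AS requested_by_userspace`. The Linux taint flag for "userspace requested" (TAINT_USER, bit 6) is 64, whereas 614 is 512+64+32+4+2, so this column also lights up for the warning, bad-page, out-of-spec and force-loaded bits that are reported on their own lines, and an analyst triaging a tainted kernel will misattribute the cause. Every other mask in the SELECT (1, 2, 4, 8, 512, 4096, 8192, 65536) matches its name, which makes 614 look like a typo for 64; change it to `current_value & 64 AS requested_by_userspace`. `is_unsigned` is also the one column missing `AS`, worth aligning in the same pass.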
+++ b/detection/execution/recently-created-executables-linux.sql @@ -32,7 +32,7 @@ SELECT p2_hash.sha256 AS p2_sha256 FROM processes p0 - LEFT JOIN file f ON p0.path = f.path + LEFT JOIN file f ON p0.path = f.path LEFT JOIN hash p0_hash ON p0.path = p0_hash.path LEFT JOIN processes p1 ON p0.parent = p1.pid LEFT JOIN hash p1_hash ON p1.path = p1_hash.path diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql index 6acaa11..edb02de 100644 --- a/detection/execution/recently-created-executables-macos.sql +++ b/detection/execution/recently-created-executables-macos.sql @@ -5,7 +5,8 @@ -- -- tags: transient process state often -- platform: darwin -SELECT f.ctime, +SELECT + f.ctime, f.btime, f.mtime, p0.start_time, @@ -41,7 +42,8 @@ SELECT f.ctime, p2.path AS p2_path, p2.cmdline AS p2_cmd, p2_hash.sha256 AS p2_sha256 -FROM processes p0 +FROM + processes p0 LEFT JOIN signature s ON p0.path = s.path LEFT JOIN file f ON p0.path = f.path LEFT JOIN users u ON f.uid = u.uid @@ -50,10 +52,14 @@ FROM processes p0 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE p0.pid IN ( - SELECT pid - FROM processes - WHERE start_time > 0 +WHERE + p0.pid IN ( + SELECT + pid + FROM + processes + WHERE + start_time > 0 AND start_time > (strftime('%s', 'now') - 7200) AND pid > 0 AND path != "" diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql index 33b699d..5448a8a 100644 --- a/detection/execution/sketchy-fetcher-events.sql +++ b/detection/execution/sketchy-fetcher-events.sql @@ -189,4 +189,4 @@ WHERE OR ip LIKE '127.%' ) ) - AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %' \ No newline at end of file + AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %' 
diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql index 9c31bc8..d4e7ec2 100644 --- a/detection/execution/unexpected-execdir-events-linux.sql +++ b/detection/execution/unexpected-execdir-events-linux.sql @@ -41,7 +41,8 @@ SELECT -- Child '.*/(.*)', 1 ) AS p2_name -FROM process_events pe +FROM + process_events pe LEFT JOIN processes p ON pe.pid = pe.pid -- Parents (via two paths) LEFT JOIN processes p1 ON pe.parent = p1.pid LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path @@ -55,10 +56,14 @@ FROM process_events pe LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path -WHERE pe.pid IN ( - SELECT pid - FROM process_events - WHERE time > (strftime('%s', 'now') -300) +WHERE + pe.pid IN ( + SELECT + pid + FROM + process_events + WHERE + time > (strftime('%s', 'now') -300) AND ( INSTR(path, "/bin") != 1 AND INSTR(path, "/sbin/") != 1 @@ -82,7 +87,8 @@ WHERE pe.pid IN ( AND INSTR(path, "/.terraform/") > 0 ) AND syscall = "execve" -- REGEX_MATCH performed terribly. INSTR and LIKE are very very close. - GROUP BY path + GROUP BY + path ) AND pe.time > (strftime('%s', 'now') -300) AND pe.syscall = "execve" @@ -90,4 +96,5 @@ WHERE pe.pid IN ( AND p.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%' AND p1.cgroup_path NOT LIKE '/system.slice/docker-%' AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%' -GROUP BY pe.pid \ No newline at end of file +GROUP BY + pe.pid diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index 0c77925..eb4cfc9 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql 
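Review bot: The join kept in the first hunk of unexpected-execdir-events-linux.sql is a tautology: `LEFT JOIN processes p ON pe.pid = pe.pid` compares the event's pid with itself, so every process_events row pairs with every live process, and the later `p.cgroup_path NOT LIKE ...` filters are evaluated against arbitrary processes instead of the one that executed — the closing `GROUP BY pe.pid` hides the row multiplication but not the wrong filter, and the container exclusions it is meant to provide are effectively inert. Change it to `LEFT JOIN processes p ON pe.pid = p.pid`. The SELECT list begins before this hunk, so any `p.` column used there is presumably affected in the same way.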
@@ -25,7 +25,7 @@ SELECT u.directory AS user_home_dir, s.identifier AS s_id, s.authority AS s_auth, - -- Child + -- Child pe.path AS p0_path, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name, TRIM(pe.cmdline) AS p0_cmd, diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql index 7a07370..c2c45b6 100644 --- a/detection/exfil/high_disk_bytes_read.sql +++ b/detection/exfil/high_disk_bytes_read.sql @@ -177,7 +177,9 @@ WHERE AND p1.name = "nvim" ) AND NOT p0_cmd LIKE '%/gcloud.py components update' - AND NOT (p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java') + AND NOT ( + p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java' + ) AND NOT p0.cgroup_path LIKE '/system.slice/docker-%' GROUP BY p0.pid diff --git a/detection/initial_access/unexpected-volume-contents.sql b/detection/initial_access/unexpected-volume-contents.sql index d45d39f..5379ccb 100644 --- a/detection/initial_access/unexpected-volume-contents.sql +++ b/detection/initial_access/unexpected-volume-contents.sql @@ -128,4 +128,4 @@ WHERE AND NOT ( magic.data = 'AppleDouble encoded Macintosh file' AND basename LIKE '._%' - ) \ No newline at end of file + ) diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql index 2a328d0..05994a9 100644 --- a/detection/persistence/unexpected-launchd-program-macos.sql +++ b/detection/persistence/unexpected-launchd-program-macos.sql @@ -49,4 +49,5 @@ WHERE AND program_identifier IN ('com.apple.ln', 'com.apple.link') AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock' ) - GROUP BY l.path \ No newline at end of file +GROUP BY + l.path diff --git a/detection/persistence/unexpected-ssh-authorized-keys.sql b/detection/persistence/unexpected-ssh-authorized-keys.sql index 89fd8ed..ba4344b 100644 --- a/detection/persistence/unexpected-ssh-authorized-keys.sql +++ b/detection/persistence/unexpected-ssh-authorized-keys.sql 
@@ -8,25 +8,28 @@
 --
 -- tags: persistent state filesystem
 -- platform: posix
-SELECT file.path,
- file.uid,
- file.gid,
- file.atime,
- file.mtime,
- file.ctime,
- file.size,
- hash.sha256,
- users.username,
- users.uid AS u_uid
-FROM users
- JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
- JOIN hash ON file.path = hash.path
-WHERE file.size > 0
- AND (
- file.uid != u_uid
- OR file.uid < 500
- OR (
- file.path NOT LIKE '/home/%'
- AND file.path NOT LIKE '/Users/%'
- )
- )
\ No newline at end of file
+SELECT
+ file.path,
+ file.uid,
+ file.gid,
+ file.atime,
+ file.mtime,
+ file.ctime,
+ file.size,
+ hash.sha256,
+ users.username,
+ users.uid AS u_uid
+FROM
+ users
+ JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
+ JOIN hash ON file.path = hash.path
+WHERE
+ file.size > 0
+ AND (
+ file.uid != u_uid
+ OR file.uid < 500
+ OR (
+ file.path NOT LIKE '/home/%'
+ AND file.path NOT LIKE '/Users/%'
+ )
+ )
diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql
index 9b98980..7272917 100644
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@@ -60,4 +60,4 @@ WHERE
 AND file.mode NOT LIKE '0%'
 AND pe.cmdline_size > 2048
 AND p0_cmd NOT LIKE '%sudo dpkg %'
- AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'
\ No newline at end of file
+ AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'
diff --git a/detection/privesc/unexpected-privilege-escalation_linux.sql b/detection/privesc/unexpected-privilege-escalation_linux.sql
index c2b0fc9..6b60959 100644
--- a/detection/privesc/unexpected-privilege-escalation_linux.sql
+++ b/detection/privesc/unexpected-privilege-escalation_linux.sql
@@ -87,4 +87,4 @@ WHERE
 AND NOT (
 p0.path = '/usr/libexec/xdg-permission-store'
 AND p1.path = '/usr/lib/systemd/systemd'
- )
\ No newline at end of file
+ )
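Review bot: The reformatted join in unexpected-ssh-authorized-keys.sql only inspects `users.directory || "/.ssh/authorized_keys"`, but stock OpenSSH's default `AuthorizedKeysFile` also reads `.ssh/authorized_keys2`, so a key planted there gives identical persistence and never appears in this query. Widening the join is a one-line change: `JOIN file ON file.path IN (users.directory || "/.ssh/authorized_keys", users.directory || "/.ssh/authorized_keys2")`. The `file.uid < 500` test is also opaque as written; a comment such as `-- owned by a system account (root included): Linux regular users start at 1000, macOS at 501` would state what it is presumably meant to catch.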
diff --git a/detection/privesc/unexpected-privilege-escalation_macos.sql b/detection/privesc/unexpected-privilege-escalation_macos.sql
index b104f22..6510bcc 100644
--- a/detection/privesc/unexpected-privilege-escalation_macos.sql
+++ b/detection/privesc/unexpected-privilege-escalation_macos.sql
@@ -62,4 +62,4 @@ WHERE
 AND NOT (
 p0.path LIKE '/var/folders/%/T/CanonOFI_TEMP/Data/Software/Install/UniversalInstaller.app/Contents/Frameworks/UIx.framework/Resources/relay'
 AND s.authority = 'Developer ID Application: Canon Inc. (XE2XNRRXZ5)'
- )
\ No newline at end of file
+ )
diff --git a/incident_response/account_policy_data-macos.sql b/incident_response/account_policy_data-macos.sql
index fbb3b7b..64f6e73 100644
--- a/incident_response/account_policy_data-macos.sql
+++ b/incident_response/account_policy_data-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- account_policy_data;
\ No newline at end of file
+ account_policy_data;
diff --git a/incident_response/authorization_mechanisms-macos.sql b/incident_response/authorization_mechanisms-macos.sql
index b893927..d00c9d2 100644
--- a/incident_response/authorization_mechanisms-macos.sql
+++ b/incident_response/authorization_mechanisms-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- authorization_mechanisms;
\ No newline at end of file
+ authorization_mechanisms;
diff --git a/incident_response/authorizations-macos.sql b/incident_response/authorizations-macos.sql
index b5e8d7a..08df96b 100644
--- a/incident_response/authorizations-macos.sql
+++ b/incident_response/authorizations-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- authorizations;
\ No newline at end of file
+ authorizations;
diff --git a/incident_response/authorized_keys.sql b/incident_response/authorized_keys.sql
index 5c6b35c..0c0daae 100644
--- a/incident_response/authorized_keys.sql
+++ b/incident_response/authorized_keys.sql
@@ -2,4 +2,8 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT authorized_keys.* FROM users JOIN authorized_keys ON users.uid = authorized_keys.uid;
+SELECT
+ authorized_keys.*
+FROM
+ users
+ JOIN authorized_keys ON users.uid = authorized_keys.uid;
diff --git a/incident_response/certificates.sql b/incident_response/certificates.sql
index f566329..3513e70 100644
--- a/incident_response/certificates.sql
+++ b/incident_response/certificates.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT * FROM certificates;
\ No newline at end of file
+SELECT
+ *
+FROM
+ certificates;
diff --git a/incident_response/chrome_extension_content_scripts.sql b/incident_response/chrome_extension_content_scripts.sql
index d81a15b..6503150 100644
--- a/incident_response/chrome_extension_content_scripts.sql
+++ b/incident_response/chrome_extension_content_scripts.sql
@@ -1,6 +1,8 @@
 -- Retrieves chrome extension cotent scripts that execute on a broad set of URLs.
 -- tags: postmortem
 -- platform: posix
-SELECT chrome_extension_content_scripts.*
-FROM users
- JOIN chrome_extension_content_scripts ON users.uid = chrome_extension_content_scripts.uid
+SELECT
+ chrome_extension_content_scripts.*
+FROM
+ users
+ JOIN chrome_extension_content_scripts ON users.uid = chrome_extension_content_scripts.uid
diff --git a/incident_response/chrome_extensions.sql b/incident_response/chrome_extensions.sql
index 1bbca3e..4a2ad19 100644
--- a/incident_response/chrome_extensions.sql
+++ b/incident_response/chrome_extensions.sql
@@ -1,6 +1,8 @@
 -- Retrieves chrome extensions that execute on a broad set of URLs.
 -- tags: postmortem
 -- platform: posix
-SELECT chrome_extensions.*
-FROM users
- JOIN chrome_extensions ON users.uid = chrome_extensions.uid
+SELECT
+ chrome_extensions.*
+FROM
+ users
+ JOIN chrome_extensions ON users.uid = chrome_extensions.uid
diff --git a/incident_response/deb_packages.sql b/incident_response/deb_packages.sql
index 7dfa7d2..9301d3e 100644
--- a/incident_response/deb_packages.sql
+++ b/incident_response/deb_packages.sql
@@ -1,4 +1,7 @@
 -- Retrieves a list of debian packages
 -- tags: postmortem
 -- platform: Linux
-SELECT * FROM deb_packages;
\ No newline at end of file
+SELECT
+ *
+FROM
+ deb_packages;
diff --git a/incident_response/docker_container_processes.sql b/incident_response/docker_container_processes.sql
index b8c71e95..c314dbe 100644
--- a/incident_response/docker_container_processes.sql
+++ b/incident_response/docker_container_processes.sql
@@ -2,7 +2,9 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT docker_container_processes.*,
- docker_containers.name
-FROM docker_containers
- JOIN docker_container_processes ON docker_containers.id = docker_container_processes.id;
\ No newline at end of file
+SELECT
+ docker_container_processes.*,
+ docker_containers.name
+FROM
+ docker_containers
+ JOIN docker_container_processes ON docker_containers.id = docker_container_processes.id;
diff --git a/incident_response/docker_images.sql b/incident_response/docker_images.sql
index 1e44fb7..d07d9be 100644
--- a/incident_response/docker_images.sql
+++ b/incident_response/docker_images.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM docker_images;
\ No newline at end of file
+SELECT
+ *
+FROM
+ docker_images;
diff --git a/incident_response/es_process_events.sql b/incident_response/es_process_events.sql
index 434a92b..4bcbfc1 100644
--- a/incident_response/es_process_events.sql
+++ b/incident_response/es_process_events.sql
@@ -1,5 +1,7 @@
-
 -- Dump a list of process execution events from EndpointSecurity
 --
 -- platform: darwin
-SELECT * FROM es_process_events;
+SELECT
+ *
+FROM
+ es_process_events;
diff --git a/incident_response/file_events.sql b/incident_response/file_events.sql
index 072c95c..e78cdd9 100644
--- a/incident_response/file_events.sql
+++ b/incident_response/file_events.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- file_events;
\ No newline at end of file
+ file_events;
diff --git a/incident_response/files-etc.sql b/incident_response/files-etc.sql
index 3e895a0..aac1159 100644
--- a/incident_response/files-etc.sql
+++ b/incident_response/files-etc.sql
@@ -2,7 +2,10 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT *
-FROM file
- JOIN hash ON file.path = hash.path
-WHERE file.path LIKE "/etc/%%";
\ No newline at end of file
+SELECT
+ *
+FROM
+ file
+ JOIN hash ON file.path = hash.path
+WHERE
+ file.path LIKE "/etc/%%";
diff --git a/incident_response/firefox_addons.sql b/incident_response/firefox_addons.sql
index 0a8124c..8297697 100644
--- a/incident_response/firefox_addons.sql
+++ b/incident_response/firefox_addons.sql
@@ -2,6 +2,8 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT firefox_addons.*
-FROM users
- JOIN firefox_addons ON users.uid = firefox_addons.uid;
\ No newline at end of file
+SELECT
+ firefox_addons.*
+FROM
+ users
+ JOIN firefox_addons ON users.uid = firefox_addons.uid;
diff --git a/incident_response/hardware_events.sql b/incident_response/hardware_events.sql
index 451386b..da85200 100644
--- a/incident_response/hardware_events.sql
+++ b/incident_response/hardware_events.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- hardware_events;
\ No newline at end of file
+ hardware_events;
diff --git a/incident_response/homebrew-packages-macos.sql b/incident_response/homebrew-packages-macos.sql
index b081f2e..f218292 100644
--- a/incident_response/homebrew-packages-macos.sql
+++ b/incident_response/homebrew-packages-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- homebrew_packages;
\ No newline at end of file
+ homebrew_packages;
diff --git a/incident_response/interface_addresses.sql b/incident_response/interface_addresses.sql
index ac6ec2b..82f2c22 100644
--- a/incident_response/interface_addresses.sql
+++ b/incident_response/interface_addresses.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- interface_addresses;
\ No newline at end of file
+ interface_addresses;
diff --git a/incident_response/interface_details.sql b/incident_response/interface_details.sql
index df5c4b5..4d64d71 100644
--- a/incident_response/interface_details.sql
+++ b/incident_response/interface_details.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- interface_details
\ No newline at end of file
+ interface_details
diff --git a/incident_response/interface_ipv6.sql b/incident_response/interface_ipv6.sql
index 733c889..e74b221 100644
--- a/incident_response/interface_ipv6.sql
+++ b/incident_response/interface_ipv6.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- interface_ipv6;
\ No newline at end of file
+ interface_ipv6;
diff --git a/incident_response/iokit-registry-macos.sql b/incident_response/iokit-registry-macos.sql
index a1b9f37..8ac41b4 100644
--- a/incident_response/iokit-registry-macos.sql
+++ b/incident_response/iokit-registry-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- iokit_registry;
\ No newline at end of file
+ iokit_registry;
diff --git a/incident_response/kernel_info.sql b/incident_response/kernel_info.sql
index c04fc59..f14f425 100644
--- a/incident_response/kernel_info.sql
+++ b/incident_response/kernel_info.sql
@@ -1,7 +1,6 @@
 -- Return basic kernel information
-
 -- tags: postmortem
 SELECT
 *
 FROM
- kernel_info;
\ No newline at end of file
+ kernel_info;
diff --git a/incident_response/kernel_panics-macos.sql b/incident_response/kernel_panics-macos.sql
index c7309e1..adfa9ca 100644
--- a/incident_response/kernel_panics-macos.sql
+++ b/incident_response/kernel_panics-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- kernel_panics;
\ No newline at end of file
+ kernel_panics;
diff --git a/incident_response/known_hosts.sql b/incident_response/known_hosts.sql
index 820c19b..23916a8 100644
--- a/incident_response/known_hosts.sql
+++ b/incident_response/known_hosts.sql
@@ -1,6 +1,8 @@
 -- Retrieves chrome extensions that execute on a broad set of URLs.
 -- tags: postmortem
 -- platform: posix
-SELECT known_hosts.*
-FROM users
- JOIN known_hosts ON users.uid = known_hosts.uid
+SELECT
+ known_hosts.*
+FROM
+ users
+ JOIN known_hosts ON users.uid = known_hosts.uid
diff --git a/incident_response/launchd_overrides_macos.sql b/incident_response/launchd_overrides_macos.sql
index c059a01..d23c40b 100644
--- a/incident_response/launchd_overrides_macos.sql
+++ b/incident_response/launchd_overrides_macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- launchd_overrides;
\ No newline at end of file
+ launchd_overrides;
diff --git a/incident_response/listening_ports.sql b/incident_response/listening_ports.sql
index 8bd64e6..94fd5cd 100644
--- a/incident_response/listening_ports.sql
+++ b/incident_response/listening_ports.sql
@@ -3,7 +3,10 @@
 -- tags: postmortem
 -- platform: posix
 SELECT
- lp.*, p.name AS p_name, p.path AS p_path, p.euid AS p_euid
+ lp.*,
+ p.name AS p_name,
+ p.path AS p_path,
+ p.euid AS p_euid
 FROM
 listening_ports AS lp
 LEFT JOIN processes p ON lp.pid = p.pid;
diff --git a/incident_response/memory_map.sql b/incident_response/memory_map.sql
index a31b8c9..307e795 100644
--- a/incident_response/memory_map.sql
+++ b/incident_response/memory_map.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- memory_map;
\ No newline at end of file
+ memory_map;
diff --git a/incident_response/npm_packages.sql b/incident_response/npm_packages.sql
index 9c2b8c2..40e40e4 100644
--- a/incident_response/npm_packages.sql
+++ b/incident_response/npm_packages.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- npm_packages;
\ No newline at end of file
+ npm_packages;
diff --git a/incident_response/nvram-macos.sql b/incident_response/nvram-macos.sql
index dab327d..6efbbdc 100644
--- a/incident_response/nvram-macos.sql
+++ b/incident_response/nvram-macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- nvram;
\ No newline at end of file
+ nvram;
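Review bot: The header comment of known_hosts.sql still reads `-- Retrieves chrome extensions that execute on a broad set of URLs.`, which describes a different query than the one below it; the reformat leaves that copied description in place, so anyone grepping these postmortem queries by description will misfile it. The query itself only joins `users` to `known_hosts` on `uid`, so a description such as `-- Retrieves known_hosts entries for every local user` matches what the visible SQL does. The whole file is inside the hunk.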
diff --git a/incident_response/os_version.sql b/incident_response/os_version.sql
index 9cd70c4..4bffe2e 100644
--- a/incident_response/os_version.sql
+++ b/incident_response/os_version.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- os_version;
\ No newline at end of file
+ os_version;
diff --git a/incident_response/package_install_history_macos.sql b/incident_response/package_install_history_macos.sql
index b880272..f75e0cc 100644
--- a/incident_response/package_install_history_macos.sql
+++ b/incident_response/package_install_history_macos.sql
@@ -4,4 +4,4 @@
 SELECT
 *
 FROM
- package_install_history;
\ No newline at end of file
+ package_install_history;
diff --git a/incident_response/platform_info.sql b/incident_response/platform_info.sql
index 5ddd9b9..cdc6e25 100644
--- a/incident_response/platform_info.sql
+++ b/incident_response/platform_info.sql
@@ -4,4 +4,4 @@
 SELECT
 *
 FROM
- platform_info
\ No newline at end of file
+ platform_info
diff --git a/incident_response/preferences_macos.sql b/incident_response/preferences_macos.sql
index 06c910e..eac8c28 100644
--- a/incident_response/preferences_macos.sql
+++ b/incident_response/preferences_macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- preferences;
\ No newline at end of file
+ preferences;
diff --git a/incident_response/process-files.sql b/incident_response/process-files.sql
index 1eb4389..d5d0d83 100644
--- a/incident_response/process-files.sql
+++ b/incident_response/process-files.sql
@@ -2,12 +2,16 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT GROUP_CONCAT(processes.pid) AS processes,
-GROUP_CONCAT(processes.name) AS names,
-file.*, hash.sha256,
-magic.data
-FROM processes
-LEFT JOIN file ON processes.path = file.path
-LEFT JOIN hash ON processes.path = hash.path
-LEFT JOIN magic ON processes.path = magic.path
-GROUP BY processes.path
\ No newline at end of file
+SELECT
+ GROUP_CONCAT(processes.pid) AS processes,
+ GROUP_CONCAT(processes.name) AS names,
+ file.*,
+ hash.sha256,
+ magic.data
+FROM
+ processes
+ LEFT JOIN file ON processes.path = file.path
+ LEFT JOIN hash ON processes.path = hash.path
+ LEFT JOIN magic ON processes.path = magic.path
+GROUP BY
+ processes.path
diff --git a/incident_response/process_memory_map.sql b/incident_response/process_memory_map.sql
index 0a2ef5a..ad07c2b 100644
--- a/incident_response/process_memory_map.sql
+++ b/incident_response/process_memory_map.sql
@@ -1,17 +1,23 @@
 -- Retrieves the memory map per process
 -- platform: posix
 -- tags: postmortem
-SELECT pid,
+SELECT
+ pid,
 permissions,
- offset,
+offset
+,
 inode,
 path,
 pseudo
-FROM process_memory_map
-WHERE path != ""
-GROUP BY pid,
+FROM
+ process_memory_map
+WHERE
+ path != ""
+GROUP BY
+ pid,
 permissions,
- offset,
+offset
+,
 inode,
 path,
- pseudo;
\ No newline at end of file
+ pseudo;
diff --git a/incident_response/process_open_files.sql b/incident_response/process_open_files.sql
index 6791fb2..0905d76 100644
--- a/incident_response/process_open_files.sql
+++ b/incident_response/process_open_files.sql
@@ -2,7 +2,10 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT p.path AS p_path, p.name AS p_name,
- pof.*
-FROM process_open_files AS pof
- LEFT JOIN processes p ON pof.pid = p.pid;
+SELECT
+ p.path AS p_path,
+ p.name AS p_name,
+ pof.*
+FROM
+ process_open_files AS pof
+ LEFT JOIN processes p ON pof.pid = p.pid;
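Review bot: In process-files.sql the result column `GROUP_CONCAT(processes.pid) AS processes` carries the same name as the `processes` table that the query reads from and groups by, which makes `GROUP BY processes.path` and the output header harder to read than they need to be. A name that says what the column holds, `GROUP_CONCAT(processes.pid) AS pids,`, would remove the ambiguity; keep the old name only if downstream tooling keys on the column header. The whole query is inside the hunk.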
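Review bot: In process_memory_map.sql the reformat has split `offset,` into `+offset` at column 0 followed by a lone `+,` line, in both the SELECT list and the GROUP BY, while every neighbouring column stays on one indented line; this looks like the formatter tripping over `offset` being a SQL keyword rather than an intended layout. The query still parses, but the two lines should be folded back to `  offset,` at the same indent as `permissions,` in both places, and the file may need excluding from the formatter so the next run does not undo that. The whole file is inside the hunk.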
diff --git a/incident_response/process_open_sockets.sql b/incident_response/process_open_sockets.sql
index 752e4a4..b2203e7 100644
--- a/incident_response/process_open_sockets.sql
+++ b/incident_response/process_open_sockets.sql
@@ -2,7 +2,10 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT p.path AS p_path, p.name AS p_name,
- pos.*
-FROM process_open_sockets AS pos
- LEFT JOIN processes p ON pos.pid = p.pid;
\ No newline at end of file
+SELECT
+ p.path AS p_path,
+ p.name AS p_name,
+ pos.*
+FROM
+ process_open_sockets AS pos
+ LEFT JOIN processes p ON pos.pid = p.pid;
diff --git a/incident_response/rpm_packages.sql b/incident_response/rpm_packages.sql
index 281701e..1164ddd 100644
--- a/incident_response/rpm_packages.sql
+++ b/incident_response/rpm_packages.sql
@@ -1,4 +1,7 @@
 -- Retrieves a list of RPM packages
 -- tags: postmortem
 -- platform: Linux
-SELECT * FROM rpm_packages;
\ No newline at end of file
+SELECT
+ *
+FROM
+ rpm_packages;
diff --git a/incident_response/running_apps_macos.sql b/incident_response/running_apps_macos.sql
index aa2c029..15111af 100644
--- a/incident_response/running_apps_macos.sql
+++ b/incident_response/running_apps_macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- running_apps;
\ No newline at end of file
+ running_apps;
diff --git a/incident_response/safari_extensions_macos.sql b/incident_response/safari_extensions_macos.sql
index b05ddca..14f670f 100644
--- a/incident_response/safari_extensions_macos.sql
+++ b/incident_response/safari_extensions_macos.sql
@@ -2,6 +2,8 @@
 --
 -- tags: postmortem
 -- platform: darwin
-SELECT safari_extensions.*
-FROM users
- JOIN safari_extensions ON users.uid = safari_extensions.uid;
\ No newline at end of file
+SELECT
+ safari_extensions.*
+FROM
+ users
+ JOIN safari_extensions ON users.uid = safari_extensions.uid;
diff --git a/incident_response/selinux_events.sql b/incident_response/selinux_events.sql
index 42cc287..223588e 100644
--- a/incident_response/selinux_events.sql
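Review bot: rpm_packages.sql keeps `-- platform: Linux` while every other file in this commit spells the tag in lowercase (`-- platform: linux`, `-- platform: posix`, `-- platform: darwin`); the reformat touches the file but leaves the odd capitalisation. I cannot see from the diff whether the tag is consumed case-sensitively, but if it is, this postmortem query would be silently skipped on the hosts it is meant for, so changing the line to `-- platform: linux` is the safe choice either way. The whole file is inside the hunk.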
+++ b/incident_response/selinux_events.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM selinux_events;
+SELECT
+ *
+FROM
+ selinux_events;
diff --git a/incident_response/shadow.sql b/incident_response/shadow.sql
index 3258261..b294366 100644
--- a/incident_response/shadow.sql
+++ b/incident_response/shadow.sql
@@ -1,7 +1,8 @@
-
 -- Return user data from /etc/shadow
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM shadow;
-
+SELECT
+ *
+FROM
+ shadow;
diff --git a/incident_response/shared_memory.sql b/incident_response/shared_memory.sql
index 1a67961..fd8c10a 100644
--- a/incident_response/shared_memory.sql
+++ b/incident_response/shared_memory.sql
@@ -2,8 +2,10 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT shm.*,
- p.name AS p_name,
- p.path AS p_path
-FROM shared_memory AS shm
- LEFT JOIN processes p ON shm.pid = p.pid;
\ No newline at end of file
+SELECT
+ shm.*,
+ p.name AS p_name,
+ p.path AS p_path
+FROM
+ shared_memory AS shm
+ LEFT JOIN processes p ON shm.pid = p.pid;
diff --git a/incident_response/sip_config.sql b/incident_response/sip_config.sql
index 35fdbfa..6584363 100644
--- a/incident_response/sip_config.sql
+++ b/incident_response/sip_config.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- sip_config;
\ No newline at end of file
+ sip_config;
diff --git a/incident_response/socket_events.sql b/incident_response/socket_events.sql
index f0bfe5b..3401c73 100644
--- a/incident_response/socket_events.sql
+++ b/incident_response/socket_events.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM socket_events;
+SELECT
+ *
+FROM
+ socket_events;
diff --git a/incident_response/syslog_events.sql b/incident_response/syslog_events.sql
index 54207d5..390c2c5 100644
--- a/incident_response/syslog_events.sql
+++ b/incident_response/syslog_events.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM syslog_events;
+SELECT
+ *
+FROM
+ syslog_events;
diff --git a/incident_response/system_controls.sql b/incident_response/system_controls.sql
index 92c7ddf..f49dc99 100644
--- a/incident_response/system_controls.sql
+++ b/incident_response/system_controls.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT * FROM system_controls;
+SELECT
+ *
+FROM
+ system_controls;
diff --git a/incident_response/unified_log_macos.sql b/incident_response/unified_log_macos.sql
index f4ec59c..c9545b6 100644
--- a/incident_response/unified_log_macos.sql
+++ b/incident_response/unified_log_macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- unified_log;
\ No newline at end of file
+ unified_log;
diff --git a/incident_response/usb_devices.sql b/incident_response/usb_devices.sql
index 5cf0abe..f2c44e8 100644
--- a/incident_response/usb_devices.sql
+++ b/incident_response/usb_devices.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT * FROM usb_devices;
\ No newline at end of file
+SELECT
+ *
+FROM
+ usb_devices;
diff --git a/incident_response/user_events.sql b/incident_response/user_events.sql
index 6b7d186..81aa7b3 100644
--- a/incident_response/user_events.sql
+++ b/incident_response/user_events.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM user_events;
\ No newline at end of file
+SELECT
+ *
+FROM
+ user_events;
diff --git a/policy/unexpected-rsa-keys-mdfind.sql b/policy/unexpected-rsa-keys-mdfind.sql
index da2d179..0473484 100644
--- a/policy/unexpected-rsa-keys-mdfind.sql
+++ b/policy/unexpected-rsa-keys-mdfind.sql
@@ -14,7 +14,8 @@ FROM
 LEFT JOIN file ON mdfind.path = file.path
 LEFT JOIN users u ON file.uid = u.uid
 LEFT JOIN hash ON mdfind.path = hash.path
- LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
+ LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+ AND ea.key = 'where_from'
 LEFT JOIN magic ON mdfind.path = magic.path
 LEFT JOIN signature ON mdfind.path = signature.path
 WHERE
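Review bot: In unexpected-rsa-keys-mdfind.sql the new line `AND ea.key = 'where_from'` sits at the same indent as the surrounding `LEFT JOIN` lines, so at a glance it reads as a standalone clause rather than the second half of the `extended_attributes` ON predicate. That predicate belongs in ON for a reason: moving it into WHERE during a later edit would turn the LEFT JOIN into an inner join and silently drop every key file that has no `where_from` attribute from this policy's results. Indenting the continuation under its ON, and optionally adding `-- part of the ON, not a row filter: keeps files without a where_from xattr`, makes the intent hard to misread. The enclosing SELECT and its WHERE body are outside the hunk.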
@@ -30,4 +31,5 @@ WHERE
 ) == 1
 -- Common filenames that are non-controversial
 AND NOT file.filename LIKE '%example.com%'
-GROUP BY file.path
+GROUP BY
+ file.path