Add many new incident response queries

2023-02-23 09:35:38 -05:00 · 2023-02-23 09:35:38 -05:00 · 4d626923cd
parent eeb8792ee8
commit 4d626923cd
60 changed files with 418 additions and 15 deletions
--- a/incident_response/account_policy_data-macos.sql
+++ b/incident_response/account_policy_data-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves account policy data, such as creation time
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  account_policy_data;
--- a/incident_response/authorization_mechanisms-macos.sql
+++ b/incident_response/authorization_mechanisms-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves entries from the macOS authorization mechanisms db
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  authorization_mechanisms;
--- a/incident_response/authorizations-macos.sql
+++ b/incident_response/authorizations-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves entries from the macOS authorization rights db
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  authorizations;
--- a/incident_response/authorized_keys.sql
+++ b/incident_response/authorized_keys.sql
@ -0,0 +1,5 @@
+-- Retrieves all the currently installed authorized keys on a system
+--
+-- tags: postmortem
+-- platform: posix
+SELECT authorized_keys.* FROM users JOIN authorized_keys ON users.uid = authorized_keys.uid;
--- a/incident_response/certificates.sql
+++ b/incident_response/certificates.sql
@ -0,0 +1,5 @@
+-- Retrieves all the currently installed certificates on a system
+--
+-- tags: postmortem
+-- platform: posix
+SELECT * FROM certificates;
--- a/incident_response/chrome_extension_content_scripts.sql
+++ b/incident_response/chrome_extension_content_scripts.sql
@ -0,0 +1,6 @@
+-- Retrieves chrome extension cotent scripts that execute on a broad set of URLs.
+-- tags: postmortem
+-- platform: posix
+SELECT chrome_extension_content_scripts.*
+FROM users
+    JOIN chrome_extension_content_scripts ON users.uid = chrome_extension_content_scripts.uid
--- a/incident_response/chrome_extensions.sql
+++ b/incident_response/chrome_extensions.sql
@ -0,0 +1,6 @@
+-- Retrieves chrome extensions that execute on a broad set of URLs.
+-- tags: postmortem
+-- platform: posix
+SELECT chrome_extensions.*
+FROM users
+    JOIN chrome_extensions ON users.uid = chrome_extensions.uid
--- a/incident_response/crashes-macos.sql
+++ b/incident_response/crashes-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves crash log info per user
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  users
+  JOIN crashes USING (uid);
--- a/incident_response/deb_packages.sql
+++ b/incident_response/deb_packages.sql
@ -0,0 +1,4 @@
+-- Retrieves a list of debian packages
+-- tags: postmortem
+-- platform: Linux
+SELECT * FROM deb_packages;
--- a/incident_response/disk_events_macos.sql
+++ b/incident_response/disk_events_macos.sql
@ -0,0 +1,8 @@
+-- Retrieves disk image (DMG) events
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  authorizations;
--- a/incident_response/docker_container_mounts.sql
+++ b/incident_response/docker_container_mounts.sql
@ -0,0 +1,8 @@
+-- Return the list of mounts for Docker containers
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_container_mounts;
--- a/incident_response/docker_container_ports.sql
+++ b/incident_response/docker_container_ports.sql
@ -0,0 +1,8 @@
+-- Return the list of ports for Docker containers
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_container_ports;
--- a/incident_response/docker_container_processes.sql
+++ b/incident_response/docker_container_processes.sql
@ -0,0 +1,8 @@
+-- Return the list of processes for Docker containers
+--
+-- tags: postmortem
+-- platform: linux
+SELECT docker_container_processes.*,
+    docker_containers.name
+FROM docker_containers
+    JOIN docker_container_processes ON docker_containers.id = docker_container_processes.id;
--- a/incident_response/docker_images.sql
+++ b/incident_response/docker_images.sql
@ -0,0 +1,5 @@
+-- Return the list of Docker images
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM docker_images;
--- a/incident_response/es_process_events.sql
+++ b/incident_response/es_process_events.sql
@ -0,0 +1,5 @@
+
+-- Dump a list of process execution events from EndpointSecurity
+--
+-- platform: darwin
+SELECT * FROM es_process_events;
--- a/incident_response/file_events.sql
+++ b/incident_response/file_events.sql
@ -0,0 +1,8 @@
+-- Return the list of watched file events (must be configured)
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  file_events;
--- a/incident_response/files-etc.sql
+++ b/incident_response/files-etc.sql
@ -0,0 +1,8 @@
+-- Returns a list of file information from /etc (non-hidden only)
+--
+-- tags: postmortem
+-- platform: posix
+SELECT *
+FROM file
+    JOIN hash ON file.path = hash.path
+WHERE file.path LIKE "/etc/%%";
--- a/incident_response/files-from-proc.sql
+++ b/incident_response/files-from-proc.sql
@ -0,0 +1,13 @@
+-- Returns a list of file information from / (non-hidden only)
+--
+-- tags: postmortem
+-- platform: linux
+SELECT GROUP_CONCAT(processes.pid) AS processes,
+GROUP_CONCAT(processes.name) AS names,
+file.*, hash.sha256,
+magic.*
+FROM processes
+LEFT JOIN file ON processes.path = file.path
+LEFT JOIN hash ON processes.path = hash.path
+LEFT JOIN magic ON processes.path = magic.path
+GROUP BY processes.path
--- a/incident_response/firefox_addons.sql
+++ b/incident_response/firefox_addons.sql
@ -0,0 +1,7 @@
+-- Return the list of installed Firefox addons
+--
+-- tags: postmortem
+-- platform: posix
+SELECT firefox_addons.*
+FROM users
+    JOIN firefox_addons ON users.uid = firefox_addons.uid;
--- a/incident_response/gatekeeper_approved_apps_macos.sql
+++ b/incident_response/gatekeeper_approved_apps_macos.sql
--- a/incident_response/groups.sql
+++ b/incident_response/groups.sql
@ -0,0 +1,8 @@
+-- Return the list of POSIX groups on the system
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  groups;
--- a/incident_response/hardware_events.sql
+++ b/incident_response/hardware_events.sql
@ -0,0 +1,8 @@
+-- Return hardware events
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  hardware_events;
--- a/incident_response/homebrew-packages-macos.sql
+++ b/incident_response/homebrew-packages-macos.sql
@ -0,0 +1,8 @@
+-- Dump a list of homebrew packages
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  homebrew_packages;
--- a/incident_response/interface_addresses.sql
+++ b/incident_response/interface_addresses.sql
@ -0,0 +1,8 @@
+-- Return the list of interface addresses
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  interface_addresses;
--- a/incident_response/interface_details.sql
+++ b/incident_response/interface_details.sql
@ -0,0 +1,8 @@
+-- Return stats on network interfaces
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  interface_details
--- a/incident_response/interface_ipv6.sql
+++ b/incident_response/interface_ipv6.sql
@ -0,0 +1,8 @@
+-- Return the list of interface addresses (IPv6)
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  interface_ipv6;
--- a/incident_response/iokit-registry-macos.sql
+++ b/incident_response/iokit-registry-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves IOKit registry
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  iokit_registry;
--- a/incident_response/kernel_info.sql
+++ b/incident_response/kernel_info.sql
@ -0,0 +1,7 @@
+-- Return basic kernel information
+
+-- tags: postmortem
+SELECT
+  *
+FROM
+  kernel_info;
--- a/incident_response/kernel_panics-macos.sql
+++ b/incident_response/kernel_panics-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves entries from the macOS kernel panic logs
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  kernel_panics;
--- a/incident_response/known_hosts.sql
+++ b/incident_response/known_hosts.sql
@ -0,0 +1,6 @@
+-- Retrieves chrome extensions that execute on a broad set of URLs.
+-- tags: postmortem
+-- platform: posix
+SELECT known_hosts.*
+FROM users
+    JOIN known_hosts ON users.uid = known_hosts.uid
--- a/incident_response/launchd_overrides_macos.sql
+++ b/incident_response/launchd_overrides_macos.sql
@ -0,0 +1,8 @@
+-- Retrieves launchd override keys per user
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  launchd_overrides;
--- a/incident_response/listening_ports.sql
+++ b/incident_response/listening_ports.sql
@ -3,6 +3,7 @@
 -- tags: postmortem
 -- platform: posix
 SELECT
-  *
+  lp.*, p.name AS p_name, p.path AS p_path, p.euid AS p_euid
 FROM
-  listening_ports;
+  listening_ports AS lp
+  LEFT JOIN processes p ON lp.pid = p.pid;
--- a/incident_response/memory_map.sql
+++ b/incident_response/memory_map.sql
@ -0,0 +1,8 @@
+-- Returns the OS memory region map.
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  memory_map;
--- a/incident_response/npm_packages.sql
+++ b/incident_response/npm_packages.sql
@ -0,0 +1,8 @@
+-- Return the list of npm packages
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  npm_packages;
--- a/incident_response/nvram-macos.sql
+++ b/incident_response/nvram-macos.sql
@ -0,0 +1,8 @@
+-- Retrieves entries from the macOS nvram database
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  nvram;
--- a/incident_response/os_version.sql
+++ b/incident_response/os_version.sql
@ -0,0 +1,8 @@
+-- Return the OS version including patch level
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  os_version;
--- a/incident_response/package_install_history_macos.sql
+++ b/incident_response/package_install_history_macos.sql
@ -0,0 +1,7 @@
+-- Return macOS package install history
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  package_install_history;
--- a/incident_response/package_receipts_macos.sql
+++ b/incident_response/package_receipts_macos.sql
@ -0,0 +1,7 @@
+-- Return macOS package receipts
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  package_receipts;
--- a/incident_response/platform_info.sql
+++ b/incident_response/platform_info.sql
@ -0,0 +1,7 @@
+-- Return hardware platform info (UEFI)
+--
+-- tags: postmortem seldom
+SELECT
+  *
+FROM
+  platform_info
--- a/incident_response/preferences_macos.sql
+++ b/incident_response/preferences_macos.sql
@ -0,0 +1,8 @@
+-- Retrieves entries from the macOS preferences database
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  preferences;
--- a/incident_response/process_memory_map.sql
+++ b/incident_response/process_memory_map.sql
@ -1,23 +1,17 @@
 -- Retrieves the memory map per process
 -- platform: posix
 -- tags: postmortem
-SELECT
-  pid,
+SELECT pid,
  permissions,
-offset
-,
+  offset,
  inode,
  path,
  pseudo
-FROM
-  process_memory_map
-WHERE
-  path != ""
-GROUP BY
-  pid,
+FROM process_memory_map
+WHERE path != ""
+GROUP BY pid,
  permissions,
-offset
-,
+  offset,
  inode,
  path,
-  pseudo;
+  pseudo;
--- a/incident_response/process_open_files.sql
+++ b/incident_response/process_open_files.sql
@ -0,0 +1,8 @@
+-- Return the list of open files by process
+--
+-- tags: postmortem
+-- platform: posix
+SELECT p.path AS p_path, p.name AS p_name,
+    pof.*
+FROM process_open_files AS pof
+    LEFT JOIN processes p ON pof.pid = p.pid;
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@ -0,0 +1,8 @@
+-- Return the list of interface addresses
+--
+-- tags: postmortem
+-- platform: posix
+SELECT p.path AS p_path, p.name AS p_name,
+    pop.*
+FROM process_open_pipes AS pop
+    LEFT JOIN processes p ON pop.pid = p.pid;
--- a/incident_response/process_open_sockets.sql
+++ b/incident_response/process_open_sockets.sql
@ -0,0 +1,8 @@
+-- Return the list of open sockets per process
+--
+-- tags: postmortem
+-- platform: posix
+SELECT p.path AS p_path, p.name AS p_name,
+    pos.*
+FROM process_open_sockets AS pos
+    LEFT JOIN processes p ON pos.pid = p.pid;
--- a/incident_response/rpm_packages.sql
+++ b/incident_response/rpm_packages.sql
@ -0,0 +1,4 @@
+-- Retrieves a list of RPM packages
+-- tags: postmortem
+-- platform: Linux
+SELECT * FROM rpm_packages;
--- a/incident_response/running_apps_macos.sql
+++ b/incident_response/running_apps_macos.sql
@ -0,0 +1,8 @@
+-- Retrieves currently running applications
+--
+-- tags: postmortem often
+-- platform: darwin
+SELECT
+  *
+FROM
+  running_apps;
--- a/incident_response/safari_extensions_macos.sql
+++ b/incident_response/safari_extensions_macos.sql
@ -0,0 +1,7 @@
+-- Return the list of installed Safari extensions
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT safari_extensions.*
+FROM users
+    JOIN safari_extensions ON users.uid = safari_extensions.uid;
--- a/incident_response/seccomp_events.sql
+++ b/incident_response/seccomp_events.sql
@ -0,0 +1,5 @@
+-- Return the list of seccomp events
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM seccomp_events;
--- a/incident_response/selinux_events.sql
+++ b/incident_response/selinux_events.sql
@ -0,0 +1,5 @@
+-- Return the list of SELinux events
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM selinux_events;
--- a/incident_response/shadow.sql
+++ b/incident_response/shadow.sql
@ -0,0 +1,7 @@
+
+-- Return user data from /etc/shadow
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM shadow;
+
--- a/incident_response/shared_memory.sql
+++ b/incident_response/shared_memory.sql
@ -0,0 +1,9 @@
+-- Return shared memory info
+--
+-- tags: postmortem
+-- platform: linux
+SELECT shm.*,
+    p.name AS p_name,
+    p.path AS p_path
+FROM shared_memory AS shm
+    LEFT JOIN processes p ON shm.pid = p.pid;
--- a/incident_response/sip_config.sql
+++ b/incident_response/sip_config.sql
@ -0,0 +1,8 @@
+-- Retrieves System Integrity Protection Settings data
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  sip_config;
--- a/incident_response/socket_events.sql
+++ b/incident_response/socket_events.sql
@ -0,0 +1,5 @@
+-- Return the list of socket events
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM socket_events;
--- a/incident_response/ssh_configs.sql
+++ b/incident_response/ssh_configs.sql
@ -0,0 +1,8 @@
+-- Retrieves the ssh configs per user
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  users
+  JOIN ssh_configs USING (uid);
--- a/incident_response/syslog_events.sql
+++ b/incident_response/syslog_events.sql
@ -0,0 +1,5 @@
+-- Return the list of syslog events
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM syslog_events;
--- a/incident_response/system_controls.sql
+++ b/incident_response/system_controls.sql
@ -0,0 +1,5 @@
+-- Return the list of sysctl values
+--
+-- tags: postmortem
+-- platform: posix
+SELECT * FROM system_controls;
--- a/incident_response/unified_log_macos.sql
+++ b/incident_response/unified_log_macos.sql
@ -0,0 +1,8 @@
+-- Retrieves recent entries from the macOS unified log
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  unified_log;
--- a/incident_response/usb_devices.sql
+++ b/incident_response/usb_devices.sql
@ -0,0 +1,5 @@
+-- Return the list of USB devices
+--
+-- tags: postmortem
+-- platform: posix
+SELECT * FROM usb_devices;
--- a/incident_response/user_events.sql
+++ b/incident_response/user_events.sql
@ -0,0 +1,5 @@
+-- Return the list of audit user events
+--
+-- tags: postmortem
+-- platform: linux
+SELECT * FROM user_events;
--- a/incident_response/user_ssh_keys.sql
+++ b/incident_response/user_ssh_keys.sql
@ -0,0 +1,8 @@
+-- Retrieves the ssh keys per user
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  users
+  JOIN user_ssh_keys USING (uid);