Collect more file data

2023-05-12 16:17:10 -04:00 · 2023-05-12 16:17:10 -04:00 · 6303ee76b6
parent 2645fa41f7
commit 6303ee76b6
4 changed files with 57 additions and 2 deletions
--- a/incident_response/files-downloads.sql
+++ b/incident_response/files-downloads.sql
@ -0,0 +1,15 @@
+-- Returns a list of file information from Downloads directories
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  file.*,
+  magic.data,
+  hash.sha256
+FROM
+  file
+  LEFT JOIN magic ON file.path = magic.path
+  LEFT JOIN hash ON file.path = hash.path
+WHERE
+  file.path LIKE "/home/%/Downloads/%%"
+  OR file.path LIKE "/Users/%/Downloads/%%"
--- a/incident_response/files-recently-written.sql
+++ b/incident_response/files-recently-written.sql
@ -0,0 +1,38 @@
+-- Returns a list of recently written files
+--
+-- tags: postmortem
+-- platform: posix
+-- interval: 3600
+SELECT *
+FROM file
+WHERE (
+        path LIKE "/var/tmp/%%"
+        OR path LIKE "/Applications/%%"
+        OR path LIKE "/home/%/%%"
+        OR path LIKE "/home/%/.%/%%"
+        OR path LIKE "/home/%/.config/%%"
+        OR path LIKE "/Library/%%"
+        OR path LIKE "/Library/.%"
+        OR path LIKE "/Library/Application Support/%"
+        OR path LIKE "/Library/Application Support/.%"
+        OR path LIKE "/tmp/%%"
+        OR path LIKE "/tmp/.%/%%"
+        OR path LIKE "/Users/%/%%"
+        OR path LIKE "/Users/%/.%/%%"
+        OR path LIKE "/Users/Library/%%"
+        OR path LIKE "/Users/Library/.%"
+        OR path LIKE "/Users/Library/Application Support/%%"
+        OR path LIKE "/Users/Library/Application Support/.%"
+        OR path LIKE "/var/%%"
+    )
+    AND (
+        mtime > (strftime('%s', 'now') -3600)
+        OR (
+            atime > (strftime('%s', 'now') -3600)
+            AND file.type = "regular"
+        )
+        OR ctime > (strftime('%s', 'now') -3600)
+        OR btime > (strftime('%s', 'now') -3600)
+    )
+    AND NOT path LIKE "%/../%"
+GROUP BY inode;
--- a/incident_response/process_events.sql
+++ b/incident_response/process_events.sql
@ -1,6 +1,6 @@
 -- Recently executed programs
 --
-- interval: 900
+-- interval: 600
 -- platform: posix
 SELECT
  pe.*,
@ -14,7 +14,7 @@ FROM
  LEFT JOIN processes p ON pe.pid = p.pid
  LEFT JOIN processes pp ON pe.parent = pp.pid
 WHERE
-  pe.time > (strftime('%s', 'now') -900)
+  pe.time > (strftime('%s', 'now') -600)
  -- Filter out commands generated by osquery/kolide
  AND pe.cmdline NOT LIKE '/bin/ps -x -o%'
  AND parent_path NOT LIKE '/usr/local/kolide-k2/%/launcher'
--- a/incident_response/socket_events.sql
+++ b/incident_response/socket_events.sql
@ -2,7 +2,9 @@
 --
 -- tags: postmortem
 -- platform: posix
+-- interval: 600
 SELECT
  *
 FROM
  socket_events;
+WHERE time > (strftime('%s', 'now') -600)