Add events and extra tags to relevant event-based queries
This commit is contained in:
Thomas Stromberg
parent
d6b17a0534
commit
6aab8fdfb6
|
|
@ -3,7 +3,7 @@
|
|||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
||||
--
|
||||
-- tags: transient state net extra
|
||||
-- tags: transient state net extra events
|
||||
-- interval: 601
|
||||
-- platform: posix
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
-- refs:
|
||||
-- * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- tags: transient process state often extra events
|
||||
-- platform: linux
|
||||
-- interval: 300
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
-- refs:
|
||||
-- * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- tags: transient process state often extra events
|
||||
-- platform: darwin
|
||||
-- interval: 600
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
|
||||
--
|
||||
-- tags: transient extra
|
||||
-- tags: transient extra events
|
||||
-- platform: linux
|
||||
-- interval: 600
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
--
|
||||
-- interval: 900
|
||||
-- platform: darwin
|
||||
-- tags: filesystem events
|
||||
-- tags: filesystem events extra
|
||||
SELECT
|
||||
s.identifier AS s_id,
|
||||
s.authority AS s_auth,
|
||||
|
|
|
|||
|
|
@ -103,6 +103,9 @@ WHERE
|
|||
AND syscall = "execve"
|
||||
AND (
|
||||
cmdline LIKE '%chmod% 7%'
|
||||
OR cmdline LIKE '%chmod 5%'
|
||||
OR cmdline LIKE '%chmod 1%'
|
||||
OR cmdline LIKE '%chmod +%x'
|
||||
OR cmdline LIKE '%chmod% +rwx%'
|
||||
OR cmdline LIKE '%chmod% +x%'
|
||||
OR cmdline LIKE '%chmod% u+x%'
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
--
|
||||
-- interval: 300
|
||||
-- platform: linux
|
||||
-- tags: process events
|
||||
-- tags: process events extra
|
||||
SELECT -- Child
|
||||
pe.path AS p0_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
-- refs:
|
||||
-- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- tags: transient process state often extra events
|
||||
-- platform: posix
|
||||
-- interval: 450
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -1,79 +0,0 @@
|
|||
-- Detect commands used to bless a file as executable
|
||||
--
|
||||
-- false positives:
|
||||
-- * none observed, but they are expected
|
||||
--
|
||||
-- interval: 600
|
||||
-- platform: posix
|
||||
-- tags: process events
|
||||
SELECT
|
||||
-- Child
|
||||
pe.path AS p0_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
|
||||
TRIM(pe.cmdline) AS p0_cmd,
|
||||
pe.cwd AS p0_cwd,
|
||||
pe.time AS p0_time,
|
||||
pe.euid AS p0_euid,
|
||||
pe.pid AS p0_pid,
|
||||
p.cgroup_path AS p0_cgroup,
|
||||
-- Parent
|
||||
pe.parent AS p1_pid,
|
||||
p1.cgroup_path AS p1_cgroup,
|
||||
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
|
||||
COALESCE(p1.path, pe1.path) AS p1_path,
|
||||
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
|
||||
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
|
||||
-- Grandparent
|
||||
COALESCE(p1.parent, pe1.parent) AS p2_pid,
|
||||
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
|
||||
TRIM(
|
||||
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
|
||||
) AS p2_cmd,
|
||||
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
|
||||
COALESCE(
|
||||
p1_p2_hash.path,
|
||||
pe1_p2_hash.path,
|
||||
pe1_pe2_hash.path
|
||||
) AS p2_hash,
|
||||
REGEX_MATCH (
|
||||
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
|
||||
'.*/(.*)',
|
||||
1
|
||||
) AS p2_name,
|
||||
-- Extra fields
|
||||
REGEX_MATCH (TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
|
||||
FROM
|
||||
process_events pe,
|
||||
uptime
|
||||
LEFT JOIN processes p ON pe.pid = p.pid
|
||||
-- Parents (via two paths)
|
||||
LEFT JOIN processes p1 ON pe.parent = p1.pid
|
||||
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
|
||||
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
|
||||
AND pe1.cmdline != ''
|
||||
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
|
||||
-- Grandparents (via 3 paths)
|
||||
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
|
||||
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
|
||||
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
|
||||
AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
|
||||
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
|
||||
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
|
||||
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
|
||||
WHERE
|
||||
pe.time > (strftime('%s', 'now') -600)
|
||||
AND pe.cmdline != ''
|
||||
AND pe.path IN ('/bin/chmod', '/usr/bin/chmod')
|
||||
AND (
|
||||
p0_cmd LIKE '%chmod 7%'
|
||||
OR p0_cmd LIKE '%chmod 5%'
|
||||
OR p0_cmd LIKE '%chmod 1%'
|
||||
OR p0_cmd LIKE '%chmod +%x'
|
||||
)
|
||||
AND p0_cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
|
||||
AND p0_cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
|
||||
AND p0_cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
|
||||
AND p0_cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
|
||||
AND NOT p0_cgroup LIKE '/system.slice/docker-%'
|
||||
GROUP BY
|
||||
pe.pid
|
||||
|
|
@ -11,7 +11,7 @@
|
|||
--
|
||||
-- interval: 300
|
||||
-- platform: darwin
|
||||
-- tags: process events
|
||||
-- tags: process events extra
|
||||
SELECT
|
||||
-- Child
|
||||
pe.path AS p0_path,
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
--
|
||||
-- platform: darwin
|
||||
-- interval: 900
|
||||
-- tags: transient seldom process state
|
||||
-- tags: transient seldom events extra
|
||||
-- Canonical example of including process parents from process_events
|
||||
SELECT
|
||||
f.directory AS dir,
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
-- Unexpected calls to sysctl (event-based)
|
||||
-- Unexpected calls to system utilities (event-based)
|
||||
--
|
||||
-- refs:
|
||||
-- * https://attack.mitre.org/techniques/T1497/001/ (Virtualization/Sandbox Evasion: System Checks)
|
||||
--
|
||||
-- platform: linux
|
||||
-- interval: 600
|
||||
-- tags: events extra
|
||||
SELECT -- Child
|
||||
pe.path AS p0_path,
|
||||
pe.time AS p0_time,
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
--
|
||||
-- platform: darwin
|
||||
-- interval: 900
|
||||
-- tags: events extra
|
||||
SELECT
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
|
||||
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
--
|
||||
-- interval: 300
|
||||
-- platform: darwin
|
||||
-- tags: process events
|
||||
-- tags: process events extra
|
||||
SELECT
|
||||
-- Child
|
||||
pe.path AS p0_path,
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
|
||||
-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
|
||||
--
|
||||
-- tags: process events
|
||||
-- tags: process events extra
|
||||
-- interval: 300
|
||||
-- platform: posix
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
--
|
||||
-- platform: posix
|
||||
-- interval: 300
|
||||
-- tags: events
|
||||
SELECT
|
||||
file.mode AS p0_binary_mode,
|
||||
pe.cmdline_size AS p0_cmd_size,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Retrieves disk image (DMG) events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
-- Dump a list of process execution events from EndpointSecurity
|
||||
--
|
||||
-- platform: darwin
|
||||
-- tags: events extra
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of watched file events (must be configured)
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: posix
|
||||
-- interval: 900
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return hardware events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: posix
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
--
|
||||
-- interval: 600
|
||||
-- platform: posix
|
||||
-- tags: events extra
|
||||
SELECT
|
||||
pe.*,
|
||||
-- pe.cwd is often blank
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of seccomp events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of SELinux events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of socket events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events extra
|
||||
-- platform: posix
|
||||
-- interval: 600
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of syslog events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
-- Return the list of audit user events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem events
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
|
|
|
|||
Loading…
Reference in New Issue