diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index d95e604..df3f807 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -3,7 +3,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
--- tags: transient state net extra
+-- tags: transient state net extra events
 -- interval: 601
 -- platform: posix
 SELECT
diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql
index 850477e..4e7e044 100644
--- a/detection/discovery/unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/unexpected-netutil-calls-linux.sql
@@ -3,7 +3,7 @@
 -- refs:
 -- * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: linux
 -- interval: 300
 SELECT
diff --git a/detection/discovery/unexpected-netutil-calls-macos.sql b/detection/discovery/unexpected-netutil-calls-macos.sql
index 437890c..d8e8bc5 100644
--- a/detection/discovery/unexpected-netutil-calls-macos.sql
+++ b/detection/discovery/unexpected-netutil-calls-macos.sql
@@ -3,7 +3,7 @@
 -- refs:
 -- * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: darwin
 -- interval: 600
 SELECT
diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
index 28a019a..41e38b4 100644
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@@ -9,7 +9,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
 --
--- tags: transient extra
+-- tags: transient extra events
 -- platform: linux
 -- interval: 600
 SELECT
diff --git a/detection/execution/exec-failed-launch-constraint-violation.sql b/detection/execution/exec-failed-launch-constraint-violation.sql
index 6a99022..963702a 100644
--- a/detection/execution/exec-failed-launch-constraint-violation.sql
+++ b/detection/execution/exec-failed-launch-constraint-violation.sql
@@ -5,7 +5,7 @@
 --
 -- interval: 900
 -- platform: darwin
--- tags: filesystem events
+-- tags: filesystem events extra
 SELECT
 s.identifier AS s_id,
 s.authority AS s_auth,
diff --git a/detection/execution/unexpected-chmod-exec-event-linux.sql b/detection/execution/unexpected-chmod-exec-event-linux.sql
index 1dddc2d..75fed55 100644
--- a/detection/execution/unexpected-chmod-exec-event-linux.sql
+++ b/detection/execution/unexpected-chmod-exec-event-linux.sql
@@ -103,6 +103,9 @@ WHERE
 AND syscall = "execve"
 AND (
 cmdline LIKE '%chmod% 7%'
+ OR cmdline LIKE '%chmod 5%'
+ OR cmdline LIKE '%chmod 1%'
+ OR cmdline LIKE '%chmod +%x'
 OR cmdline LIKE '%chmod% +rwx%'
 OR cmdline LIKE '%chmod% +x%'
 OR cmdline LIKE '%chmod% u+x%'
diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql
index dfa8551..9a705f5 100644
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@@ -8,7 +8,7 @@
 --
 -- interval: 300
 -- platform: linux
--- tags: process events
+-- tags: process events extra
 SELECT
 -- Child
 pe.path AS p0_path,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
diff --git a/detection/execution/unexpected-fetcher-parent-events.sql b/detection/execution/unexpected-fetcher-parent-events.sql
index dce40e9..d87b283 100644
--- a/detection/execution/unexpected-fetcher-parent-events.sql
+++ b/detection/execution/unexpected-fetcher-parent-events.sql
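Review bot: The third added pattern in unexpected-chmod-exec-event-linux.sql, `OR cmdline LIKE '%chmod +%x'`, has no trailing wildcard, so it only matches command lines that end in the letter x (`chmod +x /tmp/foo` does not match), and the existing `'%chmod% +x%'` and `'%chmod% +rwx%'` lines below already cover the `+x` forms, so the line is either redundant or should read `OR cmdline LIKE '%chmod +%x%'`. The other two, `'%chmod 5%'` and `'%chmod 1%'`, omit the `%` between `chmod` and the mode that the existing `'%chmod% 7%'` line uses, so a flag-bearing invocation such as `chmod -R 555 …` matches the 7xx line but not the new 5xx/1xx ones; `OR cmdline LIKE '%chmod% 5%'` and `OR cmdline LIKE '%chmod% 1%'` would be consistent, keeping in mind that the 1xx pattern also matches sticky-bit modes such as `chmod 1777` on shared directories. These patterns are carried over from the deleted unexpected-file-made-executable.sql, whose NOT LIKE exclusions (apt-key gpghome, snap .config, gradle wrapper, ca-certificates, docker cgroup) do not appear in this hunk; if they were not ported as well, the merged rule re-raises those documented false positives. The enclosing WHERE clause starts and ends outside the hunk.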
@@ -3,7 +3,7 @@
 -- refs:
 -- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: posix
 -- interval: 450
 SELECT
diff --git a/detection/execution/unexpected-file-made-executable.sql b/detection/execution/unexpected-file-made-executable.sql
deleted file mode 100644
index 5256485..0000000
--- a/detection/execution/unexpected-file-made-executable.sql
+++ /dev/null
@@ -1,79 +0,0 @@
--- Detect commands used to bless a file as executable
---
--- false positives:
--- * none observed, but they are expected
---
--- interval: 600
--- platform: posix
--- tags: process events
-SELECT
- -- Child
- pe.path AS p0_path,
- REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
- TRIM(pe.cmdline) AS p0_cmd,
- pe.cwd AS p0_cwd,
- pe.time AS p0_time,
- pe.euid AS p0_euid,
- pe.pid AS p0_pid,
- p.cgroup_path AS p0_cgroup,
- -- Parent
- pe.parent AS p1_pid,
- p1.cgroup_path AS p1_cgroup,
- TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
- COALESCE(p1.path, pe1.path) AS p1_path,
- COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
- REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
- -- Grandparent
- COALESCE(p1.parent, pe1.parent) AS p2_pid,
- COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
- TRIM(
- COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
- ) AS p2_cmd,
- COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
- COALESCE(
- p1_p2_hash.path,
- pe1_p2_hash.path,
- pe1_pe2_hash.path
- ) AS p2_hash,
- REGEX_MATCH (
- COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
- '.*/(.*)',
- 1
- ) AS p2_name,
- -- Extra fields
- REGEX_MATCH (TRIM(pe.cmdline), ".* (.*?)$", 1) AS target_path
-FROM
- process_events pe,
- uptime
- LEFT JOIN processes p ON pe.pid = p.pid
- -- Parents (via two paths)
- LEFT JOIN processes p1 ON pe.parent = p1.pid
- LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
- LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
- AND pe1.cmdline != ''
- LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
- -- Grandparents (via 3 paths)
- LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
- LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
- LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
- AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
- LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
- LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
- LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
-WHERE
- pe.time > (strftime('%s', 'now') -600)
- AND pe.cmdline != ''
- AND pe.path IN ('/bin/chmod', '/usr/bin/chmod')
- AND (
- p0_cmd LIKE '%chmod 7%'
- OR p0_cmd LIKE '%chmod 5%'
- OR p0_cmd LIKE '%chmod 1%'
- OR p0_cmd LIKE '%chmod +%x'
- )
- AND p0_cmd NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
- AND p0_cmd NOT LIKE 'chmod 700 /home/%/snap/%/.config'
- AND p0_cmd NOT LIKE 'chmod 755 /home/%/.gradle/wrapper/dists/gradle-%-bin/%bin/gradle'
- AND p0_cmd NOT IN ('chmod 755 /usr/local/share/ca-certificates')
- AND NOT p0_cgroup LIKE '/system.slice/docker-%'
-GROUP BY
- pe.pid
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index b2d8afa..82e4332 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -11,7 +11,7 @@
 --
 -- interval: 300
 -- platform: darwin
--- tags: process events
+-- tags: process events extra
 SELECT
 -- Child
 pe.path AS p0_path,
diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql
index 9a43790..9b2087d 100644
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@@ -2,7 +2,7 @@
 --
 -- platform: darwin
 -- interval: 900
--- tags: transient seldom process state
+-- tags: transient seldom events extra
 -- Canonical example of including process parents from process_events
 SELECT
 f.directory AS dir,
diff --git a/detection/execution/unexpected-sysutils-linux.sql b/detection/execution/unexpected-sysutils-linux.sql
index eb520d7..e914d04 100644
--- a/detection/execution/unexpected-sysutils-linux.sql
+++ b/detection/execution/unexpected-sysutils-linux.sql
@@ -1,10 +1,11 @@
--- Unexpected calls to sysctl (event-based)
+-- Unexpected calls to system utilities (event-based)
 --
 -- refs:
 -- * https://attack.mitre.org/techniques/T1497/001/ (Virtualization/Sandbox Evasion: System Checks)
 --
 -- platform: linux
 -- interval: 600
+-- tags: events extra
 SELECT
 -- Child
 pe.path AS p0_path,
 pe.time AS p0_time,
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index b1a2f56..f4a2950 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@@ -6,6 +6,7 @@
 --
 -- platform: darwin
 -- interval: 900
+-- tags: events extra
 SELECT
 REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH ( COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
index f10d962..600cdc3 100644
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@@ -5,7 +5,7 @@
 --
 -- interval: 300
 -- platform: darwin
--- tags: process events
+-- tags: process events extra
 SELECT
 -- Child
 pe.path AS p0_path,
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 711fde7..d7e351c 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -7,7 +7,7 @@
 -- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 -- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: process events
+-- tags: process events extra
 -- interval: 300
 -- platform: posix
 SELECT
diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql
index 69d9e28..c97088e 100644
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@@ -2,6 +2,7 @@
 --
 -- platform: posix
 -- interval: 300
+-- tags: events
 SELECT
 file.mode AS p0_binary_mode,
 pe.cmdline_size AS p0_cmd_size,
diff --git a/incident_response/disk_events_macos.sql b/incident_response/disk_events_macos.sql
index c829d6e..460acaa 100644
--- a/incident_response/disk_events_macos.sql
+++ b/incident_response/disk_events_macos.sql
@@ -1,6 +1,6 @@
 -- Retrieves disk image (DMG) events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: darwin
 SELECT
 *
diff --git a/incident_response/es_process_events.sql b/incident_response/es_process_events.sql
index 4bcbfc1..5088455 100644
--- a/incident_response/es_process_events.sql
+++ b/incident_response/es_process_events.sql
@@ -1,6 +1,7 @@
 -- Dump a list of process execution events from EndpointSecurity
 --
 -- platform: darwin
+-- tags: events extra
 SELECT
 *
 FROM
diff --git a/incident_response/file_events.sql b/incident_response/file_events.sql
index 319e677..57720a4 100644
--- a/incident_response/file_events.sql
+++ b/incident_response/file_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of watched file events (must be configured)
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: posix
 -- interval: 900
 SELECT
diff --git a/incident_response/hardware_events.sql b/incident_response/hardware_events.sql
index da85200..a434a61 100644
--- a/incident_response/hardware_events.sql
+++ b/incident_response/hardware_events.sql
@@ -1,6 +1,6 @@
 -- Return hardware events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: posix
 SELECT
 *
diff --git a/incident_response/process_events.sql b/incident_response/process_events.sql
index 43ad256..fa05073 100644
--- a/incident_response/process_events.sql
+++ b/incident_response/process_events.sql
@@ -2,6 +2,7 @@
 --
 -- interval: 600
 -- platform: posix
+-- tags: events extra
 SELECT
 pe.*,
 -- pe.cwd is often blank
diff --git a/incident_response/seccomp_events.sql b/incident_response/seccomp_events.sql
index 715c5f4..4cfe284 100644
--- a/incident_response/seccomp_events.sql
+++ b/incident_response/seccomp_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of seccomp events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
 *
diff --git a/incident_response/selinux_events.sql b/incident_response/selinux_events.sql
index 223588e..6902a37 100644
--- a/incident_response/selinux_events.sql
+++ b/incident_response/selinux_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of SELinux events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
 *
diff --git a/incident_response/socket_events.sql b/incident_response/socket_events.sql
index 4d65a02..9613d8e 100644
--- a/incident_response/socket_events.sql
+++ b/incident_response/socket_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of socket events
 --
--- tags: postmortem
+-- tags: postmortem events extra
 -- platform: posix
 -- interval: 600
 SELECT
diff --git a/incident_response/syslog_events.sql b/incident_response/syslog_events.sql
index 390c2c5..3b6a8b9 100644
--- a/incident_response/syslog_events.sql
+++ b/incident_response/syslog_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of syslog events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
 *
diff --git a/incident_response/user_events.sql b/incident_response/user_events.sql
index 81aa7b3..a55c0a8 100644
--- a/incident_response/user_events.sql
+++ b/incident_response/user_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of audit user events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
 *