Add a lot more mitre data

detection/c2/unexpected-listening-port-linux.sql

@@ -1,7 +1,7 @@
 -- Unexpected programs listening on a TCP port (state-based).
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1571/
+--   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
 --
 -- tags: persistent state net
 SELECT

detection/c2/unexpected-listening-port-macos.sql

@@ -1,7 +1,7 @@
 -- Unexpected programs listening on a TCP port.
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1571/
+--   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
 --
 -- tags: persistent state net low
 -- platform: darwin

detection/c2/unexpected-talkers-linux.sql

@@ -1,7 +1,7 @@
 -- Programs communicating over the network in unexpected ways (state-based)
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1071/
+--   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
 -- tags: transient state net rapid
 -- platform: linux

detection/c2/unexpected-talkers-macos.sql

@@ -1,7 +1,7 @@
 -- Programs communicating over the network in unexpected ways (state-based)
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1071/
+--   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
 -- tags: transient state net often
 -- platform: macos

detection/credentials/unexpected-sensitive-file-access-linux.sql

@@ -1,8 +1,12 @@
--- This query looks for exotic open file/process combinations
+-- Unexpected programs accessing sensitive data stores (state-based)
 --
--- It's unfortunately of limited use, as the query is slow (250ms)
+-- This query is unfortunately of limited use, as the query is slow (250ms)
 -- and it requires catching a program at the exact moment it has
--- the file open.
+-- the file open. An event-based version is advised.
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1555/ (Credentials from Password Stores)
+--
 -- tags: transient often state file access
 SELECT
   pof.pid,

detection/evasion/executables-from-the-future.sql

@@ -1,7 +1,7 @@
 -- Programs which claim to be from the future, based on (btime,ctime,mtime)
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1070/006/
+--   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
 --
 -- false positives:
 --   * None observed

detection/evasion/hidden-cwd.sql

@@ -1,8 +1,11 @@
 -- Programs running with a hidden current working directory
 --
--- False positives:
+-- false positives:
 --   * Users rummaging through their configuration files
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
+--
 -- tags: transient often
 SELECT
   p.pid,

detection/evasion/hidden-launchd-files-macos.sql

@@ -1,6 +1,12 @@
--- osquery can't see hidden launch agents/daemons
+-- Reveal launchd services which are located in a hidden directory.
+--
+-- This query was written because osquery can't see these entries currently.
 -- See https://github.com/osquery/osquery/issues/7703
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
+--   * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
+--
 -- platform: darwin
 -- tags: persistent daemon
 SELECT

detection/evasion/hidden-parent-pid.sql

@@ -2,6 +2,7 @@
 --
 -- references:
 --   * https://github.com/krisnova/boopkit
+--   * https://attack.mitre.org/techniques/T1014/ (Rootkit)
 --
 -- false positives:
 --   * None observed

detection/evasion/missing-from-disk-linux.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * none observed
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)
+--
 -- tags: persistent process state
 -- platform: linux
 SELECT

detection/evasion/missing-from-disk-macos.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * Self-updating programs that remain running
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)
+--
 -- platform: darwin
 -- tags: persistent process state
 SELECT

detection/evasion/name_path_mismatch.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * new software, particularly those using interpreted languages
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1036/004/ (Masquerade Task or Service)
+--
 -- tags: persistent daemon high
 SELECT
   p.name,

detection/evasion/old-binaries-running.sql

@@ -1,7 +1,10 @@
 -- Alert on programs running that are unusually old (poor timestomping)
 --
+-- false positive:
+--   * legimitely ancient programs. For instance, printer drivers.
+--
 -- references:
---   * https://attack.mitre.org/techniques/T1070/006/
+--   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
 --
 -- tags: transient process state
 SELECT

detection/evasion/parent-missing-from-disk.sql

@@ -1,6 +1,17 @@
--- Parent PID is not on disk
+-- A program where the parent PID is not on disk
+--
 -- Reveals boopkit if a child is spawned
 -- TODO: Make mount namespace aware
+--
+-- false positives:
+--   * none observed
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion)
+--
+-- false positives:
+--   * none observed
+--
 -- tags: persistent daemon
 SELECT
   p.name AS child_name,

detection/evasion/ssh-notty.sql

@@ -3,6 +3,10 @@
 -- false positives:
 --   * ssh-driven automation which disables the terminal, such as Znapzend
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1021/004/ (Remote Services: SSH)
+--   * https://attack.mitre.org/techniques/T1564/ (Hide Artifacts)
+--
 -- tags: transient process state
 -- platform: posix
 SELECT

detection/evasion/touched-executable-linux.sql

@@ -2,7 +2,7 @@
 -- on Linux only generally occurs occurs if you run 'touch <bin>'
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1070/006/
+--   * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
 --
 -- tags: transient process state
 -- platform: linux

detection/evasion/touched-executable-macos.sql

@@ -6,6 +6,9 @@
 -- false positives:
 --   * Programs which are packaged weirdly and don't follow the typical Apple app layout
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
+--
 -- tags: transient seldom filesystem state
 -- platform: darwin
 SELECT

detection/exfil/high-disk-bytes-written.sql

@@ -1,111 +0,0 @@
--- Programs which are writing an unusually large amount of data
---
--- Can be used to detect ransomware
---
--- false positives:
---   * Package managers
---   * Backup software
---
--- tags: transient process
-SELECT
-  p.name,
-  p.path,
-  p.pid,
-  p.cmdline,
-  p.on_disk,
-  p.parent,
-  p.start_time,
-  hash.sha256,
-  p.disk_bytes_written,
-  p.cwd,
-  (strftime('%s', 'now') - start_time) AS age,
-  disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
-FROM
-  processes p
-  LEFT JOIN hash ON p.path = hash.path
-WHERE
-  bytes_per_second > 2500000
-  AND age > 120
-  AND pid > 2
-  AND p.path NOT IN (
-    '/bin/bash',
-    '/opt/homebrew/bin/qemu-system-aarch64',
-    '/usr/bin/aptd',
-    '/usr/bin/bash',
-    '/usr/bin/bwrap',
-    '/usr/bin/curl',
-    '/usr/bin/dockerd',
-    '/usr/bin/fish',
-    '/usr/bin/gnome-shell',
-    '/usr/bin/make',
-    '/usr/bin/melange',
-    '/usr/bin/qemu-system-x86_64',
-    '/usr/bin/yay',
-    '/usr/bin/zsh',
-    '/usr/lib64/thunderbird/thunderbird',
-    '/usr/libexec/coreduetd',
-    '/usr/libexec/packagekitd',
-    '/usr/libexec/rosetta/oahd',
-    '/usr/libexec/secd',
-    '/usr/libexec/sharingd',
-    '/usr/lib/flatpak-system-helper',
-    '/usr/lib/systemd/systemd',
-    '/usr/lib/systemd/systemd-journald',
-    '/usr/sbin/screencapture'
-  )
-  AND NOT (
-    name LIKE 'jbd%/dm-%'
-    AND on_disk = -1
-  )
-  AND NOT (
-    name = 'bindfs'
-    AND cmdline LIKE 'bindfs -f -o fsname=%'
-  )
-  AND NOT (
-    name = 'btrfs-transaction'
-    AND on_disk = -1
-  )
-  AND NOT (
-    name = 'kernel_task'
-    AND p.path = ''
-    AND parent IN (0, 1)
-    AND on_disk = -1
-  )
-  AND NOT (
-    name = 'launchd'
-    AND p.path = '/sbin/launchd'
-    AND parent = 0
-  )
-  AND NOT (
-    name = 'logd'
-    AND cmdline = '/usr/libexec/logd'
-    AND parent = 1
-  )
-  AND NOT (
-    name = 'aptd'
-    AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
-  )
-  AND NOT name IN (
-    'chrome',
-    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
-    'containerd',
-    'esbuild',
-    'firefox',
-    'go',
-    'goland',
-    'java',
-    'launcher',
-    'gopls',
-    'jetbrains-toolb',
-    'slack',
-    'slack',
-    'wineserver'
-  )
-  AND p.path NOT LIKE '/Applications/%.app/Contents/%'
-  AND p.path NOT LIKE '/home/%/.local/share/Steam'
-  AND p.path NOT LIKE '/nix/store/%/bin/%sh'
-  AND p.path NOT LIKE '/nix/store/%/bin/nix'
-  AND p.path NOT LIKE '/System/Applications/%'
-  AND p.path NOT LIKE '/System/Library/%'
-  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
-  AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'

detection/exfil/high_disk_bytes_read.sql

@@ -6,6 +6,9 @@
 --   * Virtual Machine managers
 --   * Backup software
 --
+-- references:
+--   * https://attack.mitre.org/tactics/TA0010/ (Exfiltration)
+--
 -- tags: transient process
 SELECT
   p.name,

detection/exfil/spotlight-database-export-macos.sql

@@ -1,31 +0,0 @@
--- Find database exports. Will need tuning based on your table names.
---
--- false positives:
---   * none observed
---
--- platform: darwin
--- tags: persistent filesystem spotlight
-SELECT
-  f.path,
-  f.size,
-  datetime(f.btime, 'unixepoch') AS file_created,
-  magic.data
-FROM
-  file f
-  JOIN mdfind ON mdfind.path = f.path
-  LEFT JOIN magic ON f.path = magic.path
-WHERE
-  (
-    (
-      mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
-    )
-    OR (
-      mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
-    )
-    OR (
-      mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
-    )
-  )
-  AND f.path NOT LIKE '%.json'
-  AND f.path NOT LIKE '%.log'
-  AND f.size > 32768

detection/impact/evenly-timestomped.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * 1 in 43200 chance per binary
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
+--
 -- tags: persistent seldom filesystem
 -- platform: linux
 SELECT

detection/impact/unexpected-etc-hosts.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * developers adding entries for their own use
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
+--
 -- tags: persistent seldom filesystem net
 SELECT
   *

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -1,6 +1,8 @@
 -- Surface ISO/DMG disk images that were downloaded from unexpected places
 --
 -- references:
+--   * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment)
+--   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --   * https://unit42.paloaltonetworks.com/chromeloader-malware/
 --
 -- false positives:

detection/initial_access/unexpected-shell-parents.sql

@@ -3,6 +3,10 @@
 -- false positives:
 --   * IDE's
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
+--   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
+--
 -- tags: transient process state
 -- platform: posix
 SELECT

detection/initial_access/unexpected-volume-contents.sql

@@ -4,6 +4,8 @@
 --   * Installer packages with hidden files
 --
 -- references:
+--   * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment)
+--   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --   * https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/
 --
 -- tags: transient volume filesystem

detection/initial_access/unexpected-webmail-downloads.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * Files without an extension or extensions not explicitly added to the allow list
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment)
+--
 -- platform: darwin
 -- tags: persistent filesystem spotlight
 SELECT

detection/persistence/fake-apple-launchd.sql

@@ -1,6 +1,7 @@
 -- Find launchd entries which purport to be by Apple, but are not signed by Apple.
 --
 -- references:
+--   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
 --   * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
 --
 -- false positives:

detection/persistence/unexpected-active-systemd-units.sql

@@ -1,7 +1,7 @@
 -- Unexpected systemd units, may be evidence of persistence
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1543/002/
+--   * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service)
 --
 -- false positives:
 --   * System updates

detection/persistence/unexpected-chrome-extensions.sql

@@ -1,10 +1,10 @@
 -- Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1176/
+--   * https://attack.mitre.org/techniques/T1176/ (Browser Extensions)
 --
 -- false positives:
---   * anything that isn't on your whitelist
+--   * Almost unlimited: any extension that isn't on your whitelist
 --
 -- tags: persistent seldom browser
 SELECT

detection/persistence/unexpected-cron-entries.sql

@@ -1,7 +1,7 @@
 -- Unexpected crontab entries
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1053/003/
+--   * https://attack.mitre.org/techniques/T1053/003/ (Scheduled Task/Job: Cron)
 --
 -- false positives:
 --   * crontab entries added by the user

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -1,7 +1,7 @@
 -- Unexpected launchd scripts that use the 'program_arguments' field
-----
+--
 -- references:
---   * https://attack.mitre.org/techniques/T1543/004/
+--   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
 --
 -- false positives:
 --   * Software by new vendors which have not yet been added to the allow list

detection/persistence/unexpected-launchd-program.sql

@@ -1,7 +1,7 @@
 -- Unexpected launchd scripts that use the 'program' field
 --
 -- references:
---   * https://attack.mitre.org/techniques/T1543/004/
+--   * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
 --
 -- false positives:
 --   * Software by new vendors which have not yet been added to the allow list

detection/persistence/unexpected-small-udev-entry.sql

@@ -4,6 +4,8 @@
 --
 -- references:
 --   * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
+--   * https://attack.mitre.org/techniques/T1547/ (Boot or Logon Autostart Execution)
+--
 -- false positives:
 --   * rules installed by 3rd party software
 --

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * new software requiring escalated privileges
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/
+--
 -- tags: persistent process state
 -- platform: linux
 SELECT

detection/persistence/unexpected-uid0-daemon-macos.sql

@@ -3,6 +3,9 @@
 -- false positives:
 --   * new software requiring escalated privileges
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1543/
+--
 -- tags: persistent process state
 -- platform: darwin
 SELECT

detection/privesc/unexpected-privilege-escalation-events.sql

@@ -1,5 +1,14 @@
--- Designed for execution every 30 seconds (where the parent may still be around)
+-- Find processes that run with a lower effective UID than their parent (event-based)
 --
+-- references:
+--   * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
+--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
+--
+-- related:
+--   * unexpected-privilege-escalation.sql
+--
+-- tags: events process escalation
+-- platform: posix
 -- interval: 30
 SELECT
   p.pid AS child_pid,

detection/privesc/unexpected-privilege-escalation.sql

@@ -1,11 +1,14 @@
--- Find processes that run with a lower effective UID than their parent
+-- Find processes that run with a lower effective UID than their parent (state-based)
 --
--- Example Malware Threats detected:
---   * Shikitega
--- Related:
+-- references:
+--   * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
+--   * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
+--
+-- related:
 --   * unexpected-privilege-escalation-events.sql
 --
 -- tags: transient rapid state process escalation
+-- platform: posix
 SELECT
   p.pid AS child_pid,
   p.path AS child_path,

detection/privesc/unexpected-privileged-containers.sql

@@ -3,6 +3,10 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1611/
 --
+-- false-positives:
+--   * Nested Kubernetes Environments
+--   * Containerized builds
+--
 -- This query works on macOS as well, but is only an in-the-wild security problem on Linux,
 -- where the kernel namespaces can be shared. These kind of attacks tend to be
 --

detection/privesc/unexpected-setxid-process.sql

@@ -1,6 +1,13 @@
 -- Processes running that originate from setuid/setgid programs
 --
+-- false-positives:
+--   * an unlisted setuid binary
+--
+-- references:
+--   * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid)
+--
 -- tags: persistent state process escalation
+-- platform: posix
 SELECT
   p.pid,
   p.name,

incident_response/process_open_sockets.sql

@@ -1,18 +0,0 @@
--- Retrieves all the open sockets per process in the target system.
---
--- tags: postmortem
--- platform: posix
-SELECT DISTINCT
-  pid,
-  family,
-  protocol,
-  local_address,
-  local_port,
-  remote_address,
-  remote_port,
-  path
-FROM
-  process_open_sockets
-WHERE
-  path <> ''
-  or remote_address <> '';