RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Finish out the incident_response refactor

This commit is contained in:
Thomas Stromberg 2022-10-19 16:19:53 -04:00
parent 9b868bfaf5
commit cee1710f74
Failed to extract signature
60 changed files with 469 additions and 472 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
detection/evasion/ssh-notty.sql
View File

@ -5,9 +5,12 @@
--
-- tags: transient process state
-- platform: posix
SELECT *
FROM (
SELECT p.pid,
SELECT
*
FROM
(
SELECT
p.pid,
p.name,
p.cmdline AS cmd,
cp.name AS child_name,
@ -15,23 +18,26 @@ FROM (
gcp.name AS grandchild_name,
gcp.cmdline AS grandchild_cmd,
GROUP_CONCAT(DISTINCT pof.path) AS open_files
FROM processes p
FROM
processes p
LEFT JOIN process_open_files pof ON p.pid = pof.pid
LEFT JOIN processes cp ON p.pid = cp.parent
LEFT JOIN processes gcp ON cp.pid = gcp.parent
WHERE p.name = 'sshd'
GROUP BY p.pid
WHERE
p.name = 'sshd'
GROUP BY
p.pid
)
WHERE (
WHERE
(
INSTR(cmd, '@notty') > 0
OR (
open_files != '/dev/null'
AND INSTR(open_files, '/dev/ptmx') = 0
)
)
-- You must specifically check for NULL here, or risk inadvertently filtering everything out.
AND (
grandchild_name IS NULL
OR grandchild_name != 'zfs'
grandchild_name IS NULL
OR grandchild_name != 'zfs'
)

11
detection/evasion/unexpected-hidden-system-folders.sql
View File

@ -8,7 +8,8 @@
--
-- platform: posix
-- tags: persistent filesystem state
SELECT file.path,
SELECT
file.path,
file.directory,
uid,
gid,
@ -19,10 +20,12 @@ SELECT file.path,
size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'
@ -119,4 +122,4 @@ WHERE (
AND file.gid = 0
AND file.mode IN ('0755', '0700')
AND file.size = 4
)
)

17
detection/execution/recently-created-executables-linux.sql
View File

@ -5,7 +5,8 @@
--
-- tags: transient process state often
-- platform: linux
SELECT p.pid,
SELECT
p.pid,
p.path,
p.name,
p.cmdline,
@ -24,19 +25,18 @@ SELECT p.pid,
pp.euid AS parent_euid,
ch.sha256 AS child_sha256,
ph.sha256 AS parent_sha256
FROM processes p
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash AS ch ON p.path = ch.path
LEFT JOIN hash AS ph ON pp.path = ph.path
WHERE p.start_time > 0
WHERE
p.start_time > 0
AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
AND p.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN (
'/usr/lib/firefox',
'/usr/local/kolide-k2/bin'
) -- Typically daemons or long-running desktop apps
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
AND NOT p.path IN (
'',
'/opt/google/chrome/chrome',
@ -87,4 +87,5 @@ WHERE p.start_time > 0
AND f.uid = p.uid
AND p.cmdline LIKE './%'
)
GROUP BY p.pid
GROUP BY
p.pid

59
detection/impact/evenly-timestomped.sql
View File

@ -5,31 +5,34 @@
--
-- tags: persistent seldom filesystem
-- platform: linux
SELECT file.path,
DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
file.inode,
hash.sha256,
magic.data
FROM file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
file.path LIKE "/bin/%%"
OR file.path LIKE "/etc/%%"
OR file.path LIKE "/sbin/%%"
OR file.path LIKE "/lib/%%"
OR file.path LIKE "/usr/%%"
)
-- This timestamp is in UTC
AND file.mtime > (strftime('%s', 'now') - (86400*720))
AND file.mtime%3600 = 0
-- Narrow down to specific offsets in the users local timezone (there should be a better way!)
AND (
mod_time LIKE "% 12:00:00"
OR mod_time LIKE "% 00:00:00"
)
-- false positives
AND file.path NOT IN ('/etc/master.passwd')
AND file.path NOT LIKE '%/lynis%'
AND file.path NOT LIKE '%/yelp-xsl%'
SELECT
file.path,
DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
file.inode,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.path LIKE "/bin/%%"
OR file.path LIKE "/etc/%%"
OR file.path LIKE "/sbin/%%"
OR file.path LIKE "/lib/%%"
OR file.path LIKE "/usr/%%"
)
-- This timestamp is in UTC
AND file.mtime > (strftime('%s', 'now') - (86400 * 720))
AND file.mtime % 3600 = 0
-- Narrow down to specific offsets in the users local timezone (there should be a better way!)
AND (
mod_time LIKE "% 12:00:00"
OR mod_time LIKE "% 00:00:00"
)
-- false positives
AND file.path NOT IN ('/etc/master.passwd')
AND file.path NOT LIKE '%/lynis%'
AND file.path NOT LIKE '%/yelp-xsl%'

256
detection/initial_access/unexpected-diskimage-source-macos.sql
View File

@ -8,129 +8,133 @@
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
)
AND ea.key = 'where_from'
AND file.btime > (strftime('%s', 'now') -86400)
AND domain NOT IN (
'adobe.com',
'alfredapp.com',
'android.com',
'apple.com',
'download.prss.microsoft.com',
'arc.net',
'balsamiq.com',
'brave.com',
'digidesign.com',
'digidesign.com',
'gaomon.net',
'epson.com',
'fcix.net',
'xtom.com',
'gaomon.net',
'oracle.com',
'akmedia.digidesign.com',
'canon.co.uk',
'cdn.mozilla.net',
'charlesproxy.com',
'csclub.uwaterloo.ca',
'docker.com',
'duckduckgo.com',
'eclipse.org',
'gimp.org',
'github.io',
'githubusercontent.com',
'grammarly.com',
'integodownload.com',
'jetbrains.com',
'libreoffice.org',
'loom.com',
'microsoft.com',
'minecraft.net',
'mirrorservice.org',
'mojang.com',
'mozilla.org',
'mysql.com',
'ocf.berkeley.edu',
'oobesaas.adobe.com',
'osuosl.org',
'pqrs.org',
'steampowered.com',
'c-wss.com',
'irccloud.com',
'discordapp.net',
'getutm.app',
'dogado.de',
'vc.logitech.com',
'steampowered.com',
'discord.com',
'logitech.com',
'skype.com',
'remarkable.com',
'balena.io',
'signal.org',
'prusa3d.com',
'google.ca',
'zsa.io',
'slack-edge.com',
'tableplus.com',
'ubuntu.com',
'umd.edu',
'virtualbox.org',
'warp.dev',
'webex.com'
)
AND host NOT IN (
'dl.google.com',
'www.google.com',
'warp-releases.storage.googleapis.com',
'mail.google.com',
'github.com',
'ubuntu.com',
'balsamiq.com',
'tableplus.com',
'discord.com',
'dl.discordapp.net',
'obsproject.com',
'www.messenger.com',
'brave.com',
'emacsformacosx.com',
'store.steampowered.com',
'wavebox.io',
'manual.canon',
'dygma.com',
'duckduckgo.com',
'obsidian.md'
)
-- Yes, these are meant to be fairly broad.
AND host NOT LIKE 'download%'
AND host NOT LIKE 'cdn%'
AND host NOT LIKE '%.edu'
AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
AND host NOT LIKE '%.org'
AND host NOT LIKE 'dl.%'
AND host NOT LIKE 'dl-%'
AND host NOT LIKE 'mirror%'
AND host NOT LIKE 'driver.%'
AND host NOT LIKE 'support%'
AND host NOT LIKE 'software%'
AND host NOT LIKE 'www.google.%'
AND host NOT LIKE '%release%.storage.googleapis.com'
AND NOT (
host LIKE '%.fbcdn.net'
AND file.filename LIKE 'Messenger.%.dmg'
)
GROUP BY ea.value
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
)
AND ea.key = 'where_from'
AND file.btime > (strftime('%s', 'now') -86400)
AND domain NOT IN (
'adobe.com',
'alfredapp.com',
'android.com',
'apple.com',
'download.prss.microsoft.com',
'arc.net',
'balsamiq.com',
'brave.com',
'digidesign.com',
'digidesign.com',
'gaomon.net',
'epson.com',
'fcix.net',
'xtom.com',
'gaomon.net',
'oracle.com',
'akmedia.digidesign.com',
'canon.co.uk',
'cdn.mozilla.net',
'charlesproxy.com',
'csclub.uwaterloo.ca',
'docker.com',
'duckduckgo.com',
'eclipse.org',
'gimp.org',
'github.io',
'githubusercontent.com',
'grammarly.com',
'integodownload.com',
'jetbrains.com',
'libreoffice.org',
'loom.com',
'microsoft.com',
'minecraft.net',
'mirrorservice.org',
'mojang.com',
'mozilla.org',
'mysql.com',
'ocf.berkeley.edu',
'oobesaas.adobe.com',
'osuosl.org',
'pqrs.org',
'steampowered.com',
'c-wss.com',
'irccloud.com',
'discordapp.net',
'getutm.app',
'dogado.de',
'vc.logitech.com',
'steampowered.com',
'discord.com',
'logitech.com',
'skype.com',
'remarkable.com',
'balena.io',
'signal.org',
'prusa3d.com',
'google.ca',
'zsa.io',
'slack-edge.com',
'tableplus.com',
'ubuntu.com',
'umd.edu',
'virtualbox.org',
'warp.dev',
'webex.com'
)
AND host NOT IN (
'dl.google.com',
'www.google.com',
'warp-releases.storage.googleapis.com',
'mail.google.com',
'github.com',
'ubuntu.com',
'balsamiq.com',
'tableplus.com',
'discord.com',
'dl.discordapp.net',
'obsproject.com',
'www.messenger.com',
'brave.com',
'emacsformacosx.com',
'store.steampowered.com',
'wavebox.io',
'manual.canon',
'dygma.com',
'duckduckgo.com',
'obsidian.md'
)
-- Yes, these are meant to be fairly broad.
AND host NOT LIKE 'download%'
AND host NOT LIKE 'cdn%'
AND host NOT LIKE '%.edu'
AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
AND host NOT LIKE '%.org'
AND host NOT LIKE 'dl.%'
AND host NOT LIKE 'dl-%'
AND host NOT LIKE 'mirror%'
AND host NOT LIKE 'driver.%'
AND host NOT LIKE 'support%'
AND host NOT LIKE 'software%'
AND host NOT LIKE 'www.google.%'
AND host NOT LIKE '%release%.storage.googleapis.com'
AND NOT (
host LIKE '%.fbcdn.net'
AND file.filename LIKE 'Messenger.%.dmg'
)
GROUP BY
ea.value

109
detection/initial_access/unexpected-webmail-downloads.sql
View File

@ -5,56 +5,59 @@
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
LOWER(
REGEX_MATCH(RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
) AS extension
FROM mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN hash ON file.path = hash.path
WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
AND file.btime > (strftime('%s', 'now') -86400)
-- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
AND extension NOT IN (
'bz2',
'cer',
'csv',
'doc',
'docx',
'eml',
'gif',
'gz',
'htm',
'html',
'icloud',
'jpeg',
'jpg',
'mp3',
'mp4',
'mpeg',
'mpg',
'ods',
'odt',
'pdf',
'pem',
'pgp',
'png',
'ppt',
'pptx',
'pub',
'tar',
'tif',
'tiff',
'txt',
'wav',
'xls',
'xlsm',
'xlsx',
'zip',
'zstd'
)
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
LOWER(
REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
) AS extension
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN hash ON file.path = hash.path
WHERE
mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
AND file.btime > (strftime('%s', 'now') -86400)
-- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
AND extension NOT IN (
'bz2',
'cer',
'csv',
'doc',
'docx',
'eml',
'gif',
'gz',
'htm',
'html',
'icloud',
'jpeg',
'jpg',
'mp3',
'mp4',
'mpeg',
'mpg',
'ods',
'odt',
'pdf',
'pem',
'pgp',
'png',
'ppt',
'pptx',
'pub',
'tar',
'tif',
'tiff',
'txt',
'wav',
'xls',
'xlsm',
'xlsx',
'zip',
'zstd'
)

5
incident_response/README.md Normal file
View File

@ -0,0 +1,5 @@
The `incident_response` queries originate from the upstream osquery project:
<https://github.com/osquery/osquery/blob/master/packs/incident-response.conf>
Additional tables have been added and the intervals have been modified.

8
incident_response/alf.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the configuration values for the Application Layer Firewall for OSX.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
alf;

10
incident_response/alf_exceptions.sql
View File

@ -1,10 +0,0 @@
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
*
from
alf_exceptions;

7
incident_response/alf_exceptions_macos.sql Normal file
View File

@ -0,0 +1,7 @@
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
--
-- tags: postmortem
SELECT
*
FROM
alf_exceptions;

10
incident_response/alf_explicit_auths.sql
View File

@ -1,10 +0,0 @@
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
*
from
alf_explicit_auths;

8
incident_response/alf_explicit_auths_macos.sql Normal file
View File

@ -0,0 +1,8 @@
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
alf_explicit_auths;

9
incident_response/alf_services.sql
View File

@ -1,10 +1,7 @@
-- Retrieves the services for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
alf_services;

8
incident_response/app_schemes.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the list of application scheme/protocol-based IPC handlers.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select
SELECT
*
from
FROM
app_schemes;

8
incident_response/apps.sql Normal file
View File

@ -0,0 +1,8 @@
-- Retrieves all the currently installed applications in the target OSX system.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
apps;

9
incident_response/arp_cache.sql
View File

@ -1,9 +0,0 @@
-- Retrieves the ARP cache values in the target system.
--
-- interval: 3600
-- value: Determine if MITM in progress.
-- version: 1.4.5
select
*
from
arp_cache;

7
incident_response/block_devices.sql Normal file
View File

@ -0,0 +1,7 @@
-- Retrieves all block devices known to the system
-- platform: posix
-- tags: postmortem seldom
SELECT
*
FROM
block_devices

12
incident_response/crontab.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the jobs scheduled in crontab in the target system.
-- Crontab entries
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select
SELECT
*
from
crontab;
FROM
crontab

8
incident_response/disk_encryption.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the current disk encryption status for the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identifies a system potentially vulnerable to disk cloning.
-- version: 1.4.5
select
SELECT
*
from
FROM
disk_encryption;

8
incident_response/dns_resolvers.sql Normal file
View File

@ -0,0 +1,8 @@
-- Return the list of configured DNS servers on this system
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
dns_resolvers

8
incident_response/docker_containers.sql Normal file
View File

@ -0,0 +1,8 @@
-- Return the list of running Docker containers on this machine
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
docker_containers

8
incident_response/docker_image_history.sql Normal file
View File

@ -0,0 +1,8 @@
-- Return the Docker image history on a machine
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
docker_image_history

8
incident_response/etc_hosts.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the entries in the target system /etc/hosts file.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
-- version: 1.4.5
select
SELECT
*
from
FROM
etc_hosts;

8
incident_response/event_taps_macos.sql Normal file
View File

@ -0,0 +1,8 @@
-- Retrieves software packages with access to listening in on keyboard/mouse events
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
event_taps;

22
incident_response/gatekeeper_macos.sql Normal file
View File

@ -0,0 +1,22 @@
-- Retrieves all the gatekeeper exceptions on a macOS host
--
-- tags: postmortem
-- platform: darwin
SELECT
gap.ctime,
gap.mtime,
gap.path,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
signature.identifier,
signature.authority
FROM
gatekeeper_approved_apps AS gap
LEFT JOIN file ON gap.path = file.path
LEFT JOIN hash ON gap.path = hash.path
LEFT JOIN signature ON gap.path = signature.path
GROUP BY
gap.requirement

10
incident_response/installed_applications.sql
View File

@ -1,10 +0,0 @@
-- Retrieves all the currently installed applications in the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware, adware, or vulnerable packages that are installed as an application.
-- version: 1.4.5
select
*
from
apps;

18
incident_response/ip_forwarding.sql
View File

@ -1,19 +1,17 @@
-- Retrieves the current status of IP/IPv6 forwarding.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Identify if a machine is being used as relay.
-- version: 1.4.5
select
SELECT
*
from
FROM
system_controls
where
WHERE
oid = '4.30.41.1'
union
select
UNION
SELECT
*
from
FROM
system_controls
where
WHERE
oid = '4.2.0.1';

8
incident_response/iptables.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the current filters and chains per filter in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: linux
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
iptables;

8
incident_response/kernel_modules.sql → incident_response/kernel_modules_linux.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the information for the current kernel modules in the target Linux system.
--
-- interval: 3600
-- tags: postmortem
-- platform: linux
-- value: Identify malware that has a kernel module component.
-- version: 1.4.5
select
SELECT
*
from
FROM
kernel_modules;

8
incident_response/kextstat.sql → incident_response/kextstat_macos.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the information about the current kernel extensions for the target OSX system.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that has a kernel extension component.
-- version: 1.4.5
select
SELECT
*
from
FROM
kernel_extensions;

8
incident_response/last.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the list of the latest logins with PID, username and timestamp.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select
SELECT
*
from
FROM
last;

10
incident_response/launchd.sql
View File

@ -1,10 +0,0 @@
-- Retrieves all the daemons that will run in the start of the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
*
from
launchd;

0
incident_response/persistence/launchd.sql → incident_response/launchd_macos.sql
View File

8
incident_response/listening_ports.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the listening ports in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
-- version: 1.4.5
select
SELECT
*
from
FROM
listening_ports;

10
incident_response/logged_in_users.sql
View File

@ -1,17 +1,15 @@
-- Retrieves the list of all the currently logged in users in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select
SELECT
liu.*,
p.name,
p.cmdline,
p.cwd,
p.root
from
FROM
logged_in_users liu,
processes p
where
WHERE
liu.pid = p.pid;

5
incident_response/loginwindow1.sql
View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
key,
subkey,

5
incident_response/loginwindow2.sql
View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
key,
subkey,

5
incident_response/loginwindow3.sql
View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
username,
key,

4
incident_response/loginwindow4.sql
View File

@ -1,9 +1,7 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
username,
key,

8
incident_response/mounts.sql
View File

@ -1,10 +1,8 @@
-- Retrieves the current list of mounted drives in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select
SELECT
*
from
FROM
mounts;

10
incident_response/nfs_shares.sql
View File

@ -1,10 +0,0 @@
-- Retrieves the current list of Network File System mounted shares.
--
-- interval: 3600
-- platform: darwin
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select
*
from
nfs_shares;

25
incident_response/open_files.sql
View File

@ -1,15 +1,16 @@
-- Retrieves all the open files per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify processes accessing sensitive files they shouldn't
-- version: 1.4.5
select distinct
pid,
path
from
process_open_files
where
path not like '/private/var/folders%'
and path not like '/System/Library/%'
and path not in ('/dev/null', '/dev/urandom', '/dev/random');
SELECT DISTINCT
pof.pid,
pof.path,
p.name,
p.cmdline
FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
WHERE
pof.path NOT LIKE '/private/var/folders%'
AND pof.path NOT LIKE '/System/Library/%'
AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');

8
incident_response/persistence/crontab.sql
View File

@ -1,8 +0,0 @@
-- Crontab entries
--
-- interval: 3600
-- platform: posix
SELECT
*
FROM
crontab

9
incident_response/process_env.sql
View File

@ -1,10 +1,7 @@
-- Retrieves all the environment variables per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Insight into the process data: Where was it started from, was it preloaded...
-- version: 1.4.5
select
SELECT
*
from
FROM
process_envs;

0
incident_response/execution/process_events.sql → incident_response/process_events.sql
View File

10
incident_response/process_memory.sql
View File

@ -1,10 +0,0 @@
-- Retrieves the memory map per process in the target Linux system.
--
-- interval: 86400
-- platform: linux
-- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
-- version: 1.4.5
select
*
from
process_memory_map;

7
incident_response/process_memory_map.sql Normal file
View File

@ -0,0 +1,7 @@
-- Retrieves the memory map per process
-- platform: posix
-- tags: postmortem
SELECT
*
FROM
process_memory_map;

10
incident_response/open_sockets.sql → incident_response/process_open_sockets.sql
View File

@ -1,10 +1,8 @@
-- Retrieves all the open sockets per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
-- version: 1.4.5
select distinct
SELECT DISTINCT
pid,
family,
protocol,
@ -13,8 +11,8 @@ select distinct
remote_address,
remote_port,
path
from
FROM
process_open_sockets
where
WHERE
path <> ''
or remote_address <> '';

0
incident_response/execution/processes.sql → incident_response/processes.sql
View File

12
incident_response/ramdisk.sql
View File

@ -1,12 +0,0 @@
-- Retrieves all the ramdisk currently mounted in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
-- version: 1.4.5
select
*
from
block_devices
where
type = 'Virtual Interface';

5
incident_response/recent_items.sql → incident_response/recent_items_macos.sql
View File

@ -1,9 +1,6 @@
-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Identify recently accessed items. Useful for compromised hosts.
-- version: 1.4.5
select
username,
key,

10
incident_response/sandboxes.sql
View File

@ -1,10 +0,0 @@
-- Lists the application bundle that owns a sandbox label.
--
-- interval: 86400
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select
*
from
sandboxes;

8
incident_response/sandboxes_macos.sql Normal file
View File

@ -0,0 +1,8 @@
-- Lists the application bundle that owns a sandbox label.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
sandboxes;

10
incident_response/shell_history.sql
View File

@ -1,11 +1,9 @@
-- Retrieves the command history, per user, by parsing the shell history files.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify actions taken. Useful for compromised hosts.
-- version: 1.4.5
select
SELECT
*
from
FROM
users
join shell_history using (uid);
JOIN shell_history USING (uid);

11
incident_response/startup_items.sql
View File

@ -1,10 +1,7 @@
-- Retrieve all the items that will load when the target OSX system starts.
-- Retrieve most programs that are part of a systems startup (multi-platform)
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select
-- tags: postmortem
SELECT
*
from
FROM
startup_items;

9
incident_response/suid_bin.sql
View File

@ -1,9 +1,8 @@
-- Retrieves all the files in the target system that are setuid enabled.
-- Retrieves setuid-enabled executables in well-known paths
--
-- platform: posix
-- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
-- version: 1.4.5
select
-- tags: postmortem
SELECT
*
from
FROM
suid_bin;

8
incident_response/systemd_units.sql Normal file
View File

@ -0,0 +1,8 @@
-- Returns a list of systemd units
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
systemd_units;

8
incident_response/users.sql Normal file
View File

@ -0,0 +1,8 @@
-- Returns a list of users
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
users

9
incident_response/wireless_networks.sql → incident_response/wireless_networks_macos.sql
View File

@ -1,10 +1,5 @@
-- Retrieves all the remembered wireless network that the target machine has connected to.
--
-- interval: 3600
-- platform: darwin
-- value: Identifies connections to rogue access points.
-- version: 1.6.0
select
SELECT
ssid,
network_name,
security_type,
@ -13,5 +8,5 @@ select
possibly_hidden,
roaming,
roaming_profile
from
FROM
wifi_networks;

8
incident_response/xprotect_reports.sql Normal file
View File

@ -0,0 +1,8 @@
-- Returns a list of malware matches from macOS XProtect
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
xprotect_reports;