From cee1710f749a81b955658e96d528bb2295163675 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Wed, 19 Oct 2022 16:19:53 -0400 Subject: [PATCH] Finish out the incident_response refactor --- detection/evasion/ssh-notty.sql | 26 +- .../unexpected-hidden-system-folders.sql | 11 +- .../recently-created-executables-linux.sql | 17 +- detection/impact/evenly-timestomped.sql | 59 ++-- .../unexpected-diskimage-source-macos.sql | 256 +++++++++--------- .../unexpected-webmail-downloads.sql | 109 ++++---- incident_response/README.md | 5 + incident_response/alf.sql | 8 +- incident_response/alf_exceptions.sql | 10 - incident_response/alf_exceptions_macos.sql | 7 + incident_response/alf_explicit_auths.sql | 10 - .../alf_explicit_auths_macos.sql | 8 + incident_response/alf_services.sql | 9 +- incident_response/app_schemes.sql | 8 +- incident_response/apps.sql | 8 + incident_response/arp_cache.sql | 9 - incident_response/block_devices.sql | 7 + incident_response/crontab.sql | 12 +- incident_response/disk_encryption.sql | 8 +- incident_response/dns_resolvers.sql | 8 + incident_response/docker_containers.sql | 8 + incident_response/docker_image_history.sql | 8 + incident_response/etc_hosts.sql | 8 +- incident_response/event_taps_macos.sql | 8 + incident_response/gatekeeper_macos.sql | 22 ++ incident_response/installed_applications.sql | 10 - incident_response/ip_forwarding.sql | 18 +- incident_response/iptables.sql | 8 +- ...l_modules.sql => kernel_modules_linux.sql} | 8 +- .../{kextstat.sql => kextstat_macos.sql} | 8 +- incident_response/last.sql | 8 +- incident_response/launchd.sql | 10 - .../launchd.sql => launchd_macos.sql} | 0 incident_response/listening_ports.sql | 8 +- incident_response/logged_in_users.sql | 10 +- incident_response/loginwindow1.sql | 5 +- incident_response/loginwindow2.sql | 5 +- incident_response/loginwindow3.sql | 5 +- incident_response/loginwindow4.sql | 4 +- incident_response/mounts.sql | 8 +- incident_response/nfs_shares.sql | 10 - incident_response/open_files.sql | 25 +- incident_response/persistence/crontab.sql | 8 - 
incident_response/process_env.sql | 9 +- .../{execution => }/process_events.sql | 0 incident_response/process_memory.sql | 10 - incident_response/process_memory_map.sql | 7 + ...n_sockets.sql => process_open_sockets.sql} | 10 +- .../{execution => }/processes.sql | 0 incident_response/ramdisk.sql | 12 - ...ecent_items.sql => recent_items_macos.sql} | 5 +- incident_response/sandboxes.sql | 10 - incident_response/sandboxes_macos.sql | 8 + incident_response/shell_history.sql | 10 +- incident_response/startup_items.sql | 11 +- incident_response/suid_bin.sql | 9 +- incident_response/systemd_units.sql | 8 + incident_response/users.sql | 8 + ...tworks.sql => wireless_networks_macos.sql} | 9 +- incident_response/xprotect_reports.sql | 8 + 60 files changed, 469 insertions(+), 472 deletions(-) create mode 100644 incident_response/README.md delete mode 100644 incident_response/alf_exceptions.sql create mode 100644 incident_response/alf_exceptions_macos.sql delete mode 100644 incident_response/alf_explicit_auths.sql create mode 100644 incident_response/alf_explicit_auths_macos.sql create mode 100644 incident_response/apps.sql delete mode 100644 incident_response/arp_cache.sql create mode 100644 incident_response/block_devices.sql create mode 100644 incident_response/dns_resolvers.sql create mode 100644 incident_response/docker_containers.sql create mode 100644 incident_response/docker_image_history.sql create mode 100644 incident_response/event_taps_macos.sql create mode 100644 incident_response/gatekeeper_macos.sql delete mode 100644 incident_response/installed_applications.sql rename incident_response/{kernel_modules.sql => kernel_modules_linux.sql} (55%) rename incident_response/{kextstat.sql => kextstat_macos.sql} (55%) delete mode 100644 incident_response/launchd.sql rename incident_response/{persistence/launchd.sql => launchd_macos.sql} (100%) delete mode 100644 incident_response/nfs_shares.sql delete mode 100644 incident_response/persistence/crontab.sql rename 
incident_response/{execution => }/process_events.sql (100%) delete mode 100644 incident_response/process_memory.sql create mode 100644 incident_response/process_memory_map.sql rename incident_response/{open_sockets.sql => process_open_sockets.sql} (58%) rename incident_response/{execution => }/processes.sql (100%) delete mode 100644 incident_response/ramdisk.sql rename incident_response/{recent_items.sql => recent_items_macos.sql} (74%) delete mode 100644 incident_response/sandboxes.sql create mode 100644 incident_response/sandboxes_macos.sql create mode 100644 incident_response/systemd_units.sql create mode 100644 incident_response/users.sql rename incident_response/{wireless_networks.sql => wireless_networks_macos.sql} (64%) create mode 100644 incident_response/xprotect_reports.sql diff --git a/detection/evasion/ssh-notty.sql b/detection/evasion/ssh-notty.sql index cc2154f..dcacef9 100644 --- a/detection/evasion/ssh-notty.sql +++ b/detection/evasion/ssh-notty.sql @@ -5,9 +5,12 @@ -- -- tags: transient process state -- platform: posix -SELECT * -FROM ( - SELECT p.pid, +SELECT + * +FROM + ( + SELECT + p.pid, p.name, p.cmdline AS cmd, cp.name AS child_name, @@ -15,23 +18,26 @@ FROM ( gcp.name AS grandchild_name, gcp.cmdline AS grandchild_cmd, GROUP_CONCAT(DISTINCT pof.path) AS open_files - FROM processes p + FROM + processes p LEFT JOIN process_open_files pof ON p.pid = pof.pid LEFT JOIN processes cp ON p.pid = cp.parent LEFT JOIN processes gcp ON cp.pid = gcp.parent - WHERE p.name = 'sshd' - GROUP BY p.pid + WHERE + p.name = 'sshd' + GROUP BY + p.pid ) -WHERE ( +WHERE + ( INSTR(cmd, '@notty') > 0 OR ( open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0 ) ) - -- You must specifically check for NULL here, or risk inadvertently filtering everything out. AND ( - grandchild_name IS NULL - OR grandchild_name != 'zfs' + grandchild_name IS NULL + OR grandchild_name != 'zfs' ) 
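Review bot: The rewrapped WHERE drops the line `-- You must specifically check for NULL here, or risk inadvertently filtering everything out.` that sat above `grandchild_name IS NULL`, and nothing replaces it; the guard exists because `gcp` is LEFT JOINed, so `grandchild_name != 'zfs'` on its own is UNKNOWN for an sshd with no grandchild and would silently filter those rows out. Restore the comment on the `AND (` line so a later formatter or cleanup pass does not "simplify" the IS NULL check away. The same three-valued-logic concern appears to apply to `open_files != '/dev/null'` in the OR branch — GROUP_CONCAT over a process with no open files yields NULL, so that branch never matches — but that predates this commit and is worth a `-- TODO: open_files is NULL when the process has no open files` note rather than a change here.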
diff --git a/detection/evasion/unexpected-hidden-system-folders.sql b/detection/evasion/unexpected-hidden-system-folders.sql index d5498cc..42e23a5 100644 --- a/detection/evasion/unexpected-hidden-system-folders.sql +++ b/detection/evasion/unexpected-hidden-system-folders.sql @@ -8,7 +8,8 @@ -- -- platform: posix -- tags: persistent filesystem state -SELECT file.path, +SELECT + file.path, file.directory, uid, gid, @@ -19,10 +20,12 @@ SELECT file.path, size, hash.sha256, magic.data -FROM file +FROM + file LEFT JOIN hash ON file.path = hash.path LEFT JOIN magic ON file.path = magic.path -WHERE ( +WHERE + ( file.path LIKE '/lib/.%' OR file.path LIKE '/.%' OR file.path LIKE '/bin/%/.%' @@ -119,4 +122,4 @@ WHERE ( AND file.gid = 0 AND file.mode IN ('0755', '0700') AND file.size = 4 - ) \ No newline at end of file + ) diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql index 0e80f68..0722aa2 100644 --- a/detection/execution/recently-created-executables-linux.sql +++ b/detection/execution/recently-created-executables-linux.sql @@ -5,7 +5,8 @@ -- -- tags: transient process state often -- platform: linux -SELECT p.pid, +SELECT + p.pid, p.path, p.name, p.cmdline, 
@@ -24,19 +25,18 @@ SELECT p.pid, pp.euid AS parent_euid, ch.sha256 AS child_sha256, ph.sha256 AS parent_sha256 -FROM processes p +FROM + processes p LEFT JOIN file f ON p.path = f.path LEFT JOIN processes pp ON p.parent = pp.pid LEFT JOIN hash AS ch ON p.path = ch.path LEFT JOIN hash AS ph ON pp.path = ph.path -WHERE p.start_time > 0 +WHERE + p.start_time > 0 AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes AND (p.start_time - MAX(f.ctime, f.btime)) < 180 AND p.start_time >= MAX(f.ctime, f.ctime) - AND NOT f.directory IN ( - '/usr/lib/firefox', - '/usr/local/kolide-k2/bin' - ) -- Typically daemons or long-running desktop apps + AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps AND NOT p.path IN ( '', '/opt/google/chrome/chrome', @@ -87,4 +87,5 @@ WHERE p.start_time > 0 AND f.uid = p.uid AND p.cmdline LIKE './%' ) -GROUP BY p.pid \ No newline at end of file +GROUP BY + p.pid diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql index ef8094b..23797d1 100644 --- a/detection/impact/evenly-timestomped.sql +++ b/detection/impact/evenly-timestomped.sql 
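Review bot: `AND p.start_time >= MAX(f.ctime, f.ctime)` in the rewrapped WHERE compares ctime with itself, which looks like a typo for the `MAX(f.ctime, f.btime)` used on the line just above it; as written the predicate reduces to `p.start_time >= f.ctime` and btime is never considered. It is a context line the commit re-indents around rather than touches, so the bug is pre-existing, but this hunk is the natural place to fix it: `AND p.start_time >= MAX(f.ctime, f.btime)`. The `AND NOT p.path IN (` exclusion list that follows continues past the end of the hunk.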
@@ -5,31 +5,34 @@
 --
 -- tags: persistent seldom filesystem
 -- platform: linux
-SELECT file.path,
-  DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
-  DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
-  file.inode,
-  hash.sha256,
-  magic.data
-FROM file
-  LEFT JOIN hash ON file.path = hash.path
-  LEFT JOIN magic ON file.path = magic.path
-WHERE (
-    file.path LIKE "/bin/%%"
-    OR file.path LIKE "/etc/%%"
-    OR file.path LIKE "/sbin/%%"
-    OR file.path LIKE "/lib/%%"
-    OR file.path LIKE "/usr/%%"
-  )
-  -- This timestamp is in UTC
-  AND file.mtime > (strftime('%s', 'now') - (86400*720))
-  AND file.mtime%3600 = 0
-  -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
-  AND (
-    mod_time LIKE "% 12:00:00"
-    OR mod_time LIKE "% 00:00:00"
-  )
-  -- false positives
-  AND file.path NOT IN ('/etc/master.passwd')
-  AND file.path NOT LIKE '%/lynis%'
-  AND file.path NOT LIKE '%/yelp-xsl%'
+SELECT
+  file.path,
+  DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
+  DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
+  file.inode,
+  hash.sha256,
+  magic.data
+FROM
+  file
+  LEFT JOIN hash ON file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  (
+    file.path LIKE "/bin/%%"
+    OR file.path LIKE "/etc/%%"
+    OR file.path LIKE "/sbin/%%"
+    OR file.path LIKE "/lib/%%"
+    OR file.path LIKE "/usr/%%"
+  )
+  -- This timestamp is in UTC
+  AND file.mtime > (strftime('%s', 'now') - (86400 * 720))
+  AND file.mtime % 3600 = 0
+  -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
+  AND (
+    mod_time LIKE "% 12:00:00"
+    OR mod_time LIKE "% 00:00:00"
+  )
+  -- false positives
+  AND file.path NOT IN ('/etc/master.passwd')
+  AND file.path NOT LIKE '%/lynis%'
+  AND file.path NOT LIKE '%/yelp-xsl%'
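Review bot: The reformatted WHERE keeps double-quoted string literals (`"/bin/%%"`, `"% 12:00:00"`) while every other query in this patch uses single quotes; SQLite resolves a double-quoted token as an identifier first and only falls back to a string literal, a fallback that can be compiled out, so these are fragile as well as inconsistent. `%%` in a LIKE pattern is also just two adjacent wildcards, equivalent to one. Suggest `file.path LIKE '/bin/%'` (and likewise for the other four paths) and `mod_time LIKE '% 12:00:00'` / `mod_time LIKE '% 00:00:00'`, which changes no matches.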
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index 96f7bdc..e6009b3 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql +++ b/detection/initial_access/unexpected-diskimage-source-macos.sql 
@@ -8,129 +8,133 @@
 --
 -- platform: darwin
 -- tags: persistent filesystem spotlight
-SELECT file.path,
-  file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
-  magic.data,
-  ea.value AS url,
-  REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
-  REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
-FROM mdfind
-  LEFT JOIN file ON mdfind.path = file.path
-  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
-  LEFT JOIN magic ON file.path = magic.path
-WHERE (
-    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
-    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
-  )
-  AND ea.key = 'where_from'
-  AND file.btime > (strftime('%s', 'now') -86400)
-  AND domain NOT IN (
-    'adobe.com',
-    'alfredapp.com',
-    'android.com',
-    'apple.com',
-    'download.prss.microsoft.com',
-    'arc.net',
-    'balsamiq.com',
-    'brave.com',
-    'digidesign.com',
-    'digidesign.com',
-    'gaomon.net',
-    'epson.com',
-    'fcix.net',
-    'xtom.com',
-    'gaomon.net',
-    'oracle.com',
-    'akmedia.digidesign.com',
-    'canon.co.uk',
-    'cdn.mozilla.net',
-    'charlesproxy.com',
-    'csclub.uwaterloo.ca',
-    'docker.com',
-    'duckduckgo.com',
-    'eclipse.org',
-    'gimp.org',
-    'github.io',
-    'githubusercontent.com',
-    'grammarly.com',
-    'integodownload.com',
-    'jetbrains.com',
-    'libreoffice.org',
-    'loom.com',
-    'microsoft.com',
-    'minecraft.net',
-    'mirrorservice.org',
-    'mojang.com',
-    'mozilla.org',
-    'mysql.com',
-    'ocf.berkeley.edu',
-    'oobesaas.adobe.com',
-    'osuosl.org',
-    'pqrs.org',
-    'steampowered.com',
-    'c-wss.com',
-    'irccloud.com',
-    'discordapp.net',
-    'getutm.app',
-    'dogado.de',
-    'vc.logitech.com',
-    'steampowered.com',
-    'discord.com',
-    'logitech.com',
-    'skype.com',
-    'remarkable.com',
-    'balena.io',
-    'signal.org',
-    'prusa3d.com',
-    'google.ca',
-    'zsa.io',
-    'slack-edge.com',
-    'tableplus.com',
-    'ubuntu.com',
-    'umd.edu',
-    'virtualbox.org',
-    'warp.dev',
-    'webex.com'
-  )
-  AND host NOT IN (
-    'dl.google.com',
-    'www.google.com',
-    'warp-releases.storage.googleapis.com',
-    'mail.google.com',
-    'github.com',
-    'ubuntu.com',
-    'balsamiq.com',
-    'tableplus.com',
-    'discord.com',
-    'dl.discordapp.net',
-    'obsproject.com',
-    'www.messenger.com',
-    'brave.com',
-    'emacsformacosx.com',
-    'store.steampowered.com',
-    'wavebox.io',
-    'manual.canon',
-    'dygma.com',
-    'duckduckgo.com',
-    'obsidian.md'
-  )
-  -- Yes, these are meant to be fairly broad.
-  AND host NOT LIKE 'download%'
-  AND host NOT LIKE 'cdn%'
-  AND host NOT LIKE '%.edu'
-  AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
-  AND host NOT LIKE '%.org'
-  AND host NOT LIKE 'dl.%'
-  AND host NOT LIKE 'dl-%'
-  AND host NOT LIKE 'mirror%'
-  AND host NOT LIKE 'driver.%'
-  AND host NOT LIKE 'support%'
-  AND host NOT LIKE 'software%'
-  AND host NOT LIKE 'www.google.%'
-  AND host NOT LIKE '%release%.storage.googleapis.com'
-  AND NOT (
-    host LIKE '%.fbcdn.net'
-    AND file.filename LIKE 'Messenger.%.dmg'
-  )
-GROUP BY ea.value
\ No newline at end of file
+SELECT
+  file.path,
+  file.size,
+  datetime(file.btime, 'unixepoch') AS file_created,
+  magic.data,
+  ea.value AS url,
+  REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
+  REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
+FROM
+  mdfind
+  LEFT JOIN file ON mdfind.path = file.path
+  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE
+  (
+    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
+    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
+  )
+  AND ea.key = 'where_from'
+  AND file.btime > (strftime('%s', 'now') -86400)
+  AND domain NOT IN (
+    'adobe.com',
+    'alfredapp.com',
+    'android.com',
+    'apple.com',
+    'download.prss.microsoft.com',
+    'arc.net',
+    'balsamiq.com',
+    'brave.com',
+    'digidesign.com',
+    'digidesign.com',
+    'gaomon.net',
+    'epson.com',
+    'fcix.net',
+    'xtom.com',
+    'gaomon.net',
+    'oracle.com',
+    'akmedia.digidesign.com',
+    'canon.co.uk',
+    'cdn.mozilla.net',
+    'charlesproxy.com',
+    'csclub.uwaterloo.ca',
+    'docker.com',
+    'duckduckgo.com',
+    'eclipse.org',
+    'gimp.org',
+    'github.io',
+    'githubusercontent.com',
+    'grammarly.com',
+    'integodownload.com',
+    'jetbrains.com',
+    'libreoffice.org',
+    'loom.com',
+    'microsoft.com',
+    'minecraft.net',
+    'mirrorservice.org',
+    'mojang.com',
+    'mozilla.org',
+    'mysql.com',
+    'ocf.berkeley.edu',
+    'oobesaas.adobe.com',
+    'osuosl.org',
+    'pqrs.org',
+    'steampowered.com',
+    'c-wss.com',
+    'irccloud.com',
+    'discordapp.net',
+    'getutm.app',
+    'dogado.de',
+    'vc.logitech.com',
+    'steampowered.com',
+    'discord.com',
+    'logitech.com',
+    'skype.com',
+    'remarkable.com',
+    'balena.io',
+    'signal.org',
+    'prusa3d.com',
+    'google.ca',
+    'zsa.io',
+    'slack-edge.com',
+    'tableplus.com',
+    'ubuntu.com',
+    'umd.edu',
+    'virtualbox.org',
+    'warp.dev',
+    'webex.com'
+  )
+  AND host NOT IN (
+    'dl.google.com',
+    'www.google.com',
+    'warp-releases.storage.googleapis.com',
+    'mail.google.com',
+    'github.com',
+    'ubuntu.com',
+    'balsamiq.com',
+    'tableplus.com',
+    'discord.com',
+    'dl.discordapp.net',
+    'obsproject.com',
+    'www.messenger.com',
+    'brave.com',
+    'emacsformacosx.com',
+    'store.steampowered.com',
+    'wavebox.io',
+    'manual.canon',
+    'dygma.com',
+    'duckduckgo.com',
+    'obsidian.md'
+  )
+  -- Yes, these are meant to be fairly broad.
+  AND host NOT LIKE 'download%'
+  AND host NOT LIKE 'cdn%'
+  AND host NOT LIKE '%.edu'
+  AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
+  AND host NOT LIKE '%.org'
+  AND host NOT LIKE 'dl.%'
+  AND host NOT LIKE 'dl-%'
+  AND host NOT LIKE 'mirror%'
+  AND host NOT LIKE 'driver.%'
+  AND host NOT LIKE 'support%'
+  AND host NOT LIKE 'software%'
+  AND host NOT LIKE 'www.google.%'
+  AND host NOT LIKE '%release%.storage.googleapis.com'
+  AND NOT (
+    host LIKE '%.fbcdn.net'
+    AND file.filename LIKE 'Messenger.%.dmg'
+  )
+GROUP BY
+  ea.value
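Review bot: The reformatted `domain NOT IN (...)` allow-list still carries three duplicates — `'digidesign.com'`, `'gaomon.net'` and `'steampowered.com'` each appear twice — which is harmless to the query but makes the list harder to audit, and this list is exactly what a reviewer reads to learn which download sources are exempt from the rule. Since the commit already rewrites every line of the list, dropping the second occurrence of each is a free cleanup. The `-86400` in `AND file.btime > (strftime('%s', 'now') -86400)` would also read better as `- 86400`, matching the `(86400 * 720)` spacing the same patch applies in evenly-timestomped.sql.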
diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql index 6305576..03650f9 100644 --- a/detection/initial_access/unexpected-webmail-downloads.sql +++ b/detection/initial_access/unexpected-webmail-downloads.sql 
@@ -5,56 +5,59 @@
 --
 -- platform: darwin
 -- tags: persistent filesystem spotlight
-SELECT file.path,
-  file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
-  magic.data,
-  hash.sha256,
-  LOWER(
-    REGEX_MATCH(RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
-  ) AS extension
-FROM mdfind
-  LEFT JOIN file ON mdfind.path = file.path
-  LEFT JOIN magic ON file.path = magic.path
-  LEFT JOIN hash ON file.path = hash.path
-WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
-  AND file.btime > (strftime('%s', 'now') -86400)
-  -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
-  AND extension NOT IN (
-    'bz2',
-    'cer',
-    'csv',
-    'doc',
-    'docx',
-    'eml',
-    'gif',
-    'gz',
-    'htm',
-    'html',
-    'icloud',
-    'jpeg',
-    'jpg',
-    'mp3',
-    'mp4',
-    'mpeg',
-    'mpg',
-    'ods',
-    'odt',
-    'pdf',
-    'pem',
-    'pgp',
-    'png',
-    'ppt',
-    'pptx',
-    'pub',
-    'tar',
-    'tif',
-    'tiff',
-    'txt',
-    'wav',
-    'xls',
-    'xlsm',
-    'xlsx',
-    'zip',
-    'zstd'
-  )
\ No newline at end of file
+SELECT
+  file.path,
+  file.size,
+  datetime(file.btime, 'unixepoch') AS file_created,
+  magic.data,
+  hash.sha256,
+  LOWER(
+    REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
+  ) AS extension
+FROM
+  mdfind
+  LEFT JOIN file ON mdfind.path = file.path
+  LEFT JOIN magic ON file.path = magic.path
+  LEFT JOIN hash ON file.path = hash.path
+WHERE
+  mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
+  AND file.btime > (strftime('%s', 'now') -86400)
+  -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
+  AND extension NOT IN (
+    'bz2',
+    'cer',
+    'csv',
+    'doc',
+    'docx',
+    'eml',
+    'gif',
+    'gz',
+    'htm',
+    'html',
+    'icloud',
+    'jpeg',
+    'jpg',
+    'mp3',
+    'mp4',
+    'mpeg',
+    'mpg',
+    'ods',
+    'odt',
+    'pdf',
+    'pem',
+    'pgp',
+    'png',
+    'ppt',
+    'pptx',
+    'pub',
+    'tar',
+    'tif',
+    'tiff',
+    'txt',
+    'wav',
+    'xls',
+    'xlsm',
+    'xlsx',
+    'zip',
+    'zstd'
+  )
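Review bot: `AND extension NOT IN (...)` silently drops any download whose `extension` is NULL: if `REGEX_MATCH` yields NULL rather than '' when the `'.*\.(.*?)$'` pattern does not match (a filename with no dot), the NOT IN is UNKNOWN and the row is filtered out, so extension-less files fetched from webmail — arguably the ones most worth surfacing — never appear. The commit rewraps this clause without addressing it; guard it explicitly, e.g. `AND (extension IS NULL OR extension NOT IN (` with a matching `))` after `'zstd'`. If REGEX_MATCH is known to return '' on no match this is moot, but a one-line comment saying so would save the next reader the same question.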
diff --git a/incident_response/README.md b/incident_response/README.md
new file mode 100644
index 0000000..4ab6e49
--- /dev/null
+++ b/incident_response/README.md
@@ -0,0 +1,5 @@
+The `incident_response` queries originate from the upstream osquery project:
+
+
+
+Additional tables have been added and the intervals have been modified.
diff --git a/incident_response/alf.sql b/incident_response/alf.sql
index 0294792..c0d4bf5 100644
--- a/incident_response/alf.sql
+++ b/incident_response/alf.sql
@@ -1,10 +1,8 @@
 -- Retrieves the configuration values for the Application Layer Firewall for OSX.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   alf;
diff --git a/incident_response/alf_exceptions.sql b/incident_response/alf_exceptions.sql
deleted file mode 100644
index 391e3f6..0000000
--- a/incident_response/alf_exceptions.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- Retrieves the exceptions for the Application Layer Firewall in OSX.
---
--- interval: 3600
--- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
-  *
-from
-  alf_exceptions;
diff --git a/incident_response/alf_exceptions_macos.sql b/incident_response/alf_exceptions_macos.sql
new file mode 100644
index 0000000..504a2d8
--- /dev/null
+++ b/incident_response/alf_exceptions_macos.sql
@@ -0,0 +1,7 @@
+-- Retrieves the exceptions for the Application Layer Firewall in OSX.
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  alf_exceptions;
diff --git a/incident_response/alf_explicit_auths.sql b/incident_response/alf_explicit_auths.sql
deleted file mode 100644
index 0495858..0000000
--- a/incident_response/alf_explicit_auths.sql
+++ /dev/null
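Review bot: The new incident_response/alf_exceptions_macos.sql header has `-- tags: postmortem` but no `-- platform: darwin` line, whereas the deleted alf_exceptions.sql had one and the sibling files created in this same commit (alf_explicit_auths_macos.sql, apps.sql) keep it. If the runner uses the platform header to decide where a query is scheduled, this query would be attempted on Linux hosts where the `alf_exceptions` table does not exist; even if it does not, the `_macos` suffix alone is a weaker signal than the header the rest of the directory relies on. Add `-- platform: darwin` directly after the tags line, matching alf.sql in the hunk above.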
@@ -1,10 +0,0 @@
--- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
---
--- interval: 3600
--- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
-  *
-from
-  alf_explicit_auths;
diff --git a/incident_response/alf_explicit_auths_macos.sql b/incident_response/alf_explicit_auths_macos.sql
new file mode 100644
index 0000000..1aa6d69
--- /dev/null
+++ b/incident_response/alf_explicit_auths_macos.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  alf_explicit_auths;
diff --git a/incident_response/alf_services.sql b/incident_response/alf_services.sql
index 82a67e1..2695a67 100644
--- a/incident_response/alf_services.sql
+++ b/incident_response/alf_services.sql
@@ -1,10 +1,7 @@
 -- Retrieves the services for the Application Layer Firewall in OSX.
---
--- interval: 3600
+-- tags: postmortem
 -- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   alf_services;
diff --git a/incident_response/app_schemes.sql b/incident_response/app_schemes.sql
index 2fbdfde..cce8a61 100644
--- a/incident_response/app_schemes.sql
+++ b/incident_response/app_schemes.sql
@@ -1,10 +1,8 @@
 -- Retrieves the list of application scheme/protocol-based IPC handlers.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: darwin
--- value: Post-priori hijack detection, detect potential sensitive information leakage.
--- version: 1.4.7
-select
+SELECT
   *
-from
+FROM
   app_schemes;
diff --git a/incident_response/apps.sql b/incident_response/apps.sql
new file mode 100644
index 0000000..d532ccf
--- /dev/null
+++ b/incident_response/apps.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the currently installed applications in the target OSX system.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  apps;
diff --git a/incident_response/arp_cache.sql b/incident_response/arp_cache.sql
deleted file mode 100644
index 4005c8d..0000000
--- a/incident_response/arp_cache.sql
+++ /dev/null
@@ -1,9 +0,0 @@
--- Retrieves the ARP cache values in the target system.
---
--- interval: 3600
--- value: Determine if MITM in progress.
--- version: 1.4.5
-select
-  *
-from
-  arp_cache;
diff --git a/incident_response/block_devices.sql b/incident_response/block_devices.sql
new file mode 100644
index 0000000..9ac38c3
--- /dev/null
+++ b/incident_response/block_devices.sql
@@ -0,0 +1,7 @@
+-- Retrieves all block devices known to the system
+-- platform: posix
+-- tags: postmortem seldom
+SELECT
+  *
+FROM
+  block_devices
diff --git a/incident_response/crontab.sql b/incident_response/crontab.sql
index d092916..fa1e9ee 100644
--- a/incident_response/crontab.sql
+++ b/incident_response/crontab.sql
@@ -1,10 +1,8 @@
--- Retrieves all the jobs scheduled in crontab in the target system.
+-- Crontab entries
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Identify malware that uses this persistence mechanism to launch at a given interval
--- version: 1.4.5
-select
+SELECT
   *
-from
-  crontab;
+FROM
+  crontab
diff --git a/incident_response/disk_encryption.sql b/incident_response/disk_encryption.sql
index 31f9775..6c4009b 100644
--- a/incident_response/disk_encryption.sql
+++ b/incident_response/disk_encryption.sql
@@ -1,10 +1,8 @@
 -- Retrieves the current disk encryption status for the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identifies a system potentially vulnerable to disk cloning.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   disk_encryption;
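Review bot: The crontab.sql hunk replaces `  crontab;` with `  crontab` and block_devices.sql is created without a terminator, as are dns_resolvers.sql, docker_containers.sql and docker_image_history.sql on the next line, while apps.sql, disk_encryption.sql and every rewritten query in this patch keep the trailing `;`; pick one convention and apply it to all the new files. The crontab.sql header also shrinks from `-- Retrieves all the jobs scheduled in crontab in the target system.` to `-- Crontab entries`, which is less informative than the one-line description every sibling keeps, and block_devices.sql puts `-- platform:` before `-- tags:` with no `--` separator line, unlike the other headers. None of this changes results, but the directory is read as a set.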
diff --git a/incident_response/dns_resolvers.sql b/incident_response/dns_resolvers.sql
new file mode 100644
index 0000000..986cce5
--- /dev/null
+++ b/incident_response/dns_resolvers.sql
@@ -0,0 +1,8 @@
+-- Return the list of configured DNS servers on this system
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  dns_resolvers
diff --git a/incident_response/docker_containers.sql b/incident_response/docker_containers.sql
new file mode 100644
index 0000000..8054ec8
--- /dev/null
+++ b/incident_response/docker_containers.sql
@@ -0,0 +1,8 @@
+-- Return the list of running Docker containers on this machine
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_containers
diff --git a/incident_response/docker_image_history.sql b/incident_response/docker_image_history.sql
new file mode 100644
index 0000000..6db0aef
--- /dev/null
+++ b/incident_response/docker_image_history.sql
@@ -0,0 +1,8 @@
+-- Return the Docker image history on a machine
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_image_history
diff --git a/incident_response/etc_hosts.sql b/incident_response/etc_hosts.sql
index e53932a..71f78eb 100644
--- a/incident_response/etc_hosts.sql
+++ b/incident_response/etc_hosts.sql
@@ -1,10 +1,8 @@
 -- Retrieves all the entries in the target system /etc/hosts file.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   etc_hosts;
diff --git a/incident_response/event_taps_macos.sql b/incident_response/event_taps_macos.sql
new file mode 100644
index 0000000..6be540c
--- /dev/null
+++ b/incident_response/event_taps_macos.sql
@@ -0,0 +1,8 @@
+-- Retrieves software packages with access to listening in on keyboard/mouse events
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  event_taps;
diff --git a/incident_response/gatekeeper_macos.sql b/incident_response/gatekeeper_macos.sql
new file mode 100644
index 0000000..16348a9
--- /dev/null
+++ b/incident_response/gatekeeper_macos.sql
@@ -0,0 +1,22 @@
+-- Retrieves all the gatekeeper exceptions on a macOS host
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  gap.ctime,
+  gap.mtime,
+  gap.path,
+  file.mtime,
+  file.uid,
+  file.ctime,
+  file.gid,
+  hash.sha256,
+  signature.identifier,
+  signature.authority
+FROM
+  gatekeeper_approved_apps AS gap
+  LEFT JOIN file ON gap.path = file.path
+  LEFT JOIN hash ON gap.path = hash.path
+  LEFT JOIN signature ON gap.path = signature.path
+GROUP BY
+  gap.requirement
diff --git a/incident_response/installed_applications.sql b/incident_response/installed_applications.sql
deleted file mode 100644
index 868397a..0000000
--- a/incident_response/installed_applications.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- Retrieves all the currently installed applications in the target OSX system.
---
--- interval: 3600
--- platform: darwin
--- value: Identify malware, adware, or vulnerable packages that are installed as an application.
--- version: 1.4.5
-select
-  *
-from
-  apps;
diff --git a/incident_response/ip_forwarding.sql b/incident_response/ip_forwarding.sql
index 431f423..448e0d7 100644
--- a/incident_response/ip_forwarding.sql
+++ b/incident_response/ip_forwarding.sql
@@ -1,19 +1,17 @@
 -- Retrieves the current status of IP/IPv6 forwarding.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Identify if a machine is being used as relay.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   system_controls
-where
+WHERE
   oid = '4.30.41.1'
-union
-select
+UNION
+SELECT
   *
-from
+FROM
   system_controls
-where
+WHERE
   oid = '4.2.0.1';
diff --git a/incident_response/iptables.sql b/incident_response/iptables.sql
index a57d1ea..1ff58ed 100644
--- a/incident_response/iptables.sql
+++ b/incident_response/iptables.sql
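Review bot: The new gatekeeper_macos.sql selects `gap.ctime`/`file.ctime` and `gap.mtime`/`file.mtime` without aliases, so the result set carries two `ctime` and two `mtime` columns and a consumer keyed by column name cannot tell which timestamp belongs to the Gatekeeper record and which to the file on disk. It also groups by `gap.requirement`, a column that is not selected, while every selected column is a bare (non-aggregated) column; under SQLite's bare-column rule one arbitrary row per requirement is returned, so for a requirement shared by several paths which `gap.path` you see is unspecified and the grouping key itself is invisible. Alias the clashing columns and surface the key, leaving the joins and the GROUP BY as they are.
```sql
SELECT
  gap.ctime AS gap_ctime,
  gap.mtime AS gap_mtime,
  gap.path,
  gap.requirement,
  file.mtime AS file_mtime,
  file.uid,
  file.ctime AS file_ctime,
  file.gid,
  hash.sha256,
  signature.identifier,
  signature.authority
-- … unchanged: FROM / LEFT JOIN clauses and GROUP BY gap.requirement …
```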
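Review bot: ip_forwarding.sql keeps the `UNION` of two SELECTs that differ only in `oid = '4.30.41.1'` versus `oid = '4.2.0.1'`; the two result sets are disjoint by construction, so `UNION` buys a needless sort-and-dedup and twice the table scan. The same rows come from one statement, `WHERE oid IN ('4.30.41.1', '4.2.0.1')`, or at minimum `UNION ALL`. A comment naming the two OIDs would also help — they appear to be the IPv6 and IPv4 forwarding sysctls (`net.inet6.ip6.forwarding` / `net.inet.ip.forwarding`), which the file name implies but the query never states; confirm the mapping before committing the comment.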
@@ -1,10 +1,8 @@
 -- Retrieves the current filters and chains per filter in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: linux
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   iptables;
diff --git a/incident_response/kernel_modules.sql b/incident_response/kernel_modules_linux.sql
similarity index 55%
rename from incident_response/kernel_modules.sql
rename to incident_response/kernel_modules_linux.sql
index e08cfd0..282d631 100644
--- a/incident_response/kernel_modules.sql
+++ b/incident_response/kernel_modules_linux.sql
@@ -1,10 +1,8 @@
 -- Retrieves all the information for the current kernel modules in the target Linux system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: linux
--- value: Identify malware that has a kernel module component.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   kernel_modules;
diff --git a/incident_response/kextstat.sql b/incident_response/kextstat_macos.sql
similarity index 55%
rename from incident_response/kextstat.sql
rename to incident_response/kextstat_macos.sql
index b64c383..c70592d 100644
--- a/incident_response/kextstat.sql
+++ b/incident_response/kextstat_macos.sql
@@ -1,10 +1,8 @@
 -- Retrieves all the information about the current kernel extensions for the target OSX system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that has a kernel extension component.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   kernel_extensions;
diff --git a/incident_response/last.sql b/incident_response/last.sql
index 7ab0ff4..60b9bdb 100644
--- a/incident_response/last.sql
+++ b/incident_response/last.sql
@@ -1,10 +1,8 @@
 -- Retrieves the list of the latest logins with PID, username and timestamp.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   last;
diff --git a/incident_response/launchd.sql b/incident_response/launchd.sql
deleted file mode 100644
index c05ef6c..0000000
--- a/incident_response/launchd.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- Retrieves all the daemons that will run in the start of the target OSX system.
---
--- interval: 3600
--- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
-select
-  *
-from
-  launchd;
diff --git a/incident_response/persistence/launchd.sql b/incident_response/launchd_macos.sql
similarity index 100%
rename from incident_response/persistence/launchd.sql
rename to incident_response/launchd_macos.sql
diff --git a/incident_response/listening_ports.sql b/incident_response/listening_ports.sql
index bf9737a..66c7bcc 100644
--- a/incident_response/listening_ports.sql
+++ b/incident_response/listening_ports.sql
@@ -1,10 +1,8 @@
 -- Retrieves all the listening ports in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
--- version: 1.4.5
-select
+SELECT
   *
-from
+FROM
   listening_ports;
diff --git a/incident_response/logged_in_users.sql b/incident_response/logged_in_users.sql
index 2f2c0ce..c90791c 100644
--- a/incident_response/logged_in_users.sql
+++ b/incident_response/logged_in_users.sql
@@ -1,17 +1,15 @@
 -- Retrieves the list of all the currently logged in users in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
--- version: 1.4.5
-select
+SELECT
 liu.*,
 p.name,
 p.cmdline,
 p.cwd,
 p.root
-from
+FROM
 logged_in_users liu,
 processes p
-where
+WHERE
 liu.pid = p.pid;
diff --git a/incident_response/loginwindow1.sql b/incident_response/loginwindow1.sql
index b7eee02..f2e7c13 100644
--- a/incident_response/loginwindow1.sql
+++ b/incident_response/loginwindow1.sql
@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
 key,
 subkey,
diff --git a/incident_response/loginwindow2.sql b/incident_response/loginwindow2.sql
index 545bfe5..f2c694d 100644
--- a/incident_response/loginwindow2.sql
+++ b/incident_response/loginwindow2.sql
@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
 key,
 subkey,
diff --git a/incident_response/loginwindow3.sql b/incident_response/loginwindow3.sql
index d03260a..f0e465b 100644
--- a/incident_response/loginwindow3.sql
+++ b/incident_response/loginwindow3.sql
@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
 username,
 key,
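Review bot: `FROM logged_in_users liu, processes p WHERE liu.pid = p.pid` is an implicit inner join, so any session whose pid has no matching row in `processes` (the process exited between the two table reads, or the session reports no pid) is silently dropped; for a postmortem listing of who is on the box, losing rows is the wrong failure mode. The same commit switched open_files.sql to `LEFT JOIN processes p ON pof.pid = p.pid`, and the same shape here keeps every session and leaves the process columns NULL when nothing matches: `FROM logged_in_users liu LEFT JOIN processes p ON liu.pid = p.pid;` with the `WHERE` clause removed.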
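Review bot: In the loginwindow1.sql hunk the header ends up with two consecutive bare `--` lines (the existing one plus the added `+--`) ahead of `-- tags: postmortem`, where every other header in this commit has exactly one separator, and the `select` two lines below stays lowercase while the rest of the commit uppercases `SELECT`/`FROM`. The loginwindow2.sql and loginwindow3.sql hunks that follow have the same two inconsistencies; dropping the extra `+--` line and uppercasing `select` in all three brings them in line. The select list of each query continues outside its hunk.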
diff --git a/incident_response/loginwindow4.sql b/incident_response/loginwindow4.sql
index 133fad1..86e6f98 100644
--- a/incident_response/loginwindow4.sql
+++ b/incident_response/loginwindow4.sql
@@ -1,9 +1,7 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
 username,
 key,
diff --git a/incident_response/mounts.sql b/incident_response/mounts.sql
index a9d8de1..417f809 100644
--- a/incident_response/mounts.sql
+++ b/incident_response/mounts.sql
@@ -1,10 +1,8 @@
 -- Retrieves the current list of mounted drives in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
--- version: 1.4.5
-select
+SELECT
 *
-from
+FROM
 mounts;
diff --git a/incident_response/nfs_shares.sql b/incident_response/nfs_shares.sql
deleted file mode 100644
index f69af51..0000000
--- a/incident_response/nfs_shares.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- Retrieves the current list of Network File System mounted shares.
---
--- interval: 3600
--- platform: darwin
--- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
--- version: 1.4.5
-select
- *
-from
- nfs_shares;
diff --git a/incident_response/open_files.sql b/incident_response/open_files.sql
index 611dd59..de089e3 100644
--- a/incident_response/open_files.sql
+++ b/incident_response/open_files.sql
@@ -1,15 +1,16 @@
 -- Retrieves all the open files per process in the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify processes accessing sensitive files they shouldn't
--- version: 1.4.5
-select distinct
- pid,
- path
-from
- process_open_files
-where
- path not like '/private/var/folders%'
- and path not like '/System/Library/%'
- and path not in ('/dev/null', '/dev/urandom', '/dev/random');
+SELECT DISTINCT
+ pof.pid,
+ pof.path,
+ p.name,
+ p.cmdline
+FROM
+ process_open_files pof
+ LEFT JOIN processes p ON pof.pid = p.pid
+WHERE
+ pof.path NOT LIKE '/private/var/folders%'
+ AND pof.path NOT LIKE '/System/Library/%'
+ AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');
diff --git a/incident_response/persistence/crontab.sql b/incident_response/persistence/crontab.sql
deleted file mode 100644
index d00643f..0000000
--- a/incident_response/persistence/crontab.sql
+++ /dev/null
@@ -1,8 +0,0 @@
--- Crontab entries
---
--- interval: 3600
--- platform: posix
-SELECT
- *
-FROM
- crontab
diff --git a/incident_response/process_env.sql b/incident_response/process_env.sql
index 24976f4..aff8f3e 100644
--- a/incident_response/process_env.sql
+++ b/incident_response/process_env.sql
@@ -1,10 +1,7 @@
 -- Retrieves all the environment variables per process in the target system.
---
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Insight into the process data: Where was it started from, was it preloaded...
--- version: 1.4.5
-select
+SELECT
 *
-from
+FROM
 process_envs;
diff --git a/incident_response/execution/process_events.sql b/incident_response/process_events.sql
similarity index 100%
rename from incident_response/execution/process_events.sql
rename to incident_response/process_events.sql
diff --git a/incident_response/process_memory.sql b/incident_response/process_memory.sql
deleted file mode 100644
index f256e7d..0000000
--- a/incident_response/process_memory.sql
+++ /dev/null
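Review bot: The `WHERE` exclusions carried into the rewritten open_files.sql query hide some of what a postmortem reader most wants: `pof.path NOT LIKE '/private/var/folders%'` drops everything under the per-user temporary and cache directories, which are commonly used for staging on macOS, and none of the three exclusions is explained in the header. For a query tagged postmortem I would either drop the `/private/var/folders` filter or document the trade-off, e.g. `-- NOTE: per-user temp dirs (/private/var/folders) are excluded for volume; re-run without this filter when triaging a specific pid`. The new `LEFT JOIN processes` is the right shape here, since it keeps open files whose process row is missing.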
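Review bot: In the process_env.sql hunk, `SELECT * FROM process_envs` captures the full environment of every process, which routinely includes credentials (cloud keys, API tokens, database URLs), so the output of this postmortem query is itself sensitive and the header should say so: `-- NOTE: output frequently contains secrets; restrict who can read collected results`. Separately, this hunk removes the bare `--` line between the description and `-- tags: postmortem`, so the header no longer follows the description / `--` / metadata layout every other file in this commit uses.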
@@ -1,10 +0,0 @@
--- Retrieves the memory map per process in the target Linux system.
---
--- interval: 86400
--- platform: linux
--- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
--- version: 1.4.5
-select
- *
-from
- process_memory_map;
diff --git a/incident_response/process_memory_map.sql b/incident_response/process_memory_map.sql
new file mode 100644
index 0000000..8cb00ab
--- /dev/null
+++ b/incident_response/process_memory_map.sql
@@ -0,0 +1,7 @@
+-- Retrieves the memory map per process
+-- platform: posix
+-- tags: postmortem
+SELECT
+ *
+FROM
+ process_memory_map;
diff --git a/incident_response/open_sockets.sql b/incident_response/process_open_sockets.sql
similarity index 58%
rename from incident_response/open_sockets.sql
rename to incident_response/process_open_sockets.sql
index 2058030..8b09e2d 100644
--- a/incident_response/open_sockets.sql
+++ b/incident_response/process_open_sockets.sql
@@ -1,10 +1,8 @@
 -- Retrieves all the open sockets per process in the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
--- version: 1.4.5
-select distinct
+SELECT DISTINCT
 pid,
 family,
 protocol,
@@ -13,8 +11,8 @@ select distinct
 remote_address,
 remote_port,
 path
-from
+FROM
 process_open_sockets
-where
+WHERE
 path <> ''
 or remote_address <> '';
diff --git a/incident_response/execution/processes.sql b/incident_response/processes.sql
similarity index 100%
rename from incident_response/execution/processes.sql
rename to incident_response/processes.sql
diff --git a/incident_response/ramdisk.sql b/incident_response/ramdisk.sql
deleted file mode 100644
index 1fbd95a..0000000
--- a/incident_response/ramdisk.sql
+++ /dev/null
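Review bot: The new process_memory_map.sql declares `-- platform: posix` where the process_memory.sql it replaces (deleted in the preceding hunk) was `-- platform: linux`; if the deployed osquery build does not implement `process_memory_map` on darwin, the query will fail there rather than return rows, so the widening is worth confirming before merge. The header also places `-- platform:` before `-- tags:` and omits the bare `--` separator, unlike the other new files in this commit (sandboxes_macos.sql, systemd_units.sql). A one-line warning that `SELECT *` over every mapping of every process produces very large output would help whoever runs the pack.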
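Review bot: In the second process_open_sockets.sql hunk, `or remote_address <> '';` is left lowercase while the same file now uses `SELECT DISTINCT`, `FROM` and `WHERE`, so the query ends up mixed-case; `OR remote_address <> '';` fixes it. The filter itself (`path <> ''` / `or remote_address <> ''`) drops every socket with neither a unix path nor a remote peer, which depending on platform can include unconnected UDP sockets, and nothing in the header says that is intended; a line such as `-- only unix sockets and sockets with a remote peer; listeners are covered by listening_ports.sql` would make it deliberate. The select list between the two hunks is outside this view.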
@@ -1,12 +0,0 @@
--- Retrieves all the ramdisk currently mounted in the target system.
---
--- interval: 3600
--- platform: posix
--- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
--- version: 1.4.5
-select
- *
-from
- block_devices
-where
- type = 'Virtual Interface';
diff --git a/incident_response/recent_items.sql b/incident_response/recent_items_macos.sql
similarity index 74%
rename from incident_response/recent_items.sql
rename to incident_response/recent_items_macos.sql
index 1b846a5..c02a0f9 100644
--- a/incident_response/recent_items.sql
+++ b/incident_response/recent_items_macos.sql
@@ -1,9 +1,6 @@
 -- Retrieves the list of recent items opened in OSX by parsing the plist per user.
---
--- interval: 86400
+-- tags: postmortem
 -- platform: darwin
--- value: Identify recently accessed items. Useful for compromised hosts.
--- version: 1.4.5
 select
 username,
 key,
diff --git a/incident_response/sandboxes.sql b/incident_response/sandboxes.sql
deleted file mode 100644
index 51f98d8..0000000
--- a/incident_response/sandboxes.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- Lists the application bundle that owns a sandbox label.
---
--- interval: 86400
--- platform: darwin
--- value: Post-priori hijack detection, detect potential sensitive information leakage.
--- version: 1.4.7
-select
- *
-from
- sandboxes;
diff --git a/incident_response/sandboxes_macos.sql b/incident_response/sandboxes_macos.sql
new file mode 100644
index 0000000..7f7f786
--- /dev/null
+++ b/incident_response/sandboxes_macos.sql
@@ -0,0 +1,8 @@
+-- Lists the application bundle that owns a sandbox label.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+ *
+FROM
+ sandboxes;
diff --git a/incident_response/shell_history.sql b/incident_response/shell_history.sql
index fc0e5cb..ff10ac2 100644
--- a/incident_response/shell_history.sql
+++ b/incident_response/shell_history.sql
@@ -1,11 +1,9 @@
 -- Retrieves the command history, per user, by parsing the shell history files.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify actions taken. Useful for compromised hosts.
--- version: 1.4.5
-select
+SELECT
 *
-from
+FROM
 users
- join shell_history using (uid);
+ JOIN shell_history USING (uid);
diff --git a/incident_response/startup_items.sql b/incident_response/startup_items.sql
index 7ec7f05..eb208ff 100644
--- a/incident_response/startup_items.sql
+++ b/incident_response/startup_items.sql
@@ -1,10 +1,7 @@
--- Retrieve all the items that will load when the target OSX system starts.
+-- Retrieve most programs that are part of a systems startup (multi-platform)
 --
--- interval: 86400
--- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at a given interval
--- version: 1.4.5
-select
+-- tags: postmortem
+SELECT
 *
-from
+FROM
 startup_items;
diff --git a/incident_response/suid_bin.sql b/incident_response/suid_bin.sql
index 9e37d4a..33bff51 100644
--- a/incident_response/suid_bin.sql
+++ b/incident_response/suid_bin.sql
@@ -1,9 +1,8 @@
--- Retrieves all the files in the target system that are setuid enabled.
+-- Retrieves setuid-enabled executables in well-known paths
 --
 -- platform: posix
--- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
--- version: 1.4.5
-select
+-- tags: postmortem
+SELECT
 *
-from
+FROM
 suid_bin;
diff --git a/incident_response/systemd_units.sql b/incident_response/systemd_units.sql
new file mode 100644
index 0000000..7436a6e
--- /dev/null
+++ b/incident_response/systemd_units.sql
@@ -0,0 +1,8 @@
+-- Returns a list of systemd units
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+ *
+FROM
+ systemd_units;
\ No newline at end of file
diff --git a/incident_response/users.sql b/incident_response/users.sql
new file mode 100644
index 0000000..27da601
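Review bot: `SELECT * FROM users JOIN shell_history USING (uid)` is the right join shape, but a reader of a postmortem bundle should be told that an empty or short history is weak evidence: attackers routinely unset `HISTFILE`, run `history -c`, or truncate the files before leaving. I would add `-- NOTE: absence of entries is not evidence of inactivity; history files are trivially disabled or truncated` to the header. Minor: spelling the join as `INNER JOIN` makes the intent explicit and mirrors the explicit `LEFT JOIN` this commit adds in open_files.sql.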
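Review bot: The rewritten startup_items.sql header drops `-- platform: darwin` without adding any `-- platform:` line, making this the only modified file in the commit with no platform declaration; if the tooling that consumes these headers uses `platform:` to decide where a query runs, the scope here is now implicit. Since the new description says `(multi-platform)`, state it explicitly — `-- platform: posix` if that is the intended scope, or whatever value the tooling uses for all platforms. Also `a systems startup` should read `a system's startup`.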
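Review bot: The new suid_bin.sql description `Retrieves setuid-enabled executables in well-known paths` is accurate but understates the gap for incident response: a setuid binary an attacker drops outside those paths (a writable temp or home directory, say) will not appear, and an analyst skimming the result could wrongly conclude none exists. I would add `-- NOTE: only scans a fixed set of directories; sweep writable locations with the file table for setuid/setgid bits when in doubt`, or ship a sibling query that does that sweep.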
--- /dev/null
+++ b/incident_response/users.sql
@@ -0,0 +1,8 @@
+-- Returns a list of users
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+ *
+FROM
+ users
\ No newline at end of file
diff --git a/incident_response/wireless_networks.sql b/incident_response/wireless_networks_macos.sql
similarity index 64%
rename from incident_response/wireless_networks.sql
rename to incident_response/wireless_networks_macos.sql
index 06c86cc..c9db2c0 100644
--- a/incident_response/wireless_networks.sql
+++ b/incident_response/wireless_networks_macos.sql
@@ -1,10 +1,5 @@
 -- Retrieves all the remembered wireless network that the target machine has connected to.
---
--- interval: 3600
--- platform: darwin
--- value: Identifies connections to rogue access points.
--- version: 1.6.0
-select
+SELECT
 ssid,
 network_name,
 security_type,
@@ -13,5 +8,5 @@ select
 possibly_hidden,
 roaming,
 roaming_profile
-from
+FROM
 wifi_networks;
diff --git a/incident_response/xprotect_reports.sql b/incident_response/xprotect_reports.sql
new file mode 100644
index 0000000..57bbd2b
--- /dev/null
+++ b/incident_response/xprotect_reports.sql
@@ -0,0 +1,8 @@
+-- Returns a list of malware matches from macOS XProtect
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+ *
+FROM
+ xprotect_reports;
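Review bot: The new users.sql ends with `users` — no terminating `;` and no trailing newline — while every other query in this commit closes its statement with `;` (systemd_units.sql in the previous hunk shares the missing newline). Changing the last line to `users;` and adding a final newline keeps the files uniform and avoids spurious churn in later diffs.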
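Review bot: The first wireless_networks_macos.sql hunk removes `-- platform: darwin` together with the interval/value/version lines but, unlike every other file in this commit, adds neither a `-- platform:` line nor `-- tags: postmortem`, so after the rename the query has no platform constraint and will be skipped by anything that selects on the postmortem tag. Restore both: `-- tags: postmortem` and `-- platform: darwin`. Also `remembered wireless network` in the description should read `networks`.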
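Review bot: `SELECT * FROM xprotect_reports` is a useful postmortem signal, but the header should warn that an empty result only means XProtect recorded no match; its signature set is narrow and it is not a substitute for a full scan, so no rows is not a clean bill of health. Suggest `-- NOTE: no rows means no XProtect match, not a clean host; XProtect's signature set is small`.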