Finish out the incident_response refactor

detection/evasion/ssh-notty.sql

@@ -5,9 +5,12 @@
 --
 -- tags: transient process state
 -- platform: posix
-SELECT *
+SELECT
-FROM (
+  *
-    SELECT p.pid,
+FROM
+  (
+    SELECT
+      p.pid,
       p.name,
       p.cmdline AS cmd,
       cp.name AS child_name,
@@ -15,23 +18,26 @@ FROM (
       gcp.name AS grandchild_name,
       gcp.cmdline AS grandchild_cmd,
       GROUP_CONCAT(DISTINCT pof.path) AS open_files
-    FROM processes p
+    FROM
+      processes p
       LEFT JOIN process_open_files pof ON p.pid = pof.pid
       LEFT JOIN processes cp ON p.pid = cp.parent
       LEFT JOIN processes gcp ON cp.pid = gcp.parent
-    WHERE p.name = 'sshd'
+    WHERE
-    GROUP BY p.pid
+      p.name = 'sshd'
+    GROUP BY
+      p.pid
   )
-WHERE (
+WHERE
+  (
     INSTR(cmd, '@notty') > 0
     OR (
       open_files != '/dev/null'
       AND INSTR(open_files, '/dev/ptmx') = 0
     )
   )
-
   -- You must specifically check for NULL here, or risk inadvertently filtering everything out.
   AND (
-      grandchild_name IS NULL
+    grandchild_name IS NULL
-      OR grandchild_name != 'zfs'
+    OR grandchild_name != 'zfs'
   )

detection/evasion/unexpected-hidden-system-folders.sql

@@ -8,7 +8,8 @@
 --
 -- platform: posix
 -- tags: persistent filesystem state
-SELECT file.path,
+SELECT
+  file.path,
   file.directory,
   uid,
   gid,
@@ -19,10 +20,12 @@ SELECT file.path,
   size,
   hash.sha256,
   magic.data
-FROM file
+FROM
+  file
   LEFT JOIN hash ON file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
     file.path LIKE '/lib/.%'
     OR file.path LIKE '/.%'
     OR file.path LIKE '/bin/%/.%'
@@ -119,4 +122,4 @@ WHERE (
     AND file.gid = 0
     AND file.mode IN ('0755', '0700')
     AND file.size = 4
-  )
+  )

detection/execution/recently-created-executables-linux.sql

@@ -5,7 +5,8 @@
 --
 -- tags: transient process state often
 -- platform: linux
-SELECT p.pid,
+SELECT
+  p.pid,
   p.path,
   p.name,
   p.cmdline,
@@ -24,19 +25,18 @@ SELECT p.pid,
   pp.euid AS parent_euid,
   ch.sha256 AS child_sha256,
   ph.sha256 AS parent_sha256
-FROM processes p
+FROM
+  processes p
   LEFT JOIN file f ON p.path = f.path
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN hash AS ch ON p.path = ch.path
   LEFT JOIN hash AS ph ON pp.path = ph.path
-WHERE p.start_time > 0
+WHERE
+  p.start_time > 0
   AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes
   AND (p.start_time - MAX(f.ctime, f.btime)) < 180
   AND p.start_time >= MAX(f.ctime, f.ctime)
-  AND NOT f.directory IN (
+  AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
-    '/usr/lib/firefox',
-    '/usr/local/kolide-k2/bin'
-  ) -- Typically daemons or long-running desktop apps
   AND NOT p.path IN (
     '',
     '/opt/google/chrome/chrome',
@@ -87,4 +87,5 @@ WHERE p.start_time > 0
     AND f.uid = p.uid
     AND p.cmdline LIKE './%'
   )
-GROUP BY p.pid
+GROUP BY
+  p.pid

detection/impact/evenly-timestomped.sql

@@ -5,31 +5,34 @@
 --
 -- tags: persistent seldom filesystem
 -- platform: linux
-SELECT file.path,
+SELECT
-    DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
+  file.path,
-    DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
+  DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
-    file.inode,
+  DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
-    hash.sha256,
+  file.inode,
-    magic.data
+  hash.sha256,
-FROM file
+  magic.data
-    LEFT JOIN hash ON file.path = hash.path
+FROM
-    LEFT JOIN magic ON file.path = magic.path
+  file
-WHERE (
+  LEFT JOIN hash ON file.path = hash.path
-        file.path LIKE "/bin/%%"
+  LEFT JOIN magic ON file.path = magic.path
-        OR file.path LIKE "/etc/%%"
+WHERE
-        OR file.path LIKE "/sbin/%%"
+  (
-        OR file.path LIKE "/lib/%%"
+    file.path LIKE "/bin/%%"
-        OR file.path LIKE "/usr/%%"
+    OR file.path LIKE "/etc/%%"
-    )
+    OR file.path LIKE "/sbin/%%"
-    -- This timestamp is in UTC
+    OR file.path LIKE "/lib/%%"
-    AND file.mtime > (strftime('%s', 'now') - (86400*720))
+    OR file.path LIKE "/usr/%%"
-    AND file.mtime%3600 = 0
+  )
-    -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
+  -- This timestamp is in UTC
-    AND (
+  AND file.mtime > (strftime('%s', 'now') - (86400 * 720))
-        mod_time LIKE "% 12:00:00"
+  AND file.mtime % 3600 = 0
-        OR mod_time LIKE "% 00:00:00"
+  -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
-    )
+  AND (
-    -- false positives
+    mod_time LIKE "% 12:00:00"
-    AND file.path NOT IN ('/etc/master.passwd')
+    OR mod_time LIKE "% 00:00:00"
-    AND file.path NOT LIKE '%/lynis%'
+  )
-    AND file.path NOT LIKE '%/yelp-xsl%'
+  -- false positives
+  AND file.path NOT IN ('/etc/master.passwd')
+  AND file.path NOT LIKE '%/lynis%'
+  AND file.path NOT LIKE '%/yelp-xsl%'

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -8,129 +8,133 @@
 --
 -- platform: darwin
 -- tags: persistent filesystem spotlight
-SELECT file.path,
+SELECT
-    file.size,
+  file.path,
-    datetime(file.btime, 'unixepoch') AS file_created,
+  file.size,
-    magic.data,
+  datetime(file.btime, 'unixepoch') AS file_created,
-    ea.value AS url,
+  magic.data,
-    REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
+  ea.value AS url,
-    REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
+  REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
-FROM mdfind
+  REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
-    LEFT JOIN file ON mdfind.path = file.path
+FROM
-    LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+  mdfind
-    LEFT JOIN magic ON file.path = magic.path
+  LEFT JOIN file ON mdfind.path = file.path
-WHERE (
+  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
-        mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
+  LEFT JOIN magic ON file.path = magic.path
-        OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
+WHERE
-    )
+  (
-    AND ea.key = 'where_from'
+    mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
-    AND file.btime > (strftime('%s', 'now') -86400)
+    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
-    AND domain NOT IN (
+  )
-        'adobe.com',
+  AND ea.key = 'where_from'
-        'alfredapp.com',
+  AND file.btime > (strftime('%s', 'now') -86400)
-        'android.com',
+  AND domain NOT IN (
-        'apple.com',
+    'adobe.com',
-        'download.prss.microsoft.com',
+    'alfredapp.com',
-        'arc.net',
+    'android.com',
-        'balsamiq.com',
+    'apple.com',
-        'brave.com',
+    'download.prss.microsoft.com',
-        'digidesign.com',
+    'arc.net',
-        'digidesign.com',
+    'balsamiq.com',
-        'gaomon.net',
+    'brave.com',
-        'epson.com',
+    'digidesign.com',
-        'fcix.net',
+    'digidesign.com',
-        'xtom.com',
+    'gaomon.net',
-        'gaomon.net',
+    'epson.com',
-        'oracle.com',
+    'fcix.net',
-        'akmedia.digidesign.com',
+    'xtom.com',
-        'canon.co.uk',
+    'gaomon.net',
-        'cdn.mozilla.net',
+    'oracle.com',
-        'charlesproxy.com',
+    'akmedia.digidesign.com',
-        'csclub.uwaterloo.ca',
+    'canon.co.uk',
-        'docker.com',
+    'cdn.mozilla.net',
-        'duckduckgo.com',
+    'charlesproxy.com',
-        'eclipse.org',
+    'csclub.uwaterloo.ca',
-        'gimp.org',
+    'docker.com',
-        'github.io',
+    'duckduckgo.com',
-        'githubusercontent.com',
+    'eclipse.org',
-        'grammarly.com',
+    'gimp.org',
-        'integodownload.com',
+    'github.io',
-        'jetbrains.com',
+    'githubusercontent.com',
-        'libreoffice.org',
+    'grammarly.com',
-        'loom.com',
+    'integodownload.com',
-        'microsoft.com',
+    'jetbrains.com',
-        'minecraft.net',
+    'libreoffice.org',
-        'mirrorservice.org',
+    'loom.com',
-        'mojang.com',
+    'microsoft.com',
-        'mozilla.org',
+    'minecraft.net',
-        'mysql.com',
+    'mirrorservice.org',
-        'ocf.berkeley.edu',
+    'mojang.com',
-        'oobesaas.adobe.com',
+    'mozilla.org',
-        'osuosl.org',
+    'mysql.com',
-        'pqrs.org',
+    'ocf.berkeley.edu',
-        'steampowered.com',
+    'oobesaas.adobe.com',
-        'c-wss.com',
+    'osuosl.org',
-        'irccloud.com',
+    'pqrs.org',
-        'discordapp.net',
+    'steampowered.com',
-        'getutm.app',
+    'c-wss.com',
-        'dogado.de',
+    'irccloud.com',
-        'vc.logitech.com',
+    'discordapp.net',
-        'steampowered.com',
+    'getutm.app',
-        'discord.com',
+    'dogado.de',
-        'logitech.com',
+    'vc.logitech.com',
-        'skype.com',
+    'steampowered.com',
-        'remarkable.com',
+    'discord.com',
-        'balena.io',
+    'logitech.com',
-        'signal.org',
+    'skype.com',
-        'prusa3d.com',
+    'remarkable.com',
-        'google.ca',
+    'balena.io',
-        'zsa.io',
+    'signal.org',
-        'slack-edge.com',
+    'prusa3d.com',
-        'tableplus.com',
+    'google.ca',
-        'ubuntu.com',
+    'zsa.io',
-        'umd.edu',
+    'slack-edge.com',
-        'virtualbox.org',
+    'tableplus.com',
-        'warp.dev',
+    'ubuntu.com',
-        'webex.com'
+    'umd.edu',
-    )
+    'virtualbox.org',
-    AND host NOT IN (
+    'warp.dev',
-        'dl.google.com',
+    'webex.com'
-        'www.google.com',
+  )
-        'warp-releases.storage.googleapis.com',
+  AND host NOT IN (
-        'mail.google.com',
+    'dl.google.com',
-        'github.com',
+    'www.google.com',
-        'ubuntu.com',
+    'warp-releases.storage.googleapis.com',
-        'balsamiq.com',
+    'mail.google.com',
-        'tableplus.com',
+    'github.com',
-        'discord.com',
+    'ubuntu.com',
-        'dl.discordapp.net',
+    'balsamiq.com',
-        'obsproject.com',
+    'tableplus.com',
-        'www.messenger.com',
+    'discord.com',
-        'brave.com',
+    'dl.discordapp.net',
-        'emacsformacosx.com',
+    'obsproject.com',
-        'store.steampowered.com',
+    'www.messenger.com',
-        'wavebox.io',
+    'brave.com',
-        'manual.canon',
+    'emacsformacosx.com',
-        'dygma.com',
+    'store.steampowered.com',
-        'duckduckgo.com',
+    'wavebox.io',
-        'obsidian.md'
+    'manual.canon',
-    )
+    'dygma.com',
-    -- Yes, these are meant to be fairly broad.
+    'duckduckgo.com',
-    AND host NOT LIKE 'download%'
+    'obsidian.md'
-    AND host NOT LIKE 'cdn%'
+  )
-    AND host NOT LIKE '%.edu'
+  -- Yes, these are meant to be fairly broad.
-    AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
+  AND host NOT LIKE 'download%'
-    AND host NOT LIKE '%.org'
+  AND host NOT LIKE 'cdn%'
-    AND host NOT LIKE 'dl.%'
+  AND host NOT LIKE '%.edu'
-    AND host NOT LIKE 'dl-%'
+  AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
-    AND host NOT LIKE 'mirror%'
+  AND host NOT LIKE '%.org'
-    AND host NOT LIKE 'driver.%'
+  AND host NOT LIKE 'dl.%'
-    AND host NOT LIKE 'support%'
+  AND host NOT LIKE 'dl-%'
-    AND host NOT LIKE 'software%'
+  AND host NOT LIKE 'mirror%'
-    AND host NOT LIKE 'www.google.%'
+  AND host NOT LIKE 'driver.%'
-    AND host NOT LIKE '%release%.storage.googleapis.com'
+  AND host NOT LIKE 'support%'
-    AND NOT (
+  AND host NOT LIKE 'software%'
-        host LIKE '%.fbcdn.net'
+  AND host NOT LIKE 'www.google.%'
-        AND file.filename LIKE 'Messenger.%.dmg'
+  AND host NOT LIKE '%release%.storage.googleapis.com'
-    )
+  AND NOT (
-GROUP BY ea.value
+    host LIKE '%.fbcdn.net'
+    AND file.filename LIKE 'Messenger.%.dmg'
+  )
+GROUP BY
+  ea.value

detection/initial_access/unexpected-webmail-downloads.sql

@@ -5,56 +5,59 @@
 --
 -- platform: darwin
 -- tags: persistent filesystem spotlight
-SELECT file.path,
+SELECT
-    file.size,
+  file.path,
-    datetime(file.btime, 'unixepoch') AS file_created,
+  file.size,
-    magic.data,
+  datetime(file.btime, 'unixepoch') AS file_created,
-    hash.sha256,
+  magic.data,
-    LOWER(
+  hash.sha256,
-        REGEX_MATCH(RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
+  LOWER(
-    ) AS extension
+    REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
-FROM mdfind
+  ) AS extension
-    LEFT JOIN file ON mdfind.path = file.path
+FROM
-    LEFT JOIN magic ON file.path = magic.path
+  mdfind
-    LEFT JOIN hash ON file.path = hash.path
+  LEFT JOIN file ON mdfind.path = file.path
-WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
+  LEFT JOIN magic ON file.path = magic.path
-    AND file.btime > (strftime('%s', 'now') -86400)
+  LEFT JOIN hash ON file.path = hash.path
-    -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
+WHERE
-    AND extension NOT IN (
+  mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
-        'bz2',
+  AND file.btime > (strftime('%s', 'now') -86400)
-        'cer',
+  -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
-        'csv',
+  AND extension NOT IN (
-        'doc',
+    'bz2',
-        'docx',
+    'cer',
-        'eml',
+    'csv',
-        'gif',
+    'doc',
-        'gz',
+    'docx',
-        'htm',
+    'eml',
-        'html',
+    'gif',
-        'icloud',
+    'gz',
-        'jpeg',
+    'htm',
-        'jpg',
+    'html',
-        'mp3',
+    'icloud',
-        'mp4',
+    'jpeg',
-        'mpeg',
+    'jpg',
-        'mpg',
+    'mp3',
-        'ods',
+    'mp4',
-        'odt',
+    'mpeg',
-        'pdf',
+    'mpg',
-        'pem',
+    'ods',
-        'pgp',
+    'odt',
-        'png',
+    'pdf',
-        'ppt',
+    'pem',
-        'pptx',
+    'pgp',
-        'pub',
+    'png',
-        'tar',
+    'ppt',
-        'tif',
+    'pptx',
-        'tiff',
+    'pub',
-        'txt',
+    'tar',
-        'wav',
+    'tif',
-        'xls',
+    'tiff',
-        'xlsm',
+    'txt',
-        'xlsx',
+    'wav',
-        'zip',
+    'xls',
-        'zstd'
+    'xlsm',
-    )
+    'xlsx',
+    'zip',
+    'zstd'
+  )

incident_response/README.md

@@ -0,0 +1,5 @@
+The `incident_response` queries originate from the upstream osquery project:
+
+<https://github.com/osquery/osquery/blob/master/packs/incident-response.conf>
+
+Additional tables have been added and the intervals have been modified.

incident_response/alf.sql

@@ -1,10 +1,8 @@
 -- Retrieves the configuration values for the Application Layer Firewall for OSX.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   alf;

incident_response/alf_exceptions.sql

@@ -1,10 +0,0 @@
--- Retrieves the exceptions for the Application Layer Firewall in OSX.
---
--- interval: 3600
--- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
-  *
-from
-  alf_exceptions;

incident_response/alf_exceptions_macos.sql

@@ -0,0 +1,7 @@
+-- Retrieves the exceptions for the Application Layer Firewall in OSX.
+--
+-- tags: postmortem
+SELECT
+  *
+FROM
+  alf_exceptions;

incident_response/alf_explicit_auths.sql

@@ -1,10 +0,0 @@
--- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
---
--- interval: 3600
--- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
--- version: 1.4.5
-select
-  *
-from
-  alf_explicit_auths;

incident_response/alf_explicit_auths_macos.sql

@@ -0,0 +1,8 @@
+-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  alf_explicit_auths;

incident_response/alf_services.sql

@@ -1,10 +1,7 @@
 -- Retrieves the services for the Application Layer Firewall in OSX.
---
+-- tags: postmortem
--- interval: 3600
 -- platform: darwin
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   alf_services;

incident_response/app_schemes.sql

@@ -1,10 +1,8 @@
 -- Retrieves the list of application scheme/protocol-based IPC handlers.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: darwin
--- value: Post-priori hijack detection, detect potential sensitive information leakage.
+SELECT
--- version: 1.4.7
-select
   *
-from
+FROM
   app_schemes;

incident_response/apps.sql

@@ -0,0 +1,8 @@
+-- Retrieves all the currently installed applications in the target OSX system.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  apps;

incident_response/arp_cache.sql

@@ -1,9 +0,0 @@
--- Retrieves the ARP cache values in the target system.
---
--- interval: 3600
--- value: Determine if MITM in progress.
--- version: 1.4.5
-select
-  *
-from
-  arp_cache;

incident_response/block_devices.sql

@@ -0,0 +1,7 @@
+-- Retrieves all block devices known to the system
+-- platform: posix
+-- tags: postmortem seldom
+SELECT
+  *
+FROM
+  block_devices

incident_response/crontab.sql

@@ -1,10 +1,8 @@
--- Retrieves all the jobs scheduled in crontab in the target system.
+-- Crontab entries
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Identify malware that uses this persistence mechanism to launch at a given interval
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
-  crontab;
+  crontab

incident_response/disk_encryption.sql

@@ -1,10 +1,8 @@
 -- Retrieves the current disk encryption status for the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identifies a system potentially vulnerable to disk cloning.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   disk_encryption;

incident_response/dns_resolvers.sql

@@ -0,0 +1,8 @@
+-- Return the list of configured DNS servers on this system
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  dns_resolvers

incident_response/docker_containers.sql

@@ -0,0 +1,8 @@
+-- Return the list of running Docker containers on this machine
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_containers

incident_response/docker_image_history.sql

@@ -0,0 +1,8 @@
+-- Return the Docker image history on a machine
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  docker_image_history

incident_response/etc_hosts.sql

@@ -1,10 +1,8 @@
 -- Retrieves all the entries in the target system /etc/hosts file.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   etc_hosts;

incident_response/event_taps_macos.sql

@@ -0,0 +1,8 @@
+-- Retrieves software packages with access to listening in on keyboard/mouse events
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  event_taps;

incident_response/gatekeeper_macos.sql

@@ -0,0 +1,22 @@
+-- Retrieves all the gatekeeper exceptions on a macOS host
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  gap.ctime,
+  gap.mtime,
+  gap.path,
+  file.mtime,
+  file.uid,
+  file.ctime,
+  file.gid,
+  hash.sha256,
+  signature.identifier,
+  signature.authority
+FROM
+  gatekeeper_approved_apps AS gap
+  LEFT JOIN file ON gap.path = file.path
+  LEFT JOIN hash ON gap.path = hash.path
+  LEFT JOIN signature ON gap.path = signature.path
+GROUP BY
+  gap.requirement

incident_response/installed_applications.sql

@@ -1,10 +0,0 @@
--- Retrieves all the currently installed applications in the target OSX system.
---
--- interval: 3600
--- platform: darwin
--- value: Identify malware, adware, or vulnerable packages that are installed as an application.
--- version: 1.4.5
-select
-  *
-from
-  apps;

incident_response/ip_forwarding.sql

@@ -1,19 +1,17 @@
 -- Retrieves the current status of IP/IPv6 forwarding.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Identify if a machine is being used as relay.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   system_controls
-where
+WHERE
   oid = '4.30.41.1'
-union
+UNION
-select
+SELECT
   *
-from
+FROM
   system_controls
-where
+WHERE
   oid = '4.2.0.1';

incident_response/iptables.sql

@@ -1,10 +1,8 @@
 -- Retrieves the current filters and chains per filter in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: linux
--- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   iptables;

incident_response/kernel_modules_linux.sql

@@ -1,10 +1,8 @@
 -- Retrieves all the information for the current kernel modules in the target Linux system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: linux
--- value: Identify malware that has a kernel module component.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   kernel_modules;

incident_response/kextstat_macos.sql

@@ -1,10 +1,8 @@
 -- Retrieves all the information about the current kernel extensions for the target OSX system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that has a kernel extension component.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   kernel_extensions;

incident_response/last.sql

@@ -1,10 +1,8 @@
 -- Retrieves the list of the latest logins with PID, username and timestamp.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   last;

incident_response/launchd.sql

@@ -1,10 +0,0 @@
--- Retrieves all the daemons that will run in the start of the target OSX system.
---
--- interval: 3600
--- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
-select
-  *
-from
-  launchd;

incident_response/listening_ports.sql

@@ -1,10 +1,8 @@
 -- Retrieves all the listening ports in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   listening_ports;

incident_response/logged_in_users.sql

@@ -1,17 +1,15 @@
 -- Retrieves the list of all the currently logged in users in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
+SELECT
--- version: 1.4.5
-select
   liu.*,
   p.name,
   p.cmdline,
   p.cwd,
   p.root
-from
+FROM
   logged_in_users liu,
   processes p
-where
+WHERE
   liu.pid = p.pid;

incident_response/loginwindow1.sql

@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
   key,
   subkey,

incident_response/loginwindow2.sql

@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
   key,
   subkey,

incident_response/loginwindow3.sql

@@ -1,9 +1,8 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+--
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
   username,
   key,

incident_response/loginwindow4.sql

@@ -1,9 +1,7 @@
 -- Retrieves all the values for the loginwindow process in the target OSX system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: darwin
--- value: Identify malware that uses this persistence mechanism to launch at system boot
--- version: 1.4.5
 select
   username,
   key,

incident_response/mounts.sql

@@ -1,10 +1,8 @@
 -- Retrieves the current list of mounted drives in the target system.
 --
--- interval: 3600
+-- tags: postmortem
 -- platform: posix
--- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   mounts;

incident_response/nfs_shares.sql

@@ -1,10 +0,0 @@
--- Retrieves the current list of Network File System mounted shares.
---
--- interval: 3600
--- platform: darwin
--- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
--- version: 1.4.5
-select
-  *
-from
-  nfs_shares;

incident_response/open_files.sql

@@ -1,15 +1,16 @@
 -- Retrieves all the open files per process in the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify processes accessing sensitive files they shouldn't
+SELECT DISTINCT
--- version: 1.4.5
+  pof.pid,
-select distinct
+  pof.path,
-  pid,
+  p.name,
-  path
+  p.cmdline
-from
+FROM
-  process_open_files
+  process_open_files pof
-where
+  LEFT JOIN processes p ON pof.pid = p.pid
-  path not like '/private/var/folders%'
+WHERE
-  and path not like '/System/Library/%'
+  pof.path NOT LIKE '/private/var/folders%'
-  and path not in ('/dev/null', '/dev/urandom', '/dev/random');
+  AND pof.path NOT LIKE '/System/Library/%'
+  AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');

incident_response/persistence/crontab.sql

@@ -1,8 +0,0 @@
--- Crontab entries
---
--- interval: 3600
--- platform: posix
-SELECT
-  *
-FROM
-  crontab

incident_response/process_env.sql

@@ -1,10 +1,7 @@
 -- Retrieves all the environment variables per process in the target system.
---
+-- tags: postmortem
--- interval: 86400
 -- platform: posix
--- value: Insight into the process data: Where was it started from, was it preloaded...
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   process_envs;

incident_response/process_memory.sql

@@ -1,10 +0,0 @@
--- Retrieves the memory map per process in the target Linux system.
---
--- interval: 86400
--- platform: linux
--- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
--- version: 1.4.5
-select
-  *
-from
-  process_memory_map;

incident_response/process_memory_map.sql

@@ -0,0 +1,7 @@
+-- Retrieves the memory map per process
+-- platform: posix
+-- tags: postmortem
+SELECT
+  *
+FROM
+  process_memory_map;

incident_response/process_open_sockets.sql

@@ -1,10 +1,8 @@
 -- Retrieves all the open sockets per process in the target system.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
+SELECT DISTINCT
--- version: 1.4.5
-select distinct
   pid,
   family,
   protocol,
@@ -13,8 +11,8 @@ select distinct
   remote_address,
   remote_port,
   path
-from
+FROM
   process_open_sockets
-where
+WHERE
   path <> ''
   or remote_address <> '';

incident_response/ramdisk.sql

@@ -1,12 +0,0 @@
--- Retrieves all the ramdisk currently mounted in the target system.
---
--- interval: 3600
--- platform: posix
--- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
--- version: 1.4.5
-select
-  *
-from
-  block_devices
-where
-  type = 'Virtual Interface';

incident_response/recent_items_macos.sql

@@ -1,9 +1,6 @@
 -- Retrieves the list of recent items opened in OSX by parsing the plist per user.
---
+-- tags: postmortem
--- interval: 86400
 -- platform: darwin
--- value: Identify recently accessed items. Useful for compromised hosts.
--- version: 1.4.5
 select
   username,
   key,

incident_response/sandboxes.sql

@@ -1,10 +0,0 @@
--- Lists the application bundle that owns a sandbox label.
---
--- interval: 86400
--- platform: darwin
--- value: Post-priori hijack detection, detect potential sensitive information leakage.
--- version: 1.4.7
-select
-  *
-from
-  sandboxes;

incident_response/sandboxes_macos.sql

@@ -0,0 +1,8 @@
+-- Lists the application bundle that owns a sandbox label.
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  sandboxes;

incident_response/shell_history.sql

@@ -1,11 +1,9 @@
 -- Retrieves the command history, per user, by parsing the shell history files.
 --
--- interval: 86400
+-- tags: postmortem
 -- platform: posix
--- value: Identify actions taken. Useful for compromised hosts.
+SELECT
--- version: 1.4.5
-select
   *
-from
+FROM
   users
-  join shell_history using (uid);
+  JOIN shell_history USING (uid);

incident_response/startup_items.sql

@@ -1,10 +1,7 @@
--- Retrieve all the items that will load when the target OSX system starts.
+-- Retrieve most programs that are part of a systems startup (multi-platform)
 --
--- interval: 86400
+-- tags: postmortem
--- platform: darwin
+SELECT
--- value: Identify malware that uses this persistence mechanism to launch at a given interval
--- version: 1.4.5
-select
   *
-from
+FROM
   startup_items;

incident_response/suid_bin.sql

@@ -1,9 +1,8 @@
--- Retrieves all the files in the target system that are setuid enabled.
+-- Retrieves setuid-enabled executables in well-known paths
 --
 -- platform: posix
--- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
+-- tags: postmortem
--- version: 1.4.5
+SELECT
-select
   *
-from
+FROM
   suid_bin;

incident_response/systemd_units.sql

@@ -0,0 +1,8 @@
+-- Returns a list of systemd units
+--
+-- tags: postmortem
+-- platform: linux
+SELECT
+  *
+FROM
+  systemd_units;

incident_response/users.sql

@@ -0,0 +1,8 @@
+-- Returns a list of users
+--
+-- tags: postmortem
+-- platform: posix
+SELECT
+  *
+FROM
+  users

incident_response/wireless_networks_macos.sql

@@ -1,10 +1,5 @@
 -- Retrieves all the remembered wireless network that the target machine has connected to.
---
+SELECT
--- interval: 3600
--- platform: darwin
--- value: Identifies connections to rogue access points.
--- version: 1.6.0
-select
   ssid,
   network_name,
   security_type,
@@ -13,5 +8,5 @@ select
   possibly_hidden,
   roaming,
   roaming_profile
-from
+FROM
   wifi_networks;

incident_response/xprotect_reports.sql

@@ -0,0 +1,8 @@
+-- Returns a list of malware matches from macOS XProtect
+--
+-- tags: postmortem
+-- platform: darwin
+SELECT
+  *
+FROM
+  xprotect_reports;