Finish out the incident_response refactor

This commit is contained in:
Thomas Stromberg 2022-10-19 16:19:53 -04:00
parent 9b868bfaf5
commit cee1710f74
Failed to extract signature
60 changed files with 469 additions and 472 deletions

View File

@ -5,9 +5,12 @@
--
-- tags: transient process state
-- platform: posix
SELECT *
FROM (
SELECT p.pid,
SELECT
*
FROM
(
SELECT
p.pid,
p.name,
p.cmdline AS cmd,
cp.name AS child_name,
@ -15,21 +18,24 @@ FROM (
gcp.name AS grandchild_name,
gcp.cmdline AS grandchild_cmd,
GROUP_CONCAT(DISTINCT pof.path) AS open_files
FROM processes p
FROM
processes p
LEFT JOIN process_open_files pof ON p.pid = pof.pid
LEFT JOIN processes cp ON p.pid = cp.parent
LEFT JOIN processes gcp ON cp.pid = gcp.parent
WHERE p.name = 'sshd'
GROUP BY p.pid
WHERE
p.name = 'sshd'
GROUP BY
p.pid
)
WHERE (
WHERE
(
INSTR(cmd, '@notty') > 0
OR (
open_files != '/dev/null'
AND INSTR(open_files, '/dev/ptmx') = 0
)
)
-- You must specifically check for NULL here, or risk inadvertently filtering everything out.
AND (
grandchild_name IS NULL

View File

@ -8,7 +8,8 @@
--
-- platform: posix
-- tags: persistent filesystem state
SELECT file.path,
SELECT
file.path,
file.directory,
uid,
gid,
@ -19,10 +20,12 @@ SELECT file.path,
size,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
file.path LIKE '/lib/.%'
OR file.path LIKE '/.%'
OR file.path LIKE '/bin/%/.%'

View File

@ -5,7 +5,8 @@
--
-- tags: transient process state often
-- platform: linux
SELECT p.pid,
SELECT
p.pid,
p.path,
p.name,
p.cmdline,
@ -24,19 +25,18 @@ SELECT p.pid,
pp.euid AS parent_euid,
ch.sha256 AS child_sha256,
ph.sha256 AS parent_sha256
FROM processes p
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash AS ch ON p.path = ch.path
LEFT JOIN hash AS ph ON pp.path = ph.path
WHERE p.start_time > 0
WHERE
p.start_time > 0
AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
AND p.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN (
'/usr/lib/firefox',
'/usr/local/kolide-k2/bin'
) -- Typically daemons or long-running desktop apps
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
AND NOT p.path IN (
'',
'/opt/google/chrome/chrome',
@ -87,4 +87,5 @@ WHERE p.start_time > 0
AND f.uid = p.uid
AND p.cmdline LIKE './%'
)
GROUP BY p.pid
GROUP BY
p.pid

View File

@ -5,16 +5,19 @@
--
-- tags: persistent seldom filesystem
-- platform: linux
SELECT file.path,
SELECT
file.path,
DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
file.inode,
hash.sha256,
magic.data
FROM file
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
file.path LIKE "/bin/%%"
OR file.path LIKE "/etc/%%"
OR file.path LIKE "/sbin/%%"

View File

@ -8,18 +8,21 @@
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT file.path,
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM mdfind
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
WHERE
(
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
)
@ -133,4 +136,5 @@ WHERE (
host LIKE '%.fbcdn.net'
AND file.filename LIKE 'Messenger.%.dmg'
)
GROUP BY ea.value
GROUP BY
ea.value

View File

@ -5,7 +5,8 @@
--
-- platform: darwin
-- tags: persistent filesystem spotlight
SELECT file.path,
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
@ -13,11 +14,13 @@ SELECT file.path,
LOWER(
REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
) AS extension
FROM mdfind
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN hash ON file.path = hash.path
WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
WHERE
mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
AND file.btime > (strftime('%s', 'now') -86400)
-- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
AND extension NOT IN (

View File

@ -0,0 +1,5 @@
The `incident_response` queries originate from the upstream osquery project:
<https://github.com/osquery/osquery/blob/master/packs/incident-response.conf>
Additional tables have been added and the intervals have been modified.

View File

@ -1,10 +1,8 @@
-- Retrieves the configuration values for the Application Layer Firewall for OSX.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
alf;

View File

@ -1,10 +0,0 @@
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
*
from
alf_exceptions;

View File

@ -0,0 +1,7 @@
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
--
-- tags: postmortem
SELECT
*
FROM
alf_exceptions;

View File

@ -1,10 +0,0 @@
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
*
from
alf_explicit_auths;

View File

@ -0,0 +1,8 @@
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
alf_explicit_auths;

View File

@ -1,10 +1,7 @@
-- Retrieves the services for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
alf_services;

View File

@ -1,10 +1,8 @@
-- Retrieves the list of application scheme/protocol-based IPC handlers.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select
SELECT
*
from
FROM
app_schemes;

View File

@ -0,0 +1,8 @@
-- Retrieves all the currently installed applications in the target OSX system.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
apps;

View File

@ -1,9 +0,0 @@
-- Retrieves the ARP cache values in the target system.
--
-- interval: 3600
-- value: Determine if MITM in progress.
-- version: 1.4.5
select
*
from
arp_cache;

View File

@ -0,0 +1,7 @@
-- Retrieves all block devices known to the system
-- platform: posix
-- tags: postmortem seldom
SELECT
*
FROM
block_devices

View File

@ -1,10 +1,8 @@
-- Retrieves all the jobs scheduled in crontab in the target system.
-- Crontab entries
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select
SELECT
*
from
crontab;
FROM
crontab

View File

@ -1,10 +1,8 @@
-- Retrieves the current disk encryption status for the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identifies a system potentially vulnerable to disk cloning.
-- version: 1.4.5
select
SELECT
*
from
FROM
disk_encryption;

View File

@ -0,0 +1,8 @@
-- Return the list of configured DNS servers on this system
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
dns_resolvers

View File

@ -0,0 +1,8 @@
-- Return the list of running Docker containers on this machine
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
docker_containers

View File

@ -0,0 +1,8 @@
-- Return the Docker image history on a machine
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
docker_image_history

View File

@ -1,10 +1,8 @@
-- Retrieves all the entries in the target system /etc/hosts file.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
-- version: 1.4.5
select
SELECT
*
from
FROM
etc_hosts;

View File

@ -0,0 +1,8 @@
-- Retrieves software packages with access to listening in on keyboard/mouse events
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
event_taps;

View File

@ -0,0 +1,22 @@
-- Retrieves all the gatekeeper exceptions on a macOS host
--
-- tags: postmortem
-- platform: darwin
SELECT
gap.ctime,
gap.mtime,
gap.path,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
signature.identifier,
signature.authority
FROM
gatekeeper_approved_apps AS gap
LEFT JOIN file ON gap.path = file.path
LEFT JOIN hash ON gap.path = hash.path
LEFT JOIN signature ON gap.path = signature.path
GROUP BY
gap.requirement

View File

@ -1,10 +0,0 @@
-- Retrieves all the currently installed applications in the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware, adware, or vulnerable packages that are installed as an application.
-- version: 1.4.5
select
*
from
apps;

View File

@ -1,19 +1,17 @@
-- Retrieves the current status of IP/IPv6 forwarding.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Identify if a machine is being used as relay.
-- version: 1.4.5
select
SELECT
*
from
FROM
system_controls
where
WHERE
oid = '4.30.41.1'
union
select
UNION
SELECT
*
from
FROM
system_controls
where
WHERE
oid = '4.2.0.1';

View File

@ -1,10 +1,8 @@
-- Retrieves the current filters and chains per filter in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: linux
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select
SELECT
*
from
FROM
iptables;

View File

@ -1,10 +1,8 @@
-- Retrieves all the information for the current kernel modules in the target Linux system.
--
-- interval: 3600
-- tags: postmortem
-- platform: linux
-- value: Identify malware that has a kernel module component.
-- version: 1.4.5
select
SELECT
*
from
FROM
kernel_modules;

View File

@ -1,10 +1,8 @@
-- Retrieves all the information about the current kernel extensions for the target OSX system.
--
-- interval: 3600
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that has a kernel extension component.
-- version: 1.4.5
select
SELECT
*
from
FROM
kernel_extensions;

View File

@ -1,10 +1,8 @@
-- Retrieves the list of the latest logins with PID, username and timestamp.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select
SELECT
*
from
FROM
last;

View File

@ -1,10 +0,0 @@
-- Retrieves all the daemons that will run in the start of the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
*
from
launchd;

View File

@ -1,10 +1,8 @@
-- Retrieves all the listening ports in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
-- version: 1.4.5
select
SELECT
*
from
FROM
listening_ports;

View File

@ -1,17 +1,15 @@
-- Retrieves the list of all the currently logged in users in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select
SELECT
liu.*,
p.name,
p.cmdline,
p.cwd,
p.root
from
FROM
logged_in_users liu,
processes p
where
WHERE
liu.pid = p.pid;

View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
key,
subkey,

View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
key,
subkey,

View File

@ -1,9 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
--
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
username,
key,

View File

@ -1,9 +1,7 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select
username,
key,

View File

@ -1,10 +1,8 @@
-- Retrieves the current list of mounted drives in the target system.
--
-- interval: 3600
-- tags: postmortem
-- platform: posix
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select
SELECT
*
from
FROM
mounts;

View File

@ -1,10 +0,0 @@
-- Retrieves the current list of Network File System mounted shares.
--
-- interval: 3600
-- platform: darwin
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select
*
from
nfs_shares;

View File

@ -1,15 +1,16 @@
-- Retrieves all the open files per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify processes accessing sensitive files they shouldn't
-- version: 1.4.5
select distinct
pid,
path
from
process_open_files
where
path not like '/private/var/folders%'
and path not like '/System/Library/%'
and path not in ('/dev/null', '/dev/urandom', '/dev/random');
SELECT DISTINCT
pof.pid,
pof.path,
p.name,
p.cmdline
FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
WHERE
pof.path NOT LIKE '/private/var/folders%'
AND pof.path NOT LIKE '/System/Library/%'
AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');

View File

@ -1,8 +0,0 @@
-- Crontab entries
--
-- interval: 3600
-- platform: posix
SELECT
*
FROM
crontab

View File

@ -1,10 +1,7 @@
-- Retrieves all the environment variables per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Insight into the process data: Where was it started from, was it preloaded...
-- version: 1.4.5
select
SELECT
*
from
FROM
process_envs;

View File

@ -1,10 +0,0 @@
-- Retrieves the memory map per process in the target Linux system.
--
-- interval: 86400
-- platform: linux
-- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
-- version: 1.4.5
select
*
from
process_memory_map;

View File

@ -0,0 +1,7 @@
-- Retrieves the memory map per process
-- platform: posix
-- tags: postmortem
SELECT
*
FROM
process_memory_map;

View File

@ -1,10 +1,8 @@
-- Retrieves all the open sockets per process in the target system.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
-- version: 1.4.5
select distinct
SELECT DISTINCT
pid,
family,
protocol,
@ -13,8 +11,8 @@ select distinct
remote_address,
remote_port,
path
from
FROM
process_open_sockets
where
WHERE
path <> ''
or remote_address <> '';

View File

@ -1,12 +0,0 @@
-- Retrieves all the ramdisk currently mounted in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
-- version: 1.4.5
select
*
from
block_devices
where
type = 'Virtual Interface';

View File

@ -1,9 +1,6 @@
-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
--
-- interval: 86400
-- tags: postmortem
-- platform: darwin
-- value: Identify recently accessed items. Useful for compromised hosts.
-- version: 1.4.5
select
username,
key,

View File

@ -1,10 +0,0 @@
-- Lists the application bundle that owns a sandbox label.
--
-- interval: 86400
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select
*
from
sandboxes;

View File

@ -0,0 +1,8 @@
-- Lists the application bundle that owns a sandbox label.
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
sandboxes;

View File

@ -1,11 +1,9 @@
-- Retrieves the command history, per user, by parsing the shell history files.
--
-- interval: 86400
-- tags: postmortem
-- platform: posix
-- value: Identify actions taken. Useful for compromised hosts.
-- version: 1.4.5
select
SELECT
*
from
FROM
users
join shell_history using (uid);
JOIN shell_history USING (uid);

View File

@ -1,10 +1,7 @@
-- Retrieve all the items that will load when the target OSX system starts.
-- Retrieve most programs that are part of a systems startup (multi-platform)
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select
-- tags: postmortem
SELECT
*
from
FROM
startup_items;

View File

@ -1,9 +1,8 @@
-- Retrieves all the files in the target system that are setuid enabled.
-- Retrieves setuid-enabled executables in well-known paths
--
-- platform: posix
-- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
-- version: 1.4.5
select
-- tags: postmortem
SELECT
*
from
FROM
suid_bin;

View File

@ -0,0 +1,8 @@
-- Returns a list of systemd units
--
-- tags: postmortem
-- platform: linux
SELECT
*
FROM
systemd_units;

View File

@ -0,0 +1,8 @@
-- Returns a list of users
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
users

View File

@ -1,10 +1,5 @@
-- Retrieves all the remembered wireless network that the target machine has connected to.
--
-- interval: 3600
-- platform: darwin
-- value: Identifies connections to rogue access points.
-- version: 1.6.0
select
SELECT
ssid,
network_name,
security_type,
@ -13,5 +8,5 @@ select
possibly_hidden,
roaming,
roaming_profile
from
FROM
wifi_networks;

View File

@ -0,0 +1,8 @@
-- Returns a list of malware matches from macOS XProtect
--
-- tags: postmortem
-- platform: darwin
SELECT
*
FROM
xprotect_reports;