mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-17 19:44:31 +00:00
Finish out the incident_response refactor
This commit is contained in:
parent
9b868bfaf5
commit
cee1710f74
@ -5,9 +5,12 @@
|
||||
--
|
||||
-- tags: transient process state
|
||||
-- platform: posix
|
||||
SELECT *
|
||||
FROM (
|
||||
SELECT p.pid,
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
(
|
||||
SELECT
|
||||
p.pid,
|
||||
p.name,
|
||||
p.cmdline AS cmd,
|
||||
cp.name AS child_name,
|
||||
@ -15,21 +18,24 @@ FROM (
|
||||
gcp.name AS grandchild_name,
|
||||
gcp.cmdline AS grandchild_cmd,
|
||||
GROUP_CONCAT(DISTINCT pof.path) AS open_files
|
||||
FROM processes p
|
||||
FROM
|
||||
processes p
|
||||
LEFT JOIN process_open_files pof ON p.pid = pof.pid
|
||||
LEFT JOIN processes cp ON p.pid = cp.parent
|
||||
LEFT JOIN processes gcp ON cp.pid = gcp.parent
|
||||
WHERE p.name = 'sshd'
|
||||
GROUP BY p.pid
|
||||
WHERE
|
||||
p.name = 'sshd'
|
||||
GROUP BY
|
||||
p.pid
|
||||
)
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
INSTR(cmd, '@notty') > 0
|
||||
OR (
|
||||
open_files != '/dev/null'
|
||||
AND INSTR(open_files, '/dev/ptmx') = 0
|
||||
)
|
||||
)
|
||||
|
||||
-- You must specifically check for NULL here, or risk inadvertently filtering everything out.
|
||||
AND (
|
||||
grandchild_name IS NULL
|
||||
|
@ -8,7 +8,8 @@
|
||||
--
|
||||
-- platform: posix
|
||||
-- tags: persistent filesystem state
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
file.directory,
|
||||
uid,
|
||||
gid,
|
||||
@ -19,10 +20,12 @@ SELECT file.path,
|
||||
size,
|
||||
hash.sha256,
|
||||
magic.data
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash ON file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
file.path LIKE '/lib/.%'
|
||||
OR file.path LIKE '/.%'
|
||||
OR file.path LIKE '/bin/%/.%'
|
||||
|
@ -5,7 +5,8 @@
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- platform: linux
|
||||
SELECT p.pid,
|
||||
SELECT
|
||||
p.pid,
|
||||
p.path,
|
||||
p.name,
|
||||
p.cmdline,
|
||||
@ -24,19 +25,18 @@ SELECT p.pid,
|
||||
pp.euid AS parent_euid,
|
||||
ch.sha256 AS child_sha256,
|
||||
ph.sha256 AS parent_sha256
|
||||
FROM processes p
|
||||
FROM
|
||||
processes p
|
||||
LEFT JOIN file f ON p.path = f.path
|
||||
LEFT JOIN processes pp ON p.parent = pp.pid
|
||||
LEFT JOIN hash AS ch ON p.path = ch.path
|
||||
LEFT JOIN hash AS ph ON pp.path = ph.path
|
||||
WHERE p.start_time > 0
|
||||
WHERE
|
||||
p.start_time > 0
|
||||
AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes
|
||||
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
|
||||
AND p.start_time >= MAX(f.ctime, f.ctime)
|
||||
AND NOT f.directory IN (
|
||||
'/usr/lib/firefox',
|
||||
'/usr/local/kolide-k2/bin'
|
||||
) -- Typically daemons or long-running desktop apps
|
||||
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
|
||||
AND NOT p.path IN (
|
||||
'',
|
||||
'/opt/google/chrome/chrome',
|
||||
@ -87,4 +87,5 @@ WHERE p.start_time > 0
|
||||
AND f.uid = p.uid
|
||||
AND p.cmdline LIKE './%'
|
||||
)
|
||||
GROUP BY p.pid
|
||||
GROUP BY
|
||||
p.pid
|
||||
|
@ -5,16 +5,19 @@
|
||||
--
|
||||
-- tags: persistent seldom filesystem
|
||||
-- platform: linux
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
|
||||
DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
|
||||
file.inode,
|
||||
hash.sha256,
|
||||
magic.data
|
||||
FROM file
|
||||
FROM
|
||||
file
|
||||
LEFT JOIN hash ON file.path = hash.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
file.path LIKE "/bin/%%"
|
||||
OR file.path LIKE "/etc/%%"
|
||||
OR file.path LIKE "/sbin/%%"
|
||||
|
@ -8,18 +8,21 @@
|
||||
--
|
||||
-- platform: darwin
|
||||
-- tags: persistent filesystem spotlight
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
file.size,
|
||||
datetime(file.btime, 'unixepoch') AS file_created,
|
||||
magic.data,
|
||||
ea.value AS url,
|
||||
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
|
||||
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
|
||||
FROM mdfind
|
||||
FROM
|
||||
mdfind
|
||||
LEFT JOIN file ON mdfind.path = file.path
|
||||
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
WHERE (
|
||||
WHERE
|
||||
(
|
||||
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
|
||||
OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.dmg'"
|
||||
)
|
||||
@ -133,4 +136,5 @@ WHERE (
|
||||
host LIKE '%.fbcdn.net'
|
||||
AND file.filename LIKE 'Messenger.%.dmg'
|
||||
)
|
||||
GROUP BY ea.value
|
||||
GROUP BY
|
||||
ea.value
|
||||
|
@ -5,7 +5,8 @@
|
||||
--
|
||||
-- platform: darwin
|
||||
-- tags: persistent filesystem spotlight
|
||||
SELECT file.path,
|
||||
SELECT
|
||||
file.path,
|
||||
file.size,
|
||||
datetime(file.btime, 'unixepoch') AS file_created,
|
||||
magic.data,
|
||||
@ -13,11 +14,13 @@ SELECT file.path,
|
||||
LOWER(
|
||||
REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
|
||||
) AS extension
|
||||
FROM mdfind
|
||||
FROM
|
||||
mdfind
|
||||
LEFT JOIN file ON mdfind.path = file.path
|
||||
LEFT JOIN magic ON file.path = magic.path
|
||||
LEFT JOIN hash ON file.path = hash.path
|
||||
WHERE mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
|
||||
WHERE
|
||||
mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
|
||||
AND file.btime > (strftime('%s', 'now') -86400)
|
||||
-- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
|
||||
AND extension NOT IN (
|
||||
|
5
incident_response/README.md
Normal file
5
incident_response/README.md
Normal file
@ -0,0 +1,5 @@
|
||||
The `incident_response` queries originate from the upstream osquery project:
|
||||
|
||||
<https://github.com/osquery/osquery/blob/master/packs/incident-response.conf>
|
||||
|
||||
Additional tables have been added and the intervals have been modified.
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the configuration values for the Application Layer Firewall for OSX.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
alf;
|
||||
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
alf_exceptions;
|
7
incident_response/alf_exceptions_macos.sql
Normal file
7
incident_response/alf_exceptions_macos.sql
Normal file
@ -0,0 +1,7 @@
|
||||
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
|
||||
--
|
||||
-- tags: postmortem
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
alf_exceptions;
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
alf_explicit_auths;
|
8
incident_response/alf_explicit_auths_macos.sql
Normal file
8
incident_response/alf_explicit_auths_macos.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
alf_explicit_auths;
|
@ -1,10 +1,7 @@
|
||||
-- Retrieves the services for the Application Layer Firewall in OSX.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
alf_services;
|
||||
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the list of application scheme/protocol-based IPC handlers.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
|
||||
-- version: 1.4.7
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
app_schemes;
|
||||
|
8
incident_response/apps.sql
Normal file
8
incident_response/apps.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Retrieves all the currently installed applications in the target OSX system.
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
apps;
|
@ -1,9 +0,0 @@
|
||||
-- Retrieves the ARP cache values in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- value: Determine if MITM in progress.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
arp_cache;
|
7
incident_response/block_devices.sql
Normal file
7
incident_response/block_devices.sql
Normal file
@ -0,0 +1,7 @@
|
||||
-- Retrieves all block devices known to the system
|
||||
-- platform: posix
|
||||
-- tags: postmortem seldom
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
block_devices
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the jobs scheduled in crontab in the target system.
|
||||
-- Crontab entries
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
crontab;
|
||||
FROM
|
||||
crontab
|
||||
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the current disk encryption status for the target system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identifies a system potentially vulnerable to disk cloning.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
disk_encryption;
|
||||
|
8
incident_response/dns_resolvers.sql
Normal file
8
incident_response/dns_resolvers.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Return the list of configured DNS servers on this system
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
dns_resolvers
|
8
incident_response/docker_containers.sql
Normal file
8
incident_response/docker_containers.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Return the list of running Docker containers on this machine
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
docker_containers
|
8
incident_response/docker_image_history.sql
Normal file
8
incident_response/docker_image_history.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Return the Docker image history on a machine
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
docker_image_history
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the entries in the target system /etc/hosts file.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
etc_hosts;
|
||||
|
8
incident_response/event_taps_macos.sql
Normal file
8
incident_response/event_taps_macos.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Retrieves software packages with access to listening in on keyboard/mouse events
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
event_taps;
|
22
incident_response/gatekeeper_macos.sql
Normal file
22
incident_response/gatekeeper_macos.sql
Normal file
@ -0,0 +1,22 @@
|
||||
-- Retrieves all the gatekeeper exceptions on a macOS host
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
gap.ctime,
|
||||
gap.mtime,
|
||||
gap.path,
|
||||
file.mtime,
|
||||
file.uid,
|
||||
file.ctime,
|
||||
file.gid,
|
||||
hash.sha256,
|
||||
signature.identifier,
|
||||
signature.authority
|
||||
FROM
|
||||
gatekeeper_approved_apps AS gap
|
||||
LEFT JOIN file ON gap.path = file.path
|
||||
LEFT JOIN hash ON gap.path = hash.path
|
||||
LEFT JOIN signature ON gap.path = signature.path
|
||||
GROUP BY
|
||||
gap.requirement
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves all the currently installed applications in the target OSX system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Identify malware, adware, or vulnerable packages that are installed as an application.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
apps;
|
@ -1,19 +1,17 @@
|
||||
-- Retrieves the current status of IP/IPv6 forwarding.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify if a machine is being used as relay.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
system_controls
|
||||
where
|
||||
WHERE
|
||||
oid = '4.30.41.1'
|
||||
union
|
||||
select
|
||||
UNION
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
system_controls
|
||||
where
|
||||
WHERE
|
||||
oid = '4.2.0.1';
|
||||
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the current filters and chains per filter in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: linux
|
||||
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
iptables;
|
||||
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the information for the current kernel modules in the target Linux system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: linux
|
||||
-- value: Identify malware that has a kernel module component.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
kernel_modules;
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the information about the current kernel extensions for the target OSX system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that has a kernel extension component.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
kernel_extensions;
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the list of the latest logins with PID, username and timestamp.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
last;
|
||||
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves all the daemons that will run in the start of the target OSX system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at system boot
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
launchd;
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the listening ports in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
listening_ports;
|
||||
|
@ -1,17 +1,15 @@
|
||||
-- Retrieves the list of all the currently logged in users in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
liu.*,
|
||||
p.name,
|
||||
p.cmdline,
|
||||
p.cwd,
|
||||
p.root
|
||||
from
|
||||
FROM
|
||||
logged_in_users liu,
|
||||
processes p
|
||||
where
|
||||
WHERE
|
||||
liu.pid = p.pid;
|
||||
|
@ -1,9 +1,8 @@
|
||||
-- Retrieves all the values for the loginwindow process in the target OSX system.
|
||||
--
|
||||
-- interval: 86400
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at system boot
|
||||
-- version: 1.4.5
|
||||
select
|
||||
key,
|
||||
subkey,
|
||||
|
@ -1,9 +1,8 @@
|
||||
-- Retrieves all the values for the loginwindow process in the target OSX system.
|
||||
--
|
||||
-- interval: 86400
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at system boot
|
||||
-- version: 1.4.5
|
||||
select
|
||||
key,
|
||||
subkey,
|
||||
|
@ -1,9 +1,8 @@
|
||||
-- Retrieves all the values for the loginwindow process in the target OSX system.
|
||||
--
|
||||
-- interval: 86400
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at system boot
|
||||
-- version: 1.4.5
|
||||
select
|
||||
username,
|
||||
key,
|
||||
|
@ -1,9 +1,7 @@
|
||||
-- Retrieves all the values for the loginwindow process in the target OSX system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at system boot
|
||||
-- version: 1.4.5
|
||||
select
|
||||
username,
|
||||
key,
|
||||
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves the current list of mounted drives in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
mounts;
|
||||
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves the current list of Network File System mounted shares.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
nfs_shares;
|
@ -1,15 +1,16 @@
|
||||
-- Retrieves all the open files per process in the target system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify processes accessing sensitive files they shouldn't
|
||||
-- version: 1.4.5
|
||||
select distinct
|
||||
pid,
|
||||
path
|
||||
from
|
||||
process_open_files
|
||||
where
|
||||
path not like '/private/var/folders%'
|
||||
and path not like '/System/Library/%'
|
||||
and path not in ('/dev/null', '/dev/urandom', '/dev/random');
|
||||
SELECT DISTINCT
|
||||
pof.pid,
|
||||
pof.path,
|
||||
p.name,
|
||||
p.cmdline
|
||||
FROM
|
||||
process_open_files pof
|
||||
LEFT JOIN processes p ON pof.pid = p.pid
|
||||
WHERE
|
||||
pof.path NOT LIKE '/private/var/folders%'
|
||||
AND pof.path NOT LIKE '/System/Library/%'
|
||||
AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');
|
||||
|
@ -1,8 +0,0 @@
|
||||
-- Crontab entries
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: posix
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
crontab
|
@ -1,10 +1,7 @@
|
||||
-- Retrieves all the environment variables per process in the target system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Insight into the process data: Where was it started from, was it preloaded...
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
process_envs;
|
||||
|
@ -1,10 +0,0 @@
|
||||
-- Retrieves the memory map per process in the target Linux system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- platform: linux
|
||||
-- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
process_memory_map;
|
7
incident_response/process_memory_map.sql
Normal file
7
incident_response/process_memory_map.sql
Normal file
@ -0,0 +1,7 @@
|
||||
-- Retrieves the memory map per process
|
||||
-- platform: posix
|
||||
-- tags: postmortem
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
process_memory_map;
|
@ -1,10 +1,8 @@
|
||||
-- Retrieves all the open sockets per process in the target system.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
|
||||
-- version: 1.4.5
|
||||
select distinct
|
||||
SELECT DISTINCT
|
||||
pid,
|
||||
family,
|
||||
protocol,
|
||||
@ -13,8 +11,8 @@ select distinct
|
||||
remote_address,
|
||||
remote_port,
|
||||
path
|
||||
from
|
||||
FROM
|
||||
process_open_sockets
|
||||
where
|
||||
WHERE
|
||||
path <> ''
|
||||
or remote_address <> '';
|
@ -1,12 +0,0 @@
|
||||
-- Retrieves all the ramdisk currently mounted in the target system.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: posix
|
||||
-- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
|
||||
-- version: 1.4.5
|
||||
select
|
||||
*
|
||||
from
|
||||
block_devices
|
||||
where
|
||||
type = 'Virtual Interface';
|
@ -1,9 +1,6 @@
|
||||
-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
-- value: Identify recently accessed items. Useful for compromised hosts.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
username,
|
||||
key,
|
@ -1,10 +0,0 @@
|
||||
-- Lists the application bundle that owns a sandbox label.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- platform: darwin
|
||||
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
|
||||
-- version: 1.4.7
|
||||
select
|
||||
*
|
||||
from
|
||||
sandboxes;
|
8
incident_response/sandboxes_macos.sql
Normal file
8
incident_response/sandboxes_macos.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Lists the application bundle that owns a sandbox label.
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
sandboxes;
|
@ -1,11 +1,9 @@
|
||||
-- Retrieves the command history, per user, by parsing the shell history files.
|
||||
--
|
||||
-- interval: 86400
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- value: Identify actions taken. Useful for compromised hosts.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
users
|
||||
join shell_history using (uid);
|
||||
JOIN shell_history USING (uid);
|
||||
|
@ -1,10 +1,7 @@
|
||||
-- Retrieve all the items that will load when the target OSX system starts.
|
||||
-- Retrieve most programs that are part of a systems startup (multi-platform)
|
||||
--
|
||||
-- interval: 86400
|
||||
-- platform: darwin
|
||||
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
|
||||
-- version: 1.4.5
|
||||
select
|
||||
-- tags: postmortem
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
startup_items;
|
||||
|
@ -1,9 +1,8 @@
|
||||
-- Retrieves all the files in the target system that are setuid enabled.
|
||||
-- Retrieves setuid-enabled executables in well-known paths
|
||||
--
|
||||
-- platform: posix
|
||||
-- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
|
||||
-- version: 1.4.5
|
||||
select
|
||||
-- tags: postmortem
|
||||
SELECT
|
||||
*
|
||||
from
|
||||
FROM
|
||||
suid_bin;
|
||||
|
8
incident_response/systemd_units.sql
Normal file
8
incident_response/systemd_units.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Returns a list of systemd units
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
systemd_units;
|
8
incident_response/users.sql
Normal file
8
incident_response/users.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Returns a list of users
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
users
|
@ -1,10 +1,5 @@
|
||||
-- Retrieves all the remembered wireless network that the target machine has connected to.
|
||||
--
|
||||
-- interval: 3600
|
||||
-- platform: darwin
|
||||
-- value: Identifies connections to rogue access points.
|
||||
-- version: 1.6.0
|
||||
select
|
||||
SELECT
|
||||
ssid,
|
||||
network_name,
|
||||
security_type,
|
||||
@ -13,5 +8,5 @@ select
|
||||
possibly_hidden,
|
||||
roaming,
|
||||
roaming_profile
|
||||
from
|
||||
FROM
|
||||
wifi_networks;
|
8
incident_response/xprotect_reports.sql
Normal file
8
incident_response/xprotect_reports.sql
Normal file
@ -0,0 +1,8 @@
|
||||
-- Returns a list of malware matches from macOS XProtect
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: darwin
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
xprotect_reports;
|
Loading…
Reference in New Issue
Block a user