Add missing files

Thomas Stromberg 2022-10-19 16:56:43 -04:00
parent ab94de7770
commit d8e91bac63
3 changed files with 166 additions and 0 deletions


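--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,114 @@
+-- Programs which are writing an unusually large amount of data
+--
+-- Can be used to detect ransomware
+--
+-- false positives:
+-- * Package managers
+-- * Backup software
+--
+-- references:
+-- * https://attack.mitre.org/tactics/TA0009/ (Collection)
+--
+-- tags: transient process
+SELECT
+p.name,
+p.path,
+p.pid,
+p.cmdline,
+p.on_disk,
+p.parent,
+p.start_time,
+hash.sha256,
+p.disk_bytes_written,
+p.cwd,
+(strftime('%s', 'now') - start_time) AS age,
+disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
+FROM
+processes p
+LEFT JOIN hash ON p.path = hash.path
+WHERE
+bytes_per_second > 2500000
+AND age > 120
+AND pid > 2
+AND p.path NOT IN (
+'/bin/bash',
+'/opt/homebrew/bin/qemu-system-aarch64',
+'/usr/bin/aptd',
+'/usr/bin/bash',
+'/usr/bin/bwrap',
+'/usr/bin/curl',
+'/usr/bin/dockerd',
+'/usr/bin/fish',
+'/usr/bin/gnome-shell',
+'/usr/bin/make',
+'/usr/bin/melange',
+'/usr/bin/qemu-system-x86_64',
+'/usr/bin/yay',
+'/usr/bin/zsh',
+'/usr/lib64/thunderbird/thunderbird',
+'/usr/libexec/coreduetd',
+'/usr/libexec/packagekitd',
+'/usr/libexec/rosetta/oahd',
+'/usr/libexec/secd',
+'/usr/libexec/sharingd',
+'/usr/lib/flatpak-system-helper',
+'/usr/lib/systemd/systemd',
+'/usr/lib/systemd/systemd-journald',
+'/usr/sbin/screencapture'
+)
+AND NOT (
+name LIKE 'jbd%/dm-%'
+AND on_disk = -1
+)
+AND NOT (
+name = 'bindfs'
+AND cmdline LIKE 'bindfs -f -o fsname=%'
+)
+AND NOT (
+name = 'btrfs-transaction'
+AND on_disk = -1
+)
+AND NOT (
+name = 'kernel_task'
+AND p.path = ''
+AND parent IN (0, 1)
+AND on_disk = -1
+)
+AND NOT (
+name = 'launchd'
+AND p.path = '/sbin/launchd'
+AND parent = 0
+)
+AND NOT (
+name = 'logd'
+AND cmdline = '/usr/libexec/logd'
+AND parent = 1
+)
+AND NOT (
+name = 'aptd'
+AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
+)
+AND NOT name IN (
+'chrome',
+'com.apple.MobileSoftwareUpdate.UpdateBrainService',
+'containerd',
+'esbuild',
+'firefox',
+'go',
+'goland',
+'java',
+'launcher',
+'gopls',
+'jetbrains-toolb',
+'slack',
+'slack',
+'wineserver'
+)
+AND p.path NOT LIKE '/Applications/%.app/Contents/%'
+AND p.path NOT LIKE '/home/%/.local/share/Steam'
+AND p.path NOT LIKE '/nix/store/%/bin/%sh'
+AND p.path NOT LIKE '/nix/store/%/bin/nix'
+AND p.path NOT LIKE '/System/Applications/%'
+AND p.path NOT LIKE '/System/Library/%'
+AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'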
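Review bot: The `AND NOT name IN (` exclusion block keys only on the process name, which is whatever the executable happens to be called, so any heavy writer named `chrome`, `java` or `go` is excluded no matter where it lives on disk or what it hashes to; the `aptd` and `logd` exceptions above it show the stronger pattern of pairing the name with a path or cmdline, and the names in this list deserve the same treatment. The same list contains `'slack'` twice. Separately, `bytes_per_second` divides `disk_bytes_written` by the full process age, so it is a lifetime average rather than a recent rate: a long-running process that starts writing heavily only crosses 2500000 once the burst outweighs its whole history, and the `age > 120` floor delays the first evaluation further. That trade-off belongs in the header, e.g. `-- bytes_per_second is averaged over the whole process lifetime, not a recent window; detection lags for long-lived processes`.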


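--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,34 @@
+-- Find database exports. Will need tuning based on your table names.
+--
+-- false positives:
+-- * none observed
+--
+-- references:
+-- * https://attack.mitre.org/techniques/T1530/ (Data from Cloud Storage Object )
+--
+-- platform: darwin
+-- tags: persistent filesystem spotlight
+SELECT
+f.path,
+f.size,
+datetime(f.btime, 'unixepoch') AS file_created,
+magic.data
+FROM
+file f
+JOIN mdfind ON mdfind.path = f.path
+LEFT JOIN magic ON f.path = magic.path
+WHERE
+(
+(
+mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
+)
+OR (
+mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
+)
+OR (
+mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
+)
+)
+AND f.path NOT LIKE '%.json'
+AND f.path NOT LIKE '%.log'
+AND f.size > 32768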
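Review bot: The three `mdfind.query` branches repeat the same `kMDItemTextContent == 'CREATE TABLE'` predicate and differ only in the `kMDItemFSName` glob, yet the header only says the query "will need tuning" without pointing at what to tune; a comment above `WHERE` such as `-- tune the kMDItemFSName globs (*enforce*, *iam*, *tenant*) to the table or dump names used in your environment` would make the knob explicit. The `%.json` and `%.log` exclusions and the 32768-byte floor are likewise undocumented and read as noise filters; a one-line reason for each keeps the next maintainer from loosening them. The bare `JOIN mdfind` directly above `LEFT JOIN magic` reads more consistently as `INNER JOIN mdfind`.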


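--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,18 @@
+-- Retrieves all the open sockets per process in the target system.
+--
+-- tags: postmortem
+-- platform: posix
+SELECT DISTINCT
+pid,
+family,
+protocol,
+local_address,
+local_port,
+remote_address,
+remote_port,
+path
+FROM
+process_open_sockets
+WHERE
+path <> ''
+or remote_address <> '';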
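Review bot: The header says the query retrieves all open sockets, but the `WHERE path <> '' or remote_address <> ''` clause drops every row that has neither a unix-socket path nor a remote peer, which on platforms where osquery reports an empty `remote_address` for listening sockets would silently omit listeners — the rows a postmortem most often needs. Either the filter should be documented as intentional, e.g. `-- excludes sockets with neither a unix path nor a remote peer (unbound/idle entries)`, or it should be reconsidered; I have not confirmed how each platform populates `remote_address`, so that is worth checking before changing it. As a point of style, the lowercase `or` is the only lowercase keyword in the file and should be `OR`.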