diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
new file mode 100644
index 0000000..8854262
--- /dev/null
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -0,0 +1,114 @@
+-- Programs which are writing an unusually large amount of data
+--
+-- Can be used to detect ransomware
+--
+-- false positives:
+-- * Package managers
+-- * Backup software
+--
+-- references:
+-- * https://attack.mitre.org/tactics/TA0009/ (Collection)
+--
+-- tags: transient process
+SELECT
+ p.name,
+ p.path,
+ p.pid,
+ p.cmdline,
+ p.on_disk,
+ p.parent,
+ p.start_time,
+ hash.sha256,
+ p.disk_bytes_written,
+ p.cwd,
+ (strftime('%s', 'now') - start_time) AS age,
+ disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
+FROM
+ processes p
+ LEFT JOIN hash ON p.path = hash.path
+WHERE
+ bytes_per_second > 2500000
+ AND age > 120
+ AND pid > 2
+ AND p.path NOT IN (
+ '/bin/bash',
+ '/opt/homebrew/bin/qemu-system-aarch64',
+ '/usr/bin/aptd',
+ '/usr/bin/bash',
+ '/usr/bin/bwrap',
+ '/usr/bin/curl',
+ '/usr/bin/dockerd',
+ '/usr/bin/fish',
+ '/usr/bin/gnome-shell',
+ '/usr/bin/make',
+ '/usr/bin/melange',
+ '/usr/bin/qemu-system-x86_64',
+ '/usr/bin/yay',
+ '/usr/bin/zsh',
+ '/usr/lib64/thunderbird/thunderbird',
+ '/usr/libexec/coreduetd',
+ '/usr/libexec/packagekitd',
+ '/usr/libexec/rosetta/oahd',
+ '/usr/libexec/secd',
+ '/usr/libexec/sharingd',
+ '/usr/lib/flatpak-system-helper',
+ '/usr/lib/systemd/systemd',
+ '/usr/lib/systemd/systemd-journald',
+ '/usr/sbin/screencapture'
+ )
+ AND NOT (
+ name LIKE 'jbd%/dm-%'
+ AND on_disk = -1
+ )
+ AND NOT (
+ name = 'bindfs'
+ AND cmdline LIKE 'bindfs -f -o fsname=%'
+ )
+ AND NOT (
+ name = 'btrfs-transaction'
+ AND on_disk = -1
+ )
+ AND NOT (
+ name = 'kernel_task'
+ AND p.path = ''
+ AND parent IN (0, 1)
+ AND on_disk = -1
+ )
+ AND NOT (
+ name = 'launchd'
+ AND p.path = '/sbin/launchd'
+ AND parent = 0
+ )
+ AND NOT (
+ name = 'logd'
+ AND cmdline = '/usr/libexec/logd'
+ AND parent = 1
+ )
+ AND NOT (
+ name = 'aptd'
+ AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
+ )
+ AND NOT name IN (
+ 'chrome',
+ 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
+ 'containerd',
+ 'esbuild',
+ 'firefox',
+ 'go',
+ 'goland',
+ 'java',
+ 'launcher',
+ 'gopls',
+ 'jetbrains-toolb',
+ 'slack',
+ 'slack',
+ 'wineserver'
+ )
+ AND p.path NOT LIKE '/Applications/%.app/Contents/%'
+ AND p.path NOT LIKE '/home/%/.local/share/Steam'
+ AND p.path NOT LIKE '/nix/store/%/bin/%sh'
+ AND p.path NOT LIKE '/nix/store/%/bin/nix'
+ AND p.path NOT LIKE '/System/Applications/%'
+ AND p.path NOT LIKE '/System/Library/%'
+ AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+ AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
diff --git a/detection/collection/spotlight-database-export-macos.sql b/detection/collection/spotlight-database-export-macos.sql
new file mode 100644
index 0000000..d7e7338
--- /dev/null
+++ b/detection/collection/spotlight-database-export-macos.sql
@@ -0,0 +1,34 @@
+-- Find database exports. Will need tuning based on your table names.
+--
+-- false positives:
+-- * none observed
+--
+-- references:
+-- * https://attack.mitre.org/techniques/T1530/ (Data from Cloud Storage Object )
+--
+-- platform: darwin
+-- tags: persistent filesystem spotlight
+SELECT
+ f.path,
+ f.size,
+ datetime(f.btime, 'unixepoch') AS file_created,
+ magic.data
+FROM
+ file f
+ JOIN mdfind ON mdfind.path = f.path
+ LEFT JOIN magic ON f.path = magic.path
+WHERE
+ (
+ (
+ mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
+ )
+ OR (
+ mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
+ )
+ OR (
+ mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
+ )
+ )
+ AND f.path NOT LIKE '%.json'
+ AND f.path NOT LIKE '%.log'
+ AND f.size > 32768
diff --git a/incident_response/open_sockets.sql b/incident_response/open_sockets.sql
new file mode 100644
index 0000000..8b09e2d
--- /dev/null
+++ b/incident_response/open_sockets.sql
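Review bot: The `AND NOT name IN ('chrome', ..., 'java', 'esbuild', ...)` block exempts processes on their self-reported name alone, so a binary that simply calls itself `java`, `go` or `esbuild` is dropped from the ransomware check with no path, hash or signature constraint, and the blanket `p.path NOT LIKE '/Applications/%.app/Contents/%'` exclusion likewise drops anything bundled as an app. Consider anchoring those name exclusions to a path, as the `aptd`, `logd` and `launchd` exceptions already do, or to the `hash.sha256` value that is already selected. Separately, `p.path NOT LIKE '/home/%/.local/share/Steam'` has no trailing `/%`, so it only matches a path equal to the Steam directory itself and never an executable beneath it; `'/home/%/.local/share/Steam/%'` is presumably what was intended. `'slack'` is listed twice in the name list and one entry can go.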
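Review bot: The match depends on Spotlight having indexed the literal text `CREATE TABLE`, so a dump that is compressed or written in a binary format will presumably not satisfy `kMDItemTextContent`, and an export placed in a location Spotlight does not index, or copied off before indexing runs, is missed as well; the header should state that limit, e.g. `-- Only plain-text SQL dumps that Spotlight has indexed are detected; compressed or binary exports are missed.` The reference line `T1530 (Data from Cloud Storage Object )` does not obviously describe a local database export found via Spotlight; T1005 (Data from Local System) looks like the closer fit, though that is a judgement call, and the stray space before the closing parenthesis should be removed either way.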
@@ -0,0 +1,18 @@
+-- Retrieves all the open sockets per process in the target system.
+--
+-- tags: postmortem
+-- platform: posix
+SELECT DISTINCT
+ pid,
+ family,
+ protocol,
+ local_address,
+ local_port,
+ remote_address,
+ remote_port,
+ path
+FROM
+ process_open_sockets
+WHERE
+ path <> ''
+ or remote_address <> '';
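Review bot: The filter `path <> '' or remote_address <> ''` drops every socket whose remote side is empty, which on some platforms may include listening sockets — often the rows a postmortem most needs — since how `process_open_sockets` represents an unconnected socket's `remote_address` is not fixed across operating systems. Adding `state` to the SELECT list and either dropping the filter or widening it with `OR state = 'LISTEN'` would keep listeners visible and let the reader tell them apart from established connections. As a style point, `or` is the only lowercase keyword in the file; write `OR` to match the rest.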