This commit is contained in:
Thomas Stromberg 2022-10-13 09:11:17 -04:00
parent 26ee658c4a
commit e785c35614
Failed to extract signature
44 changed files with 305 additions and 2 deletions

2
.gitignore vendored
View File

@ -10,6 +10,6 @@
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
out/
# Dependency directories (remove the comment below to include it)
# vendor/

18
Makefile Normal file
View File

@ -0,0 +1,18 @@
out/odk-detection.sql:
mkdir -p out
osqtool pack detection/ > out/odk-detection.conf
out/odk-policy.sql:
mkdir -p out
osqtool pack policy/ > out/odk-policy.conf
out/odk-incident_response.sql:
mkdir -p out
osqtool pack incident_response/ > out/odk-incident_response.conf
packs: out/odk-detection.sql out/odk-policy.sql out/odk-incident_response.sql
out/odk-packs.zip: packs
cd out && zip odk-packs.zip *.conf
all: out/odk-packs.zip

View File

@ -2,6 +2,8 @@
Real-world queries for using osquery as part of your detection & response pipeline.
![osquery-defense-kit](images/logo-small.png?raw=true "osquery-defense-kit logo")
## Organization
* `detection/` - Threat detection queries suitable for alerting.
@ -67,3 +69,7 @@ Here is a partial list of what stages would have been detected by particular que
* `c2/unexpected-talkers-macos.sql`
* `execution/exotic-command-events.sql`
* `execution/unexpected-executable-directory-macos.sql`
## Local pack generation
Run `make packs`

View File

@ -3,7 +3,7 @@
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
-- platform: linux
-- platform: darwin
SELECT
pof.pid,
pof.path AS device,

BIN
images/logo-small.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 92 KiB

BIN
images/logo.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

View File

@ -0,0 +1,8 @@
-- Retrieves the configuration values for the Application Layer Firewall for OSX.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select * from alf;

View File

@ -0,0 +1,8 @@
-- Retrieves the exceptions for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select * from alf_exceptions;

View File

@ -0,0 +1,8 @@
-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select * from alf_explicit_auths;

View File

@ -0,0 +1,8 @@
-- Retrieves the services for the Application Layer Firewall in OSX.
--
-- interval: 3600
-- platform: darwin
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select * from alf_services;

View File

@ -0,0 +1,8 @@
-- Retrieves the list of application scheme/protocol-based IPC handlers.
--
-- interval: 86400
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select * from app_schemes;

View File

@ -0,0 +1,7 @@
-- Retrieves the ARP cache values in the target system.
--
-- interval: 3600
-- value: Determine if MITM in progress.
-- version: 1.4.5
select * from arp_cache;

View File

@ -0,0 +1,8 @@
-- Retrieves all the jobs scheduled in crontab in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select * from crontab;

View File

@ -0,0 +1,8 @@
-- Retrieves the current disk encryption status for the target system.
--
-- interval: 86400
-- platform: posix
-- value: Identifies a system potentially vulnerable to disk cloning.
-- version: 1.4.5
select * from disk_encryption;

View File

@ -0,0 +1,8 @@
-- Retrieves all the entries in the target system /etc/hosts file.
--
-- interval: 86400
-- platform: posix
-- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
-- version: 1.4.5
select * from etc_hosts;

View File

@ -0,0 +1,8 @@
-- Retrieves all the currently installed applications in the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware, adware, or vulnerable packages that are installed as an application.
-- version: 1.4.5
select * from apps;

View File

@ -0,0 +1,8 @@
-- Retrieves the current status of IP/IPv6 forwarding.
--
-- interval: 3600
-- platform: posix
-- value: Identify if a machine is being used as relay.
-- version: 1.4.5
select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';

View File

@ -0,0 +1,8 @@
-- Retrieves the current filters and chains per filter in the target system.
--
-- interval: 3600
-- platform: linux
-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
-- version: 1.4.5
select * from iptables;

View File

@ -0,0 +1,8 @@
-- Retrieves all the information for the current kernel modules in the target Linux system.
--
-- interval: 3600
-- platform: linux
-- value: Identify malware that has a kernel module component.
-- version: 1.4.5
select * from kernel_modules;

View File

@ -0,0 +1,8 @@
-- Retrieves all the information about the current kernel extensions for the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware that has a kernel extension component.
-- version: 1.4.5
select * from kernel_extensions;

View File

@ -0,0 +1,8 @@
-- Retrieves the list of the latest logins with PID, username and timestamp.
--
-- interval: 3600
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select * from last;

View File

@ -0,0 +1,8 @@
-- Retrieves all the daemons that will run in the start of the target OSX system.
--
-- interval: 3600
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select * from launchd;

View File

@ -0,0 +1,8 @@
-- Retrieves all the listening ports in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
-- version: 1.4.5
select * from listening_ports;

View File

@ -0,0 +1,8 @@
-- Retrieves the list of all the currently logged in users in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
-- version: 1.4.5
select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;

View File

@ -0,0 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';

View File

@ -0,0 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';

View File

@ -0,0 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';

View File

@ -0,0 +1,8 @@
-- Retrieves all the values for the loginwindow process in the target OSX system.
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at system boot
-- version: 1.4.5
select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';

View File

@ -0,0 +1,8 @@
-- Retrieves the current list of mounted drives in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select * from mounts;

View File

@ -0,0 +1,8 @@
-- Retrieves the current list of Network File System mounted shares.
--
-- interval: 3600
-- platform: darwin
-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
-- version: 1.4.5
select * from nfs_shares;

View File

@ -0,0 +1,8 @@
-- Retrieves all the open files per process in the target system.
--
-- interval: 86400
-- platform: posix
-- value: Identify processes accessing sensitive files they shouldn't
-- version: 1.4.5
select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');

View File

@ -0,0 +1,8 @@
-- Retrieves all the open sockets per process in the target system.
--
-- interval: 86400
-- platform: posix
-- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
-- version: 1.4.5
select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';

View File

@ -0,0 +1,8 @@
-- Retrieves all the environment variables per process in the target system.
--
-- interval: 86400
-- platform: posix
-- value: Insight into the process data: Where was it started from, was it preloaded...
-- version: 1.4.5
select * from process_envs;

View File

@ -0,0 +1,8 @@
-- Retrieves the memory map per process in the target Linux system.
--
-- interval: 86400
-- platform: linux
-- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
-- version: 1.4.5
select * from process_memory_map;

View File

@ -0,0 +1,8 @@
-- Retrieves all the ramdisk currently mounted in the target system.
--
-- interval: 3600
-- platform: posix
-- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
-- version: 1.4.5
select * from block_devices where type = 'Virtual Interface';

View File

@ -0,0 +1,8 @@
-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
--
-- interval: 86400
-- platform: darwin
-- value: Identify recently accessed items. Useful for compromised hosts.
-- version: 1.4.5
select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';

View File

@ -0,0 +1,8 @@
-- Lists the application bundle that owns a sandbox label.
--
-- interval: 86400
-- platform: darwin
-- value: Post-priori hijack detection, detect potential sensitive information leakage.
-- version: 1.4.7
select * from sandboxes;

View File

@ -0,0 +1,8 @@
-- Retrieves the command history, per user, by parsing the shell history files.
--
-- interval: 86400
-- platform: posix
-- value: Identify actions taken. Useful for compromised hosts.
-- version: 1.4.5
select * from users join shell_history using (uid);

View File

@ -0,0 +1,8 @@
-- Retrieve all the items that will load when the target OSX system starts.
--
-- interval: 86400
-- platform: darwin
-- value: Identify malware that uses this persistence mechanism to launch at a given interval
-- version: 1.4.5
select * from startup_items;

View File

@ -0,0 +1,8 @@
-- Retrieves all the files in the target system that are setuid enabled.
--
-- interval: 3600
-- platform: posix
-- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
-- version: 1.4.5
select * from suid_bin;

View File

@ -0,0 +1,8 @@
-- Retrieves all the remembered wireless network that the target machine has connected to.
--
-- interval: 3600
-- platform: darwin
-- value: Identifies connections to rogue access points.
-- version: 1.6.0
select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;