valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 09:58:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
96b6956b76
osquery-1/packs/incident-response.conf

300 lines
15 KiB
Plaintext
Raw Normal View History

Query packs files
2015-07-17 21:42:05 +00:00
{
"queries": {
"launchd": {
"query" : "select * from launchd;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the daemons that will run in the start of the target OSX system.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"startup_items": {
"query" : "select * from startup_items;",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieve all the items that will load when the target OSX system starts.",
"value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
},
"crontab": {
"query" : "select * from crontab;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves all the jobs scheduled in crontab in the target system.",
"value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
},
"loginwindow1": {
"query" : "select key, subkey, value from preferences where path = '/Library/Preferences/com.apple.loginwindow.plist';",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"loginwindow2": {
"query" : "select key, subkey, value from preferences where path = '/Library/Preferences/loginwindow.plist';",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"loginwindow3": {
"query" : "select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"loginwindow4": {
"query" : "select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"alf": {
"query" : "select * from alf;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
},
"alf_exceptions": {
"query" : "select * from alf_exceptions;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",
"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
},
"alf_services": {
"query" : "select * from alf_services;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the services for the Application Layer Firewall in OSX.",
"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
},
"alf_explicit_auths": {
"query" : "select * from alf_explicit_auths;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",
"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
},
"etc_hosts": {
"query" : "select * from etc_hosts;",
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves all the entries in the target system /etc/hosts file.",
"value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled"
},
"kextstat": {
"query" : "select * from kernel_extensions;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
"value" : "Identify malware that has a kernel extension component."
},
"kernel_modules": {
"query" : "select * from kernel_modules;",
"interval" : "3600",
"platform" : "linux",
"version" : "1.4.5",
"description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
"value" : "Identify malware that has a kernel module component."
},
"last": {
"query" : "select * from last;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves the list of the latest logins with PID, username and timestamp.",
"value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
},
"installed_applications": {
"query" : "select * from apps;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the currently installed applications in the target OSX system.",
"value" : "Identify malware, adware, or vulnerable packages that are installed as an application."
},
"open_sockets": {
[Fix #1369] Limit IOKit HID events
2015-07-23 16:54:38 +00:00
"query" : "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';",
Query packs files
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves all the open sockets per process in the target system.",
"value" : "Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings"
},
"open_files": {
[Fix #1369] Limit IOKit HID events
2015-07-23 16:54:38 +00:00
"query" : "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');",
Query packs files
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves all the open files per process in the target system.",
"value" : "Identify processes accessing sensitive files they shouldn't"
},
"logged_in_users": {
Update an error in the incident response pack #1398
2015-07-27 18:38:51 +00:00
"query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
Query packs files
2015-07-17 21:42:05 +00:00
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves the list of all the currently logged in users in the target system.",
"value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
},
"ip_forwarding": {
"query" : "select * from system_controls where name = 'net.inet.ip.forwarding';",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves the current status of IP forwarding.",
"value" : "Identify if a machine is being used as relay"
},
"startup_items": {
"query" : "select * from startup_items;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieve all the items that will load when the target OSX system starts.",
"value" : "Identify malware that uses this persistence mechanism to launch at system boot"
},
"process_env": {
"query" : "select * from process_envs;",
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves all the environment variables per process in the target system.",
"value" : "Insight into the process data: Where was it started from, was it preloaded..."
},
"mounts": {
"query" : "select * from mounts;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves the current list of mounted drives in the target system.",
"value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
},
"nfs_shares": {
"query" : "select * from nfs_shares;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the current list of Network File System mounted shares.",
"value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
},
"shell_history": {
"query" : "select * from shell_history;",
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves the command history, per user, by parsing the shell history files.",
"value" : "Identify actions taken. Useful for compromised hosts."
},
"recent_items": {
"query" : "select username, key, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves the list of recent items opened in OSX by parsing the plist per user.",
"value" : "Identify recently accessed items. Useful for compromised hosts."
},
"ramdisk": {
"query" : "select * from block_devices where type = 'Virtual Interface';",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves all the ramdisk currently mounted in the target system.",
"value" : "Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes"
},
"listening_ports": {
"query" : "select * from listening_ports;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves all the listening ports in the target system.",
"value" : "Detect if a listening port iis not mapped to a known process. Find backdoors."
},
"suid_bin": {
"query" : "select * from suid_bin;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves all the files in the target system that are setuid enabled.",
"value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build."
},
"keychain_items": {
"query" : "select * from keychain_items;",
"interval" : "3600",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the items contained in the keychain in the target OSX system.",
"value" : "Determine what access the user had, identify accounts to be remediated."
},
"hardware_events": {
[Fix #1369] Limit IOKit HID events
2015-07-23 16:54:38 +00:00
"query" : "select distinct * from hardware_events where path <> '' or model <> '';",
Query packs files
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves all the hardware related events in the target OSX system.",
"value" : "Determine if a third party device was attached to the system, include in scope for identification/mitigation/future detection."
},
"passwd_changes": {
"query" : "select * from passwd_changes;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves all the password changes in the target system.",
"value" : "Detect trojanized system accounts,ie, password change for 'bin'. New attacker owned accounts."
},
"process_memory": {
"query" : "select * from process_memory_map;",
"interval" : "86400",
"platform" : "linux",
"version" : "1.4.5",
"description" : "Retrieves the memory map per process in the target Linux system.",
"value" : "Ability to compare with known good. Identify mapped regions corresponding with or containing injected code."
},
"arp_cache": {
"query" : "select * from arp_cache;",
"interval" : "3600",
"version" : "1.4.5",
"description" : "Retrieves the ARP cache values in the target system.",
"value" : "Determine if MITM in progress."
},
"wireless_networks": {
Update wireless_networks in IR pack to use wifi_networks table
2015-11-22 08:44:06 +00:00
"query" : "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;",
Query packs files
2015-07-17 21:42:05 +00:00
"interval" : "3600",
"platform" : "darwin",
Update wireless_networks in IR pack to use wifi_networks table
2015-11-22 08:44:06 +00:00
"version" : "1.6.0",
Query packs files
2015-07-17 21:42:05 +00:00
"description" : "Retrieves all the remembered wireless network that the target machine has connected to.",
"value" : "Identifies connections to rogue access points."
},
"disk_encryption": {
"query" : "select * from disk_encryption;",
"interval" : "86400",
"version" : "1.4.5",
"description" : "Retrieves the current disk encryption status for the target system.",
"value" : "Identifies a system potentially vulnerable to disk cloning."
},
"iptables": {
"query" : "select * from iptables;",
"interval" : "3600",
"platform" : "linux",
"version" : "1.4.5",
"description" : "Retrieves the current filters and chains per filter in the target system.",
"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
},
"app_schemes": {
"query" : "select * from app_schemes;",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.7",
"description" : "Retreives the list of application scheme/protocol-based IPC handlers.",
"value" : "Post-priori hijack detection, detect potential sensitive information leakage."
},
"sandboxes": {
"query" : "select * from sandboxes;",
"interval" : "86400",
"platform" : "darwin",
"version" : "1.4.7",
"description" : "Lists the application bundle that owns a sandbox label.",
"value" : "Post-priori hijack detection, detect potential sensitive information leakage."
}
}
}
Reference in New Issue Copy Permalink