Initial commit

Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions

View File

@@ -0,0 +1,5 @@
# Incident Response Skills
This directory contains skills for security incident response operations.
See the main [README.md](../../README.md) for usage and [CONTRIBUTE.md](../../CONTRIBUTE.md) for contribution guidelines.

View File

@@ -0,0 +1,505 @@
---
name: detection-sigma
description: >
Generic detection rule creation and management using Sigma, the universal SIEM rule format.
Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms.
Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between
SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized
detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to
MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.
version: 0.1.0
maintainer: SirAppSec
category: incident-response
tags: [sigma, detection, siem, threat-hunting, mitre-attack, detection-engineering, log-analysis]
frameworks: [MITRE-ATT&CK, NIST, ISO27001]
dependencies:
python: ">=3.8"
packages: [pysigma, pysigma-backend-splunk, pysigma-backend-elasticsearch, pyyaml]
references:
- https://github.com/SigmaHQ/sigma
- https://github.com/SigmaHQ/pySigma
- https://sigmahq.io/
---
# Sigma Detection Engineering
## Overview
Sigma is to log detection what Snort is to network traffic and YARA is to files - a universal signature format for describing security-relevant log events. This skill helps create, validate, and convert Sigma rules for deployment across multiple SIEM platforms, enabling detection-as-code workflows.
**Core capabilities**:
- Create detection rules using Sigma format
- Convert rules to 25+ SIEM/EDR backends (Splunk, Elastic, QRadar, Sentinel, etc.)
- Validate rule syntax and logic
- Map detections to MITRE ATT&CK framework
- Build threat hunting queries
- Implement compliance-based monitoring
## Quick Start
### Install Dependencies
```bash
pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch pyyaml
```
### Create a Basic Sigma Rule
```yaml
title: Suspicious PowerShell Execution
id: 7d6d30b8-5b91-4b90-a71e-4f5a3f5a3c3f
status: experimental
description: Detects suspicious PowerShell execution with encoded commands
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Your Name
date: YYYY/MM/DD
modified: YYYY/MM/DD
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- 'FromBase64String'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: medium
```
### Convert Rule to Target SIEM
```bash
# Convert to Splunk
python scripts/sigma_convert.py rule.yml --backend splunk
# Convert to Elasticsearch
python scripts/sigma_convert.py rule.yml --backend elasticsearch
# Convert to Microsoft Sentinel
python scripts/sigma_convert.py rule.yml --backend sentinel
```
## Core Workflows
### Workflow 1: Detection Rule Development
Progress:
[ ] 1. Identify detection requirement from threat intelligence or compliance
[ ] 2. Research log sources and field mappings for target environment
[ ] 3. Create Sigma rule using standard template
[ ] 4. Validate rule syntax: `python scripts/sigma_validate.py rule.yml`
[ ] 5. Test rule against sample logs or historical data
[ ] 6. Convert to target SIEM format
[ ] 7. Deploy and tune based on false positive rate
[ ] 8. Document rule metadata and MITRE ATT&CK mapping
Work through each step systematically. Check off completed items.
### Workflow 2: Threat Hunting Rule Creation
For proactive threat hunting based on TTPs:
1. **Select MITRE ATT&CK Technique**
- Review threat intelligence for relevant TTPs
- Identify technique ID (e.g., T1059.001 - PowerShell)
- See [references/mitre-attack-mapping.md](references/mitre-attack-mapping.md) for common techniques
2. **Identify Log Sources**
- Determine which logs capture the technique
- Map log source categories (process_creation, network_connection, file_event)
- Verify log source availability in your environment
3. **Define Detection Logic**
- Create selection criteria matching suspicious patterns
- Add filters to reduce false positives
- Use field modifiers for robust matching (endswith, contains, re)
4. **Validate and Test**
- Run validation: `python scripts/sigma_validate.py hunting-rule.yml`
- Test against known-good and known-bad samples
- Tune detection logic based on results
5. **Document and Deploy**
- Add references to threat reports
- Document false positive scenarios
- Convert and deploy to production SIEM
### Workflow 3: Bulk Rule Conversion
When migrating between SIEM platforms:
```bash
# Validate all rules first
python scripts/sigma_validate.py --directory rules/ --report validation-report.json
# Convert entire rule set
python scripts/sigma_convert.py --directory rules/ --backend splunk --output converted/
# Generate deployment report
python scripts/sigma_convert.py --directory rules/ --backend splunk --report conversion-report.md
```
Review conversion report for:
- Successfully converted rules
- Rules requiring manual adjustment
- Unsupported field mappings
- Backend-specific limitations
### Workflow 4: Compliance-Based Detection
For implementing compliance monitoring (PCI-DSS, NIST, ISO 27001):
1. **Map Requirements to Detections**
- Identify compliance control requirements
- Determine required log monitoring
- See [references/compliance-mappings.md](references/compliance-mappings.md)
2. **Create Detection Rules**
- Use compliance rule templates from `assets/compliance-rules/`
- Tag rules with compliance framework (e.g., tags: [pci-dss.10.2.5])
- Set appropriate severity levels
3. **Validate Coverage**
- Run: `python scripts/compliance_coverage.py --framework pci-dss`
- Review coverage gaps
- Create additional rules as needed
4. **Generate Compliance Report**
- Document detection coverage by control
- Include sample queries and expected alerts
- Maintain audit trail for compliance evidence
## Rule Structure Reference
### Required Fields
```yaml
title: Human-readable rule name
id: UUID (generate with: python -c "import uuid; print(uuid.uuid4())")
status: stable|test|experimental|deprecated
description: Detailed description of what this detects
author: Your Name
date: YYYY/MM/DD
modified: YYYY/MM/DD
logsource:
category: process_creation|network_connection|file_event|...
product: windows|linux|macos|azure|aws|...
detection:
selection:
FieldName: value
condition: selection
level: informational|low|medium|high|critical
```
### Optional Fields
```yaml
references:
- https://attack.mitre.org/techniques/T1059/
tags:
- attack.execution
- attack.t1059.001
falsepositives:
- Legitimate use cases
fields:
- CommandLine
- User
- ParentImage
```
### Detection Conditions
```yaml
# Simple selection
detection:
selection:
Field: value
condition: selection
# Multiple conditions (AND)
detection:
selection:
Field1: value1
Field2: value2
condition: selection
# OR conditions
detection:
selection1:
Field: value1
selection2:
Field: value2
condition: selection1 or selection2
# NOT conditions
detection:
selection:
Field: suspicious_value
filter:
Field: legitimate_value
condition: selection and not filter
# Complex logic
detection:
selection:
EventID: 4688
suspicious_cmd:
CommandLine|contains:
- 'powershell'
- 'cmd.exe'
filter_legitimate:
ParentImage|endswith: '\explorer.exe'
condition: selection and suspicious_cmd and not filter_legitimate
```
### Field Modifiers
Common modifiers for flexible matching:
- `|contains` - Contains substring (case-insensitive)
- `|endswith` - Ends with string
- `|startswith` - Starts with string
- `|re` - Regular expression match
- `|all` - All values must match
- `|base64` - Base64-encoded value matching
- `|base64offset` - Base64 with offset variations
Example:
```yaml
detection:
selection:
CommandLine|contains|all:
- 'powershell'
- '-enc'
Image|endswith: '\powershell.exe'
```
## Security Considerations
- **Sensitive Data Handling**: Sigma rules may reference sensitive field names or patterns. Store rules in version control with appropriate access controls. Avoid including actual sensitive data in example values.
- **Access Control**: Detection rules reveal defensive capabilities to adversaries. Implement role-based access for rule repositories. Limit rule modification to authorized detection engineers.
- **Audit Logging**: Log all rule deployments, modifications, and deletions. Track who deployed which rules to which systems. Maintain change history for compliance auditing.
- **Compliance**: Sigma rules support compliance monitoring (PCI-DSS 10.2, NIST SP 800-53 AU family, ISO 27001 A.12.4). Document rule-to-control mappings for audit evidence.
- **Safe Defaults**: Use conservative false positive filtering in production. Start rules at "experimental" status. Test thoroughly in test environment before production deployment.
## Bundled Resources
### Scripts
- `scripts/sigma_convert.py` - Convert Sigma rules to target SIEM backend formats
- `scripts/sigma_validate.py` - Validate Sigma rule syntax and detect common errors
- `scripts/compliance_coverage.py` - Analyze detection coverage for compliance frameworks
- `scripts/generate_rule_template.py` - Generate Sigma rule template with MITRE ATT&CK tags
### References
- `references/mitre-attack-mapping.md` - Common MITRE ATT&CK techniques and Sigma detection patterns
- `references/log-source-guide.md` - Log source categories, products, and field mappings
- `references/compliance-mappings.md` - Compliance framework to detection rule mappings
- `references/backend-support.md` - Supported SIEM backends and conversion capabilities
- `references/field-modifiers.md` - Comprehensive guide to Sigma field modifiers and regex patterns
### Assets
- `assets/rule-templates/` - Pre-built Sigma rule templates for common attack patterns
- `lateral-movement.yml` - Lateral movement detection template
- `privilege-escalation.yml` - Privilege escalation detection template
- `persistence.yml` - Persistence mechanism detection template
- `credential-access.yml` - Credential dumping detection template
- `assets/compliance-rules/` - Compliance-focused rule templates
- `pci-dss-monitoring.yml` - PCI-DSS monitoring requirements
- `nist-800-53-audit.yml` - NIST 800-53 audit logging requirements
- `iso27001-logging.yml` - ISO 27001 logging and monitoring
## Common Detection Patterns
### Pattern 1: Process Execution Monitoring
Detect suspicious process creation with command-line analysis:
```yaml
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
CommandLine|contains:
- 'Invoke-'
- 'IEX'
- 'FromBase64String'
```
### Pattern 2: Network Connection Monitoring
Detect suspicious outbound connections:
```yaml
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort:
- 4444
- 5555
- 8080
filter:
DestinationIp|startswith:
- '10.'
- '172.16.'
- '192.168.'
condition: selection and not filter
```
### Pattern 3: File Event Monitoring
Detect file creation in suspicious locations:
```yaml
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\Windows\Temp\'
- '\AppData\Roaming\'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ps1'
```
## Integration Points
### CI/CD Integration
Build detection-as-code pipelines:
```yaml
# .github/workflows/sigma-validation.yml
name: Sigma Rule Validation
on: [push, pull_request]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Validate Sigma Rules
run: |
pip install pysigma
python scripts/sigma_validate.py --directory rules/
- name: Convert to Production Format
run: |
python scripts/sigma_convert.py --directory rules/ --backend splunk --output converted/
```
### SIEM Deployment
Automated rule deployment:
- Splunk: Use Splunk REST API or `splunk-sdk` for savedsearches
- Elasticsearch: Convert to EQL and deploy via Kibana API
- Microsoft Sentinel: Convert to KQL and deploy via Azure API
- QRadar: Convert to AQL and deploy via QRadar API
See [references/backend-support.md](references/backend-support.md) for deployment examples.
### Threat Intelligence Integration
Enrich rules with threat intel:
- Tag rules with threat actor TTPs
- Reference threat reports and IOCs
- Map to MITRE ATT&CK techniques
- Track rule effectiveness against known threats
## Troubleshooting
### Issue: Conversion Fails for Specific Backend
**Solution**: Check backend compatibility and field mappings. Some backends have limitations:
- Review `references/backend-support.md` for known limitations
- Use `sigma_convert.py --backend <backend> --debug` for detailed error output
- Check if field names are supported in target backend
- Consider custom pipeline transformations for unsupported fields
### Issue: High False Positive Rate
**Solution**: Refine detection logic with additional filters:
1. Review false positive patterns
2. Add exclusion filters for legitimate use cases
3. Use more specific field modifiers (e.g., `|endswith` vs `|contains`)
4. Consider time-based correlation for behavioral detection
5. Test with historical data to validate tuning
### Issue: Rule Not Triggering in Target SIEM
**Solution**: Verify log source availability and field mappings:
1. Confirm log source is ingested: Check SIEM data sources
2. Verify field names match: Use `sigma_convert.py --show-fields` to see mapping
3. Test converted query directly in SIEM
4. Check for case sensitivity issues in field values
5. Validate time window and search scope in SIEM
## MITRE ATT&CK Integration
Tag rules with ATT&CK tactics and techniques:
```yaml
tags:
- attack.execution # Tactic
- attack.t1059.001 # Technique: PowerShell
- attack.defense_evasion # Additional tactic
- attack.t1027 # Technique: Obfuscated Files
```
Common tactic tags:
- `attack.initial_access`
- `attack.execution`
- `attack.persistence`
- `attack.privilege_escalation`
- `attack.defense_evasion`
- `attack.credential_access`
- `attack.discovery`
- `attack.lateral_movement`
- `attack.collection`
- `attack.exfiltration`
- `attack.command_and_control`
- `attack.impact`
For detailed technique mappings, see [references/mitre-attack-mapping.md](references/mitre-attack-mapping.md).
## Best Practices
1. **Start with Community Rules**: Use SigmaHQ repository (3000+ peer-reviewed rules) as foundation
2. **Version Control**: Store rules in Git with meaningful commit messages
3. **Test Before Deploy**: Validate against historical data in test environment
4. **Document Tuning**: Track false positive patterns and tuning decisions
5. **Map to Frameworks**: Tag all rules with MITRE ATT&CK and compliance mappings
6. **Automate Validation**: Use CI/CD to validate rules on every change
7. **Monitor Effectiveness**: Track rule trigger rates and true positive rates
8. **Regular Updates**: Review and update rules based on new threat intelligence
## References
- [Sigma Specification](https://github.com/SigmaHQ/sigma-specification)
- [SigmaHQ Rule Repository](https://github.com/SigmaHQ/sigma/tree/master/rules)
- [pySigma Documentation](https://github.com/SigmaHQ/pySigma)
- [Sigma Converter Web Tool](https://sigconverter.io/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
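Review bot: the CI workflow under "CI/CD Integration" installs only `pysigma` and then runs `python scripts/sigma_convert.py --directory rules/ --backend splunk --output converted/`, but the Splunk backend lives in the separate `pysigma-backend-splunk` package that the frontmatter itself lists under `dependencies.packages`, so the "Convert to Production Format" step fails on a clean runner; install the backend packages in that step (and move `actions/checkout@v2` to the current major, v4). Two smaller defects in the same file: Pattern 1 and Pattern 3 under "Common Detection Patterns" define a `selection` but no `condition`, which the "Required Fields" section says is mandatory and which pySigma rejects, and the Quick Start rule ships the literal placeholders `date: YYYY/MM/DD` / `modified: YYYY/MM/DD`, which do not parse as dates, so the rule cannot be used as-is to demonstrate `sigma_validate.py`. Finally, the RFC 1918 filter in Pattern 2 uses `DestinationIp|startswith: '172.16.'`, which covers only 172.16.0.0/16 of the 172.16.0.0/12 block; `DestinationIp|cidr` with the three private prefixes (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) is the Sigma-native way to write this and avoids the gap.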

View File

@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.

View File

@@ -0,0 +1,110 @@
title: ISO 27001 A.12.4 - Event Logging and Monitoring
id: GENERATE-NEW-UUID
status: stable
description: |
Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
Monitors user activities, exceptions, faults, and security events as
required by A.12.4.1 (Event logging).
references:
- https://www.iso.org/standard/54534.html
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- iso27001.a.12.4.1 # Event logging
- iso27001.a.12.4.3 # Administrator and operator logs
- iso27001.a.9.2.1 # User registration and de-registration
logsource:
category: authentication
product: windows
detection:
selection_user_activity:
EventID:
- 4624 # User logons
- 4625 # Failed logons
- 4634 # Logoffs
selection_admin_activity:
EventID:
- 4624 # Successful logon
TargetUserName|contains:
- 'admin'
- 'Administrator'
- 'root'
selection_account_mgmt:
EventID:
- 4720 # User account created
- 4726 # User account deleted
- 4738 # User account changed
condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
falsepositives:
- None - required logging per ISO 27001
level: informational
fields:
- UserID
- DateTime
- EventType
- SystemActivity
- DeviceIdentity
- Location
- Outcome
# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
#
# A.12.4.1 Event logging
# Event logs shall record:
# - User IDs
# - System activities
# - Dates, times and details of key events (e.g. log-on, log-off)
# - Device identity or location if possible
# - Records of successful and rejected system access attempts
# - Records of successful and rejected data and other resource access attempts
# - Changes to system configuration
# - Use of privileges
# - Use of system utilities and applications
# - Files accessed and the kind of access
# - Network addresses and protocols
# - Alarms raised by the access control system
# - Activation and de-activation of protection systems
#
# A.12.4.2 Protection of log information
# Detection for unauthorized log access/modification:
# logsource:
# category: file_event
# detection:
# selection:
# TargetFilename|contains: '\Logs\'
# EventType: 'Delete'
# tags:
# - iso27001.a.12.4.2
#
# A.12.4.3 Administrator and operator logs
# System administrator and operator activities shall be logged:
# logsource:
# category: process_creation
# detection:
# selection:
# User|contains:
# - 'admin'
# - 'root'
# tags:
# - iso27001.a.12.4.3
#
# A.9.2.1 User registration and de-registration
# logsource:
# category: authentication
# detection:
# selection:
# EventID:
# - 4720 # Account created
# - 4726 # Account deleted
# tags:
# - iso27001.a.9.2.1
#
# A.9.4.1 Information access restriction
# logsource:
# category: file_event
# detection:
# selection:
# TargetFilename|contains: '\Confidential\'
# tags:
# - iso27001.a.9.4.1
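Review bot: `status: stable` is contradicted by `id: GENERATE-NEW-UUID`; a rule whose `id` is not a UUID fails validation, and a template whose id, author and date still have to be filled in should ship as `experimental` or `test`, as the files under `assets/rule-templates/` do. The `logsource` is also off: `category: authentication` is not a category in the Sigma taxonomy for `product: windows`, and SigmaHQ rules on Security-log events such as 4624/4625/4634/4720/4726/4738 use `product: windows` with `service: security`; with the current logsource none of the backend pipelines will map this rule to the Security channel. Within the detection, `selection_user_activity` already matches every 4624, so `selection_admin_activity` adds nothing to the OR condition, and `TargetUserName|contains: 'admin'` matches any account whose name contains that substring (Sigma matching is case-insensitive, so it also subsumes the separate `'Administrator'` entry); if the intent is to single out privileged logons, 4672 or an explicit list of admin accounts is a tighter selector. Lastly, a rule that fires on every logon and logoff at `level: informational` describes an audit-policy and retention requirement rather than a detection, and deploying it as an alert will swamp the SIEM; consider documenting it as a logging requirement instead.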

View File

@@ -0,0 +1,98 @@
title: NIST 800-53 AU-2/AU-12 - Audit Event Generation
id: GENERATE-NEW-UUID
status: stable
description: |
Implements NIST SP 800-53 Rev. 5 audit event generation requirements.
Monitors security-relevant events as defined in AU-2 (Audit Events) and
AU-12 (Audit Generation) controls.
references:
- https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- nist-800-53.au-2 # Audit Events
- nist-800-53.au-3 # Content of Audit Records
- nist-800-53.au-12 # Audit Generation
- nist-800-53.ac-2 # Account Management
- nist-800-53.ia-2 # Identification and Authentication
logsource:
category: authentication
product: windows
detection:
selection_authentication:
EventID:
- 4624 # Successful logon
- 4625 # Failed logon
- 4634 # Logoff
- 4648 # Logon using explicit credentials
selection_account_mgmt:
EventID:
- 4720 # Account created
- 4722 # Account enabled
- 4723 # Password change attempted
- 4724 # Password reset
- 4725 # Account disabled
- 4726 # Account deleted
- 4738 # Account modified
selection_privilege_use:
EventID:
- 4672 # Special privileges assigned
- 4673 # Sensitive privilege use
- 4674 # Privileged operation
condition: selection_authentication or selection_account_mgmt or selection_privilege_use
falsepositives:
- None - these are required audit events per NIST 800-53
level: low # Informational logging
fields:
- EventTime
- EventType
- Outcome
- SubjectIdentity
- ObjectIdentity
- SourceAddress
# NIST 800-53 Rev. 5 Audit Requirements:
#
# AU-2: Audit Events
# - Successful and unsuccessful account logon events
# - Account management events
# - Object access
# - Policy change
# - Privilege functions
# - Process tracking
# - System events
#
# AU-3: Content of Audit Records
# Required fields in each audit record:
# - Date and time of the event
# - Component where event occurred
# - Type of event
# - User/subject identity
# - Outcome (success/failure)
#
# AU-12: Audit Generation
# - Provide audit record generation for defined events
# - Allow authorized users to select events to be audited
# - Generate audit records for events with required content
#
# Additional NIST 800-53 Detection Rules:
#
# SI-4: System Monitoring
# logsource:
# category: process_creation
# detection:
# selection:
# CommandLine|contains:
# - 'mimikatz'
# - 'credential dump'
# tags:
# - nist-800-53.si-4
#
# AC-6: Least Privilege
# detection:
# selection:
# EventID: 4672 # Special privileges assigned
# PrivilegeList|contains: 'SeDebugPrivilege'
# tags:
# - nist-800-53.ac-6
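Review bot: the same two template defects as in `iso27001-logging.yml` apply here: `status: stable` alongside the placeholder `id: GENERATE-NEW-UUID`, and `category: authentication` where Security-log event IDs need `product: windows` / `service: security`. Specific to this rule, `selection_privilege_use` ORs in 4673 and 4674, which Windows emits at very high volume once privilege-use auditing is enabled; alerting on them at `level: low` will flood the SIEM, so either drop them from the alerting rule or scope them to particular privileges (the `AC-6` snippet at the bottom already shows the pattern with `PrivilegeList|contains: 'SeDebugPrivilege'`). The `fields:` list (`EventTime`, `EventType`, `SubjectIdentity`, `ObjectIdentity`, `SourceAddress`) names AU-3 record concepts rather than fields that exist in the Security log; since `fields` tells the backend which event fields to display, use the real names (`SubjectUserName`, `TargetUserName`, `IpAddress`, `LogonType`) and keep the AU-3 wording in the comment block.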

View File

@@ -0,0 +1,72 @@
title: PCI-DSS 10.2 - Audit Trail Monitoring
id: GENERATE-NEW-UUID
status: stable
description: |
Implements PCI-DSS requirement 10.2 automated audit trails for security events.
Monitors critical security-relevant events required by PCI-DSS.
references:
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- pci-dss.10.2.1 # Access to cardholder data
- pci-dss.10.2.2 # Administrative actions
- pci-dss.10.2.4 # Invalid access attempts
- pci-dss.10.2.5 # Authentication mechanism use
- pci-dss.10.2.7 # System-level object creation/deletion
logsource:
category: authentication # Adjust based on specific requirement
product: windows
detection:
selection_failed_logon:
EventID: 4625 # Failed logon (10.2.4)
selection_admin_logon:
EventID: 4624 # Successful logon
TargetUserName|contains: # Administrative accounts (10.2.2)
- 'admin'
- 'Administrator'
selection_account_mgmt:
EventID: # Account management (10.2.5, 10.2.7)
- 4720 # Account created
- 4722 # Account enabled
- 4724 # Password reset
- 4726 # Account deleted
- 4738 # Account changed
condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
falsepositives:
- Legitimate administrative activity must be logged per PCI-DSS
level: medium
fields:
- ComputerName
- TargetUserName
- WorkstationName
- IpAddress
- Timestamp
# PCI-DSS 10.2 Requirements:
#
# 10.2.1 - All individual user accesses to cardholder data
# 10.2.2 - All actions taken by individuals with root or administrative privileges
# 10.2.3 - Access to all audit trails
# 10.2.4 - Invalid logical access attempts
# 10.2.5 - Use of identification and authentication mechanisms
# 10.2.6 - Initialization of audit logs
# 10.2.7 - Creation and deletion of system-level objects
#
# Additional PCI-DSS Detection Rules:
#
# File Access to Cardholder Data (10.2.1):
# logsource:
# category: file_event
# detection:
# selection:
# TargetFilename|contains: '\cardholder-data\'
#
# Service Creation (10.2.7):
# logsource:
# category: process_creation
# detection:
# selection:
# Image|endswith: '\sc.exe'
# CommandLine|contains: 'create'
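Review bot: the reference and the requirement numbering come from PCI DSS v3.2.1, which was retired on 31 March 2024; under v4.0/v4.0.1 the audit-log requirements became 10.2.1.1 through 10.2.1.7 in the same order, so the tags `pci-dss.10.2.1` ... `pci-dss.10.2.7` and the comment block should be updated (or the DSS version pinned in the tag) before this is used as compliance evidence. As with the other compliance templates, `status: stable` conflicts with the placeholder id, and `category: authentication` should be `product: windows` / `service: security` for these Security-log event IDs. Also, `selection_admin_logon` lists both `'admin'` and `'Administrator'` under `TargetUserName|contains`; Sigma matching is case-insensitive, so the first entry already covers the second, and both will hit any account name containing that substring.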

View File

@@ -0,0 +1,73 @@
title: Credential Access via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects credential theft/dumping using [specific technique/tool]
references:
- https://attack.mitre.org/tactics/TA0006/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- attack.credential_access
- attack.t1003 # Replace with specific technique
logsource:
category: process_creation
product: windows
detection:
selection:
# Define your detection criteria
condition: selection
falsepositives:
- Legitimate password reset tools
- Security assessment tools (authorized)
level: critical
fields:
- User
- CommandLine
- TargetImage
- GrantedAccess
# Common Credential Access Techniques:
#
# T1003.001 - LSASS Memory Dump
# logsource:
# category: process_access
# detection:
# selection:
# TargetImage|endswith: '\lsass.exe'
# GrantedAccess|contains:
# - '0x1010'
# - '0x1410'
# - '0x147a'
# - '0x143a'
#
# T1003.002 - Security Account Manager (SAM)
# detection:
# selection:
# Image|endswith: '\reg.exe'
# CommandLine|contains|all:
# - 'save'
# - 'HKLM\SAM'
#
# T1558.003 - Kerberoasting
# logsource:
# category: authentication
# detection:
# selection:
# EventID: 4769
# ServiceName: '*$'
# TicketEncryptionType: '0x17'
#
# T1110 - Brute Force
# detection:
# selection:
# EventID: 4625 # Failed logon
# condition: selection | count(TargetUserName) by SourceIp > 10
#
# T1555 - Credentials from Password Stores
# detection:
# selection:
# Image|endswith:
# - '\vaultcmd.exe'
# - '\cmdkey.exe'
# CommandLine|contains: '/list'
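Review bot: the `T1558.003 - Kerberoasting` snippet has its service-name logic inverted: `ServiceName: '*$'` selects tickets for computer accounts (names ending in `$`), whereas Kerberoasting targets user accounts with SPNs, so the usual rule is 4769 with `TicketEncryptionType: '0x17'` and a filter that excludes `ServiceName|endswith: '$'` and `krbtgt`, combined as `selection and not filter`. Two further problems: the template's `detection.selection` contains only a comment, so it parses to a null selection and `sigma_validate.py` will reject the file until the placeholder is replaced (the compliance templates avoid this by shipping a concrete selection), and the `T1110` snippet uses the aggregation form `condition: selection | count(TargetUserName) by SourceIp > 10`, which Sigma specification v2 removed from `condition` in favour of correlation rules and which pySigma does not parse; either note that limitation or show the correlation-rule form.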

View File

@@ -0,0 +1,69 @@
title: Lateral Movement via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects lateral movement activity using [specific technique/tool]
references:
- https://attack.mitre.org/tactics/TA0008/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- attack.lateral_movement
- attack.t1021 # Replace with specific technique
logsource:
category: process_creation # or network_connection, authentication
product: windows
detection:
selection:
# Define your detection criteria
# Examples:
# ParentImage|endswith: '\services.exe'
# CommandLine|contains: 'psexec'
# LogonType: 3 # Network logon
filter_legitimate:
# Add filters for known false positives
# User|contains: 'SVC_'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate administrative activity
- Scheduled tasks
- IT operations
level: high
fields:
- ComputerName
- User
- SourceIp
- DestinationIp
- CommandLine
# Common Lateral Movement Techniques:
#
# T1021.001 - Remote Desktop Protocol (RDP)
# detection:
# selection:
# EventID: 4624
# LogonType: 10 # RemoteInteractive
#
# T1021.002 - SMB/Windows Admin Shares
# detection:
# selection:
# EventID: 5140
# ShareName|endswith:
# - 'ADMIN$'
# - 'C$'
#
# T1021.006 - Windows Remote Management (WinRM)
# detection:
# selection:
# EventID: 4624
# LogonType: 3
# AuthenticationPackageName: 'Negotiate'
# ProcessName|endswith: '\wsmprovhost.exe'
#
# T1550.002 - Pass the Hash
# detection:
# selection:
# EventID: 4624
# LogonType: 3
# LogonProcessName: 'NtLmSsp'
# AuthenticationPackageName: 'NTLM'
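Review bot: `condition: selection and not filter_legitimate` refers to a `filter_legitimate` block that contains only comments and therefore parses to null, as does `selection`; the rule fails validation as shipped, and a user who fills in `selection` but leaves the filter commented out still gets an invalid rule. Either give `filter_legitimate` a concrete benign exclusion or make the condition `selection` and document the filter as optional. In the examples, the `T1550.002 - Pass the Hash` snippet matches every NTLM network logon (4624, `LogonType: 3`, `LogonProcessName: 'NtLmSsp'`), which on most networks is ordinary traffic; the SigmaHQ pass-the-hash rules additionally require `KeyLength: 0` and exclude `ANONYMOUS LOGON`, and even then treat the result as a hunting lead rather than an alert. The `T1021.002` snippet should also say that 5140 is only produced when the "File Share" audit subcategory is enabled, otherwise the rule is silently empty.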

View File

@@ -0,0 +1,68 @@
title: Persistence Mechanism via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects persistence establishment using [specific technique]
references:
- https://attack.mitre.org/tactics/TA0003/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- attack.persistence
- attack.t1053 # Replace with specific technique
logsource:
category: process_creation # or registry_event, file_event
product: windows
detection:
selection:
# Define your detection criteria
condition: selection
falsepositives:
- Software installation
- System updates
- Legitimate scheduled tasks
level: medium
fields:
- User
- CommandLine
- Image
- TargetObject
# Common Persistence Techniques:
#
# T1053.005 - Scheduled Task
# logsource:
# category: process_creation
# detection:
# selection:
# Image|endswith: '\schtasks.exe'
# CommandLine|contains: '/create'
#
# T1547.001 - Registry Run Keys / Startup Folder
# logsource:
# category: registry_event
# detection:
# selection:
# TargetObject|contains:
# - '\Software\Microsoft\Windows\CurrentVersion\Run'
# - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
#
# T1543.003 - Windows Service
# detection:
# selection:
# Image|endswith: '\sc.exe'
# CommandLine|contains: 'create'
#
# T1547.004 - Winlogon Helper DLL
# logsource:
# category: registry_event
# detection:
# selection:
# TargetObject|contains:
# - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
# - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
#
# T1136.001 - Create Account (Local Account)
# detection:
# selection:
# EventID: 4720 # User account created
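Review bot: in the `T1547.001` snippet `TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'` already matches `...\RunOnce` (and `RunOnceEx`, `RunServices`), so the second list entry is redundant; if the keys are meant to be distinguished, match on the path with a trailing `\` (`...\CurrentVersion\Run\`) since `TargetObject` includes the value name. The `T1053.005` snippet only sees `schtasks.exe /create`; tasks registered through the `Register-ScheduledTask` cmdlet or the Task Scheduler COM API are not covered, so pair it with Security event 4698 (scheduled task created) or Sysmon registry writes under `\Schedule\TaskCache\Tree\`. As in the other attack templates, `detection.selection` holds only a comment and fails validation until filled in; because this file is meant to be copied, a concrete placeholder selection (for example `Image|endswith: '\schtasks.exe'`) would keep the template parseable.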

View File

@@ -0,0 +1,65 @@
title: Privilege Escalation via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects privilege escalation attempts using [specific technique]
references:
- https://attack.mitre.org/tactics/TA0004/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- attack.privilege_escalation
- attack.t1068 # Replace with specific technique
logsource:
category: process_creation
product: windows
detection:
selection:
# Define your detection criteria
# IntegrityLevel: 'High'
# ParentIntegrityLevel: 'Medium'
condition: selection
falsepositives:
- Legitimate software updates
- System administration tools
level: high
fields:
- User
- IntegrityLevel
- CommandLine
- ParentImage
# Common Privilege Escalation Techniques:
#
# T1055 - Process Injection
# detection:
# selection:
# EventID: 8 # CreateRemoteThread
# TargetImage|endswith:
# - '\lsass.exe'
# - '\explorer.exe'
#
# T1134 - Access Token Manipulation
# detection:
# selection:
# EventID: 4703 # Token adjusted
# EnabledPrivilegeList|contains:
# - 'SeDebugPrivilege'
# - 'SeTakeOwnershipPrivilege'
#
# T1548.002 - Bypass User Account Control
# detection:
# selection:
# ParentImage|endswith:
# - '\fodhelper.exe'
# - '\eventvwr.exe'
# IntegrityLevel: 'High'
# ParentIntegrityLevel: 'Medium'
#
# T1068 - Exploitation for Privilege Escalation
# detection:
# selection:
# CommandLine|contains:
# - 'JuicyPotato'
# - 'PrintSpoofer'
# - 'GodPotato'
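Review bot: the `T1055` snippet pairs `EventID: 8` (Sysmon CreateRemoteThread) with the template's `category: process_creation` logsource, which the pipelines map to Sysmon event 1 / Security 4688, so the selection can never match; it needs `logsource: category: create_remote_thread`. Similarly, the `IntegrityLevel` / `ParentIntegrityLevel` pair used in the selection comment, the `fields` list and the `T1548.002` snippet assumes a parent-integrity field that Sysmon's process-creation event does not carry (it logs `IntegrityLevel` of the new process only); the SigmaHQ UAC-bypass rules for fodhelper/eventvwr key on `ParentImage` plus `IntegrityLevel: High` alone, so drop `ParentIntegrityLevel` unless a specific EDR schema supplies it, and name that schema if so. The `T1134` snippet on 4703 needs a volume warning: Windows 10 / Server 2016 and later emit 4703 continuously from service hosts, so `EnabledPrivilegeList|contains: 'SeDebugPrivilege'` on its own will page constantly; scope it to non-system subjects or present it as a hunting query.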

View File

@@ -0,0 +1,390 @@
# Sigma Backend Support Reference
## Supported SIEM/Security Platforms
### Splunk
**Backend**: `splunk`
**Query Language**: SPL (Search Processing Language)
**Installation**:
```bash
pip install pysigma-backend-splunk
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend splunk
```
**Output Format**:
```spl
index=windows EventID=4688 Image="*\\powershell.exe" CommandLine IN ("*-enc*", "*-EncodedCommand*", "*FromBase64String*")
```
**Deployment**:
- Save as saved search via Splunk Web UI
- Deploy via REST API: `/servicesNS/-/-/saved/searches`
- Use Splunk Enterprise Security correlation rules
**Field Mappings**:
- Sigma `Image` → Splunk `Image` (Sysmon)
- Sigma `CommandLine` → Splunk `CommandLine`
- Sigma `User` → Splunk `User`
### Elasticsearch
**Backend**: `elasticsearch` or `elastic`
**Query Language**: Elasticsearch Query DSL / Lucene
**Installation**:
```bash
pip install pysigma-backend-elasticsearch
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend elasticsearch
```
**Output Format**:
```json
{
"query": {
"bool": {
"must": [
{"wildcard": {"Image": "*\\powershell.exe"}},
{"terms": {"CommandLine": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
**Deployment**:
- Elastic Security Detection Rules
- Kibana Saved Searches
- ElastAlert rules
**Field Mappings** (ECS - Elastic Common Schema):
- Sigma `Image` → ECS `process.executable`
- Sigma `CommandLine` → ECS `process.command_line`
- Sigma `User` → ECS `user.name`
### Microsoft Sentinel (Azure Sentinel)
**Backend**: `sentinel` or `kusto`
**Query Language**: KQL (Kusto Query Language)
**Installation**:
```bash
pip install pysigma-backend-microsoft365defender
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend sentinel
```
**Output Format**:
```kql
SecurityEvent
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| where CommandLine contains "-enc" or CommandLine contains "-EncodedCommand"
```
**Deployment**:
- Azure Sentinel Analytics Rules
- Deploy via ARM templates
- Use Azure Sentinel API
**Field Mappings**:
- Sigma `Image` → Sentinel `ProcessName`
- Sigma `CommandLine` → Sentinel `CommandLine`
- Sigma `User` → Sentinel `AccountName`
### IBM QRadar
**Backend**: `qradar` or `aql`
**Query Language**: AQL (Ariel Query Language)
**Installation**:
```bash
pip install pysigma-backend-qradar
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend qradar
```
**Output Format**:
```sql
SELECT * FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
AND "EventID" = '4688'
AND "Image" ILIKE '%\\powershell.exe'
```
**Deployment**:
- QRadar Custom Rules
- Deploy via QRadar API
- AQL searches
### Elastic Security (EQL)
**Backend**: `eql`
**Query Language**: EQL (Event Query Language)
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend eql
```
**Output Format**:
```eql
process where process.name == "powershell.exe" and
(process.command_line like~ "*-enc*" or
process.command_line like~ "*-EncodedCommand*")
```
**Deployment**:
- Elastic Security Detection Rules
- EQL searches in Kibana
### Chronicle (Google)
**Backend**: `chronicle`
**Query Language**: YARA-L
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend chronicle
```
### Others
Additional backends available via pySigma plugins:
- **LimaCharlie**: EDR platform
- **OpenSearch**: Fork of Elasticsearch
- **LogPoint**: SIEM platform
- **ArcSight**: SIEM platform
- **Carbon Black**: EDR platform
- **CrowdStrike**: EDR platform (Falcon)
- **SentinelOne**: EDR platform
- **Datadog**: Cloud monitoring platform
- **Sumo Logic**: Cloud SIEM
## Backend Installation
### Core pySigma
```bash
pip install pysigma
```
### Backend Plugins
```bash
# Splunk
pip install pysigma-backend-splunk
# Elasticsearch
pip install pysigma-backend-elasticsearch
# Microsoft 365 Defender / Sentinel
pip install pysigma-backend-microsoft365defender
# QRadar
pip install pysigma-backend-qradar
# Multiple backends
pip install pysigma-backend-splunk pysigma-backend-elasticsearch
```
## Backend Limitations
### Field Mapping Gaps
Some backends may not support all Sigma field modifiers:
**Issue**: Backend doesn't support regex field modifier `|re`
**Solution**:
- Use alternative field modifiers (`contains`, `endswith`)
- Implement custom pipeline transformations
- Post-process in SIEM after conversion
### Unsupported Features
| Feature | Splunk | Elasticsearch | Sentinel | QRadar |
|---------|--------|---------------|----------|--------|
| Regex | ✓ | ✓ | ✓ | ✓ |
| Base64 decode | Limited | Limited | ✓ | Limited |
| CIDR matching | ✓ | ✓ | ✓ | ✓ |
| Wildcards | ✓ | ✓ | ✓ | ✓ |
### Data Source Availability
Not all log sources may be available in all backends:
**Check availability**:
1. Verify log source is ingested in your SIEM
2. Confirm field mappings match
3. Test converted query with sample data
## Custom Pipelines
pySigma supports custom processing pipelines for field transformations:
```python
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.backends.splunk import SplunkBackend
# Apply Sysmon field mappings before conversion
backend = SplunkBackend()
pipeline = sysmon_pipeline()
converted = backend.convert_rule(rule, pipeline)
```
## Deployment Automation
### Splunk Deployment
```python
import requests
# Splunk REST API
url = "https://splunk:8089/servicesNS/nobody/search/saved/searches"
auth = ("admin", "password")
data = {
"name": "Sigma - Suspicious PowerShell",
"search": converted_query,
"description": rule.description,
"cron_schedule": "*/5 * * * *", # Every 5 minutes
"actions": "email",
"action.email.to": "soc@company.com"
}
response = requests.post(url, auth=auth, data=data, verify=False)
```
### Elasticsearch Deployment
```python
from elasticsearch import Elasticsearch
es = Elasticsearch(["https://elasticsearch:9200"])
# Deploy as Elasticsearch detection rule
rule_doc = {
"name": rule.title,
"description": rule.description,
"query": converted_query,
"severity": rule.level,
"tags": rule.tags
}
es.index(index="detection-rules", document=rule_doc)
```
### Microsoft Sentinel Deployment
```bash
# ARM template deployment
az sentinel alert-rule create \
--resource-group myResourceGroup \
--workspace-name mySentinelWorkspace \
--rule-name "Sigma - Suspicious PowerShell" \
--query "$converted_query" \
--severity Medium \
--enabled true
```
## Testing Converted Queries
### Splunk
```spl
# Test in Splunk search
index=windows earliest=-24h
| eval match=case(
Image="*\\powershell.exe" AND (CommandLine LIKE "%enc%" OR CommandLine LIKE "%EncodedCommand%"), "MATCH",
1=1, "NO MATCH"
)
| stats count by match
```
### Elasticsearch
```json
POST /winlogbeat-*/_search
{
"query": {
"bool": {
"must": [
{"wildcard": {"process.executable": "*\\powershell.exe"}},
{"terms": {"process.command_line": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
### Sentinel
```kql
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| summarize count() by bin(TimeGenerated, 1h)
```
## Troubleshooting
### Conversion Fails
**Error**: `Unsupported field modifier for backend`
**Solution**:
```bash
# Use debug mode to see detailed error
python scripts/sigma_convert.py rule.yml --backend splunk --debug
```
Check `references/field-modifiers.md` for backend compatibility.
### Query Doesn't Return Expected Results
**Steps**:
1. Verify log source is ingested
2. Check field name mappings
3. Test with known-positive sample
4. Validate field value case sensitivity
5. Check time range in query
### Performance Issues
Large, complex queries may impact SIEM performance:
**Optimization**:
- Add index/sourcetype filters early
- Use specific time ranges
- Optimize field modifiers (prefer exact match over regex)
- Test query performance before deployment
## Resources
- [pySigma Documentation](https://github.com/SigmaHQ/pySigma)
- [pySigma Backend Plugins](https://github.com/SigmaHQ/pySigma/blob/main/Backends.md)
- [Sigma Converter Web Tool](https://sigconverter.io/)
- [Sigma GitHub Repository](https://github.com/SigmaHQ/sigma)
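Review bot: The Splunk deployment snippet (L1205-L1217) ships with a hardcoded `auth = ("admin", "password")` and `verify=False`, which disables TLS certificate validation against the management port; since readers will paste this straight into a pipeline, pull the credential (or a Splunk token sent as an `Authorization: Bearer` header) from the environment and point `verify` at the CA bundle instead. Two correctness points in the same region: in the custom-pipeline example (L1198-L1200) pySigma takes the pipeline at construction time, `SplunkBackend(processing_pipeline=sysmon_pipeline())`, and the second positional argument of `convert_rule` is the output format, so `backend.convert_rule(rule, pipeline)` does not apply the Sysmon mappings; and the Elasticsearch output at L1058 (and again at L1263) uses a `terms` clause, which is an exact keyword match, whereas the Splunk equivalent at L1030 uses `*-enc*` substring wildcards, so the two "Output Format" blocks do not describe the same rule. The Elasticsearch deployment (L1231) also only indexes a document into a `detection-rules` index; creating a rule in Elastic Security goes through the Kibana detection-engine API, so either reword the comment or show that call.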

@@ -0,0 +1,361 @@
# Compliance Framework Mappings for Sigma Detection Rules
## PCI-DSS v3.2.1
### Requirement 10.2 - Implement automated audit trails
#### 10.2.1 - Access to cardholder data
**Detection Requirements**: Monitor all access to cardholder data environments
**Sigma Tags**: `pci-dss.10.2.1`
**Example Rules**:
- File access to cardholder data locations
- Database queries accessing payment card fields
- Application logs showing cardholder data retrieval
```yaml
tags:
- pci-dss.10.2.1
logsource:
category: file_event
detection:
selection:
TargetFilename|contains: '\cardholder-data\'
```
#### 10.2.2 - All actions taken by any individual with root or administrative privileges
**Sigma Tags**: `pci-dss.10.2.2`
**Example Rules**:
- Privileged account usage
- sudo/runas commands
- Administrative actions on critical systems
```yaml
tags:
- pci-dss.10.2.2
logsource:
category: process_creation
detection:
selection:
User|contains: 'admin'
```
#### 10.2.4 - Invalid logical access attempts
**Sigma Tags**: `pci-dss.10.2.4`
**Example Rules**:
- Failed authentication attempts
- Account lockouts
- Access denied events
```yaml
tags:
- pci-dss.10.2.4
logsource:
category: authentication
detection:
selection:
EventID: 4625 # Failed logon
```
#### 10.2.5 - Use of identification and authentication mechanisms
**Sigma Tags**: `pci-dss.10.2.5`
**Example Rules**:
- Account creation/deletion/modification
- Password changes
- Multi-factor authentication events
```yaml
tags:
- pci-dss.10.2.5
logsource:
category: authentication
detection:
selection:
EventID:
- 4720 # Account created
- 4724 # Password reset
```
#### 10.2.7 - Creation and deletion of system-level objects
**Sigma Tags**: `pci-dss.10.2.7`
**Example Rules**:
- System service creation
- Scheduled task creation
- New user account creation
```yaml
tags:
- pci-dss.10.2.7
logsource:
category: process_creation
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains: 'create'
```
## NIST SP 800-53 Rev. 5
### AU-2 - Event Logging
**Controls**: Organization defines auditable events
**Sigma Tags**: `nist-800-53.au-2`
**Coverage**:
- Security-relevant events
- Success and failure of events
- Actions by privileged users
### AU-3 - Content of Audit Records
**Controls**: Audit records contain sufficient information
**Sigma Tags**: `nist-800-53.au-3`
**Required Fields**:
- Event type, date/time, outcome
- Subject identity, object identity
- Data source
### AU-6 - Audit Review, Analysis, and Reporting
**Controls**: Review and analyze audit records
**Sigma Tags**: `nist-800-53.au-6`
**Detection Focus**:
- Automated scanning for anomalies
- Correlation of audit records
- Investigation and reporting
### AU-12 - Audit Generation
**Controls**: System provides audit record generation
**Sigma Tags**: `nist-800-53.au-12`
**Coverage**:
- Generate audit records for defined events
- Allow authorized users to select auditable events
- Privileged commands
### SI-4 - System Monitoring
**Controls**: Monitor the system to detect attacks and indicators
**Sigma Tags**: `nist-800-53.si-4`
**Detection Coverage**:
- Unauthorized access attempts
- Unauthorized use of privileges
- Malicious code detection
```yaml
tags:
- nist-800-53.si-4
- nist-800-53.au-12
logsource:
category: process_creation
detection:
selection:
CommandLine|contains: 'mimikatz'
```
### AC-2 - Account Management
**Controls**: Account creation, modification, removal
**Sigma Tags**: `nist-800-53.ac-2`
**Example Rules**:
- Account lifecycle events
- Privileged account monitoring
- Account attribute changes
### IA-2 - Identification and Authentication
**Controls**: Uniquely identify and authenticate users
**Sigma Tags**: `nist-800-53.ia-2`
**Example Rules**:
- Multi-factor authentication
- Authentication failures
- Session management
## ISO/IEC 27001:2013
### A.12.4.1 - Event logging
**Control**: Event logs recording user activities, exceptions, and security events
**Sigma Tags**: `iso27001.a.12.4.1`
**Requirements**:
- User IDs
- System activities
- Date, time, and details of key events
- Device identity or location
- Records of successful and rejected system access attempts
```yaml
tags:
- iso27001.a.12.4.1
logsource:
category: authentication
detection:
selection:
EventID:
- 4624 # Successful logon
- 4625 # Failed logon
```
### A.12.4.2 - Protection of log information
**Control**: Logging facilities and log information protected
**Sigma Tags**: `iso27001.a.12.4.2`
**Detection Focus**:
- Unauthorized access to logs
- Log deletion or modification
- Log integrity violations
### A.12.4.3 - Administrator and operator logs
**Control**: System administrator and operator activities logged
**Sigma Tags**: `iso27001.a.12.4.3`
**Example Rules**:
- Privileged command execution
- System configuration changes
- Administrative access
```yaml
tags:
- iso27001.a.12.4.3
logsource:
category: process_creation
detection:
selection:
User|contains:
- 'admin'
- 'root'
```
### A.9.2.1 - User registration and de-registration
**Control**: Account management processes
**Sigma Tags**: `iso27001.a.9.2.1`
**Example Rules**:
- Account creation
- Account deletion
- Account modification
### A.9.4.1 - Information access restriction
**Control**: Access to information and systems restricted
**Sigma Tags**: `iso27001.a.9.4.1`
**Detection Focus**:
- Unauthorized access attempts
- Privilege escalation
- Access control violations
## SOC 2 Trust Service Criteria
### CC6.1 - Logical and Physical Access Controls
**Criteria**: Restrict access to authorized users
**Detection Coverage**:
- Authentication monitoring
- Authorization violations
- Privileged access usage
### CC7.2 - System Monitoring
**Criteria**: Monitor system components
**Detection Coverage**:
- Security event monitoring
- Anomaly detection
- Threat detection
### CC7.3 - Evaluation and Response
**Criteria**: Evaluate events and respond
**Detection Focus**:
- Security incident detection
- Alert generation and escalation
- Response actions
## Tag Format
Use this format for compliance tags:
```yaml
tags:
- {framework}.{control-id}
```
**Examples**:
```yaml
tags:
- pci-dss.10.2.5
- nist-800-53.au-2
- iso27001.a.12.4.1
```
## Multi-Framework Mapping
Rules can map to multiple frameworks:
```yaml
title: Failed Authentication Monitoring
tags:
- attack.credential_access
- attack.t1110
- pci-dss.10.2.4
- pci-dss.10.2.5
- nist-800-53.au-2
- nist-800-53.au-12
- nist-800-53.ia-2
- iso27001.a.12.4.1
- iso27001.a.9.2.1
```
## Compliance Coverage Analysis
Use `compliance_coverage.py` script to analyze rule coverage:
```bash
# Analyze PCI-DSS coverage
python scripts/compliance_coverage.py --directory rules/ --framework pci-dss
# Generate coverage report
python scripts/compliance_coverage.py --directory rules/ --framework nist-800-53 --report coverage.md
```
## Resources
- [PCI DSS v3.2.1](https://www.pcisecuritystandards.org/)
- [NIST SP 800-53 Rev. 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [ISO/IEC 27001:2013](https://www.iso.org/standard/54534.html)
- [SOC 2 Trust Service Criteria](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/trust-services-criteria)
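Review bot: None of the YAML fragments in this file (L1319-L1327 through L1486-L1496) carry a `condition:`; a Sigma `detection` block requires one, so a reader who copies a fragment into a rule gets a validation error. Either add `condition: selection` to each or say once at the top that these are partial detection blocks. The privileged-activity examples for PCI 10.2.2 and ISO A.12.4.3 (`User|contains: 'admin'` at L1341, `'admin'` / `'root'` at L1493-L1495) match any account whose name contains that substring, service accounts and ordinary users included; an explicit list of privileged account names or a group-membership check fits the control better. Also keep the framework editions visible in the headings, since the mappings are version-specific (PCI-DSS v3.2.1 at L1310, ISO/IEC 27001:2013 at L1451, whose Annex A numbering differs from the later edition).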

@@ -0,0 +1,426 @@
# Sigma Field Modifiers Reference
## Overview
Field modifiers transform field values during rule matching. Use pipe `|` syntax to apply modifiers to field names.
**Syntax**: `FieldName|modifier: value`
## String Modifiers
### contains
**Description**: Case-insensitive substring match
**Usage**:
```yaml
detection:
selection:
CommandLine|contains: 'powershell'
```
**Matches**:
- `C:\Windows\System32\WindowsPowerShell\powershell.exe -enc`
- `powershell -command "iex"`
- `POWERSHELL.EXE`
**Backend Support**: All backends
### startswith
**Description**: Case-insensitive prefix match
**Usage**:
```yaml
detection:
selection:
CommandLine|startswith: 'powershell'
```
**Matches**:
- `powershell -enc AAAA`
- `PowerShell.exe -command`
**Does Not Match**:
- `C:\Windows\System32\powershell.exe`
**Backend Support**: All backends
### endswith
**Description**: Case-insensitive suffix match
**Usage**:
```yaml
detection:
selection:
Image|endswith: '\powershell.exe'
```
**Matches**:
- `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
- `powershell.exe`
**Backend Support**: All backends
### all
**Description**: All values in list must match
**Usage**:
```yaml
detection:
selection:
CommandLine|contains|all:
- 'powershell'
- '-enc'
- 'FromBase64'
```
**Requires**: All three substrings present in CommandLine
**Backend Support**: Most backends (check specific backend documentation)
## Regular Expression Modifiers
### re
**Description**: Regular expression match
**Usage**:
```yaml
detection:
selection:
CommandLine|re: 'powershell(.exe)?\s+-enc.*'
```
**Matches**:
- `powershell -enc AAAABBBB`
- `powershell.exe -encodedcommand AAAA`
**Backend Support**: Varies by backend (Splunk ✓, Elasticsearch ✓, Sentinel ✓)
**Performance Note**: Regex can be slow on large datasets
### re (with case-insensitive flag)
**Usage**:
```yaml
detection:
selection:
CommandLine|re: '(?i)powershell.*-enc'
```
## Encoding Modifiers
### base64
**Description**: Match base64-encoded value
**Usage**:
```yaml
detection:
selection:
CommandLine|base64|contains: 'Invoke-Mimikatz'
```
**How it works**: Encodes search string to base64 before matching
**Encoded Value**: `SW52b2tlLU1pbWlrYXR6`
**Backend Support**: Limited (check backend documentation)
### base64offset
**Description**: Match base64 with offset variations
**Usage**:
```yaml
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
```
**Why**: Base64 encoding can vary based on string position. This checks all offset variations.
**Generates**:
- `SW52b2tlLU1pbWlrYXR6`
- `ludm9rZS1NaW1pa2F0e`
- `JbnZva2UtTWltaWthdH`
**Backend Support**: Limited
### wide
**Description**: Match UTF-16 wide character encoding
**Usage**:
```yaml
detection:
selection:
FileContent|wide|contains: 'malicious'
```
**Encoded**: `m\x00a\x00l\x00i\x00c\x00i\x00o\x00u\x00s\x00`
## Case Modifiers
### (default - case insensitive)
**Description**: By default, Sigma matches are case-insensitive
**Usage**:
```yaml
detection:
selection:
CommandLine|contains: 'powershell' # Matches PowerShell, POWERSHELL, etc.
```
## Type Conversion Modifiers
### lt / lte / gt / gte
**Description**: Numeric comparison (less than, less/equal, greater than, greater/equal)
**Usage**:
```yaml
detection:
selection:
EventID|gte: 4624
EventID|lte: 4634
```
**Backend Support**: Most backends
## Aggregation Modifiers (in condition)
### count
**Description**: Count occurrences
**Usage**:
```yaml
detection:
selection:
EventID: 4625 # Failed logon
condition: selection | count(TargetUserName) by SourceIp > 5
```
**Meaning**: More than 5 failed logons from same IP within timeframe
**Backend Support**: Varies (typically requires SIEM correlation capabilities)
### near
**Description**: Events occur within proximity
**Usage**:
```yaml
condition: selection1 and selection2 | near(timespan=30s)
```
**Meaning**: Both events occur within 30 seconds
**Backend Support**: Limited (backend-dependent)
## Chaining Modifiers
Modifiers can be chained:
```yaml
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
Image|endswith: '\powershell.exe'
```
**Order matters**: Apply modifiers left to right
**Example**: `|base64|contains` first encodes to base64, then checks contains
## Common Patterns
### Pattern 1: Flexible PowerShell Detection
```yaml
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- '-e '
```
### Pattern 2: Process Chain Detection
```yaml
detection:
selection:
ParentImage|endswith: '\winword.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
```
### Pattern 3: File Path Detection
```yaml
detection:
selection:
TargetFilename|contains: '\AppData\Roaming\'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ps1'
```
### Pattern 4: Encoded Command Detection
```yaml
detection:
selection:
CommandLine|base64offset|contains:
- 'Invoke-Expression'
- 'IEX'
- 'Net.WebClient'
```
## Backend Compatibility Matrix
| Modifier | Splunk | Elasticsearch | Sentinel | QRadar |
|----------|--------|---------------|----------|--------|
| contains | ✓ | ✓ | ✓ | ✓ |
| startswith | ✓ | ✓ | ✓ | ✓ |
| endswith | ✓ | ✓ | ✓ | ✓ |
| all | ✓ | ✓ | ✓ | Partial |
| re | ✓ | ✓ | ✓ | ✓ |
| base64 | Limited | Limited | ✓ | Limited |
| base64offset | Limited | Limited | Limited | No |
| wide | Limited | Limited | Limited | No |
| lt/gt/lte/gte | ✓ | ✓ | ✓ | ✓ |
**Legend**:
- ✓: Full support
- Limited: Partial support, may require workarounds
- No: Not supported
## Best Practices
### 1. Prefer Specific Modifiers
**Don't**:
```yaml
CommandLine|contains: 'powershell'
```
**Do**:
```yaml
Image|endswith: '\powershell.exe'
```
**Why**: More precise, better performance
### 2. Use `all` for Multiple Requirements
**Don't**:
```yaml
CommandLine|contains: 'powershell'
CommandLine|contains: '-enc'
```
**Do**:
```yaml
CommandLine|contains|all:
- 'powershell'
- '-enc'
```
**Why**: Clearer intent, single field evaluation
### 3. Avoid Excessive Regex
**Don't**:
```yaml
CommandLine|re: '.*powershell.*-enc.*'
```
**Do**:
```yaml
CommandLine|contains|all:
- 'powershell'
- '-enc'
```
**Why**: Regex is slower, harder to tune
### 4. Test Modifiers with Backend
Always test converted queries in target SIEM:
```bash
# Convert rule
python scripts/sigma_convert.py rule.yml --backend splunk
# Test in Splunk search interface
# Verify expected matches/non-matches
```
### 5. Document Complex Modifiers
When using `base64offset` or `wide`, document why:
```yaml
title: Encoded PowerShell Command Detection
description: |
Detects base64-encoded PowerShell commands with offset variations
to catch encoding attempts regardless of string position.
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
```
## Troubleshooting
### Modifier Not Supported in Backend
**Error**: `Field modifier 'base64offset' not supported by backend 'qradar'`
**Solutions**:
1. Use alternative modifier (`contains` instead of `base64offset`)
2. Implement custom pipeline transformation
3. Post-process in SIEM after ingestion
### No Matches Despite Known Positive Data
**Causes**:
- Case sensitivity (shouldn't be issue with Sigma, but check backend)
- Field name mismatch (check field mappings)
- Modifier not applied correctly
**Debug**:
```bash
# Check converted query
python scripts/sigma_convert.py rule.yml --backend splunk --debug
# Test simplified query without modifiers
# Add modifiers incrementally
```
### Performance Issues
**Problem**: Query with `|re` too slow
**Solution**:
- Replace regex with `contains`, `startswith`, `endswith`
- Add more specific filters (EventID, Image path)
- Limit time range
## Resources
- [Sigma Specification - Modifiers](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#field-modifiers)
- [pySigma Transformations](https://github.com/SigmaHQ/pySigma)
- [Regex Testing Tool](https://regex101.com/)
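Review bot: The backend-support statements contradict each other: L1644 says `re` support "varies by backend", yet the compatibility matrix at L1787 marks `re` as fully supported on all four backends; likewise `all` is "most backends" at L1631 but "Partial" for QRadar at L1786. Pick one source of truth (the matrix) and make the prose point at it. The aggregation examples at L1716 (`selection | count(TargetUserName) by SourceIp > 5`) and L1724 (`| near(timespan=30s)`) use the condition-line aggregation syntax that the page itself flags as backend-dependent; state explicitly whether `scripts/sigma_convert.py` converts them, because pySigma does not implement condition-line aggregations (the current specification moved that functionality into separate correlation rules), and a user who copies these expecting a Splunk or KQL equivalent will get an error. Minor: the regex at L1639, `powershell(.exe)?\s+-enc.*`, leaves the dot unescaped; `\.exe` is what is meant.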

@@ -0,0 +1,261 @@
# Sigma Log Source Reference
## Log Source Categories
### process_creation
**Description**: Process creation/execution events
**Common Products**: Windows (Sysmon Event ID 1), Linux (auditd), EDR platforms
**Key Fields**:
- `Image` - Full path to executable
- `CommandLine` - Full command line with arguments
- `ParentImage` - Parent process executable path
- `ParentCommandLine` - Parent process command line
- `User` - User account that created process
- `IntegrityLevel` - Process integrity level (Windows)
- `Hashes` - File hashes (MD5, SHA256)
**Example**:
```yaml
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: '-enc'
```
### network_connection
**Description**: Network connection events
**Common Products**: Sysmon Event ID 3, Firewall logs, EDR
**Key Fields**:
- `Image` - Process making connection
- `DestinationIp` - Remote IP address
- `DestinationPort` - Remote port
- `DestinationHostname` - Remote hostname
- `SourceIp` - Local IP address
- `SourcePort` - Local port
- `Initiated` - Connection initiated (true/false)
**Example**:
```yaml
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort: 4444
```
### file_event
**Description**: File creation, modification, deletion
**Common Products**: Sysmon Events 11/23, File integrity monitoring
**Key Fields**:
- `Image` - Process creating/modifying file
- `TargetFilename` - File path
- `CreationUtcTime` - File creation time
**Example**:
```yaml
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Windows\Temp\'
TargetFilename|endswith: '.exe'
```
### registry_event
**Description**: Registry key/value modifications
**Common Products**: Sysmon Events 12/13/14, Windows Event Logs
**Key Fields**:
- `TargetObject` - Registry key path
- `Details` - Registry value data
- `EventType` - SetValue, CreateKey, DeleteKey
**Example**:
```yaml
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\CurrentVersion\Run'
```
### image_load
**Description**: DLL/image load events
**Common Products**: Sysmon Event ID 7
**Key Fields**:
- `Image` - Process loading the image
- `ImageLoaded` - Path to loaded DLL/image
- `Signed` - Digital signature status
**Example**:
```yaml
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\evil.dll'
Signed: 'false'
```
### dns_query
**Description**: DNS query events
**Common Products**: Sysmon Event ID 22, DNS server logs, proxy logs
**Key Fields**:
- `QueryName` - DNS name queried
- `QueryResults` - DNS response IPs
- `Image` - Process making query
**Example**:
```yaml
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith: '.onion'
```
### web_request
**Description**: HTTP/HTTPS requests
**Common Products**: Proxy logs, web server logs, WAF
**Key Fields**:
- `c-uri` - Requested URI
- `c-useragent` - User agent string
- `cs-method` - HTTP method
- `sc-status` - HTTP status code
### authentication
**Description**: Authentication events (success/failure)
**Common Products**: Windows Security Events 4624/4625, Linux auth.log
**Key Fields**:
- `EventID` - 4624 (success), 4625 (failure), 4768 (Kerberos)
- `LogonType` - Type of logon (2=Interactive, 3=Network, 10=RemoteInteractive)
- `TargetUserName` - Account being authenticated
- `WorkstationName` - Source workstation
- `IpAddress` - Source IP
**Example**:
```yaml
logsource:
category: authentication
product: windows
detection:
selection:
EventID: 4625 # Failed logon
```
## Products
Common product values:
- `windows` - Windows OS
- `linux` - Linux OS
- `macos` - macOS
- `azure` - Microsoft Azure
- `aws` - Amazon Web Services
- `gcp` - Google Cloud Platform
- `m365` - Microsoft 365
- `okta` - Okta identity platform
- `firewall` - Generic firewall
- `proxy` - Web proxy
## Service Definitions
For cloud services, use service field:
```yaml
logsource:
product: azure
service: azuread
```
Common services:
- `azuread` - Azure Active Directory
- `azureactivity` - Azure Activity Logs
- `cloudtrail` - AWS CloudTrail
- `cloudwatch` - AWS CloudWatch
- `gcp.audit` - GCP Audit Logs
## Field Naming Conventions
Sigma uses normalized field names:
### Process Fields
- `Image` - Full executable path
- `CommandLine` - Command line arguments
- `ParentImage` - Parent process path
- `User` - Username
- `ProcessId` - Process ID
### Network Fields
- `SourceIp` / `DestinationIp`
- `SourcePort` / `DestinationPort`
- `Protocol` - Network protocol
### File Fields
- `TargetFilename` - File path
- `SourceFilename` - Original file location (for copies/moves)
### Registry Fields
- `TargetObject` - Registry key path
- `Details` - Registry value data
## Backend-Specific Mappings
Each backend maps these generic fields to product-specific field names:
**Sigma Generic****Splunk Sysmon**:
- `Image``Image`
- `CommandLine``CommandLine`
- `ParentImage``ParentImage`
**Sigma Generic****Elasticsearch ECS**:
- `Image``process.executable`
- `CommandLine``process.command_line`
- `ParentImage``process.parent.executable`
## Log Source Discovery
To identify available log sources:
1. **Review SIEM data sources**: Check what logs are ingested
2. **Verify field mappings**: Ensure Sigma fields map correctly
3. **Test conversions**: Convert sample rules and validate output
4. **Check coverage**: Ensure critical log sources are available
## Resources
- [Sigma Log Sources](https://github.com/SigmaHQ/sigma/wiki/Log-Sources)
- [Sysmon Event IDs](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
- [Windows Security Events](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)
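Review bot: Two of the categories documented here do not match the field lists given for them, so confirm them against the Sigma taxonomy before users write rules with them: `web_request` (L1994-L2001) is described with W3C proxy field names (`c-uri`, `c-useragent`, `cs-method`, `sc-status`), which are the fields of the standard `proxy` category, and the `authentication` example (L2012-L2019) keys on Windows Security `EventID: 4625`, which the Windows pipelines address through `product: windows` / `service: security` rather than a generic category. A category name that no pipeline knows converts silently into a query with no log-source filter, which is the failure mode the Log Source Discovery steps at L2075-L2078 are meant to prevent, so add a note on which pipeline supports each category listed. Also, the Backend-Specific Mappings block (L2065-L2072) has lost the arrow between source and target field (`` `Image``Image` ``), so each pair reads as one token; restore the `→` separator used at L1037 and L1069.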

@@ -0,0 +1,362 @@
# MITRE ATT&CK Mapping for Sigma Rules
## Table of Contents
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Command and Control](#command-and-control)
- [Exfiltration](#exfiltration)
- [Impact](#impact)
## Execution
### T1059.001 - PowerShell
**Description**: Adversaries abuse PowerShell for execution
**Log Sources**: process_creation (Windows)
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- 'FromBase64String'
- 'Invoke-Expression'
- 'IEX'
```
**Tags**:
```yaml
tags:
- attack.execution
- attack.t1059.001
```
### T1059.003 - Windows Command Shell
**Description**: Abuse of cmd.exe for execution
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '/c'
- '/k'
- '&'
- '|'
```
## Persistence
### T1053.005 - Scheduled Task
**Description**: Adversaries create scheduled tasks for persistence
**Log Sources**: process_creation, registry_event
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/create'
- '/sc minute'
```
### T1547.001 - Registry Run Keys
**Description**: Persistence via registry run keys
**Log Sources**: registry_event
**Detection Pattern**:
```yaml
logsource:
category: registry_event
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
```
## Privilege Escalation
### T1055 - Process Injection
**Description**: Adversaries inject code into processes
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 8 # CreateRemoteThread
TargetImage|endswith:
- '\lsass.exe'
- '\explorer.exe'
```
### T1548.002 - Bypass User Account Control
**Description**: UAC bypass techniques
**Detection Pattern**:
```yaml
detection:
selection:
CommandLine|contains:
- 'eventvwr.exe'
- 'fodhelper.exe'
IntegrityLevel: 'High'
```
## Defense Evasion
### T1027 - Obfuscated Files or Information
**Description**: Files or information made difficult to discover or analyze
**Detection Pattern**:
```yaml
detection:
selection:
CommandLine|contains:
- '-enc'
- 'base64'
- 'FromBase64'
- 'convert]::FromBase64String'
```
### T1070.001 - Clear Windows Event Logs
**Description**: Clearing Windows event logs
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 1102 # Security log cleared
```
## Credential Access
### T1003.001 - LSASS Memory
**Description**: Credential dumping from LSASS memory
**Detection Pattern**:
```yaml
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess:
- '0x1010'
- '0x1410'
- '0x147a'
```
### T1558.003 - Kerberoasting
**Description**: Service principal name abuse for credential theft
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 4769
ServiceName|endswith: '$'
TicketEncryptionType: '0x17'
```
## Discovery
### T1087 - Account Discovery
**Description**: Adversaries enumerate account information
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains:
- 'user'
- 'group'
- 'localgroup administrators'
```
### T1082 - System Information Discovery
**Description**: System and hardware information gathering
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\systeminfo.exe'
- '\wmic.exe'
CommandLine|contains:
- 'os get'
- 'computersystem'
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
**Description**: Remote access via RDP
**Log Sources**: network_connection, authentication
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 4624
LogonType: 10 # RemoteInteractive
```
### T1021.002 - SMB/Windows Admin Shares
**Description**: Lateral movement via SMB
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 5140
ShareName|endswith:
- 'ADMIN$'
- 'C$'
- 'IPC$'
```
## Collection
### T1560 - Archive Collected Data
**Description**: Data archiving before exfiltration
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\rar.exe'
- '\7z.exe'
CommandLine|contains:
- ' a ' # Add to archive
- '-p' # Password
```
## Command and Control
### T1071.001 - Web Protocols
**Description**: C2 over HTTP/HTTPS
**Log Sources**: network_connection, proxy
**Detection Pattern**:
```yaml
detection:
selection:
DestinationPort:
- 80
- 443
Initiated: 'true'
filter:
DestinationIp|startswith:
- '10.'
- '172.16.'
- '192.168.'
condition: selection and not filter
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
**Description**: Data exfiltration via existing C2
**Detection Pattern**:
```yaml
detection:
selection:
Initiated: 'true'
DestinationPort:
- 4444
- 8080
- 8443
```
## Impact
### T1486 - Data Encrypted for Impact
**Description**: Ransomware encryption activity
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '.exe'
TargetFilename|endswith:
- '.encrypted'
- '.locked'
- '.crypto'
condition: selection
```
## Tag Format
When tagging rules with MITRE ATT&CK, use this format:
```yaml
tags:
- attack.{tactic} # Lowercase tactic name
- attack.{technique_id} # Technique ID (T####) or sub-technique (T####.###)
```
**Example**:
```yaml
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
```
## Multiple Techniques
Rules can map to multiple tactics and techniques:
```yaml
tags:
- attack.execution # Primary tactic
- attack.t1059.001 # PowerShell
- attack.defense_evasion # Secondary tactic
- attack.t1027 # Obfuscation
- attack.t1140 # Deobfuscate/Decode Files
```
## Resources
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [Sigma ATT&CK Correlation](https://github.com/SigmaHQ/sigma/wiki/Tags)
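Review bot: five of the seven detection blocks in this section (T1082, T1021.001, T1021.002, T1560 and T1041) omit the `condition:` line that the T1071.001 and T1486 blocks include, so they are not complete Sigma `detection` sections and would be rejected at conversion time; add `condition: selection` to each. In the T1071.001 filter, `- '172.16.'` excludes only one /16 of the 172.16.0.0/12 private range; either list `172.16.` through `172.31.` or use the `|cidr` modifier with `172.16.0.0/12`. The T1041 ports 8080 and 8443, and the T1071.001 selection of any initiated 80/443 connection to a public address, will also match ordinary web traffic, so the descriptions should state that these are hunting starting points rather than alerting rules.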


@@ -0,0 +1,492 @@
---
name: forensics-osquery
description: >
SQL-powered forensic investigation and system interrogation using osquery to query
operating systems as relational databases. Enables rapid evidence collection, threat
hunting, and incident response across Linux, macOS, and Windows endpoints.
Use when: (1) Investigating security incidents and collecting forensic artifacts,
(2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running
processes, network connections, and persistence mechanisms, (4) Collecting system
state during incident response, (5) Querying file hashes, user activity, and system
configuration for compromise indicators, (6) Building detection queries for continuous
monitoring with osqueryd.
version: 0.1.0
maintainer: SirAppSec
category: incident-response
tags: [forensics, osquery, incident-response, threat-hunting, endpoint-detection, dfir, live-forensics, sql]
frameworks: [MITRE-ATT&CK, NIST]
dependencies:
tools: [osquery]
platforms: [linux, macos, windows]
references:
- https://github.com/osquery/osquery
- https://osquery.io/
- https://osquery.readthedocs.io/
---
# osquery Forensics & Incident Response
## Overview
osquery transforms operating systems into queryable relational databases, enabling security analysts to investigate compromises using SQL rather than traditional CLI tools. This skill provides forensic investigation workflows, common detection queries, and incident response patterns for rapid evidence collection across Linux, macOS, and Windows endpoints.
**Core capabilities**:
- SQL-based system interrogation for process, network, file, and user analysis
- Cross-platform forensic artifact collection (Linux, macOS, Windows)
- Live system analysis without deploying heavyweight forensic tools
- Threat hunting queries mapped to MITRE ATT&CK techniques
- Scheduled monitoring with osqueryd for continuous detection
- Integration with SIEM and incident response platforms
## Quick Start
### Interactive Investigation (osqueryi)
```bash
# Launch interactive shell
osqueryi
# Check running processes
SELECT pid, name, path, cmdline, uid FROM processes WHERE name LIKE '%suspicious%';
# Identify listening network services
SELECT DISTINCT processes.name, listening_ports.port, listening_ports.address, processes.pid, processes.path
FROM listening_ports
JOIN processes USING (pid)
WHERE listening_ports.address != '127.0.0.1';
# Find processes with deleted executables (potential malware)
SELECT name, path, pid, cmdline FROM processes WHERE on_disk = 0;
# Check persistence mechanisms (Linux/macOS cron jobs)
SELECT command, path FROM crontab;
```
### One-Liner Forensic Queries
```bash
# Single query execution
osqueryi --json "SELECT * FROM logged_in_users;"
# Export query results for analysis
osqueryi --json "SELECT * FROM processes;" > processes_snapshot.json
# Check for suspicious kernel modules (Linux)
osqueryi --line "SELECT name, used_by, status FROM kernel_modules WHERE name NOT IN (SELECT name FROM known_good_modules);"
```
## Core Workflows
### Workflow 1: Initial Incident Response Triage
For rapid assessment of potentially compromised systems:
Progress:
[ ] 1. Collect running processes and command lines
[ ] 2. Identify network connections and listening ports
[ ] 3. Check user accounts and recent logins
[ ] 4. Examine persistence mechanisms (scheduled tasks, startup items)
[ ] 5. Review suspicious file modifications and executions
[ ] 6. Document findings with timestamps and process ancestry
[ ] 7. Export evidence to JSON for preservation
Work through each step systematically. Use bundled triage script for automated collection.
**Execute triage**: `./scripts/osquery_triage.sh > incident_triage_$(date +%Y%m%d_%H%M%S).json`
### Workflow 2: Threat Hunting for Specific TTPs
When hunting for specific MITRE ATT&CK techniques:
1. **Select Target Technique**
- Identify technique from threat intelligence (e.g., T1055 - Process Injection)
- Map technique to observable system artifacts
- See [references/mitre-attack-queries.md](references/mitre-attack-queries.md) for pre-built queries
2. **Build Detection Query**
- Identify relevant osquery tables (processes, file_events, registry, etc.)
- Join tables to correlate related artifacts
- Use [references/table-guide.md](references/table-guide.md) for schema reference
3. **Execute Hunt**
```sql
-- Example: Hunt for credential dumping (T1003)
SELECT p.pid, p.name, p.cmdline, p.path, p.parent, pm.permissions
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE p.name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR p.cmdline LIKE '%sekurlsa%'
OR (pm.path = '/etc/shadow' OR pm.path LIKE '%SAM%');
```
4. **Analyze Results**
- Review process ancestry and command-line arguments
- Check file hashes against threat intelligence
- Document timeline of suspicious activity
5. **Pivot Investigation**
- Use findings to identify additional indicators
- Query related artifacts (network connections, files, registry)
- Expand hunt scope if compromise confirmed
### Workflow 3: Persistence Mechanism Analysis
Detecting persistence across platforms:
**Linux/macOS Persistence**:
```sql
-- Cron jobs
SELECT * FROM crontab;
-- Systemd services (Linux)
SELECT name, path, status, source FROM systemd_units WHERE source != '/usr/lib/systemd/system';
-- Launch Agents/Daemons (macOS)
SELECT name, path, program, run_at_load FROM launchd WHERE run_at_load = 1;
-- Bash profile modifications
SELECT * FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/home/*/.bashrc', '/home/*/.bash_profile');
```
**Windows Persistence**:
```sql
-- Registry Run keys
SELECT key, name, path, type FROM registry WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';
-- Scheduled tasks
SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;
-- Services
SELECT name, display_name, status, path, start_type FROM services WHERE start_type = 'AUTO_START';
-- WMI event consumers
SELECT name, command_line_template FROM wmi_cli_event_consumers;
```
Review results for:
- Unusual executables in startup locations
- Base64-encoded or obfuscated commands
- Executables in temporary or user-writable directories
- Recently modified persistence mechanisms
### Workflow 4: Network Connection Analysis
Investigating suspicious network activity:
```sql
-- Active network connections with process details
SELECT p.name, p.pid, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0')
ORDER BY ps.remote_port;
-- Listening ports mapped to processes
SELECT DISTINCT p.name, lp.port, lp.address, lp.protocol, p.path, p.cmdline
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
-- DNS lookups (requires events table or process monitoring)
SELECT name, domains, pid FROM dns_resolvers;
```
**Investigation checklist**:
- [ ] Identify non-standard listening ports (not 80, 443, 22, 3389)
- [ ] Check processes with external connections
- [ ] Review destination IPs against threat intelligence
- [ ] Correlate connections with process execution timeline
- [ ] Validate legitimate business purpose for connections
### Workflow 5: File System Forensics
Analyzing file modifications and suspicious files:
```sql
-- Recently modified files in sensitive locations
SELECT path, filename, size, mtime, ctime, md5, sha256
FROM hash
WHERE path LIKE '/etc/%' OR path LIKE '/tmp/%' OR path LIKE 'C:\Windows\Temp\%'
AND mtime > (strftime('%s', 'now') - 86400); -- Last 24 hours
-- Executable files in unusual locations
SELECT path, filename, size, md5, sha256
FROM hash
WHERE (path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\Users\%\AppData\%')
AND (filename LIKE '%.exe' OR filename LIKE '%.sh' OR filename LIKE '%.py');
-- SUID/SGID binaries (Linux/macOS) - potential privilege escalation
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND path LIKE '/usr/%' OR path LIKE '/bin/%';
```
**File analysis workflow**:
1. Identify suspicious files by location and timestamp
2. Extract file hashes (MD5, SHA256) for threat intel lookup
3. Review file permissions and ownership
4. Check for living-off-the-land binaries (LOLBins) abuse
5. Document file metadata for forensic timeline
## Forensic Query Patterns
### Pattern 1: Process Analysis
Standard process investigation queries:
```sql
-- Processes with network connections
SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid;
-- Process tree (parent-child relationships)
SELECT p1.pid, p1.name AS process, p1.cmdline,
p2.pid AS parent_pid, p2.name AS parent_name, p2.cmdline AS parent_cmdline
FROM processes p1
LEFT JOIN processes p2 ON p1.parent = p2.pid;
-- High-privilege processes (UID 0 / SYSTEM)
SELECT pid, name, path, cmdline, uid, euid FROM processes WHERE uid = 0 OR euid = 0;
```
### Pattern 2: User Activity Monitoring
Track user accounts and authentication:
```sql
-- Currently logged in users
SELECT user, tty, host, time, pid FROM logged_in_users;
-- User accounts with login shells
SELECT username, uid, gid, shell, directory FROM users WHERE shell NOT LIKE '%nologin%';
-- Recent authentication events (requires auditd/Windows Event Log integration)
SELECT * FROM user_events WHERE time > (strftime('%s', 'now') - 3600);
-- Sudo usage history (Linux/macOS)
SELECT username, command, time FROM sudo_usage_history ORDER BY time DESC LIMIT 50;
```
### Pattern 3: System Configuration Review
Identify configuration changes:
```sql
-- Kernel configuration and parameters (Linux)
SELECT name, value FROM kernel_info;
SELECT path, key, value FROM sysctl WHERE key LIKE 'kernel.%';
-- Installed packages (detect unauthorized software)
SELECT name, version, install_time FROM deb_packages ORDER BY install_time DESC LIMIT 20; -- Debian/Ubuntu
SELECT name, version, install_time FROM rpm_packages ORDER BY install_time DESC LIMIT 20; -- RHEL/CentOS
-- System information
SELECT hostname, computer_name, local_hostname FROM system_info;
```
## Security Considerations
- **Sensitive Data Handling**: osquery can access sensitive system information (password hashes, private keys, process memory). Limit access to forensic analysts and incident responders. Export query results to encrypted storage. Sanitize logs before sharing with third parties.
- **Access Control**: Requires root/administrator privileges on investigated systems. Use dedicated forensic user accounts with audit logging. Restrict osqueryd configuration files (osquery.conf) to prevent query tampering. Implement least-privilege access to query results.
- **Audit Logging**: Log all osquery executions for forensic chain-of-custody. Record analyst username, timestamp, queries executed, and systems queried. Maintain immutable audit logs for compliance and legal requirements. Use `osqueryd --audit` flag for detailed logging.
- **Compliance**: osquery supports NIST SP 800-53 AU (Audit and Accountability) controls and NIST Cybersecurity Framework detection capabilities. Enables evidence collection for GDPR data breach investigations (Article 33). Query results constitute forensic evidence - maintain integrity and chain-of-custody.
- **Safe Defaults**: Use read-only queries during investigations to avoid system modification. Test complex queries in lab environments before production use. Monitor osqueryd resource consumption to prevent denial of service. Disable dangerous tables (e.g., `curl`, `yara`) in osqueryd configurations unless explicitly needed.
## Bundled Resources
### Scripts
- `scripts/osquery_triage.sh` - Automated triage collection script for rapid incident response
- `scripts/osquery_hunt.py` - Threat hunting query executor with MITRE ATT&CK mapping
- `scripts/parse_osquery_json.py` - Parse and analyze osquery JSON output
- `scripts/osquery_to_timeline.py` - Generate forensic timelines from osquery results
### References
- `references/table-guide.md` - Comprehensive osquery table reference for forensic investigations
- `references/mitre-attack-queries.md` - Pre-built queries mapped to MITRE ATT&CK techniques
- `references/platform-differences.md` - Platform-specific tables and query variations (Linux/macOS/Windows)
- `references/osqueryd-deployment.md` - Deploy osqueryd for continuous monitoring and fleet management
### Assets
- `assets/osquery.conf` - Production osqueryd configuration template for security monitoring
- `assets/forensic-packs/` - Query packs for incident response scenarios
- `ir-triage.conf` - Initial triage queries
- `persistence-hunt.conf` - Persistence mechanism detection
- `lateral-movement.conf` - Lateral movement indicators
- `credential-access.conf` - Credential dumping detection
## Common Investigation Scenarios
### Scenario 1: Webshell Detection
Detect webshells on compromised web servers:
```sql
-- Check web server processes with suspicious child processes
SELECT p1.name AS webserver, p1.pid, p1.cmdline,
p2.name AS child, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'perl', 'python');
-- Files in web directories with recent modifications
SELECT path, filename, mtime, md5, sha256
FROM hash
WHERE path LIKE '/var/www/%' OR path LIKE 'C:\inetpub\wwwroot\%'
AND (filename LIKE '%.php' OR filename LIKE '%.asp' OR filename LIKE '%.jsp')
AND mtime > (strftime('%s', 'now') - 604800); -- Last 7 days
```
### Scenario 2: Ransomware Investigation
Identify ransomware indicators:
```sql
-- Processes writing to many files rapidly (potential encryption activity)
SELECT p.name, p.pid, p.cmdline, COUNT(fe.path) AS files_modified
FROM processes p
JOIN file_events fe ON p.pid = fe.pid
WHERE fe.action = 'WRITE' AND fe.time > (strftime('%s', 'now') - 300)
GROUP BY p.pid
HAVING files_modified > 100;
-- Look for ransom note files
SELECT path, filename FROM file
WHERE filename LIKE '%DECRYPT%' OR filename LIKE '%README%' OR filename LIKE '%RANSOM%';
-- Check for file extension changes (encrypted files)
SELECT path, filename FROM file
WHERE filename LIKE '%.locked' OR filename LIKE '%.encrypted' OR filename LIKE '%.crypto';
```
### Scenario 3: Privilege Escalation Detection
Detect privilege escalation attempts:
```sql
-- Processes running as root from non-standard paths
SELECT pid, name, path, cmdline, uid, euid FROM processes
WHERE (uid = 0 OR euid = 0)
AND path NOT LIKE '/usr/%'
AND path NOT LIKE '/sbin/%'
AND path NOT LIKE '/bin/%'
AND path NOT LIKE 'C:\Windows\%';
-- SUID binaries (Linux/macOS)
SELECT path, filename, uid, gid FROM file
WHERE mode LIKE '%4%' AND path NOT IN (SELECT path FROM known_suid_binaries);
-- Sudoers file modifications
SELECT * FROM file WHERE path = '/etc/sudoers' AND mtime > (strftime('%s', 'now') - 86400);
```
## Integration Points
### SIEM Integration
Forward osqueryd logs to SIEM platforms:
- **Splunk**: Use Splunk Add-on for osquery or universal forwarder
- **Elasticsearch**: Configure osqueryd to output JSON logs, ingest with Filebeat
- **Sentinel**: Stream logs via Azure Monitor Agent or custom ingestion
- **QRadar**: Use QRadar osquery app or log source extension
Configure osqueryd result logging:
```json
{
"options": {
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false
}
}
```
### EDR/XDR Integration
Combine with endpoint detection:
- Correlate osquery results with EDR alerts
- Use osquery for EDR alert enrichment and investigation
- Deploy osquery packs based on EDR threat intelligence
- Augment EDR telemetry with custom osquery tables
### Threat Intelligence Enrichment
Enrich findings with threat intel:
- Query file hashes against VirusTotal, MISP, or threat feeds
- Match network indicators with IOC databases
- Tag findings with MITRE ATT&CK techniques
- Generate hunting hypotheses from threat reports
## Troubleshooting
### Issue: osquery Not Finding Expected Results
**Solution**: Verify table availability and platform compatibility
- Check table schema: `osqueryi ".schema processes"`
- List available tables: `osqueryi ".tables"`
- Review platform-specific tables in [references/platform-differences.md](references/platform-differences.md)
- Some tables require specific osquery versions or kernel features
### Issue: High Resource Consumption
**Solution**: Optimize query performance and scheduling
- Use indexed columns in WHERE clauses (pid, uid, path)
- Avoid unbounded queries without filters
- Reduce osqueryd query frequency in osquery.conf
- Limit result set sizes with LIMIT clause
- Monitor with: `SELECT * FROM osquery_info; SELECT * FROM osquery_schedule;`
### Issue: Permission Denied Errors
**Solution**: Ensure proper privilege escalation
- Run osqueryi with sudo/admin privileges: `sudo osqueryi`
- Some tables require root access (kernel_modules, process_memory_map)
- Check file permissions on osqueryd configuration files
- Review SELinux/AppArmor policies blocking osquery
## Best Practices
1. **Document Queries**: Maintain query library with descriptions and expected results
2. **Test Before Production**: Validate queries in lab before running on production systems
3. **Minimize Scope**: Use WHERE clauses to limit query scope and reduce performance impact
4. **Export Results**: Save query output for evidence preservation (`--json` or `--csv` flags)
5. **Correlate Findings**: Join multiple tables for comprehensive artifact analysis
6. **Version Control**: Track osquery configuration and query packs in Git
7. **Monitor Performance**: Watch osqueryd CPU/memory usage during scheduled queries
8. **Update Regularly**: Keep osquery updated for latest table schemas and security patches
## MITRE ATT&CK Coverage
osquery enables detection and investigation of techniques across the ATT&CK matrix:
- **Initial Access**: Detect suspicious services and scheduled tasks (T1053)
- **Execution**: Monitor process creation and command-line arguments (T1059)
- **Persistence**: Identify registry modifications, cron jobs, startup items (T1547, T1053)
- **Privilege Escalation**: Find SUID binaries, sudo abuse, service creation (T1548, T1543)
- **Defense Evasion**: Detect process injection, file deletion, timestomping (T1055, T1070)
- **Credential Access**: Hunt for credential dumping tools and access (T1003, T1552)
- **Discovery**: Track system enumeration activities (T1082, T1083, T1057)
- **Lateral Movement**: Monitor remote service creation and authentication (T1021)
- **Collection**: Detect archive creation and data staging (T1560, T1074)
- **Exfiltration**: Identify unusual network connections and data transfers (T1041)
See [references/mitre-attack-queries.md](references/mitre-attack-queries.md) for technique-specific detection queries.
## References
- [osquery GitHub Repository](https://github.com/osquery/osquery)
- [osquery Schema Documentation](https://osquery.io/schema/)
- [osquery Deployment Guide](https://osquery.readthedocs.io/en/stable/deployment/)
- [osquery SQL Reference](https://osquery.readthedocs.io/en/stable/introduction/sql/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
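Review bot: several SQL examples in this file reference columns or tables that are not in the osquery schema and will error or return nothing. `SELECT name, domains, pid FROM dns_resolvers;` (the table exposes `id, type, address, netmask, options`), `SELECT path, filename, size, mtime, ctime, md5, sha256 FROM hash` (`hash` has only `path, directory, md5, sha1, sha256, ssdeep`; join it to `file` for size and timestamps), and `JOIN file_events fe ON p.pid = fe.pid` (`file_events` has no `pid` column) are the ones that break outright; `systemd_units` names the unit as `id` with `fragment_path`, not `name`/`path`, `deb_packages` has no `install_time`, `kernel_info` has no `name`/`value`, and `sysctl`, `known_good_modules`, `known_suid_binaries` and `sudo_usage_history` do not appear in the published schema (use `system_controls` for sysctl values, and state that the allowlist tables must be supplied by the reader). Two precedence bugs: in the "Recently modified files" and webshell file queries the `AND mtime > ...` clause binds only to the last `OR path LIKE ...` term, and in the SUID query `AND path LIKE '/usr/%' OR path LIKE '/bin/%'` applies the mode filter only to /usr; parenthesise the OR groups. `mode LIKE '%4%'` matches any mode containing a 4 (0644 included); the setuid bit is the high-order digit of the mode string, so anchor the pattern there. The `file` table needs a path constraint it can expand, so `'/home/*/.bashrc'` inside `IN (...)` is a literal string that matches nothing and should be `path LIKE '/home/%/.bashrc'`. Finally, `osqueryd --audit` is not a documented flag; the audit subsystem is enabled with `--disable_audit=false` together with the `--audit_allow_*` options.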


@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.


@@ -0,0 +1,104 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect credential dumping and credential access techniques",
"queries": {
"mimikatz_execution": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';",
"interval": 300,
"description": "Mimikatz execution detection",
"platform": "windows"
},
"lsass_process_access": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';",
"interval": 300,
"description": "LSASS memory dumping tools",
"platform": "windows"
},
"credential_file_access": {
"query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');",
"interval": 300,
"description": "Access to credential storage files"
},
"shadow_file_reads": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');",
"interval": 300,
"description": "Unauthorized /etc/shadow access",
"platform": "posix"
},
"sam_registry_access": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';",
"interval": 600,
"description": "SAM registry key access",
"platform": "windows"
},
"password_search": {
"query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');",
"interval": 300,
"description": "Searching for password files"
},
"credential_files": {
"query": "SELECT path, filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');",
"interval": 3600,
"description": "Credential-related files"
},
"browser_credential_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';",
"interval": 300,
"description": "Browser credential database access"
},
"keychain_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';",
"interval": 300,
"description": "macOS Keychain access",
"platform": "darwin"
},
"dpapi_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';",
"interval": 300,
"description": "Windows DPAPI credential access",
"platform": "windows"
},
"ntds_dit_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';",
"interval": 300,
"description": "Active Directory database access",
"platform": "windows"
},
"kerberos_ticket_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';",
"interval": 300,
"description": "Kerberos ticket manipulation"
},
"sudo_without_password": {
"query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;",
"interval": 300,
"description": "Sudo usage potentially leveraging cached credentials",
"platform": "posix"
},
"sudoers_file_access": {
"query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE '/etc/sudoers.d/%';",
"interval": 3600,
"description": "Sudoers file modification monitoring",
"platform": "posix"
},
"ssh_private_keys": {
"query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';",
"interval": 3600,
"description": "SSH private key files",
"platform": "posix"
},
"powershell_credential_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';",
"interval": 300,
"description": "PowerShell credential access commands",
"platform": "windows"
},
"registry_credential_storage": {
"query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';",
"interval": 3600,
"description": "Credentials stored in registry",
"platform": "windows"
}
}
}
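Review bot: the `file` table queries in this pack use a single `%`, which osquery's `file` table expands as one directory level rather than a recursive subtree, so `credential_files` with `path LIKE '/home/%'` lists only the user home directories themselves, and `ssh_private_keys` with the leading wildcard `path LIKE '%/.ssh/%'` has no prefix to walk from and returns nothing; use `%%` for recursion or explicit patterns such as `'/home/%/.ssh/%'`. The `registry` table likewise needs a hive prefix to enumerate from, so `key LIKE '%SAM%'` in `sam_registry_access` and `key LIKE '%Credentials%'` in `registry_credential_storage` should start from a concrete path such as `HKEY_LOCAL_MACHINE\SAM\%`. More generally, every rule here polls `processes` at a 300 s interval, so a tool that runs for a few seconds (procdump, a one-off grep, a keychain dump) is only caught if it happens to be alive at poll time; on Linux and macOS `process_events` records every exec and should back the process-based rules. Minor: `mimilib.dll` is not a process name and can never match in `mimikatz_execution`.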


@@ -0,0 +1,80 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Incident response triage queries for rapid forensic collection",
"queries": {
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 0,
"snapshot": true,
"description": "Complete system information snapshot"
},
"users_snapshot": {
"query": "SELECT uid, gid, username, description, directory, shell FROM users;",
"interval": 0,
"snapshot": true,
"description": "All user accounts"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 300,
"description": "Currently logged-in users"
},
"last_logins": {
"query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
"interval": 600,
"description": "Recent login history"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
"interval": 300,
"description": "All running processes with metadata"
},
"processes_deleted_binary": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
"interval": 300,
"description": "Processes with deleted executables (malware indicator)"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 300,
"description": "Active external network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Network services listening on external interfaces"
},
"interface_addresses": {
"query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
"interval": 3600,
"description": "Network interface configuration"
},
"arp_cache": {
"query": "SELECT address, mac, interface, permanent FROM arp_cache;",
"interval": 600,
"description": "ARP cache entries"
},
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "Configured DNS resolvers"
},
"tmp_directory_files": {
"query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
"interval": 900,
"description": "Files in temporary directories",
"snapshot": true
},
"recent_file_modifications": {
"query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
"interval": 3600,
"description": "Recently modified system files (last 24 hours)"
},
"user_groups": {
"query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
"interval": 3600,
"description": "Users in privileged groups"
}
}
}
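Review bot: `"interval": 0` on `system_info_snapshot` and `users_snapshot` is not a run-once setting; osquery's scheduler has no such mode and `"snapshot": true` only changes the log format (full result each run instead of a diff), so these two entries need a positive interval (3600 would fit their purpose) to be scheduled reliably. `tmp_directory_files` and `recent_file_modifications` use a single `%`, which the `file` table expands as one path component, so `path LIKE '/tmp/%'` returns only direct children of /tmp and `'/etc/%'` misses /etc/cron.d, /etc/systemd and similar; use `%%` where a recursive walk is intended, and note that a recursive walk of /etc and System32 every hour is expensive, since the `LIMIT 100` is applied only after the full listing and sort.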


@@ -0,0 +1,105 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect lateral movement and remote access indicators",
"queries": {
"ssh_outbound_connections": {
"query": "SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 22 AND p.name = 'ssh';",
"interval": 300,
"description": "Outbound SSH connections",
"platform": "posix"
},
"rdp_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 3389 OR p.name LIKE '%mstsc%' OR p.name LIKE '%rdp%';",
"interval": 300,
"description": "RDP connection attempts",
"platform": "windows"
},
"smb_connections": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%\\\\\\\\%\\\\admin$%' OR cmdline LIKE '%\\\\\\\\%\\\\c$%' OR cmdline LIKE '%net use%';",
"interval": 300,
"description": "SMB/Windows Admin Share connections",
"platform": "windows"
},
"psexec_indicators": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name LIKE '%psexec%' OR cmdline LIKE '%psexec%' OR path LIKE '%ADMIN$%';",
"interval": 300,
"description": "PsExec execution indicators",
"platform": "windows"
},
"remote_wmi_execution": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%wmic%' AND cmdline LIKE '%/node:%';",
"interval": 300,
"description": "Remote WMI execution",
"platform": "windows"
},
"winrm_activity": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port IN (5985, 5986);",
"interval": 300,
"description": "WinRM connections",
"platform": "windows"
},
"unusual_login_locations": {
"query": "SELECT username, tty, host, time FROM logged_in_users WHERE host NOT IN ('localhost', '127.0.0.1', '') ORDER BY time DESC;",
"interval": 600,
"description": "Remote login sessions"
},
"multiple_ssh_sessions": {
"query": "SELECT user, COUNT(*) AS session_count, GROUP_CONCAT(host) AS hosts FROM logged_in_users WHERE tty LIKE 'pts/%' GROUP BY user HAVING session_count > 2;",
"interval": 600,
"description": "Users with multiple SSH sessions",
"platform": "posix"
},
"ssh_authorized_keys": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/authorized_keys' OR path LIKE '/root/.ssh/authorized_keys' OR path LIKE '/Users/%/.ssh/authorized_keys';",
"interval": 3600,
"description": "SSH authorized_keys file monitoring",
"platform": "posix"
},
"ssh_known_hosts": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/known_hosts' OR path LIKE '/root/.ssh/known_hosts' OR path LIKE '/Users/%/.ssh/known_hosts';",
"interval": 3600,
"description": "SSH known_hosts file monitoring",
"platform": "posix"
},
"smb_sessions": {
"query": "SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid WHERE ps.remote_port IN (445, 139);",
"interval": 300,
"description": "Active SMB connections"
},
"admin_shares_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ADMIN$%' OR cmdline LIKE '%IPC$%' OR cmdline LIKE '%C$%';",
"interval": 300,
"description": "Access to Windows admin shares",
"platform": "windows"
},
"remote_registry_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%reg%' AND cmdline LIKE '%\\\\\\\\%';",
"interval": 300,
"description": "Remote registry access attempts",
"platform": "windows"
},
"remote_scheduled_tasks": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%schtasks%' AND cmdline LIKE '%/s%';",
"interval": 300,
"description": "Remote scheduled task creation",
"platform": "windows"
},
"remote_service_creation": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%sc%' AND cmdline LIKE '%\\\\\\\\%' AND cmdline LIKE '%create%';",
"interval": 300,
"description": "Remote service creation",
"platform": "windows"
},
"vnc_connections": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port >= 5900 AND ps.remote_port <= 5999;",
"interval": 300,
"description": "VNC connection attempts"
},
"suspicious_network_tools": {
"query": "SELECT pid, name, path, cmdline FROM processes WHERE name IN ('nmap', 'masscan', 'nc', 'netcat', 'socat', 'proxychains') OR cmdline LIKE '%nmap%' OR cmdline LIKE '%nc %-%';",
"interval": 300,
"description": "Network reconnaissance tools"
}
}
}
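Review bot: `smb_sessions` selects an unqualified `pid` (`SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ...`) while both joined tables have a `pid` column, so SQLite rejects the query as ambiguous and the scheduled query logs nothing; qualify it as `p.pid` (and `ps.remote_address`) the way `winrm_connections` and `vnc_connections` already do. The UNC-prefix patterns in `remote_registry_access` and `remote_service_creation` are written as `'%\\\\\\\\%'` in JSON, which decodes to four literal backslashes in the SQL string; SQLite's LIKE treats backslash as an ordinary character, so a `\\host\share` prefix is matched by two backslashes, i.e. `'%\\\\%'` in the JSON source. Separately, `cmdline LIKE '%reg%'` and `'%sc%'` hit substrings of unrelated commands (regsvr32, script, discover), and the `'%/s%'` test in `remote_scheduled_tasks` also matches the `/sc` schedule flag of every local `schtasks /create`; matching on `name IN ('reg.exe', 'sc.exe', 'schtasks.exe')` with a space-delimited `'% /s %'` keeps these from firing on every host.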


@@ -0,0 +1,113 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Hunt for persistence mechanisms across all platforms",
"queries": {
"crontab_monitoring": {
"query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
"interval": 3600,
"description": "Monitor cron jobs for persistence",
"platform": "posix"
},
"suspicious_cron_commands": {
"query": "SELECT * FROM crontab WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%' OR command LIKE '%bash -i%' OR command LIKE '%python%socket%' OR command LIKE '%nc%';",
"interval": 1800,
"description": "Detect suspicious cron job commands",
"platform": "posix"
},
"systemd_units": {
"query": "SELECT name, description, load_state, active_state, sub_state, fragment_path, source FROM systemd_units WHERE active_state = 'active';",
"interval": 3600,
"description": "Active systemd services",
"platform": "linux"
},
"non_standard_systemd": {
"query": "SELECT name, fragment_path, active_state FROM systemd_units WHERE active_state = 'active' AND fragment_path NOT LIKE '/usr/lib/systemd/system/%' AND fragment_path NOT LIKE '/lib/systemd/system/%';",
"interval": 1800,
"description": "Non-standard systemd units (potential persistence)",
"platform": "linux"
},
"launchd_monitoring": {
"query": "SELECT name, label, path, program, program_arguments, run_at_load, keep_alive FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "macOS launch agents and daemons",
"platform": "darwin"
},
"suspicious_launchd": {
"query": "SELECT * FROM launchd WHERE run_at_load = 1 AND (path LIKE '%/tmp/%' OR path LIKE '%/Users/%/Library/LaunchAgents/%' OR program LIKE '%curl%' OR program LIKE '%bash%');",
"interval": 1800,
"description": "Suspicious launch agents",
"platform": "darwin"
},
"startup_items_mac": {
"query": "SELECT name, path, args, type, source, status FROM startup_items;",
"interval": 3600,
"description": "macOS startup items",
"platform": "darwin"
},
"registry_run_keys": {
"query": "SELECT key, name, path, data, mtime FROM registry WHERE (key LIKE '%\\\\Run' OR key LIKE '%\\\\RunOnce') AND key NOT LIKE '%\\\\RunOnceEx';",
"interval": 1800,
"description": "Windows registry Run keys",
"platform": "windows"
},
"suspicious_registry_entries": {
"query": "SELECT key, name, path, data FROM registry WHERE (key LIKE '%Run%' OR key LIKE '%RunOnce%') AND (data LIKE '%AppData%' OR data LIKE '%Temp%' OR data LIKE '%ProgramData%' OR data LIKE '%.vbs' OR data LIKE '%.js');",
"interval": 1800,
"description": "Suspicious registry persistence entries",
"platform": "windows"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled, state, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Windows scheduled tasks",
"platform": "windows"
},
"suspicious_scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%powershell%' OR action LIKE '%cmd%' OR action LIKE '%wscript%' OR action LIKE '%mshta%' OR action LIKE '%AppData%' OR action LIKE '%Temp%');",
"interval": 1800,
"description": "Suspicious scheduled tasks",
"platform": "windows"
},
"windows_services": {
"query": "SELECT name, display_name, status, path, start_type, user_account FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START') ORDER BY status;",
"interval": 3600,
"description": "Windows services configuration",
"platform": "windows"
},
"wmi_event_consumers": {
"query": "SELECT name, command_line_template, executable_path, script_file_name FROM wmi_cli_event_consumers;",
"interval": 1800,
"description": "WMI event consumers (persistence mechanism)",
"platform": "windows"
},
"kernel_modules": {
"query": "SELECT name, size, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Loaded Linux kernel modules",
"platform": "linux"
},
"kernel_extensions_mac": {
"query": "SELECT name, version, path, linked_against FROM kernel_extensions WHERE loaded = 1;",
"interval": 3600,
"description": "Loaded macOS kernel extensions",
"platform": "darwin"
},
"bash_profile_modifications": {
"query": "SELECT path, filename, mtime, ctime, size FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/etc/zshrc') OR path LIKE '/home/%/.bashrc' OR path LIKE '/home/%/.bash_profile' OR path LIKE '/home/%/.zshrc' OR path LIKE '/Users/%/.bashrc' OR path LIKE '/Users/%/.bash_profile' OR path LIKE '/Users/%/.zshrc';",
"interval": 3600,
"description": "Shell profile file modifications",
"platform": "posix"
},
"browser_extensions_chrome": {
"query": "SELECT name, identifier, version, description, path, author FROM chrome_extensions;",
"interval": 3600,
"description": "Chrome browser extensions"
},
"browser_extensions_firefox": {
"query": "SELECT name, identifier, version, description, source_url, visible FROM firefox_addons WHERE visible = 1;",
"interval": 3600,
"description": "Firefox browser add-ons"
}
}
}
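Review bot: the two `systemd_units` queries (`systemd_units`, `non_standard_systemd`) select `name` and `source`, while the platform-tables guide later in this commit queries the same table with `id`; osquery's `systemd_units` schema exposes `id` and `source_path`, not `name` or `source`, so these scheduled queries fail to parse and produce no results. `registry_run_keys` uses `key LIKE '%\\\\Run'`, which is a two-backslash literal in SQL (SQLite LIKE has no escape character) and never matches a single-backslash registry path; write it as `'%\\Run'` in JSON and anchor the pattern at a hive (e.g. `'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'`), since the `registry` table needs a hive-prefixed key constraint to enumerate anything. `suspicious_cron_commands` matches `'%nc%'`, which also hits `rsync`, `sync` and any command containing those two letters; a delimited pattern such as `'% nc %'` or `'nc %'` avoids paging on every backup job.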


@@ -0,0 +1,77 @@
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 4,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;",
"interval": 3600,
"description": "Collect basic system information"
},
"os_version": {
"query": "SELECT name, version, platform, build FROM os_version;",
"interval": 3600,
"description": "OS version information"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 600,
"description": "Currently logged-in users"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;",
"interval": 300,
"description": "Monitor running processes"
},
"suspicious_processes": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 600,
"description": "Active network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Listening network ports"
}
},
"packs": {
"ir-triage": "/etc/osquery/packs/ir-triage.conf",
"persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf",
"lateral-movement": "/etc/osquery/packs/lateral-movement.conf",
"credential-access": "/etc/osquery/packs/credential-access.conf"
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
}
}
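Review bot: `network_connections` excludes `'0.0.0.0'` from `ps.remote_address` but not `'::'`, so every unconnected IPv6 socket (remote address `::`, port 0) is reported as an active connection each 10 minutes; add `'::'` to the NOT IN list or filter on `ps.state = 'ESTABLISHED'` as the T1041 query in the ATT&CK guide does. `running_processes` also dumps the whole `processes` table every 300 s under differential logging, and pid churn turns every short-lived process into an `added`/`removed` pair, which will dominate log volume; either schedule it as a `"snapshot": true` inventory query at a longer interval or drop it, since `suspicious_processes` already carries the detection value.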


@@ -0,0 +1,539 @@
# MITRE ATT&CK Detection Queries for osquery
Pre-built osquery detection queries mapped to MITRE ATT&CK techniques for threat hunting and incident response.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
## Initial Access
### T1078 - Valid Accounts
Detect unusual account usage patterns.
```sql
-- Unusual login times or locations
SELECT username, tty, host, time
FROM last
WHERE time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;
-- Failed authentication attempts (requires auth logs)
SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users);
```
### T1190 - Exploit Public-Facing Application
Detect web server exploitation indicators.
```sql
-- Web server processes spawning shells
SELECT p1.name AS webserver, p1.cmdline,
p2.name AS child_process, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe', 'java')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'python', 'perl');
```
## Execution
### T1059.001 - PowerShell
Detect suspicious PowerShell execution.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name LIKE '%powershell%'
AND (cmdline LIKE '%EncodedCommand%'
OR cmdline LIKE '%-enc%'
OR cmdline LIKE '%FromBase64String%'
OR cmdline LIKE '%Invoke-Expression%'
OR cmdline LIKE '%IEX%'
OR cmdline LIKE '%DownloadString%'
OR cmdline LIKE '%-w hidden%'
OR cmdline LIKE '%-WindowStyle hidden%');
```
### T1059.003 - Windows Command Shell
Detect suspicious cmd.exe usage.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name = 'cmd.exe'
AND (cmdline LIKE '%/c%'
OR cmdline LIKE '%&%'
OR cmdline LIKE '%|%'
OR cmdline LIKE '%<%'
OR cmdline LIKE '%>%');
```
### T1059.004 - Unix Shell
Detect suspicious shell execution.
```sql
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE name IN ('bash', 'sh', 'zsh', 'ksh')
AND (cmdline LIKE '%curl%http%'
OR cmdline LIKE '%wget%http%'
OR cmdline LIKE '%nc%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%/dev/tcp%'
OR cmdline LIKE '%base64%');
```
### T1053 - Scheduled Task/Job
Detect suspicious scheduled tasks.
```sql
-- Suspicious cron jobs (Linux/macOS)
SELECT command, path, minute, hour
FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%bash -i%'
OR command LIKE '%python -c%';
-- Suspicious scheduled tasks (Windows)
SELECT name, action, path, enabled
FROM scheduled_tasks
WHERE enabled = 1
AND (action LIKE '%powershell%'
OR action LIKE '%cmd%'
OR action LIKE '%wscript%'
OR action LIKE '%mshta%');
```
## Persistence
### T1547.001 - Registry Run Keys (Windows)
Detect persistence via registry.
```sql
SELECT key, name, path, data
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND (data LIKE '%AppData%'
OR data LIKE '%Temp%'
OR data LIKE '%ProgramData%'
OR data LIKE '%.vbs'
OR data LIKE '%.js');
```
### T1547.006 - Kernel Modules and Extensions
Detect unauthorized kernel modules.
```sql
-- Linux kernel modules
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN (
'ip_tables', 'x_tables', 'nf_conntrack', 'nf_defrag_ipv4',
'iptable_filter', 'iptable_nat', 'ipt_MASQUERADE'
);
-- macOS kernel extensions
SELECT name, version, path
FROM kernel_extensions
WHERE loaded = 1
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Extensions/%';
```
### T1053.003 - Cron (Linux/macOS)
Detect malicious cron jobs.
```sql
SELECT event, command, path, minute, hour, day_of_week
FROM crontab
WHERE command LIKE '%curl%http%'
OR command LIKE '%wget%http%'
OR command LIKE '%bash -i%'
OR command LIKE '%python%socket%'
OR command LIKE '%nc%'
OR command LIKE '%/dev/tcp%'
OR path LIKE '%/tmp/%'
OR path LIKE '%/var/tmp/%';
```
### T1543.002 - Systemd Service (Linux)
Detect malicious systemd services.
```sql
SELECT name, fragment_path, description, active_state
FROM systemd_units
WHERE active_state = 'active'
AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Privilege Escalation
### T1548.003 - Sudo and Sudo Caching
Detect sudo abuse.
```sql
SELECT pid, name, cmdline, uid, euid, parent
FROM processes
WHERE name = 'sudo'
AND (cmdline LIKE '%-i%'
OR cmdline LIKE '%-s%'
OR cmdline LIKE '%-u root%');
```
### T1548.001 - Setuid and Setgid
Find suspicious SUID/SGID binaries.
```sql
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/home/%'
OR path LIKE '/dev/shm/%');
```
### T1543.001 - Launch Agent (macOS)
Detect malicious launch agents.
```sql
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND (path LIKE '%/tmp/%'
OR path LIKE '%/Users/%/Library/LaunchAgents/%'
OR program LIKE '%curl%'
OR program LIKE '%bash%');
```
## Defense Evasion
### T1055 - Process Injection
Detect process injection techniques.
```sql
-- Windows process injection indicators
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%VirtualAllocEx%'
OR cmdline LIKE '%WriteProcessMemory%'
OR cmdline LIKE '%CreateRemoteThread%'
OR cmdline LIKE '%QueueUserAPC%'
OR cmdline LIKE '%SetThreadContext%';
-- Processes with deleted executables (Linux indicator)
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```
### T1070.004 - File Deletion
Detect log and evidence deletion.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE (cmdline LIKE '%rm%'
OR cmdline LIKE '%del%'
OR cmdline LIKE '%shred%'
OR cmdline LIKE '%wipe%')
AND (cmdline LIKE '%log%'
OR cmdline LIKE '%audit%'
OR cmdline LIKE '%history%'
OR cmdline LIKE '%bash_history%');
```
### T1027 - Obfuscated Files or Information
Detect encoding and obfuscation.
```sql
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%base64%'
OR cmdline LIKE '%certutil%decode%'
OR cmdline LIKE '%[Convert]::FromBase64String%'
OR cmdline LIKE '%openssl enc%'
OR cmdline LIKE '%uuencode%';
```
### T1564.001 - Hidden Files and Directories
Find hidden files in unusual locations.
```sql
SELECT path, filename, size, mtime
FROM file
WHERE filename LIKE '.%'
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/dev/shm/%')
AND size > 0;
```
## Credential Access
### T1003.001 - LSASS Memory (Windows)
Detect LSASS dumping.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR cmdline LIKE '%sekurlsa%'
OR cmdline LIKE '%lsadump%'
OR cmdline LIKE '%procdump%lsass%'
OR cmdline LIKE '%comsvcs.dll%MiniDump%';
```
### T1003.008 - /etc/passwd and /etc/shadow
Detect access to credential files.
```sql
-- Processes accessing password files
SELECT p.name, p.cmdline, pm.path
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd')
AND p.name NOT IN ('sshd', 'login', 'su', 'sudo');
```
### T1552.001 - Credentials in Files
Search for credential files.
```sql
SELECT path, filename, size
FROM file
WHERE (filename LIKE '%password%'
OR filename LIKE '%credential%'
OR filename LIKE '%secret%'
OR filename LIKE '%.pem'
OR filename LIKE '%.key'
OR filename = '.bash_history'
OR filename = '.zsh_history')
AND path LIKE '/home/%';
```
## Discovery
### T1057 - Process Discovery
Detect process enumeration.
```sql
SELECT pid, name, cmdline, parent
FROM processes
WHERE cmdline LIKE '%ps aux%'
OR cmdline LIKE '%tasklist%'
OR cmdline LIKE '%Get-Process%'
OR name IN ('ps', 'tasklist.exe');
```
### T1082 - System Information Discovery
Detect system reconnaissance.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%systeminfo%'
OR cmdline LIKE '%uname -a%'
OR cmdline LIKE '%Get-ComputerInfo%'
OR cmdline LIKE '%hostnamectl%'
OR cmdline LIKE '%sw_vers%';
```
### T1083 - File and Directory Discovery
Detect file enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%find%'
OR cmdline LIKE '%dir /s%'
OR cmdline LIKE '%ls -la%'
OR cmdline LIKE '%Get-ChildItem%';
```
### T1087 - Account Discovery
Detect account enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%net user%'
OR cmdline LIKE '%net group%'
OR cmdline LIKE '%net localgroup%'
OR cmdline LIKE '%Get-LocalUser%'
OR cmdline LIKE '%whoami%'
OR cmdline LIKE '%id%';
```
### T1046 - Network Service Scanning
Detect network scanning activity.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%nmap%'
OR cmdline LIKE '%masscan%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%nc%'
OR name IN ('nmap', 'masscan', 'nc', 'netcat');
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
Detect RDP connections.
```sql
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 3389
OR p.name LIKE '%mstsc%'
OR p.name LIKE '%rdp%';
```
### T1021.002 - SMB/Windows Admin Shares
Detect SMB lateral movement.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%\\\\%\\admin$%'
OR cmdline LIKE '%\\\\%\\c$%'
OR cmdline LIKE '%net use%'
OR cmdline LIKE '%PsExec%';
```
### T1021.004 - SSH
Detect SSH lateral movement.
```sql
-- Outbound SSH connections
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 22
AND p.name = 'ssh';
-- Unusual SSH sessions
SELECT user, tty, host, time
FROM logged_in_users
WHERE tty LIKE 'pts/%'
AND user NOT IN ('root', 'admin');
```
## Collection
### T1560.001 - Archive via Utility
Detect data archiving for staging.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE cmdline LIKE '%tar%'
OR cmdline LIKE '%zip%'
OR cmdline LIKE '%7z%'
OR cmdline LIKE '%rar%'
OR cmdline LIKE '%Compress-Archive%';
```
### T1119 - Automated Collection
Detect automated data collection scripts.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE (cmdline LIKE '%find%'
OR cmdline LIKE '%grep%'
OR cmdline LIKE '%Select-String%')
AND (cmdline LIKE '%password%'
OR cmdline LIKE '%credential%'
OR cmdline LIKE '%secret%'
OR cmdline LIKE '%.doc%'
OR cmdline LIKE '%.xls%');
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
Detect suspicious network connections.
```sql
-- Unusual outbound connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1')
AND ps.remote_port NOT IN (80, 443, 22, 53, 3389)
AND ps.state = 'ESTABLISHED';
```
### T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detect data exfiltration via common tools.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%curl%'
OR cmdline LIKE '%wget%'
OR cmdline LIKE '%scp%'
OR cmdline LIKE '%ftp%'
OR cmdline LIKE '%rsync%';
```
## Query Usage Notes
1. **Test queries** in a lab environment before production use
2. **Tune for environment** - add whitelist filters for legitimate activity
3. **Combine queries** - join multiple detections for higher confidence
4. **Time window** - add time filters to reduce result sets
5. **Baseline first** - understand normal activity before hunting
## Reference
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [MITRE ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)
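Review bot: the T1548.001 query tests `mode LIKE '%4%' OR mode LIKE '%2%'`, which matches any octal mode containing a 4 or a 2 anywhere, so every ordinary 0644 file under `/home` is reported as SUID; the setuid/setgid bits are the leading digit of the four-digit mode string, so use `mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%'`. The same literal-backslash problem affects T1547.001 (`'%\\Run'`) and T1021.002 (`'%\\\\%\\admin$%'`): SQLite LIKE does not unescape `\\`, so these require two backslashes where registry keys and UNC paths have one; halve them (`'%\Run'`, `'%\\%\admin$%'`) and give the `registry` pattern a hive prefix. The comment "Failed authentication attempts" over `SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users)` is misleading: that returns sessions for accounts absent from the local `users` table (normal for directory-backed logins), not failures; relabel or remove it. Finally, `'%id%'` in T1087 and `'%nc%'` in T1046 match nearly every command line (pid, video, rsync); match on `name` or a delimited `'% id%'`/`'% nc %'` instead.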


@@ -0,0 +1,518 @@
# osqueryd Deployment Guide
Deploy osqueryd for continuous endpoint monitoring, detection, and forensic evidence collection at scale.
## Table of Contents
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Query Packs](#query-packs)
- [Log Management](#log-management)
- [Fleet Management](#fleet-management)
- [Performance Tuning](#performance-tuning)
## Overview
osqueryd is the daemon component of osquery that enables:
- Scheduled query execution across endpoint fleet
- Real-time event monitoring with event tables
- Centralized log collection and aggregation
- Detection-as-code with versioned query packs
## Installation
### Linux (Ubuntu/Debian)
```bash
# Add osquery repository
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
# Add repository
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
# Install
sudo apt update
sudo apt install osquery
```
### Linux (RHEL/CentOS)
```bash
# Add osquery repository
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# Add repository
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# Install
sudo yum install osquery
```
### macOS
```bash
# Using Homebrew
brew install osquery
# Or download official PKG installer
# https://pkg.osquery.io/darwin/osquery-<version>.pkg
```
### Windows
```powershell
# Download MSI installer
# https://pkg.osquery.io/windows/osquery-<version>.msi
# Install via PowerShell
msiexec /i osquery-<version>.msi /quiet
```
## Configuration
### Configuration File Location
- Linux: `/etc/osquery/osquery.conf`
- macOS: `/var/osquery/osquery.conf`
- Windows: `C:\Program Files\osquery\osquery.conf`
### Basic Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 2,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"syslog_pipe_path": "/var/osquery/syslog_pipe"
},
"schedule": {
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 3600,
"description": "Collect system information hourly"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid FROM processes;",
"interval": 300,
"description": "Monitor running processes every 5 minutes"
},
"network_connections": {
"query": "SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Monitor network connections every 10 minutes"
}
},
"packs": {
"incident-response": "/etc/osquery/packs/ir-triage.conf",
"ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
}
}
```
### Security-Focused Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"worker_threads": 4,
"enable_monitor": true,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"suspicious_processes": {
"query": "SELECT * FROM processes WHERE on_disk = 0 OR path LIKE '%tmp%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"unauthorized_suid": {
"query": "SELECT path, mode, uid FROM file WHERE (mode LIKE '%4%' OR mode LIKE '%2%') AND path NOT IN (SELECT path FROM file WHERE path LIKE '/usr/%' OR path LIKE '/bin/%');",
"interval": 3600,
"description": "Find unauthorized SUID binaries",
"platform": "posix"
},
"registry_run_keys": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';",
"interval": 3600,
"description": "Monitor registry persistence",
"platform": "windows"
}
}
}
```
## Query Packs
### Creating Query Packs
Query packs organize related queries for specific security scenarios.
**Example: `/etc/osquery/packs/ir-triage.conf`**
```json
{
"platform": "all",
"version": "1.0.0",
"queries": {
"logged_in_users": {
"query": "SELECT * FROM logged_in_users;",
"interval": 600,
"description": "Track logged-in users"
},
"listening_ports": {
"query": "SELECT lp.port, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 300,
"description": "Monitor listening network ports"
},
"kernel_modules": {
"query": "SELECT name, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Monitor loaded kernel modules",
"platform": "linux"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Monitor Windows scheduled tasks",
"platform": "windows"
},
"launchd_services": {
"query": "SELECT name, path, program, run_at_load FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "Monitor macOS launch services",
"platform": "darwin"
}
}
}
```
### Platform-Specific Packs
Use `"platform"` field to limit queries:
- `"posix"` - Linux and macOS
- `"linux"` - Linux only
- `"darwin"` - macOS only
- `"windows"` - Windows only
- `"all"` - All platforms
## Log Management
### Log Types
osqueryd generates several log types:
1. **Result logs**: Query results from scheduled queries
2. **Status logs**: osqueryd operational status and errors
3. **Snapshot logs**: Full result sets (vs differential)
### Log Formats
**JSON (recommended):**
```json
{
"name": "suspicious_processes",
"hostIdentifier": "web-server-01",
"calendarTime": "Mon Oct 02 12:34:56 2023 UTC",
"unixTime": 1696251296,
"epoch": 0,
"counter": 1,
"columns": {
"pid": "1234",
"name": "suspicious",
"path": "/tmp/suspicious"
},
"action": "added"
}
```
### Centralized Logging
#### Option 1: Syslog
```json
{
"options": {
"logger_plugin": "syslog",
"syslog_pipe_path": "/var/osquery/syslog_pipe"
}
}
```
#### Option 2: AWS Kinesis/Firehose
```json
{
"options": {
"logger_plugin": "aws_kinesis",
"aws_kinesis_stream": "osquery-results",
"aws_region": "us-east-1"
}
}
```
#### Option 3: TLS Endpoint
```json
{
"options": {
"logger_plugin": "tls",
"logger_tls_endpoint": "/log",
"logger_tls_period": 60
}
}
```
#### Option 4: Kafka
```json
{
"options": {
"logger_plugin": "kafka_producer",
"kafka_topic": "osquery-logs",
"kafka_brokers": "broker1:9092,broker2:9092"
}
}
```
## Fleet Management
### Fleet Manager Options
1. **osquery Fleet Manager** - Official fleet management tool
2. **Kolide Fleet** - Open-source fleet management (now FleetDM)
3. **Doorman** - Minimal fleet manager
4. **Zentral** - macOS-focused fleet management
### FleetDM Configuration
```yaml
# fleet-config.yml
mysql:
address: 127.0.0.1:3306
database: fleet
username: fleet
password: fleet_password
redis:
address: 127.0.0.1:6379
server:
address: 0.0.0.0:8080
tls: true
cert: /path/to/cert.pem
key: /path/to/key.pem
logging:
json: true
debug: false
```
### Enrolling Endpoints
#### TLS Enrollment
```json
{
"options": {
"enroll_secret_path": "/etc/osquery/enroll_secret.txt",
"tls_server_certs": "/etc/osquery/certs/server.pem",
"tls_hostname": "fleet.example.com",
"host_identifier": "uuid",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": 60,
"logger_plugin": "tls",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": 10,
"distributed_plugin": "tls",
"distributed_interval": 60,
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write"
}
}
```
## Performance Tuning
### Resource Limits
```json
{
"options": {
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20,
"worker_threads": 4,
"schedule_timeout": 60,
"schedule_max_drift": 60
}
}
```
### Query Optimization
1. **Use appropriate intervals**: Balance freshness vs performance
- Critical queries: 60-300 seconds
- Standard monitoring: 300-900 seconds
- Inventory queries: 3600+ seconds
2. **Add WHERE clauses**: Reduce result set size
```sql
-- Bad: SELECT * FROM file;
-- Good: SELECT * FROM file WHERE path LIKE '/etc/%';
```
3. **Limit result sets**: Use LIMIT clause
```sql
SELECT * FROM processes ORDER BY start_time DESC LIMIT 100;
```
4. **Differential logging**: Only log changes
```json
{
"options": {
"log_result_events": true
}
}
```
### Schedule Splay
Prevent query storms by adding jitter:
```json
{
"options": {
"schedule_splay_percent": 10
}
}
```
## Service Management
### Linux (systemd)
```bash
# Start osqueryd
sudo systemctl start osqueryd
# Enable on boot
sudo systemctl enable osqueryd
# Check status
sudo systemctl status osqueryd
# View logs
sudo journalctl -u osqueryd -f
```
### macOS (launchd)
```bash
# Start osqueryd
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Stop osqueryd
sudo launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Check status
sudo launchctl list | grep osquery
```
### Windows (Service)
```powershell
# Start service
Start-Service osqueryd
# Stop service
Stop-Service osqueryd
# Check status
Get-Service osqueryd
# View logs
Get-Content "C:\ProgramData\osquery\log\osqueryd.results.log" -Wait
```
## Security Best Practices
1. **Limit configuration access**: Restrict `/etc/osquery/` to root only
2. **Use TLS**: Encrypt fleet management communications
3. **Rotate secrets**: Change enrollment secrets regularly
4. **Monitor osqueryd**: Alert on service failures
5. **Version control configs**: Track configuration changes in Git
6. **Test before deploy**: Validate queries in lab first
7. **Implement RBAC**: Use fleet manager role-based access
8. **Audit queries**: Review all scheduled queries for performance impact
## Troubleshooting
### High CPU Usage
Check query performance:
```bash
# Enable verbose logging
sudo osqueryd --verbose --config_path=/etc/osquery/osquery.conf
# Check query times
tail -f /var/log/osquery/osqueryd.INFO | grep "query="
```
### Missing Results
Verify query syntax:
```bash
# Test query interactively
osqueryi "SELECT * FROM processes LIMIT 5;"
# Check for errors
tail -f /var/log/osquery/osqueryd.results.log
```
### Service Crashes
Review watchdog settings:
```json
{
"options": {
"watchdog_level": 0, # Disable for debugging
"verbose": true
}
}
```
## Reference
- [osquery Deployment Guide](https://osquery.readthedocs.io/en/stable/deployment/)
- [FleetDM Documentation](https://fleetdm.com/docs)
- [osquery Configuration](https://osquery.readthedocs.io/en/stable/deployment/configuration/)
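Review bot: the watchdog snippet under "Service Crashes" carries `# Disable for debugging` inside the JSON, and osquery's config parser rejects comments, so pasting that block prevents the daemon from starting, the opposite of what the troubleshooting step intends; move the remark outside the block. `unauthorized_suid` has no `path`/`directory` constraint on the outer `file` SELECT (only the `mode` test and a `NOT IN` subquery), and the `file` table returns nothing without one; constrain it with explicit prefixes (`path LIKE '/tmp/%' OR path LIKE '/home/%' ...`) and replace `mode LIKE '%4%'`, which matches 0644, with a leading-digit test (`mode LIKE '4%'`). `registry_run_keys` (`key LIKE '%Run%'`) has the same missing hive prefix as the persistence pack. `apt-key adv` is deprecated on current Debian/Ubuntu; import the key into a keyring file and reference it with `[signed-by=...]` in the deb line. The launchd plist name `com.facebook.osqueryd.plist` dates from older releases (current installers ship `io.osquery.agent.plist`); verify against the version being deployed.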


@@ -0,0 +1,353 @@
# Platform-Specific osquery Tables and Queries
Guide to platform-specific tables and query variations across Linux, macOS, and Windows.
## Table of Contents
- [Cross-Platform Tables](#cross-platform-tables)
- [Linux-Specific Tables](#linux-specific-tables)
- [macOS-Specific Tables](#macos-specific-tables)
- [Windows-Specific Tables](#windows-specific-tables)
- [Query Translation Examples](#query-translation-examples)
## Cross-Platform Tables
These tables work across all platforms with consistent schemas:
- `processes` - Running processes
- `users` - User accounts
- `groups` - User groups
- `file` - File system metadata
- `hash` - File hashing
- `system_info` - System information
- `os_version` - OS version details
- `interface_addresses` - Network interfaces
- `routes` - Routing table
- `listening_ports` - Listening network ports
## Linux-Specific Tables
### Process and System
| Table | Description |
|-------|-------------|
| `kernel_modules` | Loaded kernel modules |
| `kernel_info` | Kernel version and boot parameters |
| `memory_info` | System memory information |
| `process_namespaces` | Linux namespace information |
| `seccomp_events` | Seccomp filter events |
| `selinux_events` | SELinux audit events |
| `apparmor_events` | AppArmor audit events |
### Package Management
| Table | Description |
|-------|-------------|
| `deb_packages` | Debian/Ubuntu packages (dpkg) |
| `rpm_packages` | RPM packages (yum/dnf) |
| `portage_packages` | Gentoo Portage packages |
| `pacman_packages` | Arch Linux packages |
### Persistence
| Table | Description |
|-------|-------------|
| `crontab` | Cron scheduled jobs |
| `systemd_units` | Systemd services and units |
### Example Linux Queries
```sql
-- Check kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Recently installed packages (Debian/Ubuntu)
SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC LIMIT 20;
-- SELinux denials
SELECT * FROM selinux_events WHERE denied = 1;
```
## macOS-Specific Tables
### System and Kernel
| Table | Description |
|-------|-------------|
| `kernel_extensions` | Loaded kernel extensions (kexts) |
| `system_extensions` | macOS system extensions |
| `signature` | Code signature verification |
| `quarantine` | Quarantine database entries |
### Persistence
| Table | Description |
|-------|-------------|
| `launchd` | Launch agents and daemons |
| `startup_items` | Startup items |
| `periodic_items` | Periodic script executions |
### Applications
| Table | Description |
|-------|-------------|
| `apps` | Installed macOS applications |
| `safari_extensions` | Safari browser extensions |
| `authorization_mechanisms` | Authorization plugin mechanisms |
### Security
| Table | Description |
|-------|-------------|
| `extended_attributes` | File extended attributes (xattr) |
| `keychain_items` | macOS Keychain items |
| `firewall` | macOS firewall settings |
### Example macOS Queries
```sql
-- Launch agents that run at load
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND path NOT LIKE '/System/%';
-- Loaded kernel extensions
SELECT name, version, path, linked_against
FROM kernel_extensions
WHERE loaded = 1;
-- Quarantined files
SELECT path, description, data_url
FROM quarantine
WHERE path LIKE '/Users/%/Downloads/%';
-- Unsigned executables in Applications
SELECT path, signed FROM signature
WHERE path LIKE '/Applications/%' AND signed = 0;
-- Code signing status
SELECT path, authority, signed, identifier
FROM signature
WHERE path = '/Applications/Suspicious.app/Contents/MacOS/Suspicious';
```
## Windows-Specific Tables
### System and Registry
| Table | Description |
|-------|-------------|
| `registry` | Windows registry access |
| `drivers` | Device drivers |
| `services` | Windows services |
| `wmi_cli_event_consumers` | WMI event consumers |
| `wmi_filter_consumer_binding` | WMI filter bindings |
### Persistence
| Table | Description |
|-------|-------------|
| `scheduled_tasks` | Windows scheduled tasks |
| `autoexec` | Auto-execution entries |
| `startup_items` | Startup folder items |
### Security
| Table | Description |
|-------|-------------|
| `windows_eventlog` | Windows Event Log |
| `authenticode` | Authenticode signature verification |
| `windows_security_products` | Installed security products |
| `bitlocker_info` | BitLocker encryption status |
### Processes
| Table | Description |
|-------|-------------|
| `process_memory_map` | Process memory mappings |
| `process_handles` | Open process handles |
### Example Windows Queries
```sql
-- Registry Run keys
SELECT key, name, path, data, mtime
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND key NOT LIKE '%\\RunOnceEx';
-- Scheduled tasks
SELECT name, action, path, enabled, last_run_time, next_run_time
FROM scheduled_tasks
WHERE enabled = 1
ORDER BY next_run_time;
-- WMI persistence
SELECT name, command_line_template, executable_path
FROM wmi_cli_event_consumers;
-- Windows services
SELECT name, display_name, status, path, start_type, user_account
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
ORDER BY status;
-- Event log security events
SELECT datetime, eventid, source, data
FROM windows_eventlog
WHERE channel = 'Security'
AND eventid IN (4624, 4625, 4648, 4672)
ORDER BY datetime DESC LIMIT 100;
-- Authenticode signature verification
SELECT path, result, subject_name, issuer_name
FROM authenticode
WHERE path LIKE 'C:\Users\%'
AND result != 'trusted';
```
## Query Translation Examples
### Persistence Mechanisms
**Linux:**
```sql
-- Cron jobs
SELECT * FROM crontab;
-- Systemd services
SELECT name, fragment_path, active_state
FROM systemd_units
WHERE active_state = 'active';
```
**macOS:**
```sql
-- Launch agents/daemons
SELECT name, path, program, run_at_load
FROM launchd
WHERE run_at_load = 1;
-- Startup items
SELECT name, path, type, source
FROM startup_items;
```
**Windows:**
```sql
-- Registry Run keys
SELECT key, name, path
FROM registry
WHERE key LIKE '%Run%';
-- Scheduled tasks
SELECT name, action, enabled
FROM scheduled_tasks
WHERE enabled = 1;
```
### Package/Application Inventory
**Linux (Debian/Ubuntu):**
```sql
SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC;
```
**Linux (RHEL/CentOS):**
```sql
SELECT name, version, install_time
FROM rpm_packages
ORDER BY install_time DESC;
```
**macOS:**
```sql
SELECT name, path, bundle_version, last_opened_time
FROM apps
ORDER BY last_opened_time DESC;
```
**Windows:**
```sql
SELECT name, version, install_location, install_date
FROM programs
ORDER BY install_date DESC;
```
### Network Connections
**All Platforms:**
```sql
-- Active connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.state = 'ESTABLISHED';
```
**Platform-specific filtering:**
```sql
-- Linux: Filter by network namespace
SELECT * FROM process_open_sockets
WHERE pid IN (SELECT pid FROM processes WHERE root != '/');
-- macOS: Include code signature
SELECT p.name, ps.remote_address, s.authority
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN signature s ON p.path = s.path;
-- Windows: Include service name
SELECT p.name, s.name AS service_name, ps.remote_address
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN services s ON p.path = s.path;
```
## Platform Detection in Queries
Use `os_version` table to detect platform:
```sql
-- Get current platform
SELECT platform, name, version FROM os_version;
-- Platform-specific queries
SELECT CASE
WHEN platform = 'darwin' THEN (SELECT COUNT(*) FROM launchd)
WHEN platform LIKE '%linux%' THEN (SELECT COUNT(*) FROM systemd_units)
WHEN platform LIKE '%windows%' THEN (SELECT COUNT(*) FROM services)
ELSE 0
END AS persistence_count
FROM os_version;
```
## Best Practices for Cross-Platform Queries
1. **Check table availability** before querying:
```bash
osqueryi ".tables" | grep <table_name>
```
2. **Use platform detection** for conditional logic
3. **Test queries on each platform** - column names may vary slightly
4. **Document platform requirements** in query comments
5. **Create platform-specific query packs** for osqueryd
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/)
- [Platform-specific table reference](https://osquery.io/schema/)
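Review bot: the CASE example under "Platform Detection in Queries" cannot run on any single platform: SQLite resolves every table name when it prepares the statement, so a query that references `launchd`, `systemd_units` and `services` together fails wherever at least one of those tables does not exist, which is everywhere. Either drop it or present it as three per-platform queries chosen after the `SELECT platform ... FROM os_version` check. Two smaller points in the same file: the comment `-- Linux: Filter by network namespace` does not match its query, which filters on `processes.root` (a chroot indicator) and never touches the `process_namespaces` table listed above; and `WHERE key LIKE '%Run%'` in the Windows persistence translation matches far more than the Run keys and, unlike the earlier `'%\\Run' OR key LIKE '%\\RunOnce'` form, starts the pattern with a wildcard so the `registry` table has no hive to open (verify, but it most likely returns nothing); anchor it on an explicit `HKEY_LOCAL_MACHINE\...\CurrentVersion\Run` path.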


@@ -0,0 +1,479 @@
# osquery Table Reference for Forensic Investigations
Comprehensive guide to osquery tables most relevant for incident response and forensic analysis.
## Table of Contents
- [Process Tables](#process-tables)
- [Network Tables](#network-tables)
- [File System Tables](#file-system-tables)
- [User and Authentication Tables](#user-and-authentication-tables)
- [System Information Tables](#system-information-tables)
- [Persistence Mechanism Tables](#persistence-mechanism-tables)
- [Platform-Specific Tables](#platform-specific-tables)
## Process Tables
### processes
Query running processes with detailed information.
**Key columns**: pid, name, path, cmdline, cwd, uid, gid, parent, pgroup, state, on_disk, start_time
```sql
-- Basic process listing
SELECT pid, name, path, cmdline, uid FROM processes;
-- Processes with deleted executables (malware indicator)
SELECT * FROM processes WHERE on_disk = 0;
-- Process tree
SELECT p1.pid, p1.name, p1.cmdline, p2.pid AS parent_pid, p2.name AS parent_name
FROM processes p1
LEFT JOIN processes p2 ON p1.parent = p2.pid;
```
### process_open_sockets
Network sockets opened by processes.
**Key columns**: pid, socket, family, protocol, local_address, local_port, remote_address, remote_port, state
```sql
-- Active external connections
SELECT p.name, ps.remote_address, ps.remote_port, ps.state, p.cmdline
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');
```
### process_memory_map
Memory regions mapped by processes (useful for detecting injections).
**Key columns**: pid, start, end, permissions, path, pseudo
```sql
-- Detect suspicious memory mappings
SELECT p.name, pm.path, pm.permissions, p.cmdline
FROM process_memory_map pm
JOIN processes p ON pm.pid = p.pid
WHERE pm.path LIKE '%tmp%' OR pm.pseudo = 1;
```
### process_envs
Environment variables for running processes.
**Key columns**: pid, key, value
```sql
-- Check for suspicious environment variables
SELECT p.name, pe.key, pe.value
FROM process_envs pe
JOIN processes p ON pe.pid = p.pid
WHERE pe.key IN ('LD_PRELOAD', 'DYLD_INSERT_LIBRARIES', 'PATH');
```
## Network Tables
### listening_ports
Ports listening for connections.
**Key columns**: pid, port, protocol, family, address
```sql
-- Listening ports mapped to processes
SELECT lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```
### interface_addresses
Network interface IP addresses.
**Key columns**: interface, address, mask, broadcast
```sql
-- List all network interfaces and addresses
SELECT interface, address, mask, type FROM interface_addresses;
```
### routes
System routing table.
**Key columns**: destination, netmask, gateway, source, interface, type
```sql
-- Check routing table
SELECT destination, netmask, gateway, interface FROM routes;
```
### arp_cache
ARP table entries (detect ARP spoofing).
**Key columns**: address, mac, interface, permanent
```sql
-- ARP cache analysis
SELECT address, mac, interface FROM arp_cache ORDER BY address;
```
## File System Tables
### file
Query file system metadata.
**Key columns**: path, directory, filename, size, mtime, atime, ctime, mode, uid, gid, type
```sql
-- Recently modified files in sensitive directories
SELECT path, filename, mtime, uid, gid, mode
FROM file
WHERE path LIKE '/etc/%'
OR path LIKE '/usr/bin/%'
OR path LIKE '/usr/sbin/%'
ORDER BY mtime DESC LIMIT 50;
-- SUID/SGID binaries
SELECT path, filename, mode, uid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND path LIKE '/usr/%';
```
### hash
File cryptographic hashes (MD5, SHA1, SHA256).
**Key columns**: path, directory, filename, md5, sha1, sha256, size
```sql
-- Hash files in suspicious locations
SELECT path, filename, md5, sha256
FROM hash
WHERE path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%';
```
### file_events
Real-time file system change monitoring (requires file integrity monitoring).
**Key columns**: target_path, action, time, pid, uid, gid
```sql
-- Recent file modifications
SELECT target_path, action, time, pid
FROM file_events
WHERE action IN ('CREATED', 'UPDATED', 'DELETED')
AND time > strftime('%s', 'now') - 3600;
```
## User and Authentication Tables
### users
System user accounts.
**Key columns**: uid, gid, username, description, directory, shell
```sql
-- Users with login shells
SELECT username, uid, gid, shell, directory
FROM users
WHERE shell NOT LIKE '%nologin%' AND shell NOT LIKE '%false';
-- Recent user additions (requires tracking)
SELECT * FROM users ORDER BY uid DESC LIMIT 10;
```
### logged_in_users
Currently logged-in users.
**Key columns**: user, tty, host, time, pid
```sql
-- Active user sessions
SELECT user, tty, host, time FROM logged_in_users;
```
### last
Login history (last command output).
**Key columns**: username, tty, pid, type, time, host
```sql
-- Recent login history
SELECT username, tty, host, time, type
FROM last
ORDER BY time DESC LIMIT 50;
```
### groups
User groups.
**Key columns**: gid, groupname
```sql
-- List all groups
SELECT gid, groupname FROM groups;
```
### user_groups
User-to-group mappings.
**Key columns**: uid, gid
```sql
-- Users in admin groups
SELECT u.username, g.groupname
FROM users u
JOIN user_groups ug ON u.uid = ug.uid
JOIN groups g ON ug.gid = g.gid
WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root');
```
## System Information Tables
### system_info
System hardware and OS information.
**Key columns**: hostname, uuid, cpu_type, cpu_brand, physical_memory, hardware_model
```sql
-- System information
SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;
```
### os_version
Operating system version details.
**Key columns**: name, version, major, minor, patch, build, platform
```sql
-- OS version
SELECT name, version, platform, build FROM os_version;
```
### kernel_info
Kernel version and parameters.
**Key columns**: version, arguments, path, device
```sql
-- Kernel information
SELECT version, arguments FROM kernel_info;
```
### uptime
System uptime.
**Key columns**: days, hours, minutes, seconds, total_seconds
```sql
-- System uptime
SELECT days, hours, minutes FROM uptime;
```
## Persistence Mechanism Tables
### crontab
Scheduled cron jobs (Linux/macOS).
**Key columns**: event, minute, hour, day_of_month, month, day_of_week, command, path
```sql
-- All cron jobs
SELECT event, command, path FROM crontab;
-- Suspicious cron commands
SELECT * FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%base64%';
```
### scheduled_tasks (Windows)
Windows scheduled tasks.
**Key columns**: name, action, path, enabled, state
```sql
-- Enabled scheduled tasks
SELECT name, action, path, state FROM scheduled_tasks WHERE enabled = 1;
```
### startup_items (macOS)
macOS startup items.
**Key columns**: name, path, args, type, source, status
```sql
-- macOS startup items
SELECT name, path, type, source FROM startup_items;
```
### launchd (macOS)
macOS launch agents and daemons.
**Key columns**: name, path, program, program_arguments, run_at_load, keep_alive
```sql
-- Launch agents/daemons that run at load
SELECT name, path, program, program_arguments
FROM launchd
WHERE run_at_load = 1;
```
### registry (Windows)
Windows registry access.
**Key columns**: key, name, type, data, path
```sql
-- Registry Run keys
SELECT key, name, path, data
FROM registry
WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';
```
### services (Windows)
Windows services.
**Key columns**: name, display_name, status, path, start_type, user_account
```sql
-- Auto-start services
SELECT name, display_name, path, user_account
FROM services
WHERE start_type = 'AUTO_START';
```
### systemd_units (Linux)
Linux systemd services.
**Key columns**: id, description, load_state, active_state, sub_state, fragment_path
```sql
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Non-default systemd services
SELECT * FROM systemd_units
WHERE fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Platform-Specific Tables
### kernel_modules (Linux)
Loaded kernel modules.
**Key columns**: name, size, used_by, status, address
```sql
-- Loaded kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
```
### kernel_extensions (macOS)
macOS kernel extensions (kexts).
**Key columns**: name, version, path, loaded
```sql
-- Loaded kernel extensions
SELECT name, version, path FROM kernel_extensions WHERE loaded = 1;
```
### drivers (Windows)
Windows device drivers.
**Key columns**: device_id, device_name, image, provider, service, service_key
```sql
-- Loaded drivers
SELECT device_name, image, provider, service FROM drivers;
```
### chrome_extensions
Chrome browser extensions.
**Key columns**: name, identifier, version, description, path, author
```sql
-- Installed Chrome extensions
SELECT name, version, description, path FROM chrome_extensions;
```
### firefox_addons
Firefox browser add-ons.
**Key columns**: name, identifier, version, description, source_url, visible
```sql
-- Installed Firefox add-ons
SELECT name, version, description, source_url FROM firefox_addons;
```
## Query Optimization Tips
1. **Use WHERE clauses**: Always filter results to reduce query time
```sql
-- Bad: SELECT * FROM processes;
-- Good: SELECT * FROM processes WHERE uid = 0;
```
2. **Limit results**: Use LIMIT for large result sets
```sql
SELECT * FROM file WHERE path LIKE '/usr/%' LIMIT 100;
```
3. **Index columns**: Use indexed columns in WHERE clauses (pid, uid, path)
4. **Join efficiently**: Start with smaller tables when joining
```sql
SELECT * FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid; -- listening_ports is usually smaller
```
5. **Time filtering**: Use time comparisons for event tables
```sql
WHERE time > (strftime('%s', 'now') - 3600) -- Last hour
```
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/)
- [Table schemas by version](https://osquery.io/schema/)
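Review bot: the SUID/SGID query under `file` is wrong: `mode LIKE '%4%' OR mode LIKE '%2%'` matches any mode string containing a 4 or a 2 anywhere (a plain `0644` qualifies), so it flags most of `/usr` rather than setuid/setgid binaries. If `mode` is the four-digit octal string (`4755`, `2755`, `6755`), test the leading digit instead, e.g. `mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%'`, and say in the text which column format the query assumes. Also, `SELECT * FROM users ORDER BY uid DESC LIMIT 10` shows the highest UIDs, not recent additions; the "(requires tracking)" caveat should say that a differential scheduled query in osqueryd is what yields the "added" rows. The `registry` example repeats the over-broad `'%Run%' OR key LIKE '%RunOnce%'` pattern from the platform guide; use an anchored hive path there as well.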


@@ -0,0 +1,333 @@
---
name: ir-velociraptor
description: >
Endpoint visibility, digital forensics, and incident response using Velociraptor
Query Language (VQL) for evidence collection and threat hunting at scale. Use when:
(1) Conducting forensic investigations across multiple endpoints, (2) Hunting for
indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry
and artifacts for incident analysis, (4) Performing live response and evidence
preservation, (5) Monitoring endpoints for security events, (6) Creating custom
forensic artifacts for specific threat scenarios.
version: 0.1.0
maintainer: SirAppSec
category: incident-response
tags: [forensics, incident-response, endpoint-detection, threat-hunting, vql, dfir, live-response, evidence-collection]
frameworks: [MITRE-ATT&CK, NIST]
dependencies:
tools: [velociraptor]
references:
- https://docs.velociraptor.app/
- https://github.com/Velocidex/velociraptor
- https://docs.velociraptor.app/artifact_references/
---
# Velociraptor Incident Response
## Overview
Velociraptor is an endpoint visibility and forensics platform for collecting host-based state information using Velociraptor Query Language (VQL). It operates in three core modes: **Collect** (targeted evidence gathering), **Monitor** (continuous event capture), and **Hunt** (proactive threat hunting).
**When to use this skill**:
- Active incident response requiring endpoint evidence collection
- Threat hunting across enterprise infrastructure
- Digital forensics investigations and timeline analysis
- Endpoint monitoring and anomaly detection
- Custom forensic artifact development for specific threats
## Quick Start
### Local Forensic Triage (Standalone Mode)
```bash
# Download Velociraptor binary for your platform
# https://github.com/Velocidex/velociraptor/releases
# Run GUI mode for interactive investigation
velociraptor gui
# Access web interface at https://127.0.0.1:8889/
# Default admin credentials shown in console output
```
### Enterprise Server Deployment
```bash
# Generate server configuration
velociraptor config generate > server.config.yaml
# Start server
velociraptor --config server.config.yaml frontend
# Generate client configuration
velociraptor --config server.config.yaml config client > client.config.yaml
# Deploy clients across endpoints
velociraptor --config client.config.yaml client
```
## Core Incident Response Workflows
### Workflow 1: Initial Compromise Investigation
Progress:
[ ] 1. Identify affected endpoints and timeframe
[ ] 2. Collect authentication logs and suspicious logins
[ ] 3. Gather process execution history and command lines
[ ] 4. Extract network connection artifacts
[ ] 5. Collect persistence mechanisms (scheduled tasks, autoruns, services)
[ ] 6. Analyze file system modifications and suspicious files
[ ] 7. Extract memory artifacts if needed
[ ] 8. Build timeline and document IOCs
Work through each step systematically. Check off completed items.
**Key VQL Artifacts**:
- `Windows.EventLogs.RDP` - Remote desktop authentication events
- `Windows.System.Pslist` - Running processes with details
- `Windows.Network.NetstatEnriched` - Network connections with process context
- `Windows.Persistence.PermanentWMIEvents` - WMI-based persistence
- `Windows.Timeline.Prefetch` - Program execution timeline
- `Windows.Forensics.Timeline` - Comprehensive filesystem timeline
### Workflow 2: Threat Hunting Campaign
Progress:
[ ] 1. Define threat hypothesis and IOCs
[ ] 2. Select or create custom VQL artifacts for detection
[ ] 3. Create hunt targeting relevant endpoint groups
[ ] 4. Execute hunt across infrastructure
[ ] 5. Monitor collection progress and errors
[ ] 6. Analyze results and identify positive matches
[ ] 7. Triage findings and escalate confirmed threats
[ ] 8. Document TTPs and update detections
Work through each step systematically. Check off completed items.
**Common Hunt Scenarios**:
- Lateral movement detection (PsExec, WMI, remote services)
- Webshell identification on web servers
- Suspicious scheduled task discovery
- Credential dumping tool artifacts
- Malicious PowerShell execution patterns
### Workflow 3: Evidence Collection for Forensics
Progress:
[ ] 1. Document collection requirements and scope
[ ] 2. Create offline collector with required artifacts
[ ] 3. Deploy collector to target endpoint(s)
[ ] 4. Execute collection and verify completion
[ ] 5. Retrieve collection archive
[ ] 6. Validate evidence integrity (hashes)
[ ] 7. Import into forensic platform for analysis
[ ] 8. Document chain of custody
Work through each step systematically. Check off completed items.
```bash
# Create offline collector (no server required)
velociraptor --config server.config.yaml artifacts collect \
Windows.KapeFiles.Targets \
Windows.EventLogs.Evtx \
Windows.Registry.Sysinternals.Eulacheck \
--output /path/to/collection.zip
# For custom artifact collection
velociraptor artifacts collect Custom.Artifact.Name --args param=value
```
## VQL Query Patterns
### Pattern 1: Process Investigation
Search for suspicious process execution patterns:
```sql
-- Find processes with unusual parent-child relationships
SELECT Pid, Ppid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE Name =~ "(?i)(powershell|cmd|wscript|cscript)"
AND CommandLine =~ "(?i)(invoke|download|iex|bypass|hidden)"
```
### Pattern 2: Network Connection Analysis
Identify suspicious network connections:
```sql
-- Active connections with process context
SELECT Laddr.IP AS LocalIP,
Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Status, Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP =~ "^(?!10\\.)" -- External IPs only
```
### Pattern 3: File System Forensics
Timeline suspicious file modifications:
```sql
-- Recent file modifications in suspicious locations
SELECT FullPath, Size, Mtime, Atime, Ctime, Btime
FROM glob(globs="C:/Users/*/AppData/**/*.exe")
WHERE Mtime > timestamp(epoch=now() - 86400) -- Last 24 hours
ORDER BY Mtime DESC
```
### Pattern 4: Registry Persistence
Hunt for registry-based persistence:
```sql
-- Common autorun registry keys
SELECT Key.Name AS RegistryKey,
ValueName,
ValueData
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
WHERE ValueData =~ "(?i)(powershell|cmd|wscript|rundll32)"
```
For comprehensive VQL patterns and advanced queries, see [references/vql-patterns.md](references/vql-patterns.md)
## Custom Artifact Development
Create custom VQL artifacts for specific investigation needs:
```yaml
name: Custom.Windows.SuspiciousProcess
description: |
Detect processes with suspicious characteristics for incident response.
parameters:
- name: ProcessNameRegex
default: "(?i)(powershell|cmd|wscript)"
type: regex
- name: CommandLineRegex
default: "(?i)(invoke|download|bypass)"
type: regex
sources:
- query: |
SELECT Pid, Ppid, Name, CommandLine, Username, Exe, CreateTime
FROM pslist()
WHERE Name =~ ProcessNameRegex
AND CommandLine =~ CommandLineRegex
```
Save artifacts in YAML format and import via Velociraptor UI or command line.
**For artifact development guidance**, see [references/artifact-development.md](references/artifact-development.md)
## Security Considerations
- **Sensitive Data Handling**: VQL queries can collect credentials, PII, and sensitive files. Implement data minimization - only collect necessary evidence. Use encryption for evidence transport and storage.
- **Access Control**: Velociraptor server access provides significant endpoint control. Implement RBAC, audit all queries, and restrict administrative access. Use client certificates for authentication.
- **Audit Logging**: All VQL queries, hunts, and collections are logged. Enable audit trail for compliance. Document investigation scope and approvals.
- **Compliance**: Ensure evidence collection follows organizational policies and legal requirements. Document chain of custody for forensic investigations. Consider data sovereignty for multi-region deployments.
- **Operational Security**: Velociraptor generates significant endpoint activity. Plan for network bandwidth, endpoint performance impact, and detection by adversaries during covert investigations.
## Common Investigation Patterns
### Pattern: Ransomware Investigation
1. Identify patient zero endpoint
2. Collect: `Windows.Forensics.Timeline` for file modification patterns
3. Collect: `Windows.EventLogs.Evtx` for authentication events
4. Hunt for: Lateral movement artifacts across network
5. Hunt for: Scheduled tasks or services for persistence
6. Extract: Ransomware binary samples for malware analysis
7. Build: Timeline of infection spread and data encryption
### Pattern: Data Exfiltration Detection
1. Collect network connection history: `Windows.Network.NetstatEnriched`
2. Identify large outbound transfers to unusual destinations
3. Correlate with process execution and file access
4. Hunt for: Compression tools or staging directories
5. Examine: Browser downloads and cloud sync activities
6. Review: DNS queries for tunneling or C2 domains
7. Document: Data classification and breach scope
### Pattern: Insider Threat Investigation
1. Collect: User authentication and logon events
2. Track: USB device connections and file transfers
3. Monitor: Sensitive file access patterns
4. Review: Email and browser history (with authorization)
5. Analyze: Print spooler activity for document printing
6. Examine: Cloud storage access and uploads
7. Build: User activity timeline with behavioral anomalies
## Integration Points
- **SIEM Integration**: Export VQL results to Splunk, Elastic, or other SIEM platforms for correlation
- **Threat Intel Platforms**: Enrich IOCs with TIP integrations via VQL plugins
- **SOAR Platforms**: Trigger automated Velociraptor hunts from SOAR playbooks
- **Forensic Suites**: Import Velociraptor collections into X-Ways, Autopsy, or EnCase
- **EDR Interoperability**: Complement EDR with custom VQL detections and forensic depth
## Troubleshooting
### Issue: High CPU Usage During Collection
**Solution**:
- Limit concurrent VQL queries using `rate()` function
- Reduce glob scope to specific directories
- Use `--ops_per_second` limit when creating offline collectors
- Schedule resource-intensive hunts during maintenance windows
### Issue: Client Not Reporting to Server
**Solution**:
- Verify network connectivity and firewall rules (default: TCP 8000)
- Check client logs: `velociraptor --config client.config.yaml logs`
- Validate client certificate and enrollment status
- Ensure server frontend is running and accessible
### Issue: VQL Query Returns No Results
**Solution**:
- Test query in local notebook mode first
- Verify filesystem paths use correct syntax (forward slashes)
- Check plugin availability on target OS
- Use `log()` function to debug query execution
- Review client event logs for permission errors
## Bundled Resources
### Scripts (`scripts/`)
- `vql_query_builder.py` - Generate common VQL queries from templates
- `artifact_validator.py` - Validate custom artifact YAML syntax
- `evidence_collector.sh` - Automate offline collector deployment
### References (`references/`)
- `vql-patterns.md` - Comprehensive VQL query patterns for common IR scenarios
- `artifact-development.md` - Guide to creating custom forensic artifacts
- `mitre-attack-mapping.md` - MITRE ATT&CK technique detection artifacts
- `deployment-guide.md` - Enterprise server deployment and architecture
### Assets (`assets/`)
- `artifact-template.yaml` - Template for custom artifact development
- `hunt-template.yaml` - Hunt configuration template with best practices
- `offline-collector-config.yaml` - Offline collector configuration example
## References
- [Velociraptor Documentation](https://docs.velociraptor.app/)
- [VQL Reference](https://docs.velociraptor.app/vql_reference/)
- [Artifact Exchange](https://docs.velociraptor.app/exchange/)
- [GitHub Repository](https://github.com/Velocidex/velociraptor)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
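Review bot: the regex in Pattern 2, `Raddr.IP =~ "^(?!10\\.)"`, uses a negative lookahead, which the Go RE2 engine behind VQL does not support, so the query errors instead of filtering; express the exclusion as `NOT Raddr.IP =~ "^10\\."` (and, since the comment says `-- External IPs only`, exclude the other private and loopback ranges too). Under "High CPU Usage", check the VQL reference before keeping the `rate()` bullet: `rate()` computes a rate of change between values, it does not throttle query execution; the throttle is the `--ops_per_second` collector option already listed in the next bullet. Minor: the snippet headed "Create offline collector (no server required)" passes `--config server.config.yaml`, which contradicts its own comment.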


@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.


@@ -0,0 +1,133 @@
---
# Velociraptor Artifact Template
# Use this template to create custom forensic artifacts for incident response
name: Custom.IR.TemplateArtifact
description: |
Provide a comprehensive description of what this artifact collects and why.
## Use Cases
- Specific scenario 1
- Specific scenario 2
- Specific scenario 3
## Expected Output
Describe what data will be collected and its format.
## MITRE ATT&CK Mapping
- T1XXX.XXX: Technique Name
# Author information (optional but recommended)
author: Your Name <email@domain.com>
# Artifact type: CLIENT, SERVER, CLIENT_EVENT, SERVER_EVENT
type: CLIENT
# Parameters allow artifact customization
parameters:
- name: SearchPath
default: "C:/Users/**/AppData/**"
type: string
description: |
Directory path or glob pattern to search.
Supports wildcards: * (any characters), ** (recursive)
- name: DaysBack
default: 7
type: int
description: Number of days to look back for modifications
- name: FilePattern
default: "*.exe"
type: string
description: File extension or pattern to match
- name: IncludeHashes
default: Y
type: bool
description: Calculate SHA256 hash for each file
- name: MaxFileSize
default: 104857600
type: int
description: Maximum file size to hash (bytes, default 100MB)
# Optional: Check before running (OS, tool presence, etc.)
precondition: |
SELECT OS FROM info() WHERE OS = 'windows'
# Sources define the VQL queries to execute
sources:
# Main query source
- name: FileCollection
query: |
-- Calculate time threshold
LET StartTime = timestamp(epoch=now() - DaysBack * 86400)
-- Collect files matching criteria
LET MatchingFiles = SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS ModifiedTime,
timestamp(epoch=Ctime) AS CreatedTime,
timestamp(epoch=Atime) AS AccessedTime
FROM glob(globs=SearchPath + "/" + FilePattern)
WHERE NOT IsDir
AND Mtime > StartTime
AND Size < MaxFileSize
-- Conditionally add hashes
SELECT FullPath,
Size,
ModifiedTime,
CreatedTime,
AccessedTime,
if(condition=IncludeHashes,
then=hash(path=FullPath, accessor="file").SHA256,
else="<not computed>") AS SHA256
FROM MatchingFiles
ORDER BY ModifiedTime DESC
# Optional: Additional query source for related data
- name: FileMetadata
query: |
-- Example: Get additional metadata for PE files
SELECT FullPath,
parse_pe(file=FullPath) AS PEInfo
FROM glob(globs=SearchPath + "/**/*.exe")
WHERE PEInfo
# Optional: Report template for formatted output
reports:
- type: CLIENT
template: |
# {{ .ArtifactName }} Results
**Description:** {{ .Description }}
**Client:** {{ .ClientId }}
**Hostname:** {{ .Hostname }}
**Collection Time:** {{ .CollectionTime }}
## Summary
Total Files Found: {{ len .Rows }}
## Detailed Results
{{ range .Rows }}
### {{ .FullPath }}
- **Size:** {{ .Size }} bytes
- **Modified:** {{ .ModifiedTime }}
- **SHA256:** {{ .SHA256 }}
---
{{ end }}
# Optional: External documentation references
references:
- https://docs.velociraptor.app/docs/vql/
- https://attack.mitre.org/
# Optional: Required external tools or binaries
tools:
- name: ExampleTool
url: https://example.com/tool.exe
serve_locally: true
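Review bot: the `FileMetadata` source drops every filter the main source applies. It globs `SearchPath + "/**/*.exe"` (the default `SearchPath` already ends in `/**`, so this yields a redundant `/**/**/`) and calls `parse_pe()` on every match with no `DaysBack`, `MaxFileSize` or `FilePattern` constraint, so it can be far heavier on the endpoint than `FileCollection`; apply the same `WHERE NOT IsDir AND Mtime > StartTime AND Size < MaxFileSize` clause there (each source needs its own `LET StartTime`). Three smaller points: quote the bool default as `default: "Y"` so YAML 1.1 parsers do not coerce the bare `Y`; the report template reads `.Rows`, `.ArtifactName` and `.ClientId`, which should be checked against Velociraptor's report engine, where result rows are normally obtained with the `Query` template function rather than a `.Rows` field; and the placeholder `tools` entry pointing at `https://example.com/tool.exe` should be commented out until a real tool is needed so an imported copy of the template does not declare a tool that cannot be resolved.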

View File

@@ -0,0 +1,357 @@
# Security-Enhanced CI/CD Pipeline Template
#
# This template demonstrates security best practices for CI/CD pipelines.
# Adapt this template to your specific security tool and workflow needs.
#
# Key Security Features:
# - SAST (Static Application Security Testing)
# - Dependency vulnerability scanning
# - Secrets detection
# - Infrastructure-as-Code security scanning
# - Container image scanning
# - Security artifact uploading for compliance
name: Security Scan Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run weekly security scans on Sunday at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch: # Allow manual trigger
# Security: Restrict permissions to minimum required
permissions:
contents: read
security-events: write # For uploading SARIF results
pull-requests: write # For commenting on PRs
env:
# Configuration
SECURITY_SCAN_FAIL_ON: 'critical,high' # Fail build on these severities
REPORT_DIR: 'security-reports'
jobs:
# Job 1: Static Application Security Testing (SAST)
sast-scan:
name: SAST Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better analysis
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Run SAST Scanner
run: |
# Example: Using Semgrep for SAST
pip install semgrep
semgrep --config=auto \
--json \
--output ${{ env.REPORT_DIR }}/sast-results.json \
. || true
# Alternative: Bandit for Python projects
# pip install bandit
# bandit -r . -f json -o ${{ env.REPORT_DIR }}/bandit-results.json
- name: Process SAST Results
run: |
# Parse results and fail on critical/high severity
python3 -c "
import json
import sys
with open('${{ env.REPORT_DIR }}/sast-results.json') as f:
results = json.load(f)
critical = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'ERROR'])
high = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'WARNING'])
print(f'Critical findings: {critical}')
print(f'High findings: {high}')
if critical > 0:
print('❌ Build failed: Critical security issues found')
sys.exit(1)
elif high > 0:
print('⚠️ Warning: High severity issues found')
# Optionally fail on high severity
# sys.exit(1)
else:
print('✅ No critical security issues found')
"
- name: Upload SAST Results
if: always()
uses: actions/upload-artifact@v4
with:
name: sast-results
path: ${{ env.REPORT_DIR }}/sast-results.json
retention-days: 30
# Job 2: Dependency Vulnerability Scanning
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Scan Python Dependencies
if: hashFiles('requirements.txt') != ''
run: |
pip install safety
safety check \
--json \
--output ${{ env.REPORT_DIR }}/safety-results.json \
|| true
- name: Scan Node Dependencies
if: hashFiles('package.json') != ''
run: |
npm audit --json > ${{ env.REPORT_DIR }}/npm-audit.json || true
- name: Process Dependency Results
run: |
# Check for critical vulnerabilities
if [ -f "${{ env.REPORT_DIR }}/safety-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/safety-results.json')); print(len([v for v in data.get('vulnerabilities', []) if v.get('severity', '').lower() == 'critical']))")
echo "Critical vulnerabilities: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "❌ Build failed: Critical vulnerabilities in dependencies"
exit 1
fi
fi
- name: Upload Dependency Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: dependency-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 3: Secrets Detection
secrets-scan:
name: Secrets Detection
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history to scan all commits
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_SUMMARY: true
- name: Alternative - TruffleHog Scan
if: false # Set to true to enable
run: |
pip install truffleHog
trufflehog --json --regex --entropy=True . \
> ${{ env.REPORT_DIR }}/trufflehog-results.json || true
- name: Upload Secrets Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: secrets-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 4: Container Image Scanning
container-scan:
name: Container Image Security Scan
runs-on: ubuntu-latest
if: hashFiles('Dockerfile') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker Image
run: |
docker build -t app:${{ github.sha }} .
- name: Run Trivy Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: app:${{ github.sha }}
format: 'sarif'
output: '${{ env.REPORT_DIR }}/trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy Results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '${{ env.REPORT_DIR }}/trivy-results.sarif'
- name: Upload Container Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: container-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 5: Infrastructure-as-Code Security Scanning
iac-scan:
name: IaC Security Scan
runs-on: ubuntu-latest
if: hashFiles('**/*.tf', '**/*.yaml', '**/*.yml') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov
run: |
pip install checkov
checkov -d . \
--output json \
--output-file ${{ env.REPORT_DIR }}/checkov-results.json \
--quiet \
|| true
- name: Run tfsec (for Terraform)
if: hashFiles('**/*.tf') != ''
run: |
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
tfsec . \
--format json \
--out ${{ env.REPORT_DIR }}/tfsec-results.json \
|| true
- name: Process IaC Results
run: |
# Fail on critical findings
if [ -f "${{ env.REPORT_DIR }}/checkov-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/checkov-results.json')); print(data.get('summary', {}).get('failed', 0))")
echo "Failed checks: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "⚠️ Warning: IaC security issues found"
# Optionally fail the build
# exit 1
fi
fi
- name: Upload IaC Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: iac-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 6: Security Report Generation and Notification
security-report:
name: Generate Security Report
runs-on: ubuntu-latest
needs: [sast-scan, dependency-scan, secrets-scan]
if: always()
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download All Scan Results
uses: actions/download-artifact@v4
with:
path: all-results/
- name: Generate Consolidated Report
run: |
# Consolidate all security scan results
mkdir -p consolidated-report
cat > consolidated-report/security-summary.md << 'EOF'
# Security Scan Summary
**Scan Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
**Commit**: ${{ github.sha }}
**Branch**: ${{ github.ref_name }}
## Scan Results
### SAST Scan
See artifacts: `sast-results`
### Dependency Scan
See artifacts: `dependency-scan-results`
### Secrets Scan
See artifacts: `secrets-scan-results`
### Container Scan
See artifacts: `container-scan-results`
### IaC Scan
See artifacts: `iac-scan-results`
---
For detailed results, download scan artifacts from this workflow run.
EOF
- name: Comment on PR (if applicable)
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('consolidated-report/security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: report
});
- name: Upload Consolidated Report
if: always()
uses: actions/upload-artifact@v4
with:
name: consolidated-security-report
path: consolidated-report/
retention-days: 90
# Security Best Practices Demonstrated:
#
# 1. ✅ Minimal permissions (principle of least privilege)
# 2. ✅ Multiple security scan types (defense in depth)
# 3. ✅ Fail-fast on critical findings
# 4. ✅ Secrets detection across full git history
# 5. ✅ Container image scanning before deployment
# 6. ✅ IaC scanning for misconfigurations
# 7. ✅ Artifact retention for compliance audit trail
# 8. ✅ SARIF format for GitHub Security integration
# 9. ✅ Scheduled scans for continuous monitoring
# 10. ✅ PR comments for developer feedback
#
# Compliance Mappings:
# - SOC 2: CC6.1, CC6.6, CC7.2 (Security monitoring and logging)
# - PCI-DSS: 6.2, 6.5 (Secure development practices)
# - NIST: SA-11 (Developer Security Testing)
# - OWASP: Integrated security testing throughout SDLC
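Review bot: `REPORT_DIR` (`security-reports`) is never created, so the first write into it fails: `semgrep ... --output ${{ env.REPORT_DIR }}/sast-results.json`, `safety check --output ...` and the shell redirect `npm audit --json > ${{ env.REPORT_DIR }}/npm-audit.json` all need the directory to exist, and the trailing `|| true` then hides the failure until `Process SAST Results` crashes on the missing file. Add a `mkdir -p "${{ env.REPORT_DIR }}"` step to every job that writes there. Other points: `security-report` declares `needs: [sast-scan, dependency-scan, secrets-scan]` but its summary lists container and IaC artifacts too, so add `container-scan` and `iac-scan` to `needs` (they are conditional, so keep `if: always()`); `**Scan Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")` is written literally because the heredoc delimiter is quoted (`<< 'EOF'`), so compute the date into a variable first or unquote the delimiter (the `${{ github.sha }}` expressions are unaffected, since the runner expands them before the shell runs); `aquasecurity/trivy-action@master` and `curl ... install_linux.sh | bash` pull unpinned code into the build, so pin the action to a release tag or commit SHA and install tfsec from a pinned release with a checksum; and `SECURITY_SCAN_FAIL_ON` is defined but never read, while the Semgrep step hard-codes `ERROR` as critical and `WARNING` as high, so either wire the env var into the gating logic or drop it.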

View File

@@ -0,0 +1,210 @@
# Velociraptor Hunt Configuration Template
# Use this template to create hunts for organization-wide threat hunting
hunt_description: |
# Hunt: [Descriptive Name]
## Objective
Describe the goal of this hunt (e.g., detect lateral movement, find webshells)
## Hypothesis
What threat or activity are you looking for?
## Timeline
Start Date: YYYY-MM-DD
Expected Duration: X days
Priority: High/Medium/Low
## Artifacts
List of artifacts to collect:
- Artifact.Name.One
- Artifact.Name.Two
## Expected Findings
What constitutes a positive match?
## Triage Criteria
How to prioritize results for investigation?
# Hunt Configuration
configuration:
# Artifact to run across endpoints
artifact: Windows.Detection.SuspiciousProcess
# Artifact parameters (if any)
parameters:
ProcessPattern: "(?i)(powershell|cmd|wscript)"
CommandLinePattern: "(?i)(bypass|hidden|encodedcommand)"
# Target selection
target:
# Option 1: Include all clients
include_all: true
# Option 2: Specific client labels
include_labels:
- "Production-Servers"
- "High-Value-Assets"
# Option 3: Exclude certain clients
exclude_labels:
- "Test-Systems"
# Option 4: Operating system filter
os_condition: "Windows"
# Option 5: Custom VQL condition
client_condition: |
SELECT client_id FROM clients()
WHERE os_info.system = "windows"
AND last_seen_at > now() - 3600
# Resource limits to prevent endpoint impact
resource_limits:
# Maximum CPU usage percentage
cpu_limit: 50
# Maximum number of rows to return per client
max_rows: 10000
# Maximum execution time per client (seconds)
max_execution_time: 600
# Operations per second limit (for filesystem operations)
ops_per_second: 100
# Collection timeout
timeout: 3600 # 1 hour
# Hunt scheduling
schedule:
# Start immediately
start_time: "now"
# Or schedule for specific time (RFC3339 format)
# start_time: "2024-01-15T02:00:00Z"
# Expiration (auto-stop after this time)
expiration: 86400 # 24 hours from start
# Client rolling deployment
rolling_deployment:
# Enable gradual rollout
enabled: true
# Number of clients to run on initially
initial_clients: 10
# Percentage to add every X minutes
increment_percentage: 10
increment_interval: 300 # 5 minutes
# Analysis Guidelines
analysis:
positive_indicators:
- "Process running from temp directory"
- "Obfuscated command line parameters"
- "Unusual parent-child process relationships"
triage_priority:
critical:
- "Known malicious process names"
- "Connections to known C2 infrastructure"
high:
- "Living-off-the-land binaries with suspicious arguments"
- "PowerShell execution with bypass flags"
medium:
- "Unusual process execution times"
- "Processes running as SYSTEM from user directories"
investigation_steps:
- "Review full process tree"
- "Check network connections"
- "Examine file system timeline"
- "Correlate with other hunt results"
- "Check threat intelligence feeds"
# Post-Hunt Actions
post_hunt:
# Notification settings
notifications:
- type: email
recipients:
- ir-team@company.com
on_complete: true
on_match: true
- type: slack
webhook: "https://hooks.slack.com/services/..."
channel: "#security-alerts"
# Automatic follow-up collections
follow_up_artifacts:
- name: Windows.Forensics.Timeline
condition: "positive_match"
parameters:
StartDate: "hunt_start_time"
- name: Windows.Memory.Acquisition
condition: "critical_match"
parameters:
TargetPath: "C:/ir-evidence/"
# Reporting
reports:
- type: summary
format: html
include_statistics: true
- type: detailed
format: json
include_all_results: true
# Documentation
metadata:
created_by: "analyst@company.com"
created_date: "2024-01-15"
last_modified: "2024-01-15"
version: "1.0"
# Compliance and audit trail
approval:
requested_by: "IR Team Lead"
approved_by: "CISO"
approval_date: "2024-01-14"
ticket_reference: "INC-12345"
# MITRE ATT&CK mapping
mitre_attack:
tactics:
- "TA0002: Execution"
- "TA0005: Defense Evasion"
techniques:
- "T1059.001: PowerShell"
- "T1027: Obfuscated Files or Information"
# Sample VQL for hunt creation via command line
sample_commands: |
# Create hunt from artifact
velociraptor --config server.config.yaml query "
SELECT hunt_id FROM hunt(
artifact='Windows.Detection.SuspiciousProcess',
description='Hunt for suspicious process execution',
include_labels=['Production-Servers'],
cpu_limit=50,
timeout=3600
)
"
# Monitor hunt progress
velociraptor --config server.config.yaml query "
SELECT hunt_id, state, total_clients_scheduled,
total_clients_with_results, total_clients_with_errors
FROM hunt_status()
WHERE hunt_id = 'H.1234567890'
"
# Export hunt results
velociraptor --config server.config.yaml query "
SELECT * FROM hunt_results(hunt_id='H.1234567890')
" --format json > hunt_results.json

View File

@@ -0,0 +1,270 @@
# Velociraptor Offline Collector Configuration
# Configuration for creating standalone collectors that don't require server connection
# Collector metadata
collector_info:
name: "IR-Collector-Incident-Response"
version: "1.0"
description: |
Offline collector for incident response evidence gathering.
Collects key artifacts without requiring Velociraptor server.
created_by: "IR Team"
created_date: "2024-01-15"
incident_reference: "INC-12345"
# Target platform
# Options: windows, linux, macos, all
target_platform: windows
# Artifacts to collect
artifacts:
# System Information
- name: Generic.Client.Info
description: "Basic system information"
# Process Information
- name: Windows.System.Pslist
description: "Running processes"
parameters:
CalculateHashes: "Y"
# Network Connections
- name: Windows.Network.NetstatEnriched
description: "Network connections with process context"
# Persistence Mechanisms
- name: Windows.Persistence.PermanentRuns
description: "Registry Run keys and startup locations"
- name: Windows.System.TaskScheduler
description: "Scheduled tasks"
- name: Windows.System.Services
description: "Windows services"
# Event Logs
- name: Windows.EventLogs.EvtxHunter
description: "Security-relevant event logs"
parameters:
EvtxGlob: "C:/Windows/System32/winevt/Logs/{Security,System,Application}.evtx"
# Filter for last 7 days
DateAfter: "{{subtract (now) (duration \"168h\")}}"
# File System Timeline
- name: Windows.Forensics.Timeline
description: "Filesystem timeline"
parameters:
# Limit to key directories
PathGlob: |
C:/Users/*/AppData/**
C:/Windows/Temp/**
C:/ProgramData/**
DateAfter: "{{subtract (now) (duration \"168h\")}}"
# Prefetch Analysis
- name: Windows.Forensics.Prefetch
description: "Program execution artifacts"
# USB Device History
- name: Windows.Forensics.USBDevices
description: "USB device connection history"
# Browser History (if needed)
# - name: Windows.Browsers.Chrome
# description: "Chrome browser history"
# Registry Forensics
# - name: Windows.Registry.RecentDocs
# description: "Recently accessed files from registry"
# Collection Configuration
collection_config:
# Output options
output:
# Compression format: zip, tar
format: zip
# Output filename template
filename_template: "collection-{{.Hostname}}-{{.Now.Unix}}.zip"
# Encryption (optional)
# encryption:
# enabled: true
# public_key_file: "collector-public.pem"
# Output location
output_directory: "."
# Resource limits
resource_limits:
# Maximum CPU usage (percentage)
cpu_limit: 70
# Maximum memory usage (MB)
max_memory: 2048
# I/O operations per second limit
ops_per_second: 500
# Maximum collection time (seconds)
max_execution_time: 3600
# Maximum output size (bytes, 0 = unlimited)
max_output_size: 10737418240 # 10GB
# Progress reporting
progress:
# Show progress bar
show_progress: true
# Log file location
log_file: "collector.log"
# Log level: DEBUG, INFO, WARN, ERROR
log_level: INFO
# Artifact execution options
execution:
# Run artifacts in parallel (faster but more resource intensive)
parallel: false
# Number of concurrent artifacts (if parallel enabled)
max_parallel: 3
# Continue on artifact errors
continue_on_error: true
# Timeout per artifact (seconds)
artifact_timeout: 600
# Pre-collection Checks
pre_collection:
# Verify requirements before starting
checks:
# Minimum free disk space (bytes)
min_disk_space: 5368709120 # 5GB
# Check for admin/root privileges
require_admin: true
# Verify OS compatibility
verify_os: true
# Warnings (not blocking)
warnings:
# Warn if antivirus is active
warn_av_active: true
# Warn if disk space is limited
warn_disk_space_threshold: 10737418240 # 10GB
# Post-collection Actions
post_collection:
# Automatic uploads (if network available)
# uploads:
# - type: smb
# path: "\\\\evidence-server\\ir-collections\\"
# credentials_file: "smb-creds.json"
#
# - type: s3
# bucket: "ir-evidence-bucket"
# region: "us-east-1"
# credentials_file: "aws-creds.json"
# Hash the output file
generate_hash: true
hash_algorithms:
- sha256
- md5
# Generate collection report
generate_report: true
report_format: html
# Cleanup options
cleanup:
# Delete temp files after collection
delete_temp_files: true
# Secure delete collector binary after execution (optional)
# secure_delete_collector: false
# Deployment Options
deployment:
# Create executable for easy deployment
executable:
# Embed configuration in binary
embed_config: true
# Self-extracting executable
self_extracting: true
# Icon file (optional)
# icon_file: "collector-icon.ico"
# Code signing (optional)
# signing:
# certificate_file: "code-signing-cert.pfx"
# password_file: "cert-password.txt"
# Packaging
package:
# Include README with instructions
include_readme: true
# Include hash verification file
include_hashes: true
# Include deployment script
# include_deployment_script: true
# Usage Instructions (embedded in collector)
usage_instructions: |
VELOCIRAPTOR OFFLINE COLLECTOR
This collector gathers forensic artifacts for incident response.
No network connection or Velociraptor server required.
REQUIREMENTS:
- Administrator/root privileges
- Minimum 5GB free disk space
- Windows 7/Server 2008 R2 or later
USAGE:
collector.exe [OPTIONS]
OPTIONS:
--output DIR Output directory (default: current directory)
--verbose Enable verbose logging
--help Show this help message
EXAMPLE:
# Run with default settings
collector.exe
# Specify output directory
collector.exe --output C:\\Evidence\\
OUTPUT:
Collection results saved to: collection-[hostname]-[timestamp].zip
IMPORTANT:
- Preserve chain of custody
- Document collection time and collector version
- Securely transfer collection to analysis system
- Do not run on production systems without approval
For support: ir-team@company.com
# Sample command to create collector from this config
sample_command: |
velociraptor --config server.config.yaml artifacts collect \
Windows.System.Pslist \
Windows.Network.NetstatEnriched \
Windows.Persistence.PermanentRuns \
Windows.EventLogs.EvtxHunter \
Windows.Forensics.Timeline \
--output collector.zip \
--cpu_limit 70 \
--progress
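Review bot: the `DateAfter: "{{subtract (now) (duration \"168h\")}}"` values under `Windows.EventLogs.EvtxHunter` and `Windows.Forensics.Timeline` will not be evaluated; artifact parameters are handed to VQL as literal strings, and `DateAfter` expects a timestamp, so either compute the cut-off when the collector is built or leave the parameter unset and filter at analysis time. The `sample_command` does not build an offline collector: `velociraptor --config server.config.yaml artifacts collect ... --output collector.zip` runs the listed artifacts on the host it is executed on and writes their results to `collector.zip`; a standalone collector binary is produced from the server GUI's Offline Collector builder (the `Server.Utils.CreateCollector` artifact), which is where the `output`, `resource_limits` and `artifacts` sections of this file actually map. Two smaller points: `hash_algorithms` lists `md5` beside `sha256`, so state that SHA-256 is the integrity hash of record and MD5 only a legacy cross-check; and the commented `credentials_file` entries for the SMB and S3 uploads should carry a warning that long-lived credentials must never be embedded in a collector shipped to endpoints, since the binary can be recovered from any host it runs on.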

View File

@@ -0,0 +1,355 @@
# Security Rule Template
#
# This template demonstrates how to structure security rules/policies.
# Adapt this template to your specific security tool (Semgrep, OPA, etc.)
#
# Rule Structure Best Practices:
# - Clear rule ID and metadata
# - Severity classification
# - Framework mappings (OWASP, CWE)
# - Remediation guidance
# - Example vulnerable and fixed code
rules:
# Example Rule 1: SQL Injection Detection
- id: sql-injection-string-concatenation
metadata:
name: "SQL Injection via String Concatenation"
description: "Detects potential SQL injection vulnerabilities from string concatenation in SQL queries"
severity: "HIGH"
category: "security"
subcategory: "injection"
# Security Framework Mappings
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-89: SQL Injection"
mitre_attack:
- "T1190: Exploit Public-Facing Application"
# Compliance Standards
compliance:
- "PCI-DSS 6.5.1: Injection flaws"
- "NIST 800-53 SI-10: Information Input Validation"
# Confidence and Impact
confidence: "HIGH"
likelihood: "HIGH"
impact: "HIGH"
# References
references:
- "https://owasp.org/www-community/attacks/SQL_Injection"
- "https://cwe.mitre.org/data/definitions/89.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
# Languages this rule applies to
languages:
- python
- javascript
- java
- go
# Detection Pattern (example using Semgrep-style syntax)
pattern-either:
- pattern: |
cursor.execute($SQL + $VAR)
- pattern: |
cursor.execute(f"... {$VAR} ...")
- pattern: |
cursor.execute("..." + $VAR + "...")
# What to report when found
message: |
Potential SQL injection vulnerability detected. SQL query is constructed using
string concatenation or f-strings with user input. This allows attackers to
inject malicious SQL code.
Use parameterized queries instead:
- Python: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
- JavaScript: db.query("SELECT * FROM users WHERE id = $1", [userId])
See: https://owasp.org/www-community/attacks/SQL_Injection
# Suggested fix (auto-fix if supported)
fix: |
Use parameterized queries with placeholders
# Example vulnerable code
examples:
- vulnerable: |
# Vulnerable: String concatenation
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
- fixed: |
# Fixed: Parameterized query
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
# Example Rule 2: Hardcoded Secrets Detection
- id: hardcoded-secret-credential
metadata:
name: "Hardcoded Secret or Credential"
description: "Detects hardcoded secrets, API keys, passwords, or tokens in source code"
severity: "CRITICAL"
category: "security"
subcategory: "secrets"
owasp:
- "A07:2021 - Identification and Authentication Failures"
cwe:
- "CWE-798: Use of Hard-coded Credentials"
- "CWE-259: Use of Hard-coded Password"
compliance:
- "PCI-DSS 8.2.1: Use of strong cryptography"
- "SOC 2 CC6.1: Logical access controls"
- "GDPR Article 32: Security of processing"
confidence: "MEDIUM"
likelihood: "HIGH"
impact: "CRITICAL"
references:
- "https://cwe.mitre.org/data/definitions/798.html"
- "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password"
languages:
- python
- javascript
- java
- go
- ruby
pattern-either:
- pattern: |
password = "..."
- pattern: |
api_key = "..."
- pattern: |
secret = "..."
- pattern: |
token = "..."
pattern-not: |
$VAR = ""
message: |
Potential hardcoded secret detected. Hardcoding credentials in source code
is a critical security vulnerability that can lead to unauthorized access
if the code is exposed.
Use environment variables or a secrets management system instead:
- Python: os.environ.get('API_KEY')
- Node.js: process.env.API_KEY
- Secrets Manager: AWS Secrets Manager, HashiCorp Vault, etc.
See: https://cwe.mitre.org/data/definitions/798.html
examples:
- vulnerable: |
# Vulnerable: Hardcoded API key
api_key = "sk-1234567890abcdef"
api.authenticate(api_key)
- fixed: |
# Fixed: Environment variable
import os
api_key = os.environ.get('API_KEY')
if not api_key:
raise ValueError("API_KEY environment variable not set")
api.authenticate(api_key)
# Example Rule 3: XSS via Unsafe HTML Rendering
- id: xss-unsafe-html-rendering
metadata:
name: "Cross-Site Scripting (XSS) via Unsafe HTML"
description: "Detects unsafe HTML rendering that could lead to XSS vulnerabilities"
severity: "HIGH"
category: "security"
subcategory: "xss"
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-79: Cross-site Scripting (XSS)"
- "CWE-80: Improper Neutralization of Script-Related HTML Tags"
compliance:
- "PCI-DSS 6.5.7: Cross-site scripting"
- "NIST 800-53 SI-10: Information Input Validation"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://owasp.org/www-community/attacks/xss/"
- "https://cwe.mitre.org/data/definitions/79.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
languages:
- javascript
- typescript
- jsx
- tsx
pattern-either:
- pattern: |
dangerouslySetInnerHTML={{__html: $VAR}}
- pattern: |
innerHTML = $VAR
message: |
Potential XSS vulnerability detected. Setting HTML content directly from
user input without sanitization can allow attackers to inject malicious
JavaScript code.
Use one of these safe alternatives:
- React: Use {userInput} for automatic escaping
- DOMPurify: const clean = DOMPurify.sanitize(dirty);
- Framework-specific sanitizers
See: https://owasp.org/www-community/attacks/xss/
examples:
- vulnerable: |
// Vulnerable: Unsanitized HTML
function UserComment({ comment }) {
return <div dangerouslySetInnerHTML={{__html: comment}} />;
}
- fixed: |
// Fixed: Sanitized with DOMPurify
import DOMPurify from 'dompurify';
function UserComment({ comment }) {
const sanitized = DOMPurify.sanitize(comment);
return <div dangerouslySetInnerHTML={{__html: sanitized}} />;
}
# Example Rule 4: Insecure Cryptography
- id: weak-cryptographic-algorithm
metadata:
name: "Weak Cryptographic Algorithm"
description: "Detects use of weak or deprecated cryptographic algorithms"
severity: "HIGH"
category: "security"
subcategory: "cryptography"
owasp:
- "A02:2021 - Cryptographic Failures"
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
- "CWE-326: Inadequate Encryption Strength"
compliance:
- "PCI-DSS 4.1: Use strong cryptography"
- "NIST 800-53 SC-13: Cryptographic Protection"
- "GDPR Article 32: Security of processing"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://cwe.mitre.org/data/definitions/327.html"
- "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/"
languages:
- python
- javascript
- java
pattern-either:
- pattern: |
hashlib.md5(...)
- pattern: |
hashlib.sha1(...)
- pattern: |
crypto.createHash('md5')
- pattern: |
crypto.createHash('sha1')
message: |
Weak cryptographic algorithm detected (MD5 or SHA1). These algorithms are
considered cryptographically broken and should not be used for security purposes.
Use strong alternatives:
- For hashing: SHA-256, SHA-384, or SHA-512
- For password hashing: bcrypt, argon2, or PBKDF2
- Python: hashlib.sha256()
- Node.js: crypto.createHash('sha256')
See: https://cwe.mitre.org/data/definitions/327.html
examples:
- vulnerable: |
# Vulnerable: MD5 hash
import hashlib
hash_value = hashlib.md5(data).hexdigest()
- fixed: |
# Fixed: SHA-256 hash
import hashlib
hash_value = hashlib.sha256(data).hexdigest()
# Rule Configuration
configuration:
# Global settings
enabled: true
severity_threshold: "MEDIUM" # Report findings at MEDIUM severity and above
# Performance tuning
max_file_size_kb: 1024
exclude_patterns:
- "test/*"
- "tests/*"
- "node_modules/*"
- "vendor/*"
- "*.min.js"
# False positive reduction
confidence_threshold: "MEDIUM" # Only report findings with MEDIUM confidence or higher
# Rule Metadata Schema
# This section documents the expected structure for rules
metadata_schema:
required:
- id: "Unique identifier for the rule (kebab-case)"
- name: "Human-readable rule name"
- description: "What the rule detects"
- severity: "CRITICAL | HIGH | MEDIUM | LOW | INFO"
- category: "security | best-practice | performance"
optional:
- subcategory: "Specific type (injection, xss, secrets, etc.)"
- owasp: "OWASP Top 10 mappings"
- cwe: "CWE identifier(s)"
- mitre_attack: "MITRE ATT&CK technique(s)"
- compliance: "Compliance standard references"
- confidence: "Detection confidence level"
- likelihood: "Likelihood of exploitation"
- impact: "Potential impact if exploited"
- references: "External documentation links"
# Usage Instructions:
#
# 1. Copy this template when creating new security rules
# 2. Update metadata fields with appropriate framework mappings
# 3. Customize detection patterns for your tool (Semgrep, OPA, etc.)
# 4. Provide clear remediation guidance in the message field
# 5. Include both vulnerable and fixed code examples
# 6. Test rules on real codebases before deployment
#
# Best Practices:
# - Map to multiple frameworks (OWASP, CWE, MITRE ATT&CK)
# - Include compliance standard references
# - Provide actionable remediation guidance
# - Show code examples (vulnerable vs. fixed)
# - Tune confidence levels to reduce false positives
# - Exclude test directories to reduce noise
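Review bot: the SQL injection patterns do not match the rule's own vulnerable example. `cursor.execute($SQL + $VAR)` and the other two patterns fire only when the concatenation is inline in the `execute()` call, but the example builds `query = "SELECT * FROM users WHERE id = " + user_id` first and then calls `cursor.execute(query)`; either add a pattern for that two-step form or, in Semgrep, use taint mode with request parameters as sources and `cursor.execute` as the sink. In `hardcoded-secret-credential`, `pattern-not` sits beside `pattern-either` at the same level; Semgrep requires both to be children of a `patterns:` list for the exclusion to apply, and the bare `innerHTML = $VAR` pattern in the XSS rule needs an object on the left (`$EL.innerHTML = $VAR`) to match real assignments. For `weak-cryptographic-algorithm`, `hashlib.md5(...)` also matches `hashlib.md5(data, usedforsecurity=False)`, the idiom for non-security uses such as checksums, so add a `pattern-not` for it to cut false positives. Finally, `exclude_patterns` drops `test/*` and `tests/*` globally, which is reasonable for injection rules but lets real credentials in test fixtures pass the secrets rule; scope that exclusion per rule rather than in the global `configuration`.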

View File

@@ -0,0 +1,550 @@
# Reference Document Template
This file demonstrates how to structure detailed reference material that Claude loads on-demand.
**When to use this reference**: Include a clear statement about when Claude should consult this document.
For example: "Consult this reference when analyzing Python code for security vulnerabilities and needing detailed remediation patterns."
**Document purpose**: Briefly explain what this reference provides that's not in SKILL.md.
---
## Table of Contents
**For documents >100 lines, always include a table of contents** to help Claude navigate quickly.
- [When to Use References](#when-to-use-references)
- [Document Organization](#document-organization)
- [Detailed Technical Content](#detailed-technical-content)
- [Security Framework Mappings](#security-framework-mappings)
- [OWASP Top 10](#owasp-top-10)
- [CWE Mappings](#cwe-mappings)
- [MITRE ATT&CK](#mitre-attck)
- [Remediation Patterns](#remediation-patterns)
- [Advanced Configuration](#advanced-configuration)
- [Examples and Code Samples](#examples-and-code-samples)
---
## When to Use References
**Move content from SKILL.md to references/** when:
1. **Content exceeds 100 lines** - Keep SKILL.md concise
2. **Framework-specific details** - Detailed OWASP/CWE/MITRE mappings
3. **Advanced user content** - Deep technical details for expert users
4. **Lookup-oriented content** - Rule libraries, configuration matrices, comprehensive lists
5. **Language-specific patterns** - Separate files per language/framework
6. **Historical context** - Old patterns and deprecated approaches
**Keep in SKILL.md**:
- Core workflows (top 3-5 use cases)
- Decision points and branching logic
- Quick start guidance
- Essential security considerations
---
## Document Organization
### Structure for Long Documents
For references >100 lines:
```markdown
# Title
**When to use**: Clear trigger statement
**Purpose**: What this provides
## Table of Contents
- Links to all major sections
## Quick Reference
- Key facts or commands for fast lookup
## Detailed Content
- Comprehensive information organized logically
## Framework Mappings
- OWASP, CWE, MITRE ATT&CK references
## Examples
- Code samples and patterns
```
### Section Naming Conventions
- Use **imperative** or **declarative** headings
- ✅ "Detecting SQL Injection" not "How to detect SQL Injection"
- ✅ "Common Patterns" not "These are common patterns"
- Make headings **searchable** and **specific**
---
## Detailed Technical Content
This section demonstrates the type of detailed content that belongs in references rather than SKILL.md.
### Example: Comprehensive Vulnerability Detection
#### SQL Injection Detection Patterns
**Pattern 1: String Concatenation in Queries**
```python
# Vulnerable pattern
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
# Detection criteria:
# - SQL keyword (SELECT, INSERT, UPDATE, DELETE)
# - String concatenation operator (+, f-string)
# - Variable user input (request params, form data)
# Severity: HIGH
# CWE: CWE-89
# OWASP: A03:2021 - Injection
```
**Remediation**:
```python
# Fixed: Parameterized query
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
# OR using ORM
user = User.objects.get(id=user_id)
```
**Pattern 2: Unsafe String Formatting**
```python
# Vulnerable patterns
query = f"SELECT * FROM users WHERE name = '{username}'"
query = "SELECT * FROM users WHERE name = '%s'" % username
query = "SELECT * FROM users WHERE name = '{}'".format(username)
# All three patterns are vulnerable to SQL injection
```
#### Cross-Site Scripting (XSS) Detection
**Pattern 1: Unescaped Output in Templates**
```javascript
// Vulnerable: Direct HTML injection
element.innerHTML = userInput;
document.write(userInput);
// Vulnerable: React dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{__html: userComment}} />
// Detection criteria:
# - Direct DOM manipulation (innerHTML, document.write)
# - React dangerouslySetInnerHTML with user data
# - Template engines with autoescaping disabled
// Severity: HIGH
// CWE: CWE-79
// OWASP: A03:2021 - Injection
```
**Remediation**:
```javascript
// Fixed: Escaped output
element.textContent = userInput; // Auto-escapes
// Fixed: Sanitization library
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userComment);
<div dangerouslySetInnerHTML={{__html: clean}} />
```
---
## Security Framework Mappings
This section provides comprehensive security framework mappings for findings.
### OWASP Top 10
Map security findings to OWASP Top 10 (2021) categories:
| Category | Title | Common Vulnerabilities |
|----------|-------|----------------------|
| **A01:2021** | Broken Access Control | Authorization bypass, privilege escalation, IDOR |
| **A02:2021** | Cryptographic Failures | Weak crypto, plaintext storage, insecure TLS |
| **A03:2021** | Injection | SQL injection, XSS, command injection, LDAP injection |
| **A04:2021** | Insecure Design | Missing security controls, threat modeling gaps |
| **A05:2021** | Security Misconfiguration | Default configs, verbose errors, unnecessary features |
| **A06:2021** | Vulnerable Components | Outdated libraries, unpatched dependencies |
| **A07:2021** | Auth & Session Failures | Weak passwords, session fixation, missing MFA |
| **A08:2021** | Software & Data Integrity | Unsigned updates, insecure CI/CD, deserialization |
| **A09:2021** | Logging & Monitoring Failures | Insufficient logging, no alerting, log injection |
| **A10:2021** | SSRF | Server-side request forgery, unvalidated redirects |
**Usage**: When reporting findings, map to primary OWASP category and reference the identifier (e.g., "A03:2021 - Injection").
### CWE Mappings
Map to relevant Common Weakness Enumeration categories for precise vulnerability classification:
#### Injection Vulnerabilities
- **CWE-78**: OS Command Injection
- **CWE-79**: Cross-site Scripting (XSS)
- **CWE-89**: SQL Injection
- **CWE-90**: LDAP Injection
- **CWE-91**: XML Injection
- **CWE-94**: Code Injection
#### Authentication & Authorization
- **CWE-287**: Improper Authentication
- **CWE-288**: Authentication Bypass Using Alternate Path
- **CWE-290**: Authentication Bypass by Spoofing
- **CWE-294**: Authentication Bypass by Capture-replay
- **CWE-306**: Missing Authentication for Critical Function
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
- **CWE-352**: Cross-Site Request Forgery (CSRF)
#### Cryptographic Issues
- **CWE-256**: Plaintext Storage of Password
- **CWE-259**: Use of Hard-coded Password
- **CWE-261**: Weak Encoding for Password
- **CWE-321**: Use of Hard-coded Cryptographic Key
- **CWE-326**: Inadequate Encryption Strength
- **CWE-327**: Use of Broken or Risky Cryptographic Algorithm
- **CWE-329**: Not Using a Random IV with CBC Mode
- **CWE-798**: Use of Hard-coded Credentials
#### Input Validation
- **CWE-20**: Improper Input Validation
- **CWE-73**: External Control of File Name or Path
- **CWE-434**: Unrestricted Upload of File with Dangerous Type
- **CWE-601**: URL Redirection to Untrusted Site
#### Sensitive Data Exposure
- **CWE-200**: Information Exposure
- **CWE-209**: Information Exposure Through Error Message
- **CWE-312**: Cleartext Storage of Sensitive Information
- **CWE-319**: Cleartext Transmission of Sensitive Information
- **CWE-532**: Information Exposure Through Log Files
**Usage**: Include CWE identifier in all vulnerability reports for standardized classification.
### MITRE ATT&CK
Reference relevant tactics and techniques for threat context:
#### Initial Access (TA0001)
- **T1190**: Exploit Public-Facing Application
- **T1133**: External Remote Services
- **T1078**: Valid Accounts
#### Execution (TA0002)
- **T1059**: Command and Scripting Interpreter
- **T1203**: Exploitation for Client Execution
#### Persistence (TA0003)
- **T1098**: Account Manipulation
- **T1136**: Create Account
- **T1505**: Server Software Component
#### Privilege Escalation (TA0004)
- **T1068**: Exploitation for Privilege Escalation
- **T1548**: Abuse Elevation Control Mechanism
#### Defense Evasion (TA0005)
- **T1027**: Obfuscated Files or Information
- **T1140**: Deobfuscate/Decode Files or Information
- **T1562**: Impair Defenses
#### Credential Access (TA0006)
- **T1110**: Brute Force
- **T1555**: Credentials from Password Stores
- **T1552**: Unsecured Credentials
#### Discovery (TA0007)
- **T1083**: File and Directory Discovery
- **T1046**: Network Service Scanning
#### Collection (TA0009)
- **T1005**: Data from Local System
- **T1114**: Email Collection
#### Exfiltration (TA0010)
- **T1041**: Exfiltration Over C2 Channel
- **T1567**: Exfiltration Over Web Service
**Usage**: When identifying vulnerabilities, consider which ATT&CK techniques an attacker could use to exploit them.
---
## Remediation Patterns
This section provides specific remediation guidance for common vulnerability types.
### SQL Injection Remediation
**Step 1: Identify vulnerable queries**
- Search for string concatenation in SQL queries
- Check for f-strings or format() with SQL keywords
- Review all database interaction code
**Step 2: Apply parameterized queries**
```python
# Python with sqlite3
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
# Python with psycopg2 (PostgreSQL)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# Python with SQLAlchemy (ORM)
from sqlalchemy import text
result = session.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})
```
**Step 3: Validate and sanitize input** (defense in depth)
```python
import re
# Validate input format
if not re.match(r'^\d+$', user_id):
raise ValueError("Invalid user ID format")
# Use ORM query builders
user = User.query.filter_by(id=user_id).first()
```
**Step 4: Implement least privilege**
- Database user should have minimum required permissions
- Use read-only accounts for SELECT operations
- Never use admin/root accounts for application queries
### XSS Remediation
**Step 1: Enable auto-escaping**
- Most modern frameworks escape by default
- Ensure auto-escaping is not disabled
**Step 2: Use framework-specific safe methods**
```javascript
// React: Use JSX (auto-escapes)
<div>{userInput}</div>
// Vue: Use template syntax (auto-escapes)
<div>{{ userInput }}</div>
// Angular: Use property binding (auto-escapes)
<div [textContent]="userInput"></div>
```
**Step 3: Sanitize when HTML is required**
```javascript
import DOMPurify from 'dompurify';
// Sanitize HTML content
const clean = DOMPurify.sanitize(userHTML, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
});
```
**Step 4: Content Security Policy (CSP)**
```html
<!-- Add CSP header -->
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
```
---
## Advanced Configuration
This section contains detailed configuration options and tuning parameters.
### Example: SAST Tool Configuration
```yaml
# Advanced security scanner configuration
scanner:
# Severity threshold
severity_threshold: MEDIUM
# Rule configuration
rules:
enabled:
- sql-injection
- xss
- hardcoded-secrets
disabled:
- informational-only
# False positive reduction
confidence_threshold: HIGH
exclude_patterns:
- "*/test/*"
- "*/tests/*"
- "*/node_modules/*"
- "*.test.js"
- "*.spec.ts"
# Performance tuning
max_file_size_kb: 2048
timeout_seconds: 300
parallel_jobs: 4
# Output configuration
output_format: json
include_code_snippets: true
max_snippet_lines: 10
```
---
## Examples and Code Samples
This section provides comprehensive code examples for various scenarios.
### Example 1: Secure API Authentication
```python
# Secure API key handling
import os
from functools import wraps
from flask import Flask, request, jsonify
app = Flask(__name__)
# Load API key from environment (never hardcode)
VALID_API_KEY = os.environ.get('API_KEY')
if not VALID_API_KEY:
raise ValueError("API_KEY environment variable not set")
def require_api_key(f):
@wraps(f)
def decorated_function(*args, **kwargs):
api_key = request.headers.get('X-API-Key')
if not api_key:
return jsonify({'error': 'API key required'}), 401
# Constant-time comparison to prevent timing attacks
import hmac
if not hmac.compare_digest(api_key, VALID_API_KEY):
return jsonify({'error': 'Invalid API key'}), 403
return f(*args, **kwargs)
return decorated_function
@app.route('/api/secure-endpoint')
@require_api_key
def secure_endpoint():
return jsonify({'message': 'Access granted'})
```
### Example 2: Secure Password Hashing
```python
# Secure password storage with bcrypt
import bcrypt
def hash_password(password: str) -> str:
"""Hash a password using bcrypt."""
# Generate salt and hash password
salt = bcrypt.gensalt(rounds=12) # Cost factor: 12 (industry standard)
hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
return hashed.decode('utf-8')
def verify_password(password: str, hashed: str) -> bool:
"""Verify a password against a hash."""
return bcrypt.checkpw(
password.encode('utf-8'),
hashed.encode('utf-8')
)
# Usage
stored_hash = hash_password("user_password")
is_valid = verify_password("user_password", stored_hash) # True
```
### Example 3: Secure File Upload
```python
# Secure file upload with validation
import os
import magic
from werkzeug.utils import secure_filename
ALLOWED_EXTENSIONS = {'pdf', 'png', 'jpg', 'jpeg'}
ALLOWED_MIME_TYPES = {
'application/pdf',
'image/png',
'image/jpeg'
}
MAX_FILE_SIZE = 5 * 1024 * 1024 # 5 MB
def is_allowed_file(filename: str, file_content: bytes) -> bool:
"""Validate file extension and MIME type."""
# Check extension
if '.' not in filename:
return False
ext = filename.rsplit('.', 1)[1].lower()
if ext not in ALLOWED_EXTENSIONS:
return False
# Check MIME type (prevent extension spoofing)
mime = magic.from_buffer(file_content, mime=True)
if mime not in ALLOWED_MIME_TYPES:
return False
return True
def handle_upload(file):
"""Securely handle file upload."""
# Check file size
file.seek(0, os.SEEK_END)
size = file.tell()
file.seek(0)
if size > MAX_FILE_SIZE:
raise ValueError("File too large")
# Read content for validation
content = file.read()
file.seek(0)
# Validate file type
if not is_allowed_file(file.filename, content):
raise ValueError("Invalid file type")
# Sanitize filename
filename = secure_filename(file.filename)
# Generate unique filename to prevent overwrite attacks
import uuid
unique_filename = f"{uuid.uuid4()}_(unknown)"
# Save to secure location (outside web root)
upload_path = os.path.join('/secure/uploads', unique_filename)
file.save(upload_path)
return unique_filename
```
---
## Best Practices for Reference Documents
1. **Start with "When to use"** - Help Claude know when to load this reference
2. **Include table of contents** - For documents >100 lines
3. **Use concrete examples** - Code samples with vulnerable and fixed versions
4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context
5. **Provide remediation** - Don't just identify issues, show how to fix them
6. **Organize logically** - Group related content, use clear headings
7. **Keep examples current** - Use modern patterns and current framework versions
8. **Be concise** - Even in references, challenge every sentence
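Review bot: in Example 1 (Secure API Authentication), `hmac.compare_digest(api_key, VALID_API_KEY)` is called on two `str` values, and `compare_digest` raises `TypeError` when either string contains non-ASCII characters, so a client sending a non-ASCII `X-API-Key` header turns the intended 403 into an unhandled 500; encode both sides with `.encode('utf-8')` before comparing and move `import hmac` to the module top. In Example 3, `filename = secure_filename(file.filename)` is computed but never used: the next line builds `unique_filename = f"{uuid.uuid4()}_(unknown)"` from a literal placeholder, so either interpolate `filename` there or drop the sanitisation step. `is_allowed_file` also accepts any allowed extension paired with any allowed MIME type (a `.pdf` containing PNG bytes passes), so check that the detected type matches the declared extension. Minor: the "Detection criteria" comments inside the JavaScript XSS block use `#`, which is not a JS comment marker, and the A10:2021 row lists "unvalidated redirects", which OWASP does not include under SSRF.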

View File

@@ -0,0 +1,253 @@
# Workflow Checklist Template
This template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.
## Pattern 1: Sequential Workflow Checklist
Use this pattern for operations that must be completed in order, step-by-step.
### Security Assessment Workflow
Progress:
[ ] 1. Identify application entry points and attack surface
[ ] 2. Map authentication and authorization flows
[ ] 3. Identify data flows and sensitive data handling
[ ] 4. Review existing security controls
[ ] 5. Document findings with framework references (OWASP, CWE)
[ ] 6. Prioritize findings by severity (CVSS scores)
[ ] 7. Generate report with remediation recommendations
Work through each step systematically. Check off completed items.
---
## Pattern 2: Conditional Workflow
Use this pattern when the workflow branches based on findings or conditions.
### Vulnerability Remediation Workflow
1. Identify vulnerability type
- If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)
- If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)
- If Authentication flaw → See [auth-remediation.md](auth-remediation.md)
- If Authorization flaw → See [authz-remediation.md](authz-remediation.md)
- If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)
2. Assess severity using CVSS calculator
- If CVSS >= 9.0 → Priority: Critical (immediate action)
- If CVSS 7.0-8.9 → Priority: High (action within 24h)
- If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)
- If CVSS < 4.0 → Priority: Low (action within 30 days)
3. Apply appropriate remediation pattern
4. Validate fix with security testing
5. Document changes and update security documentation
---
## Pattern 3: Iterative Workflow
Use this pattern for operations that repeat across multiple targets or items.
### Code Security Review Workflow
For each file in the review scope:
1. Identify security-sensitive operations (auth, data access, crypto, input handling)
2. Check against secure coding patterns for the language
3. Flag potential vulnerabilities with severity rating
4. Map findings to CWE and OWASP categories
5. Suggest specific remediation approaches
6. Document finding with code location and fix priority
Continue until all files in scope have been reviewed.
---
## Pattern 4: Feedback Loop Workflow
Use this pattern when validation and iteration are required.
### Secure Configuration Generation Workflow
1. Generate initial security configuration based on requirements
2. Run validation script: `./scripts/validate_config.py config.yaml`
3. Review validation output:
- Note all errors (must fix)
- Note all warnings (should fix)
- Note all info items (consider)
4. Fix identified issues in configuration
5. Repeat steps 2-4 until validation passes with zero errors
6. Review warnings and determine if they should be addressed
7. Apply configuration once validation is clean
**Validation Loop**: Run validator → Fix errors → Repeat until clean
---
## Pattern 5: Parallel Analysis Workflow
Use this pattern when multiple independent analyses can run concurrently.
### Comprehensive Security Scan Workflow
Run these scans in parallel:
**Static Analysis**:
[ ] 1a. Run SAST scan (Semgrep/Bandit)
[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)
[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)
[ ] 1d. Run license compliance check
**Dynamic Analysis**:
[ ] 2a. Run DAST scan (ZAP/Burp)
[ ] 2b. Run API security testing
[ ] 2c. Run authentication/authorization testing
**Infrastructure Analysis**:
[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)
[ ] 3b. Run container image scan (Trivy/Grype)
[ ] 3c. Run configuration review
**Consolidation**:
[ ] 4. Aggregate all findings
[ ] 5. Deduplicate and correlate findings
[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)
[ ] 7. Generate unified security report
---
## Pattern 6: Research and Documentation Workflow
Use this pattern for security research and documentation tasks.
### Threat Modeling Workflow
Research Progress:
[ ] 1. Identify system components and boundaries
[ ] 2. Map data flows between components
[ ] 3. Identify trust boundaries
[ ] 4. Enumerate assets (data, services, credentials)
[ ] 5. Apply STRIDE framework to each component:
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
[ ] 6. Map threats to MITRE ATT&CK techniques
[ ] 7. Identify existing mitigations
[ ] 8. Document residual risks
[ ] 9. Recommend additional security controls
[ ] 10. Generate threat model document
Work through each step systematically. Check off completed items.
---
## Pattern 7: Compliance Validation Workflow
Use this pattern for compliance checks against security standards.
### Security Compliance Audit Workflow
**SOC 2 Controls Review**:
[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)
[ ] 2. Verify logical access controls implementation (CC6.1)
[ ] 3. Review authentication mechanisms (CC6.1)
[ ] 4. Verify encryption implementation (CC6.1, CC6.7)
[ ] 5. Review audit logging configuration (CC7.2)
[ ] 6. Verify security monitoring (CC7.2, CC7.3)
[ ] 7. Review incident response procedures (CC7.3, CC7.4)
[ ] 8. Verify backup and recovery processes (A1.2, A1.3)
**Evidence Collection**:
[ ] 9. Collect policy documents
[ ] 10. Collect configuration screenshots
[ ] 11. Collect audit logs
[ ] 12. Document control gaps
[ ] 13. Generate compliance report
---
## Pattern 8: Incident Response Workflow
Use this pattern for security incident handling.
### Security Incident Response Workflow
**Detection and Analysis**:
[ ] 1. Confirm security incident (rule out false positive)
[ ] 2. Determine incident severity (SEV1/2/3/4)
[ ] 3. Identify affected systems and data
[ ] 4. Preserve evidence (logs, memory dumps, network captures)
**Containment**:
[ ] 5. Isolate affected systems (network segmentation)
[ ] 6. Disable compromised accounts
[ ] 7. Block malicious indicators (IPs, domains, hashes)
[ ] 8. Implement temporary compensating controls
**Eradication**:
[ ] 9. Identify root cause
[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)
[ ] 11. Patch vulnerabilities exploited
[ ] 12. Reset compromised credentials
**Recovery**:
[ ] 13. Restore systems from clean backups (if needed)
[ ] 14. Re-enable systems with monitoring
[ ] 15. Verify system integrity
[ ] 16. Resume normal operations
**Post-Incident**:
[ ] 17. Document incident timeline
[ ] 18. Identify lessons learned
[ ] 19. Update security controls to prevent recurrence
[ ] 20. Update incident response procedures
[ ] 21. Communicate with stakeholders
---
## Usage Guidelines
### When to Use Workflow Checklists
**Use checklists for**:
- Complex multi-step operations
- Operations requiring specific order
- Security assessments and audits
- Incident response procedures
- Compliance validation tasks
**Don't use checklists for**:
- Simple single-step operations
- Highly dynamic exploratory work
- Operations that vary significantly each time
### Adapting This Template
1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file
2. **Customize steps** to match your specific security tool or process
3. **Add framework references** (OWASP, CWE, NIST) where applicable
4. **Include tool-specific commands** for automation
5. **Add decision points** where manual judgment is required
### Checklist Best Practices
- **Be specific**: "Run semgrep --config=auto ." not "Scan the code"
- **Include success criteria**: "Validation passes with 0 errors"
- **Reference standards**: Link to OWASP, CWE, NIST where relevant
- **Show progress**: Checkbox format helps track completion
- **Provide escape hatches**: "If validation fails, see troubleshooting.md"
### Integration with Feedback Loops
Combine checklists with validation scripts for maximum effectiveness:
1. Create checklist for the workflow
2. Provide validation script that checks quality
3. Include "run validator" step in checklist
4. Loop: Complete step → Validate → Fix issues → Re-validate
This pattern dramatically improves output quality through systematic validation.
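Review bot: Pattern 2 step 2 assigns remediation priority from the CVSS base score alone, while Pattern 5 step 6 prioritises by "CVSS + exploitability + business impact"; the two checklists should agree, since a 9.8 on an internal-only build host and a 6.5 on an internet-facing authentication service sort differently once exposure is taken into account. Suggest adding an exposure and exploitability adjustment step to Pattern 2 after the CVSS lookup, or pointing it at the Pattern 5 criteria, so the SLA tiers are applied to an adjusted score rather than the raw base score.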

View File

@@ -0,0 +1,627 @@
# Velociraptor Artifact Development Guide
Guide to creating custom VQL artifacts for specific investigation and threat hunting scenarios.
## Table of Contents
- [Artifact Structure](#artifact-structure)
- [Parameter Types](#parameter-types)
- [Source Types](#source-types)
- [Best Practices](#best-practices)
- [Common Patterns](#common-patterns)
- [Testing Artifacts](#testing-artifacts)
## Artifact Structure
Velociraptor artifacts are YAML files with a defined structure:
```yaml
name: Category.Subcategory.ArtifactName
description: |
Detailed description of what this artifact collects and why.
Include use cases and expected output.
author: Your Name <email@domain.com>
type: CLIENT # CLIENT, SERVER, or CLIENT_EVENT
parameters:
- name: ParameterName
default: "default_value"
type: string
description: Parameter description
precondition: |
SELECT OS FROM info() WHERE OS = 'windows'
sources:
- name: SourceName
query: |
SELECT * FROM plugin()
WHERE condition
reports:
- type: CLIENT
template: |
# Report Title
{{ .Description }}
{{ range .Rows }}
- {{ .Column }}
{{ end }}
```
### Required Fields
- **name**: Unique artifact identifier in dot notation
- **description**: What the artifact does and when to use it
- **sources**: At least one VQL query source
### Optional Fields
- **author**: Creator information
- **type**: Artifact type (CLIENT, SERVER, CLIENT_EVENT)
- **parameters**: User-configurable inputs
- **precondition**: Check before running (OS, software presence)
- **reports**: Output formatting templates
- **references**: External documentation links
## Parameter Types
### String Parameters
```yaml
parameters:
- name: SearchPath
default: "C:/Windows/System32/"
type: string
description: Directory path to search
```
### Integer Parameters
```yaml
parameters:
- name: DaysBack
default: 7
type: int
description: Number of days to look back
```
### Boolean Parameters
```yaml
parameters:
- name: IncludeSystem
default: Y
type: bool
description: Include system files
```
### Regex Parameters
```yaml
parameters:
- name: ProcessPattern
default: "(?i)(powershell|cmd)"
type: regex
description: Process name pattern to match
```
### Choice Parameters
```yaml
parameters:
- name: LogLevel
default: "INFO"
type: choices
choices:
- DEBUG
- INFO
- WARNING
- ERROR
description: Logging verbosity
```
### CSV Parameters
```yaml
parameters:
- name: IOCList
default: |
evil.com
malicious.net
type: csv
description: List of IOC domains
```
## Source Types
### Query Sources
Standard VQL query that collects data:
```yaml
sources:
- name: ProcessCollection
query: |
SELECT Pid, Name, CommandLine, Username
FROM pslist()
WHERE Name =~ ProcessPattern
```
### Event Sources
Continuous monitoring queries for CLIENT_EVENT artifacts:
```yaml
sources:
- name: ProcessCreation
query: |
SELECT * FROM watch_evtx(
filename="C:/Windows/System32/winevt/Logs/Security.evtx"
)
WHERE System.EventID.Value = 4688
```
### Multiple Sources
Artifacts can have multiple sources for different data collection:
```yaml
sources:
- name: Processes
query: |
SELECT * FROM pslist()
- name: NetworkConnections
query: |
SELECT * FROM netstat()
- name: LoadedDLLs
query: |
SELECT * FROM modules()
```
## Best Practices
### 1. Use Preconditions
Prevent artifact execution on incompatible systems:
```yaml
# Windows-only artifact
precondition: |
SELECT OS FROM info() WHERE OS = 'windows'
# Requires specific tool
precondition: |
SELECT * FROM stat(filename="C:/Tools/sysinternals/psexec.exe")
# Version check
precondition: |
SELECT * FROM info() WHERE OS = 'windows' AND OSVersion =~ '10'
```
### 2. Parameterize Paths and Patterns
Make artifacts flexible and reusable:
```yaml
parameters:
- name: TargetPath
default: "C:/Users/**/AppData/**"
type: string
- name: FilePattern
default: "*.exe"
type: string
sources:
- query: |
SELECT * FROM glob(globs=TargetPath + "/" + FilePattern)
```
### 3. Use LET for Query Composition
Break complex queries into manageable parts:
```yaml
sources:
- query: |
-- Define reusable subqueries
LET SuspiciousProcesses = SELECT Pid, Name, CommandLine
FROM pslist()
WHERE CommandLine =~ "(?i)(bypass|hidden)"
LET NetworkConnections = SELECT Pid, Raddr.IP AS RemoteIP
FROM netstat()
WHERE Status = "ESTABLISHED"
-- Join and correlate
SELECT sp.Name,
sp.CommandLine,
nc.RemoteIP
FROM SuspiciousProcesses sp
JOIN NetworkConnections nc ON sp.Pid = nc.Pid
```
### 4. Add Error Handling
Handle missing data gracefully:
```yaml
sources:
- query: |
SELECT * FROM foreach(
row={
SELECT FullPath FROM glob(globs=SearchPath)
},
query={
SELECT FullPath,
hash(path=FullPath, accessor="file").SHA256 AS SHA256
FROM scope()
WHERE log(message="Processing: " + FullPath)
},
workers=5
)
WHERE SHA256 -- Filter out hash failures
```
### 5. Include Documentation
Add inline comments and comprehensive descriptions:
```yaml
description: |
## Overview
This artifact hunts for suspicious scheduled tasks.
## Use Cases
- Persistence mechanism detection
- Lateral movement artifact collection
- Threat hunting campaigns
## Output
Returns task name, actions, triggers, and creation time.
## References
- MITRE ATT&CK T1053.005 (Scheduled Task/Job)
```
## Common Patterns
### Pattern: File Collection with Hashing
```yaml
name: Custom.Windows.FileCollection
description: Collect files matching patterns with hashes
parameters:
- name: GlobPatterns
default: |
C:/Users/**/AppData/**/*.exe
C:/Windows/Temp/**/*.dll
type: csv
sources:
- query: |
SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS Modified,
timestamp(epoch=Btime) AS Created,
hash(path=FullPath, accessor="file") AS Hashes
FROM foreach(
row={
SELECT * FROM parse_csv(filename=GlobPatterns, accessor="data")
},
query={
SELECT * FROM glob(globs=_value)
}
)
WHERE NOT IsDir
```
### Pattern: Event Log Analysis
```yaml
name: Custom.Windows.EventLogHunt
description: Hunt for specific event IDs with context
parameters:
- name: LogFile
default: "C:/Windows/System32/winevt/Logs/Security.evtx"
type: string
- name: EventIDs
default: "4624,4625,4672"
type: csv
sources:
- query: |
LET EventIDList = SELECT parse_string_with_regex(
string=EventIDs,
regex="(\\d+)"
).g1 AS EventID FROM scope()
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
System.EventID.Value AS EventID,
System.Computer AS Computer,
EventData
FROM parse_evtx(filename=LogFile)
WHERE str(str=System.EventID.Value) IN EventIDList.EventID
ORDER BY EventTime DESC
```
### Pattern: Process Tree Analysis
```yaml
name: Custom.Windows.ProcessTree
description: Build process tree from a starting PID
parameters:
- name: RootPID
default: 0
type: int
description: Starting process PID (0 for all)
sources:
- query: |
LET ProcessList = SELECT Pid, Ppid, Name, CommandLine, Username, CreateTime
FROM pslist()
LET RECURSIVE GetChildren(ParentPID) = SELECT *
FROM ProcessList
WHERE Ppid = ParentPID
LET RECURSIVE BuildTree(Level, ParentPID) = SELECT
Level,
Pid,
Ppid,
Name,
CommandLine,
Username,
CreateTime
FROM GetChildren(ParentPID=ParentPID)
UNION ALL
SELECT * FROM BuildTree(Level=Level+1, ParentPID=Pid)
SELECT * FROM if(
condition=RootPID > 0,
then={
SELECT * FROM BuildTree(Level=0, ParentPID=RootPID)
},
else={
SELECT 0 AS Level, * FROM ProcessList
}
)
ORDER BY CreateTime
```
### Pattern: Network IOC Matching
```yaml
name: Custom.Windows.NetworkIOCMatch
description: Match network connections against IOC list
parameters:
- name: IOCList
default: |
IP,Description
192.0.2.1,C2 Server
198.51.100.50,Malicious Host
type: csv
sources:
- query: |
LET IOCs = SELECT IP, Description
FROM parse_csv(filename=IOCList, accessor="data")
LET Connections = SELECT
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
SELECT c.RemoteIP,
c.RemotePort,
c.ProcessName,
c.CommandLine,
i.Description AS IOCMatch
FROM Connections c
JOIN IOCs i ON c.RemoteIP = i.IP
```
### Pattern: Registry Timeline
```yaml
name: Custom.Windows.RegistryTimeline
description: Timeline registry modifications in specific keys
parameters:
- name: RegistryPaths
default: |
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**
HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**
type: csv
- name: DaysBack
default: 7
type: int
sources:
- query: |
LET StartTime = timestamp(epoch=now() - DaysBack * 86400)
SELECT timestamp(epoch=Key.Mtime) AS Modified,
Key.FullPath AS RegistryPath,
ValueName,
ValueData.value AS Value
FROM foreach(
row={
SELECT * FROM parse_csv(filename=RegistryPaths, accessor="data")
},
query={
SELECT * FROM read_reg_key(globs=_value)
}
)
WHERE Key.Mtime > StartTime
ORDER BY Modified DESC
```
## Testing Artifacts
### 1. Local Testing with GUI
```bash
# Start Velociraptor in GUI mode
velociraptor gui
# Navigate to: View Artifacts → Add Artifact
# Paste your artifact YAML and click Save
# Run artifact via Collected Artifacts → New Collection
```
### 2. Command Line Testing
```bash
# Test artifact syntax
velociraptor artifacts show Custom.Artifact.Name
# Run artifact locally
velociraptor artifacts collect Custom.Artifact.Name \
--args ParameterName=value \
--format json
# Run with output file
velociraptor artifacts collect Custom.Artifact.Name \
--output results.json
```
### 3. Notebook Testing
Use VQL notebooks for interactive development:
```sql
-- Test query components in isolation
SELECT * FROM pslist() WHERE Name =~ "powershell" LIMIT 10
-- Test parameter substitution
LET ProcessPattern = "(?i)(powershell|cmd)"
SELECT * FROM pslist() WHERE Name =~ ProcessPattern
-- Test full artifact query
/* Paste your artifact query here */
```
### 4. Validation Checklist
Before deploying artifacts:
- [ ] Artifact name follows convention: Category.Subcategory.Name
- [ ] Description includes use cases and expected output
- [ ] Parameters have sensible defaults
- [ ] Precondition prevents incompatible execution
- [ ] Query tested in notebook mode
- [ ] Error handling for missing data
- [ ] Performance acceptable on test system
- [ ] Output format is useful and parseable
- [ ] Documentation includes MITRE ATT&CK mapping if applicable
## Performance Considerations
### Limit Scope
```yaml
# BAD: Scans entire filesystem
SELECT * FROM glob(globs="C:/**/*.exe")
# GOOD: Targeted scope
SELECT * FROM glob(globs=[
"C:/Users/**/AppData/**/*.exe",
"C:/Windows/Temp/**/*.exe"
])
```
### Use Workers for Parallel Processing
```yaml
sources:
- query: |
SELECT * FROM foreach(
row={SELECT * FROM glob(globs=SearchPath)},
query={
SELECT FullPath,
hash(path=FullPath, accessor="file").SHA256 AS SHA256
FROM scope()
},
workers=10 -- Process 10 files concurrently
)
```
### Rate Limiting
```yaml
sources:
- query: |
SELECT * FROM foreach(
row={SELECT * FROM glob(globs="C:/**")},
query={
SELECT * FROM scope()
WHERE rate(query_name="my_query", ops_per_sec=100)
}
)
```
## MITRE ATT&CK Mapping
Map artifacts to MITRE ATT&CK techniques:
```yaml
name: Custom.Windows.PersistenceHunt
description: |
Hunt for persistence mechanisms.
MITRE ATT&CK Techniques:
- T1547.001: Registry Run Keys / Startup Folder
- T1053.005: Scheduled Task/Job
- T1543.003: Windows Service
- T1546.003: Windows Management Instrumentation Event Subscription
references:
- https://attack.mitre.org/techniques/T1547/001/
- https://attack.mitre.org/techniques/T1053/005/
```
## Artifact Distribution
### Export Artifacts
```bash
# Export single artifact
velociraptor artifacts show Custom.Artifact.Name > artifact.yaml
# Export all custom artifacts
velociraptor artifacts list --filter Custom > all_artifacts.yaml
```
### Import Artifacts
```bash
# Via command line
velociraptor --config server.config.yaml artifacts import artifact.yaml
# Via GUI
# Navigate to: View Artifacts → Upload Artifact Pack
```
### Share via Artifact Exchange
Contribute artifacts to the community:
1. Test thoroughly across different systems
2. Document clearly with examples
3. Add MITRE ATT&CK mappings
4. Submit to: https://docs.velociraptor.app/exchange/
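Review bot: the Rate Limiting example does not throttle anything. In VQL, `rate()` computes a rate between two quantities and takes no `query_name` or `ops_per_sec` arguments, so `WHERE rate(query_name="my_query", ops_per_sec=100)` should be replaced by the artifact's own `resources:` block (`ops_per_second:`, `timeout:`, `max_rows:`) or by the ops/sec limit set when the collection is scheduled. In Artifact Distribution, `velociraptor artifacts list --filter Custom > all_artifacts.yaml` will not export definitions: `artifacts list` prints artifact names, so either loop over those names with `artifacts show` or download the artifact pack from the GUI, and please confirm `--filter` is an accepted flag for that subcommand. Two smaller points: the Limit Scope block is fenced as `yaml` but contains bare VQL (the Notebook Testing block uses `sql`, which fits better), and in the CSV-driven registry artifact at the top each `parse_csv` row is a dict keyed by the CSV header, so `read_reg_key(globs=_value)` should reference that column name rather than `_value`.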


@@ -0,0 +1,657 @@
# Velociraptor Enterprise Deployment Guide
Comprehensive guide for deploying Velociraptor in enterprise environments.
## Table of Contents
- [Architecture Overview](#architecture-overview)
- [Server Deployment](#server-deployment)
- [Client Deployment](#client-deployment)
- [High Availability](#high-availability)
- [Security Hardening](#security-hardening)
- [Monitoring and Maintenance](#monitoring-and-maintenance)
- [Scaling Considerations](#scaling-considerations)
## Architecture Overview
### Components
**Frontend Server**:
- Handles client communication (gRPC)
- Serves web GUI
- Manages TLS connections
- Default port: TCP 8000 (clients), TCP 8889 (GUI)
**Datastore**:
- Filesystem-based by default
- Stores artifacts, collections, and configurations
- Can use external storage (S3, GCS)
**Clients (Agents)**:
- Lightweight endpoint agents
- Execute VQL queries
- Report results to server
- Self-updating capability
### Deployment Models
**Single Server** (< 1000 endpoints):
```
[Clients] ──→ [Frontend + GUI + Datastore]
```
**Multi-Frontend** (1000-10000 endpoints):
```
┌─→ [Frontend 1]
[Clients] ──→ [LB]├─→ [Frontend 2] ──→ [Shared Datastore]
└─→ [Frontend 3]
```
**Distributed** (> 10000 endpoints):
```
┌─→ [Frontend Pool 1] ──→ [Datastore Region 1]
[Clients by region]├─→ [Frontend Pool 2] ──→ [Datastore Region 2]
└─→ [Frontend Pool 3] ──→ [Datastore Region 3]
```
## Server Deployment
### Prerequisites
**System Requirements**:
- OS: Linux (Ubuntu 20.04+, RHEL 8+), Windows Server 2019+
- RAM: 8GB minimum, 16GB+ recommended for large deployments
- CPU: 4 cores minimum, 8+ for production
- Storage: 100GB+ for datastore (grows with collections)
- Network: Public IP or internal with client access
**Software Requirements**:
- No external dependencies (single binary)
- Optional: MySQL/PostgreSQL for metadata (future enhancement)
### Installation Steps
#### 1. Download Velociraptor
```bash
# Linux
wget https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-linux-amd64
# Make executable
chmod +x velociraptor-v0.72.3-linux-amd64
sudo mv velociraptor-v0.72.3-linux-amd64 /usr/local/bin/velociraptor
```
#### 2. Generate Server Configuration
```bash
# Interactive configuration generation
velociraptor config generate -i
# Or automated with defaults
velociraptor config generate \
--deployment linux \
--frontend_hostname velociraptor.company.com \
--frontend_port 8000 \
--gui_port 8889 \
--datastore /var/lib/velociraptor \
> /etc/velociraptor/server.config.yaml
```
**Key Configuration Options**:
```yaml
# server.config.yaml
version:
name: velociraptor
version: "0.72"
Client:
server_urls:
- https://velociraptor.company.com:8000/
ca_certificate: |
-----BEGIN CERTIFICATE-----
[CA cert]
-----END CERTIFICATE-----
API:
bind_address: 0.0.0.0
bind_port: 8001
bind_scheme: tcp
GUI:
bind_address: 0.0.0.0
bind_port: 8889
use_plain_http: false
internal_cidr:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Frontend:
hostname: velociraptor.company.com
bind_address: 0.0.0.0
bind_port: 8000
Datastore:
implementation: FileBaseDataStore
location: /var/lib/velociraptor
filestore_directory: /var/lib/velociraptor
```
#### 3. Setup Systemd Service (Linux)
```bash
# Create service file
sudo cat > /etc/systemd/system/velociraptor.service <<'EOF'
[Unit]
Description=Velociraptor DFIR Agent
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend -v
Restart=on-failure
RestartSec=10
User=velociraptor
Group=velociraptor
StandardOutput=journal
StandardError=journal
SyslogIdentifier=velociraptor
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
ReadWritePaths=/var/lib/velociraptor
[Install]
WantedBy=multi-user.target
EOF
# Create user
sudo useradd -r -s /bin/false velociraptor
# Setup directories
sudo mkdir -p /etc/velociraptor /var/lib/velociraptor
sudo chown -R velociraptor:velociraptor /etc/velociraptor /var/lib/velociraptor
# Start service
sudo systemctl daemon-reload
sudo systemctl enable velociraptor
sudo systemctl start velociraptor
```
#### 4. Create Initial Admin User
```bash
# Create admin user
velociraptor --config /etc/velociraptor/server.config.yaml \
user add admin --role administrator
# Verify
velociraptor --config /etc/velociraptor/server.config.yaml \
user show admin
```
#### 5. Access Web Interface
```bash
# Access GUI at: https://velociraptor.company.com:8889/
# Login with admin credentials created above
```
### TLS Certificate Configuration
**Option 1: Self-Signed (Testing)**:
```bash
# Already generated during config creation
# Certificates in server.config.yaml
```
**Option 2: Let's Encrypt**:
```bash
# Install certbot
sudo apt install certbot
# Generate certificate
sudo certbot certonly --standalone \
-d velociraptor.company.com \
--non-interactive --agree-tos \
-m admin@company.com
# Update server.config.yaml with Let's Encrypt certs
```
**Option 3: Corporate CA**:
```yaml
# Update server.config.yaml
Frontend:
certificate: /path/to/server-cert.pem
private_key: /path/to/server-key.pem
GUI:
use_plain_http: false
certificate: /path/to/gui-cert.pem
private_key: /path/to/gui-key.pem
```
## Client Deployment
### Generate Client Configuration
```bash
# Generate client config from server config
velociraptor --config /etc/velociraptor/server.config.yaml \
config client > /tmp/client.config.yaml
```
### Deployment Methods
#### Method 1: MSI Installer (Windows)
```bash
# Generate MSI installer
velociraptor --config /etc/velociraptor/server.config.yaml \
config msi --binary velociraptor.exe \
--output VelociraptorClient.msi
# Deploy via GPO, SCCM, or Intune
# Silent install: msiexec /i VelociraptorClient.msi /quiet
```
#### Method 2: DEB/RPM Package (Linux)
```bash
# Generate DEB package
velociraptor --config /etc/velociraptor/server.config.yaml \
debian client --binary velociraptor-linux-amd64 \
--output velociraptor-client.deb
# Deploy via Ansible, Puppet, or package manager
# Install: sudo dpkg -i velociraptor-client.deb
```
#### Method 3: Manual Installation
**Windows**:
```powershell
# Copy binary and config
Copy-Item velociraptor.exe C:\Program Files\Velociraptor\
Copy-Item client.config.yaml C:\Program Files\Velociraptor\
# Install as service
& "C:\Program Files\Velociraptor\velociraptor.exe" `
--config "C:\Program Files\Velociraptor\client.config.yaml" `
service install
# Start service
Start-Service Velociraptor
```
**Linux**:
```bash
# Copy binary and config
sudo cp velociraptor /usr/local/bin/
sudo cp client.config.yaml /etc/velociraptor/
# Create systemd service
sudo cat > /etc/systemd/system/velociraptor-client.service <<'EOF'
[Unit]
Description=Velociraptor DFIR Client
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor/client.config.yaml client -v
Restart=on-failure
User=root
[Install]
WantedBy=multi-user.target
EOF
# Start service
sudo systemctl enable velociraptor-client
sudo systemctl start velociraptor-client
```
### Client Configuration Options
```yaml
# client.config.yaml
Client:
server_urls:
- https://velociraptor.company.com:8000/
# Connection tuning
max_poll: 60 # Max seconds between polls
max_poll_std: 10 # Jitter to prevent thundering herd
# Performance
max_upload_size: 104857600 # 100MB
cpu_limit: 80 # CPU usage percentage limit
progress_timeout: 3600 # Query timeout
# Writeback file (client state)
writeback_linux: /etc/velociraptor/writeback.yaml
writeback_windows: C:\Program Files\Velociraptor\writeback.yaml
```
## High Availability
### Load Balancer Configuration
**HAProxy Example**:
```conf
# /etc/haproxy/haproxy.cfg
frontend velociraptor_frontend
bind *:8000 ssl crt /etc/ssl/certs/velociraptor.pem
mode tcp
default_backend velociraptor_servers
backend velociraptor_servers
mode tcp
balance leastconn
option tcp-check
server velo1 10.0.1.10:8000 check
server velo2 10.0.1.11:8000 check
server velo3 10.0.1.12:8000 check
frontend velociraptor_gui
bind *:8889 ssl crt /etc/ssl/certs/velociraptor.pem
mode http
default_backend velociraptor_gui_servers
backend velociraptor_gui_servers
mode http
balance roundrobin
option httpchk GET /
server velo1 10.0.1.10:8889 check
server velo2 10.0.1.11:8889 check
server velo3 10.0.1.12:8889 check
```
### Shared Datastore
**NFS Configuration**:
```bash
# On NFS server
sudo apt install nfs-kernel-server
sudo mkdir -p /export/velociraptor
sudo chown nobody:nogroup /export/velociraptor
# /etc/exports
/export/velociraptor 10.0.1.0/24(rw,sync,no_subtree_check,no_root_squash)
# On Velociraptor servers
sudo mount -t nfs nfs-server:/export/velociraptor /var/lib/velociraptor
```
**S3 Datastore (Future)**:
```yaml
# server.config.yaml
Datastore:
implementation: S3DataStore
s3_bucket: velociraptor-datastore
s3_region: us-east-1
credentials_file: /etc/velociraptor/aws-credentials
```
## Security Hardening
### Network Security
**Firewall Rules** (iptables):
```bash
# Allow client connections
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
# Allow GUI access from management network only
sudo iptables -A INPUT -p tcp --dport 8889 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8889 -j DROP
# Save rules
sudo iptables-save > /etc/iptables/rules.v4
```
**TLS Configuration**:
```yaml
# Enforce TLS 1.2+
Frontend:
min_tls_version: "1.2"
GUI:
min_tls_version: "1.2"
```
### Access Control
**Role-Based Access**:
```bash
# Create read-only analyst role
velociraptor --config server.config.yaml \
acl grant analyst --role reader
# Create hunt operator role
velociraptor --config server.config.yaml \
acl grant hunter --role analyst
# Create admin role
velociraptor --config server.config.yaml \
acl grant admin --role administrator
```
**Permissions Matrix**:
| Role | View Artifacts | Run Collections | Create Hunts | Manage Users | View All Clients |
|------|---------------|-----------------|--------------|--------------|------------------|
| Reader | ✓ | ✗ | ✗ | ✗ | ✗ |
| Analyst | ✓ | ✓ | ✗ | ✗ | ✓ |
| Investigator | ✓ | ✓ | ✓ | ✗ | ✓ |
| Administrator | ✓ | ✓ | ✓ | ✓ | ✓ |
### Audit Logging
**Enable Comprehensive Logging**:
```yaml
# server.config.yaml
Logging:
output_directory: /var/log/velociraptor
separate_logs_per_component: true
max_age: 365
# Log queries
log_queries: true
# Log all API calls
log_api_calls: true
```
**Audit Log Monitoring**:
```bash
# Monitor authentication events
tail -f /var/log/velociraptor/frontend.log | grep -i "auth"
# Monitor collection starts
tail -f /var/log/velociraptor/frontend.log | grep -i "collection"
# Monitor hunt creation
tail -f /var/log/velociraptor/frontend.log | grep -i "hunt"
```
## Monitoring and Maintenance
### Health Checks
**Server Health**:
```bash
# Check server status
systemctl status velociraptor
# Check connected clients
velociraptor --config server.config.yaml \
query "SELECT client_id, os_info.hostname, last_seen_at FROM clients()"
# Check resource usage
velociraptor --config server.config.yaml \
query "SELECT * FROM monitoring()"
```
**Client Health Monitoring**:
```sql
-- Find offline clients (>24 hours)
SELECT client_id,
os_info.hostname AS Hostname,
timestamp(epoch=last_seen_at) AS LastSeen
FROM clients()
WHERE last_seen_at < now() - 86400
ORDER BY last_seen_at
```
### Backup and Recovery
**Backup Strategy**:
```bash
#!/bin/bash
# velociraptor-backup.sh
BACKUP_DIR="/backup/velociraptor"
DATASTORE="/var/lib/velociraptor"
DATE=$(date +%Y%m%d-%H%M%S)
# Stop server (optional for consistency)
# systemctl stop velociraptor
# Backup datastore
tar -czf "$BACKUP_DIR/datastore-$DATE.tar.gz" "$DATASTORE"
# Backup configuration
cp /etc/velociraptor/server.config.yaml "$BACKUP_DIR/server.config-$DATE.yaml"
# Restart server
# systemctl start velociraptor
# Rotate old backups (keep 30 days)
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete
```
**Recovery**:
```bash
# Stop server
systemctl stop velociraptor
# Restore datastore
tar -xzf /backup/velociraptor/datastore-20240115.tar.gz -C /var/lib/
# Restore config
cp /backup/velociraptor/server.config-20240115.yaml /etc/velociraptor/server.config.yaml
# Start server
systemctl start velociraptor
```
### Maintenance Tasks
**Database Cleanup**:
```bash
# Delete old collections
velociraptor --config server.config.yaml \
query "DELETE FROM collections WHERE timestamp < now() - 7776000" # 90 days
# Vacuum datastore (reclaim space)
velociraptor --config server.config.yaml \
datastore vacuum
```
**Client Updates**:
```bash
# Update clients via server
# 1. Upload new binary to server
velociraptor --config server.config.yaml \
tools upload --file velociraptor-v0.72.4.exe --name velociraptor
# 2. Create update hunt
velociraptor --config server.config.yaml \
query "SELECT * FROM hunt(artifact='Generic.Client.Update')"
```
## Scaling Considerations
### Performance Tuning
**Server Configuration**:
```yaml
# server.config.yaml
Frontend:
# Increase concurrent connections
max_connections: 10000
# Connection timeouts
keep_alive_timeout: 300
Datastore:
# Filesystem tuning
max_dir_size: 10000 # Files per directory
Resources:
# Increase worker pools
expected_clients: 10000
max_poll_threads: 100
```
**System Tuning**:
```bash
# Increase file descriptors
echo "velociraptor soft nofile 65536" >> /etc/security/limits.conf
echo "velociraptor hard nofile 65536" >> /etc/security/limits.conf
# Kernel tuning
cat >> /etc/sysctl.conf <<EOF
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_local_port_range = 10000 65000
EOF
sysctl -p
```
### Capacity Planning
**Client-to-Server Ratio**:
- Single server: Up to 10,000 clients
- Multi-frontend: Up to 100,000 clients
- Distributed: 100,000+ clients
**Storage Requirements**:
- Base install: ~200MB
- Per-client metadata: ~100KB
- Per-collection: Varies (typically 1-50MB)
- Retention: Plan for 90-180 days of data
**Network Bandwidth**:
- Baseline: ~1KB/client/minute (polling)
- Collection: Depends on artifacts (10MB-1GB)
- Hunt: Multiply collection size by client count
**Formula**:
```
Storage = (Clients × 100KB) + (Collections/day × AvgSize × RetentionDays)
Bandwidth = (Clients × 1KB × 60 × 24) + (Hunts/day × Clients × AvgCollection)
```
### Monitoring Metrics
**Key Performance Indicators**:
- Client check-in rate (target: >99%)
- Average query execution time
- Collection success rate
- Datastore growth rate
- Server CPU/memory usage
- Network throughput
**Prometheus Metrics** (if enabled):
```yaml
# server.config.yaml
Monitoring:
bind_address: localhost
bind_port: 9090
```
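Review bot: the `sudo cat > /etc/systemd/system/velociraptor.service <<'EOF'` line in step 3, and the same pattern for velociraptor-client.service under Manual Installation, will fail with permission denied because the redirection is performed by the unprivileged shell before `sudo cat` runs; use `sudo tee /etc/systemd/system/velociraptor.service >/dev/null <<'EOF'` instead. The Recovery block restores to the wrong path: `tar -czf ... "$DATASTORE"` stores the tree as `var/lib/velociraptor` (tar strips the leading slash), so `tar -xzf ... -C /var/lib/` produces /var/lib/var/lib/velociraptor; extract with `-C /`. The backup script also names files `datastore-YYYYMMDD-HHMMSS.tar.gz`, so `datastore-20240115.tar.gz` will not exist as written. In the Windows manual install, `Copy-Item velociraptor.exe C:\Program Files\Velociraptor\` passes two positional arguments because the path contains a space; quote it as the `service install` lines below it already do. The HAProxy `velociraptor_frontend` terminates TLS (`bind *:8000 ssl crt ...`) but forwards plain TCP to backends that expect TLS and whose certificate the clients verify against the `ca_certificate` in their config; either pass TLS through (drop `ssl crt` on the 8000 bind) or re-encrypt with `ssl` on the `server` lines. The Database Cleanup block runs `DELETE FROM collections WHERE ...`, which is not VQL (there is no DELETE statement); flows are removed with the server's flow-deletion artifacts, and `datastore vacuum` should be verified as a real subcommand before shipping. Several other keys and flags (`config generate --deployment ...`, `config msi`, `Frontend.min_tls_version`, `Logging.log_queries`, `Resources.max_poll_threads`, `tools upload --file`) need checking against the 0.72 documentation, since readers will paste them verbatim. Lastly, the NFS export `10.0.1.0/24(rw,sync,no_subtree_check,no_root_squash)` gives root on any host in that subnet root access to the datastore; that belongs under Security Hardening with a note to restrict the export to the frontend IPs.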


@@ -0,0 +1,597 @@
# MITRE ATT&CK Technique Detection with Velociraptor
Mapping of MITRE ATT&CK techniques to Velociraptor artifacts and VQL queries.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
- [Command and Control](#command-and-control)
## Initial Access
### T1078: Valid Accounts
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4624, 4625)
- `Windows.EventLogs.RDP`
**VQL Query**:
```sql
-- Detect unusual logon patterns
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.LogonType AS LogonType,
EventData.WorkstationName AS Workstation
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
AND (
EventData.LogonType IN (3, 10) -- Network or RemoteInteractive
OR timestamp(epoch=System.TimeCreated.SystemTime).Hour NOT IN (8,9,10,11,12,13,14,15,16,17) -- Off-hours
)
ORDER BY LogonTime DESC
```
### T1566: Phishing
**Artifacts**:
- `Windows.Forensics.Lnk`
- `Windows.Applications.Office.Keywords`
**VQL Query**:
```sql
-- Suspicious Office document execution
SELECT FullPath,
Mtime,
read_file(filename=FullPath, length=100000) AS Content
FROM glob(globs=[
"C:/Users/*/Downloads/**/*.doc*",
"C:/Users/*/Downloads/**/*.xls*"
])
WHERE Content =~ "(?i)(macro|vba|shell|exec|powershell)"
AND Mtime > timestamp(epoch=now() - 604800)
```
## Execution
### T1059.001: PowerShell
**Artifacts**:
- `Windows.EventLogs.PowershellScriptblock`
- `Windows.System.Powershell.PSReadline`
**VQL Query**:
```sql
-- Malicious PowerShell execution
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ExecutionTime,
EventData.ScriptBlockText AS Command,
EventData.Path AS ScriptPath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx")
WHERE System.EventID.Value = 4104 -- Script Block Logging
AND EventData.ScriptBlockText =~ "(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)"
ORDER BY ExecutionTime DESC
```
### T1059.003: Windows Command Shell
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- Suspicious cmd.exe usage
SELECT Pid, Ppid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ "(?i)cmd.exe"
AND CommandLine =~ "(?i)(/c|/k|/r)"
AND Ppid IN (
SELECT Pid FROM pslist()
WHERE Name =~ "(?i)(winword|excel|powerpnt|acrobat|outlook)"
)
```
### T1053.005: Scheduled Task
**Artifacts**:
- `Windows.System.TaskScheduler`
- `Windows.EventLogs.ScheduledTasks`
**VQL Query**:
```sql
-- Recently created scheduled tasks
SELECT FullPath AS TaskPath,
parse_xml(file=FullPath).Task.Actions.Exec.Command AS Command,
parse_xml(file=FullPath).Task.Principals.Principal.UserId AS RunAsUser,
timestamp(epoch=Mtime) AS Created
FROM glob(globs="C:/Windows/System32/Tasks/**")
WHERE NOT IsDir
AND Mtime > timestamp(epoch=now() - 86400)
AND Command != ""
ORDER BY Created DESC
```
## Persistence
### T1547.001: Registry Run Keys
**Artifacts**:
- `Windows.Persistence.PermanentRuns`
- `Windows.System.StartupItems`
**VQL Query**:
```sql
-- Autorun registry entries
SELECT Key.FullPath AS RegistryKey,
ValueName,
ValueData.value AS ExecutablePath,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*"
])
WHERE ValueData.value != ""
ORDER BY LastModified DESC
```
### T1543.003: Windows Service
**Artifacts**:
- `Windows.System.Services`
- `Windows.EventLogs.ServiceCreation`
**VQL Query**:
```sql
-- Suspicious services
SELECT Key.Name AS ServiceName,
ImagePath.value AS ExecutablePath,
DisplayName.value AS DisplayName,
Start.value AS StartType,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*")
WHERE ImagePath.value != ""
AND (
ImagePath.value =~ "(?i)(temp|appdata|users)"
OR ImagePath.value =~ "(?i)(powershell|cmd|wscript)"
OR Key.Mtime > timestamp(epoch=now() - 604800)
)
```
### T1546.003: WMI Event Subscription
**Artifacts**:
- `Windows.Persistence.PermanentWMIEvents`
**VQL Query**:
```sql
-- Malicious WMI event subscriptions
SELECT Namespace,
FilterName,
Query,
ConsumerName,
ConsumerType,
ConsumerData
FROM wmi(
query="SELECT * FROM __FilterToConsumerBinding",
namespace="ROOT/Subscription"
)
WHERE ConsumerData =~ "(?i)(powershell|cmd|wscript|executable)"
```
## Privilege Escalation
### T1548.002: Bypass User Account Control
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4688 with elevated token)
**VQL Query**:
```sql
-- UAC bypass indicators
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.NewProcessName AS ProcessName,
EventData.CommandLine AS CommandLine,
EventData.ParentProcessName AS ParentProcess
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688
AND EventData.TokenElevationType = "%%1937" -- Full token elevated
AND (
EventData.NewProcessName =~ "(?i)(fodhelper|computerdefaults|sdclt)"
OR EventData.CommandLine =~ "(?i)(eventvwr|ms-settings)"
)
```
### T1134: Access Token Manipulation
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4672, 4673)
**VQL Query**:
```sql
-- Sensitive privilege use
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.SubjectUserName AS Username,
EventData.PrivilegeList AS Privileges
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4672
AND EventData.PrivilegeList =~ "(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)"
```
## Defense Evasion
### T1070.001: Clear Windows Event Logs
**Artifacts**:
- `Windows.EventLogs.Cleared`
**VQL Query**:
```sql
-- Event log clearing
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ClearedTime,
System.Channel AS LogName,
EventData.SubjectUserName AS Username
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (1102, 104) -- Audit log cleared
ORDER BY ClearedTime DESC
```
### T1562.001: Disable or Modify Tools
**Artifacts**:
- `Windows.Forensics.Timeline`
- `Windows.Registry.RecentDocs`
**VQL Query**:
```sql
-- Security tool tampering
SELECT Key.FullPath AS RegistryKey,
ValueName,
ValueData.value AS Value,
timestamp(epoch=Key.Mtime) AS Modified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Defender/**",
"HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows Defender/**",
"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/WinDefend/**"
])
WHERE (
ValueName =~ "(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|Start)"
AND (ValueData.value = 1 OR ValueData.value = 4)
)
```
### T1055: Process Injection
**Artifacts**:
- `Windows.Detection.ProcessInjection`
- `Windows.Memory.Acquisition`
**VQL Query**:
```sql
-- Detect process injection via memory protections
SELECT Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
Address,
Size,
Protection,
Type
FROM vad()
WHERE Protection =~ "EXECUTE.*WRITE" -- RWX memory
AND Type = "Private"
AND process_tracker_get(id=Pid).Name NOT IN ("chrome.exe", "firefox.exe") -- Exclude known JIT
```
## Credential Access
### T1003.001: LSASS Memory
**Artifacts**:
- `Windows.EventLogs.ProcessAccess`
- `Windows.Detection.Mimikatz`
**VQL Query**:
```sql
-- LSASS access attempts
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
EventData.SourceProcessId AS SourcePID,
EventData.SourceImage AS SourceImage,
EventData.TargetImage AS TargetImage,
EventData.GrantedAccess AS AccessRights
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10 -- ProcessAccess
AND EventData.TargetImage =~ "(?i)lsass.exe"
AND EventData.GrantedAccess =~ "(0x1010|0x1410|0x143A)" -- Suspicious access rights
```
### T1003.002: Security Account Manager
**Artifacts**:
- `Windows.Forensics.SAM`
- `Windows.EventLogs.EvtxHunter`
**VQL Query**:
```sql
-- SAM registry hive access
SELECT FullPath,
timestamp(epoch=Atime) AS AccessTime,
timestamp(epoch=Mtime) AS ModifiedTime
FROM glob(globs=[
"C:/Windows/System32/config/SAM",
"C:/Windows/System32/config/SYSTEM",
"C:/Windows/System32/config/SECURITY"
])
WHERE Atime > timestamp(epoch=now() - 86400)
```
### T1555: Credentials from Password Stores
**Artifacts**:
- `Windows.Forensics.DPAPI`
- `Windows.Browsers.ChromeHistory`
**VQL Query**:
```sql
-- Browser credential access
SELECT FullPath,
timestamp(epoch=Atime) AS AccessTime
FROM glob(globs=[
"C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Login Data",
"C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/logins.json"
])
WHERE Atime > timestamp(epoch=now() - 86400)
ORDER BY AccessTime DESC
```
## Discovery
### T1082: System Information Discovery
**Artifacts**:
- `Generic.Client.Info`
- `Windows.System.SystemInfo`
**VQL Query**:
```sql
-- System enumeration commands
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(systeminfo|whoami|ipconfig|hostname|ver)"
AND CreateTime > timestamp(epoch=now() - 3600)
ORDER BY CreateTime DESC
```
### T1083: File and Directory Discovery
**Artifacts**:
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- File system enumeration
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(dir|tree|findstr|where)"
AND CommandLine =~ "(?i)(\\*|recursive|/s|/b)"
ORDER BY CreateTime DESC
```
### T1049: System Network Connections Discovery
**Artifacts**:
- `Windows.Network.Netstat`
**VQL Query**:
```sql
-- Network enumeration commands
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(netstat|net use|net view|arp|route print|nslookup)"
ORDER BY CreateTime DESC
```
## Lateral Movement
### T1021.001: Remote Desktop Protocol
**Artifacts**:
- `Windows.EventLogs.RDP`
- `Windows.EventLogs.EvtxHunter`
**VQL Query**:
```sql
-- RDP lateral movement
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
System.Computer AS DestinationHost
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
AND EventData.LogonType = 10 -- RemoteInteractive
AND EventData.IpAddress != "127.0.0.1"
ORDER BY LogonTime DESC
```
### T1021.002: SMB/Windows Admin Shares
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 5140, 5145)
**VQL Query**:
```sql
-- Admin share access
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
EventData.SubjectUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.ShareName AS Share,
EventData.RelativeTargetName AS FilePath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 5140
AND EventData.ShareName =~ "(?i)(ADMIN\\$|C\\$|IPC\\$)"
```
### T1047: Windows Management Instrumentation
**Artifacts**:
- `Windows.EventLogs.WMIActivity`
- `Windows.System.Pslist`
**VQL Query**:
```sql
-- WMI process creation
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE (
-- WMI spawned processes
Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "(?i)wmiprvse.exe")
-- Or WMIC usage
OR (Name =~ "(?i)wmic.exe" AND CommandLine =~ "(?i)(process call create|/node:)")
)
ORDER BY CreateTime DESC
```
## Collection
### T1005: Data from Local System
**Artifacts**:
- `Windows.Forensics.Timeline`
- `Windows.Detection.Yara`
**VQL Query**:
```sql
-- Data staging detection
SELECT FullPath, Size,
timestamp(epoch=Ctime) AS Created,
timestamp(epoch=Mtime) AS Modified
FROM glob(globs=[
"C:/Users/*/AppData/**/*.zip",
"C:/Users/*/AppData/**/*.rar",
"C:/Users/*/AppData/**/*.7z",
"C:/Windows/Temp/**/*.zip"
])
WHERE Size > 10485760 -- > 10MB
AND Ctime > timestamp(epoch=now() - 86400)
ORDER BY Size DESC
```
### T1119: Automated Collection
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- Automated collection tools
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(robocopy|xcopy|tar|7z|winrar)"
AND CommandLine =~ "(?i)(/s|recursive|mirror)"
```
## Exfiltration
### T1041: Exfiltration Over C2 Channel
**Artifacts**:
- `Windows.Network.NetstatEnriched`
- `Windows.Detection.NetworkAlerts`
**VQL Query**:
```sql
-- Large outbound transfers
SELECT Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
AND Raddr.Port NOT IN (80, 443, 22)
```
### T1052: Exfiltration Over Physical Medium
**Artifacts**:
- `Windows.Forensics.USBDevices`
- `Windows.EventLogs.USBActivity`
**VQL Query**:
```sql
-- USB file transfers
SELECT FullPath, Size,
timestamp(epoch=Mtime) AS Modified
FROM glob(globs=["D:/**", "E:/**", "F:/**"]) -- Removable drives
WHERE Mtime > timestamp(epoch=now() - 86400)
AND Size > 1048576 -- > 1MB
ORDER BY Mtime DESC, Size DESC
```
## Command and Control
### T1071: Application Layer Protocol
**Artifacts**:
- `Windows.Network.NetstatEnriched`
- `Windows.Detection.Sigma`
**VQL Query**:
```sql
-- Unusual outbound connections
SELECT Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
COUNT(*) AS ConnectionCount,
GROUP_CONCAT(DISTINCT process_tracker_get(id=Pid).Name) AS Processes
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
AND Raddr.Port NOT IN (80, 443, 53, 22, 3389)
GROUP BY Raddr.IP, Raddr.Port
HAVING ConnectionCount > 10
```
### T1095: Non-Application Layer Protocol
**Artifacts**:
- `Windows.Network.RawConnections`
**VQL Query**:
```sql
-- Raw socket usage (ICMP tunneling, etc.)
SELECT Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine,
Protocol,
Laddr.IP AS LocalIP,
Raddr.IP AS RemoteIP
FROM netstat()
WHERE Protocol NOT IN ("TCP", "UDP")
AND Raddr.IP != ""
```
### T1219: Remote Access Software
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.Persistence.PermanentRuns`
**VQL Query**:
```sql
-- Remote access tools
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)(teamviewer|anydesk|logmein|ammyy|vnc|radmin|screenconnect)"
OR Exe =~ "(?i)(remote|rdp|desktop|viewer)"
```
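Review bot: the T1071 query uses `COUNT(*)`, `GROUP_CONCAT(DISTINCT ...)` and `HAVING ConnectionCount > 10`, none of which is VQL: aggregation is `count()` with `GROUP BY`, there is no GROUP_CONCAT (use `enumerate()` over the group), and there is no HAVING, so the threshold has to be applied by wrapping the grouped query in a subquery and filtering it with WHERE. Several of the process-hunting regexes are unanchored alternations that will flag ordinary activity: `(?i)(systeminfo|whoami|ipconfig|hostname|ver)` under T1082 matches any command line containing "ver" (driver, server, version), `(?i)(dir|tree|findstr|where)` under T1083 matches "directory", and `Exe =~ "(?i)(remote|rdp|desktop|viewer)"` under T1219 matches every binary under a user's Desktop folder; add word boundaries (`\bver\b`) or match on `Name` rather than free text. The T1566 query regex-searches raw bytes returned by `read_file(...)`, but Office Open XML (.docx/.xlsx) files are zip containers, so `(macro|vba|shell|exec|powershell)` will not match their compressed content; read them through the zip accessor or rely on the `Windows.Applications.Office.Keywords` artifact listed above it. Under T1055, `vad()` requires a `pid` argument, so the query should iterate processes with `foreach(row={SELECT Pid FROM pslist()}, query={SELECT ... FROM vad(pid=Pid)})`. Minor: the T1082, T1083 and T1049 queries read `pslist()`, which only shows currently running processes and will rarely catch short-lived discovery commands; the process-creation event log artifact already listed under T1083 is the better source for those.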


@@ -0,0 +1,535 @@
# VQL Query Patterns for Incident Response
Comprehensive VQL query patterns for common incident response and threat hunting scenarios.
## Table of Contents
- [Process Analysis](#process-analysis)
- [Network Forensics](#network-forensics)
- [File System Analysis](#file-system-analysis)
- [Registry Forensics](#registry-forensics)
- [Memory Analysis](#memory-analysis)
- [Event Log Analysis](#event-log-analysis)
- [Persistence Mechanisms](#persistence-mechanisms)
- [Lateral Movement Detection](#lateral-movement-detection)
- [Data Exfiltration](#data-exfiltration)
- [Malware Analysis](#malware-analysis)
## Process Analysis
### Suspicious Process Detection
```sql
-- Processes with suspicious characteristics
SELECT Pid, Ppid, Name, CommandLine, Username, Exe, CreateTime
FROM pslist()
WHERE (
-- Suspicious parent-child relationships
(Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "(?i)(winword|excel|powerpnt|acrobat)")
AND Name =~ "(?i)(powershell|cmd|wscript|cscript)")
-- Processes running from temp directories
OR Exe =~ "(?i)(temp|tmp|appdata)"
-- Processes with obfuscated command lines
OR CommandLine =~ "(?i)(iex|invoke-expression|downloadstring|webclient|hidden|bypass)"
)
```
### Living-off-the-Land Binaries (LOLBins)
```sql
-- Detect abuse of legitimate Windows binaries
SELECT Pid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE (
-- certutil for downloading
(Name =~ "(?i)certutil" AND CommandLine =~ "(?i)(urlcache|url)")
-- bitsadmin for downloading
OR (Name =~ "(?i)bitsadmin" AND CommandLine =~ "(?i)(transfer|download)")
-- mshta for code execution
OR (Name =~ "(?i)mshta" AND CommandLine =~ "(?i)(http|javascript|vbscript)")
-- rundll32 suspicious usage
OR (Name =~ "(?i)rundll32" AND CommandLine =~ "(?i)(javascript|url)")
)
```
### Process Injection Detection
```sql
-- Identify potential process injection
SELECT Pid, Name,
AllocatedMemory,
ProtectionFlags,
Handles
FROM handles()
WHERE Type = "Section"
AND ProtectionFlags =~ "EXECUTE"
AND Name != ""
```
## Network Forensics
### External Connections
```sql
-- All external network connections with process context
SELECT Laddr.IP AS LocalIP,
Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Status, Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).Exe AS ProcessPath,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP != ""
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)" -- Exclude RFC1918
AND Raddr.IP !~ "^(127\\.|169\\.254\\.)" -- Exclude localhost and link-local
```
### Unusual Port Activity
```sql
-- Connections on unusual ports
SELECT Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
COUNT(*) AS ConnectionCount,
GROUP_CONCAT(DISTINCT process_tracker_get(id=Pid).Name) AS Processes
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.Port NOT IN (80, 443, 22, 3389, 445, 139, 53)
GROUP BY Raddr.IP, Raddr.Port
HAVING ConnectionCount > 5
```
### DNS Query Analysis
```sql
-- Suspicious DNS queries
SELECT query AS Domain,
response AS IPAddress,
timestamp(epoch=Time) AS QueryTime
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-DNS-Client%4Operational.evtx")
WHERE System.EventID.Value = 3008
AND (
-- Long domain names (possible DGA)
length(query) > 50
-- High entropy domains
OR query =~ "[a-z0-9]{20,}"
-- Suspicious TLDs
OR query =~ "\\.(tk|ml|ga|cf|gq)$"
)
```
## File System Analysis
### Recently Modified Executables
```sql
-- Executables modified in last 7 days
SELECT FullPath, Size,
timestamp(epoch=Mtime) AS ModifiedTime,
timestamp(epoch=Ctime) AS CreatedTime,
hash(path=FullPath, accessor="file") AS SHA256
FROM glob(globs=[
"C:/Windows/System32/**/*.exe",
"C:/Windows/SysWOW64/**/*.exe",
"C:/Users/*/AppData/**/*.exe",
"C:/ProgramData/**/*.exe"
])
WHERE Mtime > timestamp(epoch=now() - 604800) -- 7 days
ORDER BY Mtime DESC
```
### Webshell Detection
```sql
-- Potential webshells in web directories
SELECT FullPath, Size,
timestamp(epoch=Mtime) AS ModifiedTime,
read_file(filename=FullPath, length=1000) AS Content
FROM glob(globs=[
"C:/inetpub/wwwroot/**/*.asp",
"C:/inetpub/wwwroot/**/*.aspx",
"C:/inetpub/wwwroot/**/*.php",
"C:/xampp/htdocs/**/*.php"
])
WHERE Content =~ "(?i)(eval|base64_decode|exec|shell_exec|system|passthru|WScript\\.Shell)"
OR FullPath =~ "(?i)(cmd|shell|upload|backdoor|c99)"
```
### Suspicious File Timestamps
```sql
-- Files with timestamp anomalies (timestomping detection)
SELECT FullPath,
timestamp(epoch=Mtime) AS ModifiedTime,
timestamp(epoch=Ctime) AS ChangeTime,
timestamp(epoch=Btime) AS BornTime
FROM glob(globs="C:/Users/**/*.exe")
WHERE Mtime < Btime -- Modified time before birth time (anomaly)
OR Ctime < Btime -- Change time before birth time
```
## Registry Forensics
### Autorun Locations
```sql
-- Comprehensive autorun registry key enumeration
SELECT Key.FullPath AS RegistryPath,
ValueName,
ValueData.value AS Value,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*"
])
WHERE ValueData.value != ""
```
### Recent Registry Modifications
```sql
-- Recently modified registry keys in security-sensitive locations
SELECT FullPath,
timestamp(epoch=Mtime) AS ModifiedTime
FROM glob(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/**",
"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/**",
"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/**"
], accessor="registry")
WHERE Mtime > timestamp(epoch=now() - 86400) -- Last 24 hours
ORDER BY Mtime DESC
```
### AppInit DLL Injection
```sql
-- Detect AppInit DLL injection mechanism
SELECT ValueName,
ValueData.value AS DLLPath,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/AppInit_DLLs",
"HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows NT/CurrentVersion/Windows/AppInit_DLLs"
])
WHERE ValueData.value != ""
```
## Memory Analysis
### Suspicious Memory Regions
```sql
-- Memory regions with unusual protections
SELECT Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
Address,
Size,
Protection
FROM vad()
WHERE Protection =~ "EXECUTE.*WRITE" -- RWX memory (suspicious)
AND Type = "Private"
```
### Injected Code Detection
```sql
-- Detect potentially injected code
SELECT Pid,
Name AS ProcessName,
Vad.Address AS MemoryAddress,
Vad.Protection AS Protection,
Vad.Type AS MemoryType
FROM pslist()
LET Vad <= SELECT * FROM vad(pid=Pid)
WHERE Vad.Protection =~ "EXECUTE"
AND Vad.Type = "Private"
AND Vad.Name = ""
```
## Event Log Analysis
### Failed Logon Attempts
```sql
-- Failed authentication attempts
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.WorkstationName AS Workstation,
EventData.FailureReason AS Reason
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4625 -- Failed logon
ORDER BY EventTime DESC
LIMIT 1000
```
### Privilege Escalation Events
```sql
-- Privilege elevation and sensitive privilege use
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
System.EventID.Value AS EventID,
EventData.SubjectUserName AS User,
EventData.PrivilegeList AS Privileges
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (4672, 4673, 4674) -- Special privilege events
AND EventData.PrivilegeList =~ "(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)"
```
### Scheduled Task Creation
```sql
-- Detect scheduled task creation for persistence
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.TaskName AS TaskName,
EventData.UserContext AS RunAsUser,
EventData.TaskContent AS TaskXML
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-TaskScheduler%4Operational.evtx")
WHERE System.EventID.Value = 106 -- Task registered
ORDER BY EventTime DESC
```
## Persistence Mechanisms
### Comprehensive Persistence Hunt
```sql
-- Multi-vector persistence detection
LET RegistryAutoRuns = SELECT "Registry" AS Method, Key.FullPath AS Location, ValueData.value AS Value
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
LET ScheduledTasks = SELECT "Scheduled Task" AS Method, FullPath AS Location, "" AS Value
FROM glob(globs="C:/Windows/System32/Tasks/**")
WHERE NOT IsDir
LET Services = SELECT "Service" AS Method, Key.Name AS Location, ImagePath.value AS Value
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/**/ImagePath")
LET StartupFolders = SELECT "Startup Folder" AS Method, FullPath AS Location, "" AS Value
FROM glob(globs=[
"C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
"C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*"
])
SELECT * FROM chain(
a=RegistryAutoRuns,
b=ScheduledTasks,
c=Services,
d=StartupFolders
)
```
### WMI Event Subscription Persistence
```sql
-- Detect malicious WMI event subscriptions
SELECT Name,
EventFilter,
Consumer,
timestamp(epoch=CreationDate) AS Created
FROM wmi_persist()
WHERE EventFilter != "" OR Consumer != ""
```
## Lateral Movement Detection
### PsExec Activity
```sql
-- PsExec service creation and execution
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.ServiceName AS ServiceName,
EventData.ImagePath AS ExecutablePath,
EventData.AccountName AS Account
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/System.evtx")
WHERE System.EventID.Value = 7045 -- Service installed
AND (
EventData.ServiceName =~ "(?i)PSEXESVC"
OR EventData.ImagePath =~ "(?i)(\\\\\\\\.*\\\\.*\\\\|admin\\$|c\\$)"
)
```
### Remote Desktop Activity
```sql
-- RDP logon activity
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.LogonType AS LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624 -- Successful logon
AND EventData.LogonType = 10 -- RemoteInteractive (RDP)
ORDER BY LogonTime DESC
```
### SMB/Admin Share Access
```sql
-- Network share access from remote systems
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
EventData.SubjectUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.ShareName AS ShareAccessed,
EventData.ObjectName AS FileAccessed
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 5140 -- Network share accessed
AND EventData.ShareName =~ "(?i)(ADMIN\\$|C\\$|IPC\\$)"
```
## Data Exfiltration
### Large File Transfers
```sql
-- Files copied to removable media or network shares
SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS LastModified,
hash(path=FullPath, accessor="file").SHA256 AS SHA256
FROM glob(globs=[
"D:/**", -- Removable drive
"E:/**",
"\\\\*/**" -- Network paths
])
WHERE Size > 10485760 -- Files larger than 10MB
AND Mtime > timestamp(epoch=now() - 86400)
ORDER BY Size DESC
```
### USB Device History
```sql
-- USB device connection history
SELECT Key.Name AS DeviceID,
FriendlyName.value AS DeviceName,
timestamp(epoch=Key.Mtime) AS LastConnected
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/USBSTOR/**/FriendlyName")
ORDER BY LastConnected DESC
```
### Cloud Storage Activity
```sql
-- Files in cloud sync directories
SELECT FullPath, Size,
timestamp(epoch=Mtime) AS LastModified
FROM glob(globs=[
"C:/Users/*/OneDrive/**",
"C:/Users/*/Dropbox/**",
"C:/Users/*/Google Drive/**"
])
WHERE Mtime > timestamp(epoch=now() - 86400)
ORDER BY Mtime DESC
```
## Malware Analysis
### Suspicious File Indicators
```sql
-- Files with malware-associated characteristics
SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS ModifiedTime,
hash(path=FullPath, accessor="file") AS Hashes
FROM glob(globs=[
"C:/Windows/Temp/**/*.exe",
"C:/Users/*/AppData/Local/Temp/**/*.exe",
"C:/ProgramData/**/*.exe"
])
WHERE (
-- Small executables (potential droppers)
Size < 102400
-- Or recently created
OR Mtime > timestamp(epoch=now() - 3600)
)
```
### Packed Executable Detection
```sql
-- Detect potentially packed executables (high entropy)
SELECT FullPath,
parse_pe(file=FullPath).Entropy AS Entropy,
parse_pe(file=FullPath).Sections AS Sections
FROM glob(globs="C:/Users/**/*.exe")
WHERE parse_pe(file=FullPath).Entropy > 7.0 -- High entropy suggests packing
```
### Malicious Scripts
```sql
-- Suspicious PowerShell/VBS scripts
SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS ModifiedTime,
read_file(filename=FullPath, length=5000) AS Content
FROM glob(globs=[
"C:/Users/**/*.ps1",
"C:/Users/**/*.vbs",
"C:/Users/**/*.js",
"C:/Windows/Temp/**/*.ps1"
])
WHERE Content =~ "(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)"
```
## Advanced Hunting Patterns
### Threat Hunting with Multiple Indicators
```sql
-- Correlate multiple suspicious indicators
LET SuspiciousProcesses = SELECT Pid, Name, CommandLine
FROM pslist()
WHERE CommandLine =~ "(?i)(bypass|hidden|encodedcommand)"
LET SuspiciousConnections = SELECT Pid, Raddr.IP AS RemoteIP
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
SELECT sp.Pid,
sp.Name,
sp.CommandLine,
GROUP_CONCAT(sc.RemoteIP) AS ConnectedIPs
FROM SuspiciousProcesses sp
JOIN SuspiciousConnections sc ON sp.Pid = sc.Pid
GROUP BY sp.Pid
```
### Timeline Analysis
```sql
-- Comprehensive timeline of system activity
SELECT timestamp(epoch=Timestamp) AS EventTime,
Source,
EventType,
Details
FROM chain(
a={SELECT Mtime AS Timestamp, "FileSystem" AS Source, "FileCreated" AS EventType, FullPath AS Details
FROM glob(globs="C:/Users/**") WHERE Mtime > timestamp(epoch=now() - 86400)},
b={SELECT System.TimeCreated.SystemTime AS Timestamp, "EventLog" AS Source,
format(format="EventID:%v", args=System.EventID.Value) AS EventType,
EventData AS Details
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.TimeCreated.SystemTime > timestamp(epoch=now() - 86400)},
c={SELECT Key.Mtime AS Timestamp, "Registry" AS Source, "KeyModified" AS EventType, Key.FullPath AS Details
FROM glob(globs="HKEY_LOCAL_MACHINE/SOFTWARE/**", accessor="registry")
WHERE Key.Mtime > timestamp(epoch=now() - 86400)}
)
ORDER BY EventTime DESC
```
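Review bot: several queries in this file use SQL constructs that VQL has no grammar for, so they will fail to parse as written: "Threat Hunting with Multiple Indicators" joins with `JOIN SuspiciousConnections sc ON sp.Pid = sc.Pid` and table aliases, "Injected Code Detection" places `LET Vad <= SELECT * FROM vad(pid=Pid)` after `FROM pslist()`, and "Unusual Port Activity" uses `COUNT(*)`, `GROUP_CONCAT` and `HAVING`. Rewrite the correlation as `SELECT * FROM foreach(row=SuspiciousProcesses, query={ SELECT ProcPid, Name, CommandLine, RemoteIP FROM SuspiciousConnections WHERE Pid = ProcPid })` after aliasing the outer `Pid AS ProcPid`; express the VAD lookup as an inline column subquery `{ SELECT * FROM vad(pid=Pid) WHERE Protection =~ "EXECUTE" } AS Vad`; and replace the aggregates with `count()` / `enumerate(items=...)` in a grouped subquery with the threshold in an outer `WHERE`. Column names also need a pass: `process_tracker_get(id=Pid).Name` should be `.Data.Name` wherever it appears; the "DNS Query Analysis" query selects `query`, `response` and `Time`, none of which `parse_evtx()` emits (event 3008 exposes `EventData.QueryName` and `EventData.QueryResults`, and the time is `System.TimeCreated.SystemTime`); "Process Injection Detection" selects `AllocatedMemory` and `ProtectionFlags` from `handles()`, which returns handle rows (Pid, Type, Name, access), not memory regions, so this is VAD data queried through the wrong plugin; "Autorun Locations" reads `ValueName` and `ValueData.value` from `read_reg_key()`, which returns one row per key with each value as its own column, whereas those per-value fields come from `glob(..., accessor="registry")` as `Name` and `Data.value`; "Timeline Analysis" likewise uses `Key.Mtime` and `Key.FullPath` on `glob()` rows, which carry `Mtime` and `FullPath` directly. I cannot find a `wmi_persist()` plugin; the documented routes for WMI subscriptions are the `Windows.Persistence.PermanentWMIEvents` artifact or `wmi(query="SELECT * FROM __EventFilter", namespace="root/subscription")`. Two smaller points: "Recently Modified Executables" aliases the whole `hash()` result as `SHA256` while "Large File Transfers" correctly uses `.SHA256`, and the `(?i)(invoke-expression|iex|...)` pattern in "Malicious Scripts" matches `iex` inside ordinary words, so the page should state the tuning each hunting pattern needs before it is run fleet-wide.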