Initial commit

Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions

View File

@@ -0,0 +1,492 @@
---
name: forensics-osquery
description: >
SQL-powered forensic investigation and system interrogation using osquery to query
operating systems as relational databases. Enables rapid evidence collection, threat
hunting, and incident response across Linux, macOS, and Windows endpoints.
Use when: (1) Investigating security incidents and collecting forensic artifacts,
(2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running
processes, network connections, and persistence mechanisms, (4) Collecting system
state during incident response, (5) Querying file hashes, user activity, and system
configuration for compromise indicators, (6) Building detection queries for continuous
monitoring with osqueryd.
version: 0.1.0
maintainer: SirAppSec
category: incident-response
tags: [forensics, osquery, incident-response, threat-hunting, endpoint-detection, dfir, live-forensics, sql]
frameworks: [MITRE-ATT&CK, NIST]
dependencies:
tools: [osquery]
platforms: [linux, macos, windows]
references:
- https://github.com/osquery/osquery
- https://osquery.io/
- https://osquery.readthedocs.io/
---
# osquery Forensics & Incident Response
## Overview
osquery transforms operating systems into queryable relational databases, enabling security analysts to investigate compromises using SQL rather than traditional CLI tools. This skill provides forensic investigation workflows, common detection queries, and incident response patterns for rapid evidence collection across Linux, macOS, and Windows endpoints.
**Core capabilities**:
- SQL-based system interrogation for process, network, file, and user analysis
- Cross-platform forensic artifact collection (Linux, macOS, Windows)
- Live system analysis without deploying heavyweight forensic tools
- Threat hunting queries mapped to MITRE ATT&CK techniques
- Scheduled monitoring with osqueryd for continuous detection
- Integration with SIEM and incident response platforms
## Quick Start
### Interactive Investigation (osqueryi)
```bash
# Launch interactive shell
osqueryi
# Check running processes
SELECT pid, name, path, cmdline, uid FROM processes WHERE name LIKE '%suspicious%';
# Identify listening network services
SELECT DISTINCT processes.name, listening_ports.port, listening_ports.address, processes.pid, processes.path
FROM listening_ports
JOIN processes USING (pid)
WHERE listening_ports.address != '127.0.0.1';
# Find processes with deleted executables (potential malware)
SELECT name, path, pid, cmdline FROM processes WHERE on_disk = 0;
# Check persistence mechanisms (Linux/macOS cron jobs)
SELECT command, path FROM crontab;
```
### One-Liner Forensic Queries
```bash
# Single query execution
osqueryi --json "SELECT * FROM logged_in_users;"
# Export query results for analysis
osqueryi --json "SELECT * FROM processes;" > processes_snapshot.json
# Check for suspicious kernel modules (Linux)
osqueryi --line "SELECT name, used_by, status FROM kernel_modules WHERE name NOT IN (SELECT name FROM known_good_modules);"
```
## Core Workflows
### Workflow 1: Initial Incident Response Triage
For rapid assessment of potentially compromised systems:
Progress:
[ ] 1. Collect running processes and command lines
[ ] 2. Identify network connections and listening ports
[ ] 3. Check user accounts and recent logins
[ ] 4. Examine persistence mechanisms (scheduled tasks, startup items)
[ ] 5. Review suspicious file modifications and executions
[ ] 6. Document findings with timestamps and process ancestry
[ ] 7. Export evidence to JSON for preservation
Work through each step systematically. Use bundled triage script for automated collection.
**Execute triage**: `./scripts/osquery_triage.sh > incident_triage_$(date +%Y%m%d_%H%M%S).json`
### Workflow 2: Threat Hunting for Specific TTPs
When hunting for specific MITRE ATT&CK techniques:
1. **Select Target Technique**
- Identify technique from threat intelligence (e.g., T1055 - Process Injection)
- Map technique to observable system artifacts
- See [references/mitre-attack-queries.md](references/mitre-attack-queries.md) for pre-built queries
2. **Build Detection Query**
- Identify relevant osquery tables (processes, file_events, registry, etc.)
- Join tables to correlate related artifacts
- Use [references/table-guide.md](references/table-guide.md) for schema reference
3. **Execute Hunt**
```sql
-- Example: Hunt for credential dumping (T1003)
SELECT p.pid, p.name, p.cmdline, p.path, p.parent, pm.permissions
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE p.name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR p.cmdline LIKE '%sekurlsa%'
OR (pm.path = '/etc/shadow' OR pm.path LIKE '%SAM%');
```
4. **Analyze Results**
- Review process ancestry and command-line arguments
- Check file hashes against threat intelligence
- Document timeline of suspicious activity
5. **Pivot Investigation**
- Use findings to identify additional indicators
- Query related artifacts (network connections, files, registry)
- Expand hunt scope if compromise confirmed
### Workflow 3: Persistence Mechanism Analysis
Detecting persistence across platforms:
**Linux/macOS Persistence**:
```sql
-- Cron jobs
SELECT * FROM crontab;
-- Systemd services (Linux)
SELECT name, path, status, source FROM systemd_units WHERE source != '/usr/lib/systemd/system';
-- Launch Agents/Daemons (macOS)
SELECT name, path, program, run_at_load FROM launchd WHERE run_at_load = 1;
-- Bash profile modifications
SELECT * FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/home/*/.bashrc', '/home/*/.bash_profile');
```
**Windows Persistence**:
```sql
-- Registry Run keys
SELECT key, name, path, type FROM registry WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';
-- Scheduled tasks
SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;
-- Services
SELECT name, display_name, status, path, start_type FROM services WHERE start_type = 'AUTO_START';
-- WMI event consumers
SELECT name, command_line_template FROM wmi_cli_event_consumers;
```
Review results for:
- Unusual executables in startup locations
- Base64-encoded or obfuscated commands
- Executables in temporary or user-writable directories
- Recently modified persistence mechanisms
### Workflow 4: Network Connection Analysis
Investigating suspicious network activity:
```sql
-- Active network connections with process details
SELECT p.name, p.pid, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0')
ORDER BY ps.remote_port;
-- Listening ports mapped to processes
SELECT DISTINCT p.name, lp.port, lp.address, lp.protocol, p.path, p.cmdline
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
-- DNS lookups (requires events table or process monitoring)
SELECT name, domains, pid FROM dns_resolvers;
```
**Investigation checklist**:
- [ ] Identify non-standard listening ports (not 80, 443, 22, 3389)
- [ ] Check processes with external connections
- [ ] Review destination IPs against threat intelligence
- [ ] Correlate connections with process execution timeline
- [ ] Validate legitimate business purpose for connections
### Workflow 5: File System Forensics
Analyzing file modifications and suspicious files:
```sql
-- Recently modified files in sensitive locations
SELECT path, filename, size, mtime, ctime, md5, sha256
FROM hash
WHERE path LIKE '/etc/%' OR path LIKE '/tmp/%' OR path LIKE 'C:\Windows\Temp\%'
AND mtime > (strftime('%s', 'now') - 86400); -- Last 24 hours
-- Executable files in unusual locations
SELECT path, filename, size, md5, sha256
FROM hash
WHERE (path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\Users\%\AppData\%')
AND (filename LIKE '%.exe' OR filename LIKE '%.sh' OR filename LIKE '%.py');
-- SUID/SGID binaries (Linux/macOS) - potential privilege escalation
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND path LIKE '/usr/%' OR path LIKE '/bin/%';
```
**File analysis workflow**:
1. Identify suspicious files by location and timestamp
2. Extract file hashes (MD5, SHA256) for threat intel lookup
3. Review file permissions and ownership
4. Check for living-off-the-land binaries (LOLBins) abuse
5. Document file metadata for forensic timeline
## Forensic Query Patterns
### Pattern 1: Process Analysis
Standard process investigation queries:
```sql
-- Processes with network connections
SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid;
-- Process tree (parent-child relationships)
SELECT p1.pid, p1.name AS process, p1.cmdline,
p2.pid AS parent_pid, p2.name AS parent_name, p2.cmdline AS parent_cmdline
FROM processes p1
LEFT JOIN processes p2 ON p1.parent = p2.pid;
-- High-privilege processes (UID 0 / SYSTEM)
SELECT pid, name, path, cmdline, uid, euid FROM processes WHERE uid = 0 OR euid = 0;
```
### Pattern 2: User Activity Monitoring
Track user accounts and authentication:
```sql
-- Currently logged in users
SELECT user, tty, host, time, pid FROM logged_in_users;
-- User accounts with login shells
SELECT username, uid, gid, shell, directory FROM users WHERE shell NOT LIKE '%nologin%';
-- Recent authentication events (requires auditd/Windows Event Log integration)
SELECT * FROM user_events WHERE time > (strftime('%s', 'now') - 3600);
-- Sudo usage history (Linux/macOS)
SELECT username, command, time FROM sudo_usage_history ORDER BY time DESC LIMIT 50;
```
### Pattern 3: System Configuration Review
Identify configuration changes:
```sql
-- Kernel configuration and parameters (Linux)
SELECT name, value FROM kernel_info;
SELECT path, key, value FROM sysctl WHERE key LIKE 'kernel.%';
-- Installed packages (detect unauthorized software)
SELECT name, version, install_time FROM deb_packages ORDER BY install_time DESC LIMIT 20; -- Debian/Ubuntu
SELECT name, version, install_time FROM rpm_packages ORDER BY install_time DESC LIMIT 20; -- RHEL/CentOS
-- System information
SELECT hostname, computer_name, local_hostname FROM system_info;
```
## Security Considerations
- **Sensitive Data Handling**: osquery can access sensitive system information (password hashes, private keys, process memory). Limit access to forensic analysts and incident responders. Export query results to encrypted storage. Sanitize logs before sharing with third parties.
- **Access Control**: Requires root/administrator privileges on investigated systems. Use dedicated forensic user accounts with audit logging. Restrict osqueryd configuration files (osquery.conf) to prevent query tampering. Implement least-privilege access to query results.
- **Audit Logging**: Log all osquery executions for forensic chain-of-custody. Record analyst username, timestamp, queries executed, and systems queried. Maintain immutable audit logs for compliance and legal requirements. Use `osqueryd --audit` flag for detailed logging.
- **Compliance**: osquery supports NIST SP 800-53 AU (Audit and Accountability) controls and NIST Cybersecurity Framework detection capabilities. Enables evidence collection for GDPR data breach investigations (Article 33). Query results constitute forensic evidence - maintain integrity and chain-of-custody.
- **Safe Defaults**: Use read-only queries during investigations to avoid system modification. Test complex queries in lab environments before production use. Monitor osqueryd resource consumption to prevent denial of service. Disable dangerous tables (e.g., `curl`, `yara`) in osqueryd configurations unless explicitly needed.
## Bundled Resources
### Scripts
- `scripts/osquery_triage.sh` - Automated triage collection script for rapid incident response
- `scripts/osquery_hunt.py` - Threat hunting query executor with MITRE ATT&CK mapping
- `scripts/parse_osquery_json.py` - Parse and analyze osquery JSON output
- `scripts/osquery_to_timeline.py` - Generate forensic timelines from osquery results
### References
- `references/table-guide.md` - Comprehensive osquery table reference for forensic investigations
- `references/mitre-attack-queries.md` - Pre-built queries mapped to MITRE ATT&CK techniques
- `references/platform-differences.md` - Platform-specific tables and query variations (Linux/macOS/Windows)
- `references/osqueryd-deployment.md` - Deploy osqueryd for continuous monitoring and fleet management
### Assets
- `assets/osquery.conf` - Production osqueryd configuration template for security monitoring
- `assets/forensic-packs/` - Query packs for incident response scenarios
- `ir-triage.conf` - Initial triage queries
- `persistence-hunt.conf` - Persistence mechanism detection
- `lateral-movement.conf` - Lateral movement indicators
- `credential-access.conf` - Credential dumping detection
## Common Investigation Scenarios
### Scenario 1: Webshell Detection
Detect webshells on compromised web servers:
```sql
-- Check web server processes with suspicious child processes
SELECT p1.name AS webserver, p1.pid, p1.cmdline,
p2.name AS child, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'perl', 'python');
-- Files in web directories with recent modifications
SELECT path, filename, mtime, md5, sha256
FROM hash
WHERE path LIKE '/var/www/%' OR path LIKE 'C:\inetpub\wwwroot\%'
AND (filename LIKE '%.php' OR filename LIKE '%.asp' OR filename LIKE '%.jsp')
AND mtime > (strftime('%s', 'now') - 604800); -- Last 7 days
```
### Scenario 2: Ransomware Investigation
Identify ransomware indicators:
```sql
-- Processes writing to many files rapidly (potential encryption activity)
SELECT p.name, p.pid, p.cmdline, COUNT(fe.path) AS files_modified
FROM processes p
JOIN file_events fe ON p.pid = fe.pid
WHERE fe.action = 'WRITE' AND fe.time > (strftime('%s', 'now') - 300)
GROUP BY p.pid
HAVING files_modified > 100;
-- Look for ransom note files
SELECT path, filename FROM file
WHERE filename LIKE '%DECRYPT%' OR filename LIKE '%README%' OR filename LIKE '%RANSOM%';
-- Check for file extension changes (encrypted files)
SELECT path, filename FROM file
WHERE filename LIKE '%.locked' OR filename LIKE '%.encrypted' OR filename LIKE '%.crypto';
```
### Scenario 3: Privilege Escalation Detection
Detect privilege escalation attempts:
```sql
-- Processes running as root from non-standard paths
SELECT pid, name, path, cmdline, uid, euid FROM processes
WHERE (uid = 0 OR euid = 0)
AND path NOT LIKE '/usr/%'
AND path NOT LIKE '/sbin/%'
AND path NOT LIKE '/bin/%'
AND path NOT LIKE 'C:\Windows\%';
-- SUID binaries (Linux/macOS)
SELECT path, filename, uid, gid FROM file
WHERE mode LIKE '%4%' AND path NOT IN (SELECT path FROM known_suid_binaries);
-- Sudoers file modifications
SELECT * FROM file WHERE path = '/etc/sudoers' AND mtime > (strftime('%s', 'now') - 86400);
```
## Integration Points
### SIEM Integration
Forward osqueryd logs to SIEM platforms:
- **Splunk**: Use Splunk Add-on for osquery or universal forwarder
- **Elasticsearch**: Configure osqueryd to output JSON logs, ingest with Filebeat
- **Sentinel**: Stream logs via Azure Monitor Agent or custom ingestion
- **QRadar**: Use QRadar osquery app or log source extension
Configure osqueryd result logging:
```json
{
"options": {
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false
}
}
```
### EDR/XDR Integration
Combine with endpoint detection:
- Correlate osquery results with EDR alerts
- Use osquery for EDR alert enrichment and investigation
- Deploy osquery packs based on EDR threat intelligence
- Augment EDR telemetry with custom osquery tables
### Threat Intelligence Enrichment
Enrich findings with threat intel:
- Query file hashes against VirusTotal, MISP, or threat feeds
- Match network indicators with IOC databases
- Tag findings with MITRE ATT&CK techniques
- Generate hunting hypotheses from threat reports
## Troubleshooting
### Issue: osquery Not Finding Expected Results
**Solution**: Verify table availability and platform compatibility
- Check table schema: `osqueryi ".schema processes"`
- List available tables: `osqueryi ".tables"`
- Review platform-specific tables in [references/platform-differences.md](references/platform-differences.md)
- Some tables require specific osquery versions or kernel features
### Issue: High Resource Consumption
**Solution**: Optimize query performance and scheduling
- Use indexed columns in WHERE clauses (pid, uid, path)
- Avoid unbounded queries without filters
- Reduce osqueryd query frequency in osquery.conf
- Limit result set sizes with LIMIT clause
- Monitor with: `SELECT * FROM osquery_info; SELECT * FROM osquery_schedule;`
### Issue: Permission Denied Errors
**Solution**: Ensure proper privilege escalation
- Run osqueryi with sudo/admin privileges: `sudo osqueryi`
- Some tables require root access (kernel_modules, process_memory_map)
- Check file permissions on osqueryd configuration files
- Review SELinux/AppArmor policies blocking osquery
## Best Practices
1. **Document Queries**: Maintain query library with descriptions and expected results
2. **Test Before Production**: Validate queries in lab before running on production systems
3. **Minimize Scope**: Use WHERE clauses to limit query scope and reduce performance impact
4. **Export Results**: Save query output for evidence preservation (`--json` or `--csv` flags)
5. **Correlate Findings**: Join multiple tables for comprehensive artifact analysis
6. **Version Control**: Track osquery configuration and query packs in Git
7. **Monitor Performance**: Watch osqueryd CPU/memory usage during scheduled queries
8. **Update Regularly**: Keep osquery updated for latest table schemas and security patches
## MITRE ATT&CK Coverage
osquery enables detection and investigation of techniques across the ATT&CK matrix:
- **Initial Access**: Detect suspicious services and scheduled tasks (T1053)
- **Execution**: Monitor process creation and command-line arguments (T1059)
- **Persistence**: Identify registry modifications, cron jobs, startup items (T1547, T1053)
- **Privilege Escalation**: Find SUID binaries, sudo abuse, service creation (T1548, T1543)
- **Defense Evasion**: Detect process injection, file deletion, timestomping (T1055, T1070)
- **Credential Access**: Hunt for credential dumping tools and access (T1003, T1552)
- **Discovery**: Track system enumeration activities (T1082, T1083, T1057)
- **Lateral Movement**: Monitor remote service creation and authentication (T1021)
- **Collection**: Detect archive creation and data staging (T1560, T1074)
- **Exfiltration**: Identify unusual network connections and data transfers (T1041)
See [references/mitre-attack-queries.md](references/mitre-attack-queries.md) for technique-specific detection queries.
## References
- [osquery GitHub Repository](https://github.com/osquery/osquery)
- [osquery Schema Documentation](https://osquery.io/schema/)
- [osquery Deployment Guide](https://osquery.readthedocs.io/en/stable/deployment/)
- [osquery SQL Reference](https://osquery.readthedocs.io/en/stable/introduction/sql/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
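Review bot: the mixed AND/OR filters in the Workflow 5 and Scenario 1 file queries do not enforce what their comments promise. In `WHERE path LIKE '/etc/%' OR path LIKE '/tmp/%' OR path LIKE 'C:\Windows\Temp\%' AND mtime > ...`, in the SUID query's `AND path LIKE '/usr/%' OR path LIKE '/bin/%'`, and in the webshell query's `WHERE path LIKE '/var/www/%' OR path LIKE 'C:\inetpub\wwwroot\%' AND ...`, AND binds tighter than OR, so the time and extension constraints apply only to the last path alternative; wrap the path alternatives in parentheses. The same `hash` queries select `filename`, `size`, `mtime` and `ctime`, but `hash` only exposes `path`, `directory` and the digest columns, so they need a join with `file` (e.g. `FROM file f JOIN hash h USING (path)`) to return that metadata. `mode LIKE '%4%'` in the SUID queries matches any mode string containing a 4 (0644 included); anchor on the leading digit of the four-character mode instead, e.g. `mode LIKE '4___' OR mode LIKE '6___'`. Finally, `known_good_modules` and `known_suid_binaries` are not osquery tables, so the kernel-module one-liner and the Scenario 3 SUID query fail with "no such table"; either ship those allowlists with the bundled resources and document how they are loaded, or replace the subqueries with an inline `NOT IN (...)` list.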

View File

@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.
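Review bot: this README is the generic skill-scaffold placeholder and does not describe what actually lives in `assets/`. SKILL.md lists `assets/osquery.conf` and the four packs under `assets/forensic-packs/` (`ir-triage.conf`, `persistence-hunt.conf`, `lateral-movement.conf`, `credential-access.conf`); replace the template bullets with that inventory and a sentence on how the packs are referenced from the `packs` section of osquery.conf.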

View File

@@ -0,0 +1,104 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect credential dumping and credential access techniques",
"queries": {
"mimikatz_execution": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';",
"interval": 300,
"description": "Mimikatz execution detection",
"platform": "windows"
},
"lsass_process_access": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';",
"interval": 300,
"description": "LSASS memory dumping tools",
"platform": "windows"
},
"credential_file_access": {
"query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');",
"interval": 300,
"description": "Access to credential storage files"
},
"shadow_file_reads": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');",
"interval": 300,
"description": "Unauthorized /etc/shadow access",
"platform": "posix"
},
"sam_registry_access": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';",
"interval": 600,
"description": "SAM registry key access",
"platform": "windows"
},
"password_search": {
"query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');",
"interval": 300,
"description": "Searching for password files"
},
"credential_files": {
"query": "SELECT path, filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');",
"interval": 3600,
"description": "Credential-related files"
},
"browser_credential_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';",
"interval": 300,
"description": "Browser credential database access"
},
"keychain_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';",
"interval": 300,
"description": "macOS Keychain access",
"platform": "darwin"
},
"dpapi_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';",
"interval": 300,
"description": "Windows DPAPI credential access",
"platform": "windows"
},
"ntds_dit_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';",
"interval": 300,
"description": "Active Directory database access",
"platform": "windows"
},
"kerberos_ticket_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';",
"interval": 300,
"description": "Kerberos ticket manipulation"
},
"sudo_without_password": {
"query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;",
"interval": 300,
"description": "Sudo usage potentially leveraging cached credentials",
"platform": "posix"
},
"sudoers_file_access": {
"query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE '/etc/sudoers.d/%';",
"interval": 3600,
"description": "Sudoers file modification monitoring",
"platform": "posix"
},
"ssh_private_keys": {
"query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';",
"interval": 3600,
"description": "SSH private key files",
"platform": "posix"
},
"powershell_credential_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';",
"interval": 300,
"description": "PowerShell credential access commands",
"platform": "windows"
},
"registry_credential_storage": {
"query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';",
"interval": 3600,
"description": "Credentials stored in registry",
"platform": "windows"
}
}
}
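Review bot: `sudo_without_password` flags every ordinary sudo invocation rather than cached-credential use: `-S` only makes sudo read the password from stdin, so `cmdline NOT LIKE '%-S%'` is true for nearly all calls. `-n` (non-interactive, which only succeeds with a cached timestamp or a NOPASSWD rule) is the flag that actually distinguishes the case the description names. Two of the `file` queries also have pattern problems: in `credential_files`, a single `%` matches exactly one path level in the `file` table, so `path LIKE '/home/%'` returns the user directories themselves rather than the files inside them (use the recursive `%%`, keeping in mind the hourly cost of walking all home directories); in `ssh_private_keys`, the leading-wildcard `path LIKE '%/.ssh/%'` gives the `file` table no root to walk from and returns nothing, so anchor it as `path LIKE '/home/%/.ssh/%' OR path LIKE '/Users/%/.ssh/%' OR path LIKE '/root/.ssh/%'`.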

View File

@@ -0,0 +1,80 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Incident response triage queries for rapid forensic collection",
"queries": {
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 0,
"snapshot": true,
"description": "Complete system information snapshot"
},
"users_snapshot": {
"query": "SELECT uid, gid, username, description, directory, shell FROM users;",
"interval": 0,
"snapshot": true,
"description": "All user accounts"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 300,
"description": "Currently logged-in users"
},
"last_logins": {
"query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
"interval": 600,
"description": "Recent login history"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
"interval": 300,
"description": "All running processes with metadata"
},
"processes_deleted_binary": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
"interval": 300,
"description": "Processes with deleted executables (malware indicator)"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 300,
"description": "Active external network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Network services listening on external interfaces"
},
"interface_addresses": {
"query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
"interval": 3600,
"description": "Network interface configuration"
},
"arp_cache": {
"query": "SELECT address, mac, interface, permanent FROM arp_cache;",
"interval": 600,
"description": "ARP cache entries"
},
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "Configured DNS resolvers"
},
"tmp_directory_files": {
"query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
"interval": 900,
"description": "Files in temporary directories",
"snapshot": true
},
"recent_file_modifications": {
"query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
"interval": 3600,
"description": "Recently modified system files (last 24 hours)"
},
"user_groups": {
"query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
"interval": 3600,
"description": "Users in privileged groups"
}
}
}
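Review bot: for a pack whose stated purpose is rapid forensic collection, `recent_file_modifications` should not truncate evidence with `LIMIT 100`; the 24-hour `mtime` window already bounds the result, so drop the LIMIT or raise it well above what a compromised host could plausibly produce. `tmp_directory_files` only lists the top level of each temp directory because a single `%` matches one path level in the `file` table; use `%%` where a recursive listing is wanted. In `network_connections`, excluding only `127.0.0.1`, `::1` and `0.0.0.0` still returns listening and unconnected UDP sockets whose remote side is `''` or `::`; add `AND ps.remote_port != 0` (or `AND ps.state = 'ESTABLISHED'` for TCP) so the output is the "active external connections" the description promises.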

View File

@@ -0,0 +1,105 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect lateral movement and remote access indicators",
"queries": {
"ssh_outbound_connections": {
"query": "SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 22 AND p.name = 'ssh';",
"interval": 300,
"description": "Outbound SSH connections",
"platform": "posix"
},
"rdp_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 3389 OR p.name LIKE '%mstsc%' OR p.name LIKE '%rdp%';",
"interval": 300,
"description": "RDP connection attempts",
"platform": "windows"
},
"smb_connections": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%\\\\\\\\%\\\\admin$%' OR cmdline LIKE '%\\\\\\\\%\\\\c$%' OR cmdline LIKE '%net use%';",
"interval": 300,
"description": "SMB/Windows Admin Share connections",
"platform": "windows"
},
"psexec_indicators": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name LIKE '%psexec%' OR cmdline LIKE '%psexec%' OR path LIKE '%ADMIN$%';",
"interval": 300,
"description": "PsExec execution indicators",
"platform": "windows"
},
"remote_wmi_execution": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%wmic%' AND cmdline LIKE '%/node:%';",
"interval": 300,
"description": "Remote WMI execution",
"platform": "windows"
},
"winrm_activity": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port IN (5985, 5986);",
"interval": 300,
"description": "WinRM connections",
"platform": "windows"
},
"unusual_login_locations": {
"query": "SELECT username, tty, host, time FROM logged_in_users WHERE host NOT IN ('localhost', '127.0.0.1', '') ORDER BY time DESC;",
"interval": 600,
"description": "Remote login sessions"
},
"multiple_ssh_sessions": {
"query": "SELECT user, COUNT(*) AS session_count, GROUP_CONCAT(host) AS hosts FROM logged_in_users WHERE tty LIKE 'pts/%' GROUP BY user HAVING session_count > 2;",
"interval": 600,
"description": "Users with multiple SSH sessions",
"platform": "posix"
},
"ssh_authorized_keys": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/authorized_keys' OR path LIKE '/root/.ssh/authorized_keys' OR path LIKE '/Users/%/.ssh/authorized_keys';",
"interval": 3600,
"description": "SSH authorized_keys file monitoring",
"platform": "posix"
},
"ssh_known_hosts": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/known_hosts' OR path LIKE '/root/.ssh/known_hosts' OR path LIKE '/Users/%/.ssh/known_hosts';",
"interval": 3600,
"description": "SSH known_hosts file monitoring",
"platform": "posix"
},
"smb_sessions": {
"query": "SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid WHERE ps.remote_port IN (445, 139);",
"interval": 300,
"description": "Active SMB connections"
},
"admin_shares_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ADMIN$%' OR cmdline LIKE '%IPC$%' OR cmdline LIKE '%C$%';",
"interval": 300,
"description": "Access to Windows admin shares",
"platform": "windows"
},
"remote_registry_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%reg%' AND cmdline LIKE '%\\\\\\\\%';",
"interval": 300,
"description": "Remote registry access attempts",
"platform": "windows"
},
"remote_scheduled_tasks": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%schtasks%' AND cmdline LIKE '%/s%';",
"interval": 300,
"description": "Remote scheduled task creation",
"platform": "windows"
},
"remote_service_creation": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%sc%' AND cmdline LIKE '%\\\\\\\\%' AND cmdline LIKE '%create%';",
"interval": 300,
"description": "Remote service creation",
"platform": "windows"
},
"vnc_connections": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port >= 5900 AND ps.remote_port <= 5999;",
"interval": 300,
"description": "VNC connection attempts"
},
"suspicious_network_tools": {
"query": "SELECT pid, name, path, cmdline FROM processes WHERE name IN ('nmap', 'masscan', 'nc', 'netcat', 'socat', 'proxychains') OR cmdline LIKE '%nmap%' OR cmdline LIKE '%nc %-%';",
"interval": 300,
"description": "Network reconnaissance tools"
}
}
}
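Review bot: the `smb_sessions` query will fail with an ambiguous-column error: `pid` exists in both `process_open_sockets ps` and `processes p`, so `SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid` needs qualified columns (`p.pid, p.name, p.cmdline, ps.remote_address`), as `vnc_connections` in this same pack already does. Separately, `remote_registry_access` (`cmdline LIKE '%reg%'`) and `remote_service_creation` (`cmdline LIKE '%sc%'`) match any command line containing those substrings (regsvr32, regedit, scripts, discord and so on); anchoring on `name = 'reg.exe'` / `name = 'sc.exe'` alongside the existing UNC-path test keeps the intent with far fewer false positives.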

@@ -0,0 +1,113 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Hunt for persistence mechanisms across all platforms",
"queries": {
"crontab_monitoring": {
"query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
"interval": 3600,
"description": "Monitor cron jobs for persistence",
"platform": "posix"
},
"suspicious_cron_commands": {
"query": "SELECT * FROM crontab WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%' OR command LIKE '%bash -i%' OR command LIKE '%python%socket%' OR command LIKE '%nc%';",
"interval": 1800,
"description": "Detect suspicious cron job commands",
"platform": "posix"
},
"systemd_units": {
"query": "SELECT name, description, load_state, active_state, sub_state, fragment_path, source FROM systemd_units WHERE active_state = 'active';",
"interval": 3600,
"description": "Active systemd services",
"platform": "linux"
},
"non_standard_systemd": {
"query": "SELECT name, fragment_path, active_state FROM systemd_units WHERE active_state = 'active' AND fragment_path NOT LIKE '/usr/lib/systemd/system/%' AND fragment_path NOT LIKE '/lib/systemd/system/%';",
"interval": 1800,
"description": "Non-standard systemd units (potential persistence)",
"platform": "linux"
},
"launchd_monitoring": {
"query": "SELECT name, label, path, program, program_arguments, run_at_load, keep_alive FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "macOS launch agents and daemons",
"platform": "darwin"
},
"suspicious_launchd": {
"query": "SELECT * FROM launchd WHERE run_at_load = 1 AND (path LIKE '%/tmp/%' OR path LIKE '%/Users/%/Library/LaunchAgents/%' OR program LIKE '%curl%' OR program LIKE '%bash%');",
"interval": 1800,
"description": "Suspicious launch agents",
"platform": "darwin"
},
"startup_items_mac": {
"query": "SELECT name, path, args, type, source, status FROM startup_items;",
"interval": 3600,
"description": "macOS startup items",
"platform": "darwin"
},
"registry_run_keys": {
"query": "SELECT key, name, path, data, mtime FROM registry WHERE (key LIKE '%\\\\Run' OR key LIKE '%\\\\RunOnce') AND key NOT LIKE '%\\\\RunOnceEx';",
"interval": 1800,
"description": "Windows registry Run keys",
"platform": "windows"
},
"suspicious_registry_entries": {
"query": "SELECT key, name, path, data FROM registry WHERE (key LIKE '%Run%' OR key LIKE '%RunOnce%') AND (data LIKE '%AppData%' OR data LIKE '%Temp%' OR data LIKE '%ProgramData%' OR data LIKE '%.vbs' OR data LIKE '%.js');",
"interval": 1800,
"description": "Suspicious registry persistence entries",
"platform": "windows"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled, state, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Windows scheduled tasks",
"platform": "windows"
},
"suspicious_scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%powershell%' OR action LIKE '%cmd%' OR action LIKE '%wscript%' OR action LIKE '%mshta%' OR action LIKE '%AppData%' OR action LIKE '%Temp%');",
"interval": 1800,
"description": "Suspicious scheduled tasks",
"platform": "windows"
},
"windows_services": {
"query": "SELECT name, display_name, status, path, start_type, user_account FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START') ORDER BY status;",
"interval": 3600,
"description": "Windows services configuration",
"platform": "windows"
},
"wmi_event_consumers": {
"query": "SELECT name, command_line_template, executable_path, script_file_name FROM wmi_cli_event_consumers;",
"interval": 1800,
"description": "WMI event consumers (persistence mechanism)",
"platform": "windows"
},
"kernel_modules": {
"query": "SELECT name, size, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Loaded Linux kernel modules",
"platform": "linux"
},
"kernel_extensions_mac": {
"query": "SELECT name, version, path, linked_against FROM kernel_extensions WHERE loaded = 1;",
"interval": 3600,
"description": "Loaded macOS kernel extensions",
"platform": "darwin"
},
"bash_profile_modifications": {
"query": "SELECT path, filename, mtime, ctime, size FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/etc/zshrc') OR path LIKE '/home/%/.bashrc' OR path LIKE '/home/%/.bash_profile' OR path LIKE '/home/%/.zshrc' OR path LIKE '/Users/%/.bashrc' OR path LIKE '/Users/%/.bash_profile' OR path LIKE '/Users/%/.zshrc';",
"interval": 3600,
"description": "Shell profile file modifications",
"platform": "posix"
},
"browser_extensions_chrome": {
"query": "SELECT name, identifier, version, description, path, author FROM chrome_extensions;",
"interval": 3600,
"description": "Chrome browser extensions"
},
"browser_extensions_firefox": {
"query": "SELECT name, identifier, version, description, source_url, visible FROM firefox_addons WHERE visible = 1;",
"interval": 3600,
"description": "Firefox browser add-ons"
}
}
}
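Review bot: `wmi_event_consumers` selects `script_file_name` from `wmi_cli_event_consumers`, which has no such column (it belongs to `wmi_script_event_consumers`), so the query errors and logs nothing; either drop that column or add a second query against `wmi_script_event_consumers`. The two `systemd_units` queries select `name` and `source`, but that table's columns are `id` and `source_path` (the platform guide in this same commit queries `id`), so as written they fail too. `kernel_extensions_mac` filters on `loaded = 1`, and I don't see a `loaded` column in that table's schema; the table already lists only loaded kexts, so the WHERE clause can simply be dropped. Two tuning points: `suspicious_launchd` flags every entry under `/Users/%/Library/LaunchAgents/%`, which is the normal per-user agent directory, so it will fire on every legitimate user agent; and the `registry` table is keyed on a hive, so verify that a leading-wildcard `key LIKE '%\\Run'` actually enumerates anything rather than anchoring under `HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent.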

@@ -0,0 +1,77 @@
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 4,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;",
"interval": 3600,
"description": "Collect basic system information"
},
"os_version": {
"query": "SELECT name, version, platform, build FROM os_version;",
"interval": 3600,
"description": "OS version information"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 600,
"description": "Currently logged-in users"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;",
"interval": 300,
"description": "Monitor running processes"
},
"suspicious_processes": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 600,
"description": "Active network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Listening network ports"
}
},
"packs": {
"ir-triage": "/etc/osquery/packs/ir-triage.conf",
"persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf",
"lateral-movement": "/etc/osquery/packs/lateral-movement.conf",
"credential-access": "/etc/osquery/packs/credential-access.conf"
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
}
}
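Review bot: the `network_connections` query excludes `'127.0.0.1', '::1', '0.0.0.0'` as remote addresses but still returns listening and half-open sockets, whose `remote_address` is `''` or `'::'`; add those to the exclusion and filter `ps.state = 'ESTABLISHED'` (as the C2 query in the ATT&CK guide does) so the 10-minute snapshot records real peers only. Also worth a comment next to `"disable_audit": false` / `audit_allow_config` / `audit_allow_sockets`: these enable osquery's Linux audit publisher, which needs exclusive use of the audit netlink socket and therefore conflicts with a running auditd (one of the two has to be disabled); they are ignored on macOS and Windows, as are the `/var/...` paths, so this file is effectively the Linux config even though it carries no `platform` key.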

@@ -0,0 +1,539 @@
# MITRE ATT&CK Detection Queries for osquery
Pre-built osquery detection queries mapped to MITRE ATT&CK techniques for threat hunting and incident response.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
## Initial Access
### T1078 - Valid Accounts
Detect unusual account usage patterns.
```sql
-- Unusual login times or locations
SELECT username, tty, host, time
FROM last
WHERE time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;
-- Failed authentication attempts (requires auth logs)
SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users);
```
### T1190 - Exploit Public-Facing Application
Detect web server exploitation indicators.
```sql
-- Web server processes spawning shells
SELECT p1.name AS webserver, p1.cmdline,
p2.name AS child_process, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe', 'java')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'python', 'perl');
```
## Execution
### T1059.001 - PowerShell
Detect suspicious PowerShell execution.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name LIKE '%powershell%'
AND (cmdline LIKE '%EncodedCommand%'
OR cmdline LIKE '%-enc%'
OR cmdline LIKE '%FromBase64String%'
OR cmdline LIKE '%Invoke-Expression%'
OR cmdline LIKE '%IEX%'
OR cmdline LIKE '%DownloadString%'
OR cmdline LIKE '%-w hidden%'
OR cmdline LIKE '%-WindowStyle hidden%');
```
### T1059.003 - Windows Command Shell
Detect suspicious cmd.exe usage.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name = 'cmd.exe'
AND (cmdline LIKE '%/c%'
OR cmdline LIKE '%&%'
OR cmdline LIKE '%|%'
OR cmdline LIKE '%<%'
OR cmdline LIKE '%>%');
```
### T1059.004 - Unix Shell
Detect suspicious shell execution.
```sql
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE name IN ('bash', 'sh', 'zsh', 'ksh')
AND (cmdline LIKE '%curl%http%'
OR cmdline LIKE '%wget%http%'
OR cmdline LIKE '%nc%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%/dev/tcp%'
OR cmdline LIKE '%base64%');
```
### T1053 - Scheduled Task/Job
Detect suspicious scheduled tasks.
```sql
-- Suspicious cron jobs (Linux/macOS)
SELECT command, path, minute, hour
FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%bash -i%'
OR command LIKE '%python -c%';
-- Suspicious scheduled tasks (Windows)
SELECT name, action, path, enabled
FROM scheduled_tasks
WHERE enabled = 1
AND (action LIKE '%powershell%'
OR action LIKE '%cmd%'
OR action LIKE '%wscript%'
OR action LIKE '%mshta%');
```
## Persistence
### T1547.001 - Registry Run Keys (Windows)
Detect persistence via registry.
```sql
SELECT key, name, path, data
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND (data LIKE '%AppData%'
OR data LIKE '%Temp%'
OR data LIKE '%ProgramData%'
OR data LIKE '%.vbs'
OR data LIKE '%.js');
```
### T1547.006 - Kernel Modules and Extensions
Detect unauthorized kernel modules.
```sql
-- Linux kernel modules
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN (
'ip_tables', 'x_tables', 'nf_conntrack', 'nf_defrag_ipv4',
'iptable_filter', 'iptable_nat', 'ipt_MASQUERADE'
);
-- macOS kernel extensions
SELECT name, version, path
FROM kernel_extensions
WHERE loaded = 1
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Extensions/%';
```
### T1053.003 - Cron (Linux/macOS)
Detect malicious cron jobs.
```sql
SELECT event, command, path, minute, hour, day_of_week
FROM crontab
WHERE command LIKE '%curl%http%'
OR command LIKE '%wget%http%'
OR command LIKE '%bash -i%'
OR command LIKE '%python%socket%'
OR command LIKE '%nc%'
OR command LIKE '%/dev/tcp%'
OR path LIKE '%/tmp/%'
OR path LIKE '%/var/tmp/%';
```
### T1543.002 - Systemd Service (Linux)
Detect malicious systemd services.
```sql
SELECT name, fragment_path, description, active_state
FROM systemd_units
WHERE active_state = 'active'
AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Privilege Escalation
### T1548.003 - Sudo and Sudo Caching
Detect sudo abuse.
```sql
SELECT pid, name, cmdline, uid, euid, parent
FROM processes
WHERE name = 'sudo'
AND (cmdline LIKE '%-i%'
OR cmdline LIKE '%-s%'
OR cmdline LIKE '%-u root%');
```
### T1548.001 - Setuid and Setgid
Find suspicious SUID/SGID binaries.
```sql
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/home/%'
OR path LIKE '/dev/shm/%');
```
### T1543.001 - Launch Agent (macOS)
Detect malicious launch agents.
```sql
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND (path LIKE '%/tmp/%'
OR path LIKE '%/Users/%/Library/LaunchAgents/%'
OR program LIKE '%curl%'
OR program LIKE '%bash%');
```
## Defense Evasion
### T1055 - Process Injection
Detect process injection techniques.
```sql
-- Windows process injection indicators
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%VirtualAllocEx%'
OR cmdline LIKE '%WriteProcessMemory%'
OR cmdline LIKE '%CreateRemoteThread%'
OR cmdline LIKE '%QueueUserAPC%'
OR cmdline LIKE '%SetThreadContext%';
-- Processes with deleted executables (Linux indicator)
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```
### T1070.004 - File Deletion
Detect log and evidence deletion.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE (cmdline LIKE '%rm%'
OR cmdline LIKE '%del%'
OR cmdline LIKE '%shred%'
OR cmdline LIKE '%wipe%')
AND (cmdline LIKE '%log%'
OR cmdline LIKE '%audit%'
OR cmdline LIKE '%history%'
OR cmdline LIKE '%bash_history%');
```
### T1027 - Obfuscated Files or Information
Detect encoding and obfuscation.
```sql
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%base64%'
OR cmdline LIKE '%certutil%decode%'
OR cmdline LIKE '%[Convert]::FromBase64String%'
OR cmdline LIKE '%openssl enc%'
OR cmdline LIKE '%uuencode%';
```
### T1564.001 - Hidden Files and Directories
Find hidden files in unusual locations.
```sql
SELECT path, filename, size, mtime
FROM file
WHERE filename LIKE '.%'
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/dev/shm/%')
AND size > 0;
```
## Credential Access
### T1003.001 - LSASS Memory (Windows)
Detect LSASS dumping.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR cmdline LIKE '%sekurlsa%'
OR cmdline LIKE '%lsadump%'
OR cmdline LIKE '%procdump%lsass%'
OR cmdline LIKE '%comsvcs.dll%MiniDump%';
```
### T1003.008 - /etc/passwd and /etc/shadow
Detect access to credential files.
```sql
-- Processes accessing password files
SELECT p.name, p.cmdline, pm.path
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd')
AND p.name NOT IN ('sshd', 'login', 'su', 'sudo');
```
### T1552.001 - Credentials in Files
Search for credential files.
```sql
SELECT path, filename, size
FROM file
WHERE (filename LIKE '%password%'
OR filename LIKE '%credential%'
OR filename LIKE '%secret%'
OR filename LIKE '%.pem'
OR filename LIKE '%.key'
OR filename = '.bash_history'
OR filename = '.zsh_history')
AND path LIKE '/home/%';
```
## Discovery
### T1057 - Process Discovery
Detect process enumeration.
```sql
SELECT pid, name, cmdline, parent
FROM processes
WHERE cmdline LIKE '%ps aux%'
OR cmdline LIKE '%tasklist%'
OR cmdline LIKE '%Get-Process%'
OR name IN ('ps', 'tasklist.exe');
```
### T1082 - System Information Discovery
Detect system reconnaissance.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%systeminfo%'
OR cmdline LIKE '%uname -a%'
OR cmdline LIKE '%Get-ComputerInfo%'
OR cmdline LIKE '%hostnamectl%'
OR cmdline LIKE '%sw_vers%';
```
### T1083 - File and Directory Discovery
Detect file enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%find%'
OR cmdline LIKE '%dir /s%'
OR cmdline LIKE '%ls -la%'
OR cmdline LIKE '%Get-ChildItem%';
```
### T1087 - Account Discovery
Detect account enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%net user%'
OR cmdline LIKE '%net group%'
OR cmdline LIKE '%net localgroup%'
OR cmdline LIKE '%Get-LocalUser%'
OR cmdline LIKE '%whoami%'
OR cmdline LIKE '%id%';
```
### T1046 - Network Service Scanning
Detect network scanning activity.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%nmap%'
OR cmdline LIKE '%masscan%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%nc%'
OR name IN ('nmap', 'masscan', 'nc', 'netcat');
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
Detect RDP connections.
```sql
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 3389
OR p.name LIKE '%mstsc%'
OR p.name LIKE '%rdp%';
```
### T1021.002 - SMB/Windows Admin Shares
Detect SMB lateral movement.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%\\\\%\\admin$%'
OR cmdline LIKE '%\\\\%\\c$%'
OR cmdline LIKE '%net use%'
OR cmdline LIKE '%PsExec%';
```
### T1021.004 - SSH
Detect SSH lateral movement.
```sql
-- Outbound SSH connections
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 22
AND p.name = 'ssh';
-- Unusual SSH sessions
SELECT user, tty, host, time
FROM logged_in_users
WHERE tty LIKE 'pts/%'
AND user NOT IN ('root', 'admin');
```
## Collection
### T1560.001 - Archive via Utility
Detect data archiving for staging.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE cmdline LIKE '%tar%'
OR cmdline LIKE '%zip%'
OR cmdline LIKE '%7z%'
OR cmdline LIKE '%rar%'
OR cmdline LIKE '%Compress-Archive%';
```
### T1119 - Automated Collection
Detect automated data collection scripts.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE (cmdline LIKE '%find%'
OR cmdline LIKE '%grep%'
OR cmdline LIKE '%Select-String%')
AND (cmdline LIKE '%password%'
OR cmdline LIKE '%credential%'
OR cmdline LIKE '%secret%'
OR cmdline LIKE '%.doc%'
OR cmdline LIKE '%.xls%');
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
Detect suspicious network connections.
```sql
-- Unusual outbound connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1')
AND ps.remote_port NOT IN (80, 443, 22, 53, 3389)
AND ps.state = 'ESTABLISHED';
```
### T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detect data exfiltration via common tools.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%curl%'
OR cmdline LIKE '%wget%'
OR cmdline LIKE '%scp%'
OR cmdline LIKE '%ftp%'
OR cmdline LIKE '%rsync%';
```
## Query Usage Notes
1. **Test queries** in a lab environment before production use
2. **Tune for environment** - add whitelist filters for legitimate activity
3. **Combine queries** - join multiple detections for higher confidence
4. **Time window** - add time filters to reduce result sets
5. **Baseline first** - understand normal activity before hunting
## Reference
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [MITRE ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)
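Review bot: several queries here cannot return what their headings promise. T1003.008 joins `process_memory_map` on `/etc/shadow`, but shadow and passwd are read with read(2), not mapped, so the join will essentially never match; `process_open_files` (`pid`, `fd`, `path`) is the table for open file handles, with the caveat that it only catches a handle that is open at query time. T1548.001 uses `mode LIKE '%4%' OR mode LIKE '%2%'`, which matches `0644`/`0755`-style modes on almost every file; the setuid/setgid bits are the leading digit (`mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%'`), or just use the `suid_bin` table, and `path LIKE '/home/%'` on the `file` table is a single-level glob, so `'/home/%%'` is needed to recurse. T1078's second query is commented as failed authentication attempts but only lists logged-in users absent from `users`; the comment should say what the query actually does. T1543.002 selects `name` from `systemd_units` (the column is `id`, as the platform guide in this commit uses) and T1547.006 filters `kernel_extensions` on a `loaded` column I don't see in the schema; both will error rather than return rows. T1087's `cmdline LIKE '%id%'` and T1083's `'%find%'` match nearly every process on the host; anchor those on `name` instead.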

@@ -0,0 +1,518 @@
# osqueryd Deployment Guide
Deploy osqueryd for continuous endpoint monitoring, detection, and forensic evidence collection at scale.
## Table of Contents
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Query Packs](#query-packs)
- [Log Management](#log-management)
- [Fleet Management](#fleet-management)
- [Performance Tuning](#performance-tuning)
## Overview
osqueryd is the daemon component of osquery that enables:
- Scheduled query execution across endpoint fleet
- Real-time event monitoring with event tables
- Centralized log collection and aggregation
- Detection-as-code with versioned query packs
## Installation
### Linux (Ubuntu/Debian)
```bash
# Add osquery repository
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
# Add repository
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
# Install
sudo apt update
sudo apt install osquery
```
### Linux (RHEL/CentOS)
```bash
# Add osquery repository
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# Add repository
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# Install
sudo yum install osquery
```
### macOS
```bash
# Using Homebrew
brew install osquery
# Or download official PKG installer
# https://pkg.osquery.io/darwin/osquery-<version>.pkg
```
### Windows
```powershell
# Download MSI installer
# https://pkg.osquery.io/windows/osquery-<version>.msi
# Install via PowerShell
msiexec /i osquery-<version>.msi /quiet
```
## Configuration
### Configuration File Location
- Linux: `/etc/osquery/osquery.conf`
- macOS: `/var/osquery/osquery.conf`
- Windows: `C:\Program Files\osquery\osquery.conf`
### Basic Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 2,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"syslog_pipe_path": "/var/osquery/syslog_pipe"
},
"schedule": {
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 3600,
"description": "Collect system information hourly"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid FROM processes;",
"interval": 300,
"description": "Monitor running processes every 5 minutes"
},
"network_connections": {
"query": "SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Monitor network connections every 10 minutes"
}
},
"packs": {
"incident-response": "/etc/osquery/packs/ir-triage.conf",
"ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
}
}
```
### Security-Focused Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"worker_threads": 4,
"enable_monitor": true,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"suspicious_processes": {
"query": "SELECT * FROM processes WHERE on_disk = 0 OR path LIKE '%tmp%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"unauthorized_suid": {
"query": "SELECT path, mode, uid FROM file WHERE (mode LIKE '%4%' OR mode LIKE '%2%') AND path NOT IN (SELECT path FROM file WHERE path LIKE '/usr/%' OR path LIKE '/bin/%');",
"interval": 3600,
"description": "Find unauthorized SUID binaries",
"platform": "posix"
},
"registry_run_keys": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';",
"interval": 3600,
"description": "Monitor registry persistence",
"platform": "windows"
}
}
}
```
## Query Packs
### Creating Query Packs
Query packs organize related queries for specific security scenarios.
**Example: `/etc/osquery/packs/ir-triage.conf`**
```json
{
"platform": "all",
"version": "1.0.0",
"queries": {
"logged_in_users": {
"query": "SELECT * FROM logged_in_users;",
"interval": 600,
"description": "Track logged-in users"
},
"listening_ports": {
"query": "SELECT lp.port, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 300,
"description": "Monitor listening network ports"
},
"kernel_modules": {
"query": "SELECT name, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Monitor loaded kernel modules",
"platform": "linux"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Monitor Windows scheduled tasks",
"platform": "windows"
},
"launchd_services": {
"query": "SELECT name, path, program, run_at_load FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "Monitor macOS launch services",
"platform": "darwin"
}
}
}
```
### Platform-Specific Packs
Use `"platform"` field to limit queries:
- `"posix"` - Linux and macOS
- `"linux"` - Linux only
- `"darwin"` - macOS only
- `"windows"` - Windows only
- `"all"` - All platforms
## Log Management
### Log Types
osqueryd generates several log types:
1. **Result logs**: Query results from scheduled queries
2. **Status logs**: osqueryd operational status and errors
3. **Snapshot logs**: Full result sets (vs differential)
### Log Formats
**JSON (recommended):**
```json
{
"name": "suspicious_processes",
"hostIdentifier": "web-server-01",
"calendarTime": "Mon Oct 02 12:34:56 2023 UTC",
"unixTime": 1696251296,
"epoch": 0,
"counter": 1,
"columns": {
"pid": "1234",
"name": "suspicious",
"path": "/tmp/suspicious"
},
"action": "added"
}
```
### Centralized Logging
#### Option 1: Syslog
```json
{
"options": {
"logger_plugin": "syslog",
"syslog_pipe_path": "/var/osquery/syslog_pipe"
}
}
```
#### Option 2: AWS Kinesis/Firehose
```json
{
"options": {
"logger_plugin": "aws_kinesis",
"aws_kinesis_stream": "osquery-results",
"aws_region": "us-east-1"
}
}
```
#### Option 3: TLS Endpoint
```json
{
"options": {
"logger_plugin": "tls",
"logger_tls_endpoint": "/log",
"logger_tls_period": 60
}
}
```
#### Option 4: Kafka
```json
{
"options": {
"logger_plugin": "kafka_producer",
"kafka_topic": "osquery-logs",
"kafka_brokers": "broker1:9092,broker2:9092"
}
}
```
## Fleet Management
### Fleet Manager Options
1. **osquery Fleet Manager** - Official fleet management tool
2. **Kolide Fleet** - Open-source fleet management (now FleetDM)
3. **Doorman** - Minimal fleet manager
4. **Zentral** - macOS-focused fleet management
### FleetDM Configuration
```yaml
# fleet-config.yml
mysql:
address: 127.0.0.1:3306
database: fleet
username: fleet
password: fleet_password
redis:
address: 127.0.0.1:6379
server:
address: 0.0.0.0:8080
tls: true
cert: /path/to/cert.pem
key: /path/to/key.pem
logging:
json: true
debug: false
```
### Enrolling Endpoints
#### TLS Enrollment
```json
{
"options": {
"enroll_secret_path": "/etc/osquery/enroll_secret.txt",
"tls_server_certs": "/etc/osquery/certs/server.pem",
"tls_hostname": "fleet.example.com",
"host_identifier": "uuid",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": 60,
"logger_plugin": "tls",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": 10,
"distributed_plugin": "tls",
"distributed_interval": 60,
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write"
}
}
```
## Performance Tuning
### Resource Limits
```json
{
"options": {
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20,
"worker_threads": 4,
"schedule_timeout": 60,
"schedule_max_drift": 60
}
}
```
### Query Optimization
1. **Use appropriate intervals**: Balance freshness vs performance
- Critical queries: 60-300 seconds
- Standard monitoring: 300-900 seconds
- Inventory queries: 3600+ seconds
2. **Add WHERE clauses**: Reduce result set size
```sql
-- Bad: SELECT * FROM file;
-- Good: SELECT * FROM file WHERE path LIKE '/etc/%';
```
3. **Limit result sets**: Use LIMIT clause
```sql
SELECT * FROM processes ORDER BY start_time DESC LIMIT 100;
```
4. **Differential logging**: Only log changes
```json
{
"options": {
"log_result_events": true
}
}
```
### Schedule Splay
Prevent query storms by adding jitter:
```json
{
"options": {
"schedule_splay_percent": 10
}
}
```
## Service Management
### Linux (systemd)
```bash
# Start osqueryd
sudo systemctl start osqueryd
# Enable on boot
sudo systemctl enable osqueryd
# Check status
sudo systemctl status osqueryd
# View logs
sudo journalctl -u osqueryd -f
```
### macOS (launchd)
```bash
# Start osqueryd
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Stop osqueryd
sudo launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Check status
sudo launchctl list | grep osquery
```
### Windows (Service)
```powershell
# Start service
Start-Service osqueryd
# Stop service
Stop-Service osqueryd
# Check status
Get-Service osqueryd
# View logs
Get-Content "C:\ProgramData\osquery\log\osqueryd.results.log" -Wait
```
## Security Best Practices
1. **Limit configuration access**: Restrict `/etc/osquery/` to root only
2. **Use TLS**: Encrypt fleet management communications
3. **Rotate secrets**: Change enrollment secrets regularly
4. **Monitor osqueryd**: Alert on service failures
5. **Version control configs**: Track configuration changes in Git
6. **Test before deploy**: Validate queries in lab first
7. **Implement RBAC**: Use fleet manager role-based access
8. **Audit queries**: Review all scheduled queries for performance impact
## Troubleshooting
### High CPU Usage
Check query performance:
```bash
# Enable verbose logging
sudo osqueryd --verbose --config_path=/etc/osquery/osquery.conf
# Check query times
tail -f /var/log/osquery/osqueryd.INFO | grep "query="
```
### Missing Results
Verify query syntax:
```bash
# Test query interactively
osqueryi "SELECT * FROM processes LIMIT 5;"
# Check for errors
tail -f /var/log/osquery/osqueryd.results.log
```
### Service Crashes
Review watchdog settings:
```json
{
"options": {
"watchdog_level": 0, # Disable for debugging
"verbose": true
}
}
```
## Reference
- [osquery Deployment Guide](https://osquery.readthedocs.io/en/stable/deployment/)
- [FleetDM Documentation](https://fleetdm.com/docs)
- [osquery Configuration](https://osquery.readthedocs.io/en/stable/deployment/configuration/)
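Review bot: the watchdog example under Service Crashes is not valid JSON: `"watchdog_level": 0, # Disable for debugging` makes osqueryd reject the whole config file, so the comment belongs in the prose above the block. In the security-focused config, `unauthorized_suid` queries `file` with no `path`/`directory` constraint on the outer SELECT; the `file` table returns nothing without one, and `mode LIKE '%4%'` matches `0644`, so seed it with an explicit directory glob (or use `suid_bin`) and test the leading digit of `mode`. The Ubuntu/Debian install uses `apt-key adv`, which is deprecated and removed on current releases; the key should be written under `/etc/apt/keyrings` and referenced with `signed-by=` in the source line. Two items to verify against the current osquery docs before this ships: the macOS daemon plist name (`com.facebook.osqueryd.plist` is the legacy label; recent packages install `io.osquery.agent.plist`), and the Fleet Manager list, whose first entry, an official "osquery Fleet Manager", is not something the osquery project ships (Fleet, formerly Kolide Fleet, is item 2 and is the usual choice).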

@@ -0,0 +1,353 @@
# Platform-Specific osquery Tables and Queries
Guide to platform-specific tables and query variations across Linux, macOS, and Windows.
## Table of Contents
- [Cross-Platform Tables](#cross-platform-tables)
- [Linux-Specific Tables](#linux-specific-tables)
- [macOS-Specific Tables](#macos-specific-tables)
- [Windows-Specific Tables](#windows-specific-tables)
- [Query Translation Examples](#query-translation-examples)
## Cross-Platform Tables
These tables work across all platforms with consistent schemas:
- `processes` - Running processes
- `users` - User accounts
- `groups` - User groups
- `file` - File system metadata
- `hash` - File hashing
- `system_info` - System information
- `os_version` - OS version details
- `interface_addresses` - Network interfaces
- `routes` - Routing table
- `listening_ports` - Listening network ports
## Linux-Specific Tables
### Process and System
| Table | Description |
|-------|-------------|
| `kernel_modules` | Loaded kernel modules |
| `kernel_info` | Kernel version and boot parameters |
| `memory_info` | System memory information |
| `process_namespaces` | Linux namespace information |
| `seccomp_events` | Seccomp filter events |
| `selinux_events` | SELinux audit events |
| `apparmor_events` | AppArmor audit events |
### Package Management
| Table | Description |
|-------|-------------|
| `deb_packages` | Debian/Ubuntu packages (dpkg) |
| `rpm_packages` | RPM packages (yum/dnf) |
| `portage_packages` | Gentoo Portage packages |
| `pacman_packages` | Arch Linux packages |
### Persistence
| Table | Description |
|-------|-------------|
| `crontab` | Cron scheduled jobs |
| `systemd_units` | Systemd services and units |
### Example Linux Queries
```sql
-- Check kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Installed packages (Debian/Ubuntu); deb_packages has no install_time column,
-- so installation timing has to come from /var/log/dpkg.log instead
SELECT name, version, status, maintainer
FROM deb_packages
ORDER BY name LIMIT 20;
-- SELinux AVC denials (requires the audit-based eventing to be enabled)
SELECT time, type, message
FROM selinux_events
WHERE type = 'AVC' AND message LIKE '%denied%';
```
## macOS-Specific Tables
### System and Kernel
| Table | Description |
|-------|-------------|
| `kernel_extensions` | Loaded kernel extensions (kexts) |
| `system_extensions` | macOS system extensions |
| `signature` | Code signature verification |
| `quarantine` | Quarantine database entries |
### Persistence
| Table | Description |
|-------|-------------|
| `launchd` | Launch agents and daemons |
| `startup_items` | Startup items |
| `periodic_items` | Periodic script executions |
### Applications
| Table | Description |
|-------|-------------|
| `apps` | Installed macOS applications |
| `safari_extensions` | Safari browser extensions |
| `authorization_mechanisms` | Authorization plugin mechanisms |
### Security
| Table | Description |
|-------|-------------|
| `extended_attributes` | File extended attributes (xattr) |
| `keychain_items` | macOS Keychain items |
| `firewall` | macOS firewall settings |
### Example macOS Queries
```sql
-- Launch agents that run at load
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND path NOT LIKE '/System/%';
-- Loaded kernel extensions (the table only lists loaded kexts; there is no loaded column)
SELECT name, version, path, linked_against
FROM kernel_extensions;
-- Quarantined files downloaded into user Downloads folders
SELECT path, data_url, origin_url
FROM quarantine
WHERE path LIKE '/Users/%/Downloads/%';
-- Unsigned executables in Applications
SELECT path, signed FROM signature
WHERE path LIKE '/Applications/%' AND signed = 0;
-- Code signing status
SELECT path, authority, signed, identifier
FROM signature
WHERE path = '/Applications/Suspicious.app/Contents/MacOS/Suspicious';
```
## Windows-Specific Tables
### System and Registry
| Table | Description |
|-------|-------------|
| `registry` | Windows registry access |
| `drivers` | Device drivers |
| `services` | Windows services |
| `wmi_cli_event_consumers` | WMI event consumers |
| `wmi_filter_consumer_binding` | WMI filter bindings |
### Persistence
| Table | Description |
|-------|-------------|
| `scheduled_tasks` | Windows scheduled tasks |
| `autoexec` | Auto-execution entries |
| `startup_items` | Startup folder items |
### Security
| Table | Description |
|-------|-------------|
| `windows_eventlog` | Windows Event Log |
| `authenticode` | Authenticode signature verification |
| `windows_security_products` | Installed security products |
| `bitlocker_info` | BitLocker encryption status |
### Processes
| Table | Description |
|-------|-------------|
| `process_memory_map` | Process memory mappings |
| `process_handles` | Open process handles |
### Example Windows Queries
```sql
-- Registry Run keys. The registry table needs a hive-rooted key constraint, and
-- SQLite does not treat backslash as an escape, so write single backslashes.
SELECT key, name, path, data, mtime
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';
-- Scheduled tasks
SELECT name, action, path, enabled, last_run_time, next_run_time
FROM scheduled_tasks
WHERE enabled = 1
ORDER BY next_run_time;
-- WMI persistence
SELECT name, command_line_template, executable_path
FROM wmi_cli_event_consumers;
-- Windows services
SELECT name, display_name, status, path, start_type, user_account
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
ORDER BY status;
-- Security event log: logons (4624/4625), explicit-credential logons (4648),
-- privileged logons (4672). windows_eventlog has provider_name, not source.
SELECT datetime, eventid, provider_name, data
FROM windows_eventlog
WHERE channel = 'Security'
  AND eventid IN (4624, 4625, 4648, 4672)
ORDER BY datetime DESC LIMIT 100;
-- Authenticode signature verification
SELECT path, result, subject_name, issuer_name
FROM authenticode
WHERE path LIKE 'C:\Users\%'
AND result != 'trusted';
```
## Query Translation Examples
### Persistence Mechanisms
**Linux:**
```sql
-- Cron jobs
SELECT * FROM crontab;
-- Systemd services
SELECT name, fragment_path, active_state
FROM systemd_units
WHERE active_state = 'active';
```
**macOS:**
```sql
-- Launch agents/daemons
SELECT name, path, program, run_at_load
FROM launchd
WHERE run_at_load = 1;
-- Startup items
SELECT name, path, type, source
FROM startup_items;
```
**Windows:**
```sql
-- Registry Run keys (hive-rooted key constraint, single backslashes)
SELECT key, name, path
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
-- Scheduled tasks
SELECT name, action, enabled
FROM scheduled_tasks
WHERE enabled = 1;
```
### Package/Application Inventory
**Linux (Debian/Ubuntu):**
```sql
-- deb_packages has no install_time column; /var/log/dpkg.log holds the timing
SELECT name, version, status, maintainer
FROM deb_packages
ORDER BY name;
```
**Linux (RHEL/CentOS):**
```sql
SELECT name, version, install_time
FROM rpm_packages
ORDER BY install_time DESC;
```
**macOS:**
```sql
SELECT name, path, bundle_version, last_opened_time
FROM apps
ORDER BY last_opened_time DESC;
```
**Windows:**
```sql
SELECT name, version, install_location, install_date
FROM programs
ORDER BY install_date DESC;
```
### Network Connections
**All Platforms:**
```sql
-- Active connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.state = 'ESTABLISHED';
```
**Platform-specific filtering:**
```sql
-- Linux: sockets of processes running in a chroot or container (root other than /)
SELECT * FROM process_open_sockets
WHERE pid IN (SELECT pid FROM processes WHERE root != '/');
-- macOS: Include code signature
SELECT p.name, ps.remote_address, s.authority
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN signature s ON p.path = s.path;
-- Windows: include service name (exact match only; services.path often carries quotes or arguments and will not match)
SELECT p.name, s.name AS service_name, ps.remote_address
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN services s ON p.path = s.path;
```
## Platform Detection in Queries
Use the `os_version` table to detect the platform. Note that SQLite resolves every table name when it parses a statement, so a single query that references `launchd`, `systemd_units` and `services` fails with "no such table" on any host that lacks one of them; per-platform branching belongs in the `platform` key of a pack or scheduled query, not in a `CASE` expression.
```sql
-- Get the current platform. platform is e.g. 'darwin', 'ubuntu', 'rhel' or 'windows';
-- platform_like groups Linux distributions ('debian', 'rhel', ...)
SELECT platform, platform_like, name, version FROM os_version;
```
## Best Practices for Cross-Platform Queries
1. **Check table availability** before querying:
```bash
osqueryi ".tables" | grep <table_name>
```
2. **Use platform detection** for conditional logic
3. **Test queries on each platform** - column names may vary slightly
4. **Document platform requirements** in query comments
5. **Create platform-specific query packs** for osqueryd
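Putting the platform detection above and best practice 5 together: the way to run the right persistence query on the right OS is a pack whose queries carry a `platform` key. This added example (not part of the skill or of osquery) builds such a pack from the persistence queries in this reference and shows which queries would be scheduled for a given `os_version.platform` value; `platform_matches` is a deliberately simplified model of osqueryd's matching, not its code.

```python
import json

# Persistence queries from this reference, tagged with the platform(s) they may run on.
# Per-query platform keys in a pack are how osqueryd itself does per-OS branching.
PERSISTENCE_QUERIES = {
    "posix_crontab": ("SELECT event, command, path FROM crontab;", "posix"),
    "linux_systemd_active": (
        "SELECT id, fragment_path, active_state FROM systemd_units "
        "WHERE active_state = 'active';", "linux"),
    "macos_launchd_run_at_load": (
        "SELECT name, path, program, run_at_load FROM launchd "
        "WHERE run_at_load = 1;", "darwin"),
    "windows_scheduled_tasks": (
        "SELECT name, action, enabled FROM scheduled_tasks WHERE enabled = 1;", "windows"),
    "all_listening_ports": (
        "SELECT port, protocol, address, pid FROM listening_ports;", "any"),
}

def build_pack(interval=3600):
    """Build the pack as a dict; json.dumps(build_pack()) is the file for the packs directory."""
    return {"queries": {
        name: {"query": sql, "interval": interval, "platform": platform,
               "description": f"Persistence inventory ({platform})"}
        for name, (sql, platform) in PERSISTENCE_QUERIES.items()}}

def platform_matches(spec, os_platform):
    """Simplified model (assumption, not osquery's code) of pack platform matching:
    spec is a comma-separated list; 'linux' covers every distro os_version.platform
    can report, 'posix' covers linux and darwin, 'any'/'all' or empty covers everything."""
    linux = {"ubuntu", "debian", "rhel", "centos", "fedora", "arch", "gentoo", "linux"}
    if not spec:
        return True
    for token in (t.strip() for t in spec.split(",")):
        if token in ("any", "all"):
            return True
        if token == "linux" and os_platform in linux:
            return True
        if token == "posix" and (os_platform in linux or os_platform == "darwin"):
            return True
        if token == os_platform:
            return True
    return False

def queries_for(pack, os_platform):
    """Names of the pack's queries that would be scheduled on a host whose
    os_version.platform equals os_platform."""
    return sorted(name for name, q in pack["queries"].items()
                  if platform_matches(q.get("platform", ""), os_platform))

if __name__ == "__main__":
    pack = build_pack()
    print(json.dumps(pack, indent=2))
    for plat in ("ubuntu", "darwin", "windows"):
        print(plat, "->", queries_for(pack, plat))
```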
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/)
- [Platform-specific table reference](https://osquery.io/schema/)

# osquery Table Reference for Forensic Investigations
Comprehensive guide to osquery tables most relevant for incident response and forensic analysis.
## Table of Contents
- [Process Tables](#process-tables)
- [Network Tables](#network-tables)
- [File System Tables](#file-system-tables)
- [User and Authentication Tables](#user-and-authentication-tables)
- [System Information Tables](#system-information-tables)
- [Persistence Mechanism Tables](#persistence-mechanism-tables)
- [Platform-Specific Tables](#platform-specific-tables)
## Process Tables
### processes
Query running processes with detailed information.
**Key columns**: pid, name, path, cmdline, cwd, uid, gid, parent, pgroup, state, on_disk, start_time
```sql
-- Basic process listing
SELECT pid, name, path, cmdline, uid FROM processes;
-- Processes with deleted executables (malware indicator)
SELECT * FROM processes WHERE on_disk = 0;
-- Process tree
SELECT p1.pid, p1.name, p1.cmdline, p2.pid AS parent_pid, p2.name AS parent_name
FROM processes p1
LEFT JOIN processes p2 ON p1.parent = p2.pid;
```
### process_open_sockets
Network sockets opened by processes.
**Key columns**: pid, socket, family, protocol, local_address, local_port, remote_address, remote_port, state
```sql
-- Active external connections
SELECT p.name, ps.remote_address, ps.remote_port, ps.state, p.cmdline
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');
```
### process_memory_map
Memory regions mapped by processes (useful for detecting injections).
**Key columns**: pid, start, end, permissions, path, pseudo
```sql
-- Detect suspicious memory mappings
SELECT p.name, pm.path, pm.permissions, p.cmdline
FROM process_memory_map pm
JOIN processes p ON pm.pid = p.pid
WHERE pm.path LIKE '%tmp%' OR pm.pseudo = 1;
```
### process_envs
Environment variables for running processes.
**Key columns**: pid, key, value
```sql
-- Check for suspicious environment variables
SELECT p.name, pe.key, pe.value
FROM process_envs pe
JOIN processes p ON pe.pid = p.pid
WHERE pe.key IN ('LD_PRELOAD', 'DYLD_INSERT_LIBRARIES', 'PATH');
```
## Network Tables
### listening_ports
Ports listening for connections.
**Key columns**: pid, port, protocol, family, address
```sql
-- Listening ports mapped to processes
SELECT lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```
### interface_addresses
Network interface IP addresses.
**Key columns**: interface, address, mask, broadcast
```sql
-- List all network interfaces and addresses
SELECT interface, address, mask, type FROM interface_addresses;
```
### routes
System routing table.
**Key columns**: destination, netmask, gateway, source, interface, type
```sql
-- Check routing table
SELECT destination, netmask, gateway, interface FROM routes;
```
### arp_cache
ARP table entries (detect ARP spoofing).
**Key columns**: address, mac, interface, permanent
```sql
-- ARP cache analysis
SELECT address, mac, interface FROM arp_cache ORDER BY address;
```
## File System Tables
### file
Query file system metadata.
**Key columns**: path, directory, filename, size, mtime, atime, ctime, mode, uid, gid, type
```sql
-- Recently modified files in sensitive directories
SELECT path, filename, mtime, uid, gid, mode
FROM file
WHERE path LIKE '/etc/%'
OR path LIKE '/usr/bin/%'
OR path LIKE '/usr/sbin/%'
ORDER BY mtime DESC LIMIT 50;
-- SUID/SGID binaries. mode is a four-digit octal string such as '4755', so test the
-- leading digit (4 = setuid, 2 = setgid, 6 = both); '%%' makes the path match
-- recursive, which is slow over a whole tree
SELECT path, filename, mode, uid
FROM file
WHERE (mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%')
  AND path LIKE '/usr/%%';
```
### hash
File cryptographic hashes (MD5, SHA1, SHA256).
**Key columns**: path, directory, filename, md5, sha1, sha256, size
```sql
-- Hash files in suspicious locations
SELECT path, filename, md5, sha256
FROM hash
WHERE path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%';
```
### file_events
Real-time file system change monitoring (requires file integrity monitoring).
**Key columns**: target_path, category, action, time, uid, gid, md5, sha256
```sql
-- File changes in the last hour (file_events has no pid column; inotify and FSEvents do not report one)
SELECT target_path, category, action, time, uid
FROM file_events
WHERE action IN ('CREATED', 'UPDATED', 'DELETED')
  AND time > strftime('%s', 'now') - 3600;
```
## User and Authentication Tables
### users
System user accounts.
**Key columns**: uid, gid, username, description, directory, shell
```sql
-- Users with login shells
SELECT username, uid, gid, shell, directory
FROM users
WHERE shell NOT LIKE '%nologin%' AND shell NOT LIKE '%false';
-- Recent user additions (requires tracking)
SELECT * FROM users ORDER BY uid DESC LIMIT 10;
```
### logged_in_users
Currently logged-in users.
**Key columns**: user, tty, host, time, pid
```sql
-- Active user sessions
SELECT user, tty, host, time FROM logged_in_users;
```
### last
Login history (last command output).
**Key columns**: username, tty, pid, type, time, host
```sql
-- Recent login history
SELECT username, tty, host, time, type
FROM last
ORDER BY time DESC LIMIT 50;
```
### groups
User groups.
**Key columns**: gid, groupname
```sql
-- List all groups
SELECT gid, groupname FROM groups;
```
### user_groups
User-to-group mappings.
**Key columns**: uid, gid
```sql
-- Users in admin groups
SELECT u.username, g.groupname
FROM users u
JOIN user_groups ug ON u.uid = ug.uid
JOIN groups g ON ug.gid = g.gid
WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root');
```
## System Information Tables
### system_info
System hardware and OS information.
**Key columns**: hostname, uuid, cpu_type, cpu_brand, physical_memory, hardware_model
```sql
-- System information
SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;
```
### os_version
Operating system version details.
**Key columns**: name, version, major, minor, patch, build, platform
```sql
-- OS version
SELECT name, version, platform, build FROM os_version;
```
### kernel_info
Kernel version and parameters.
**Key columns**: version, arguments, path, device
```sql
-- Kernel information
SELECT version, arguments FROM kernel_info;
```
### uptime
System uptime.
**Key columns**: days, hours, minutes, seconds, total_seconds
```sql
-- System uptime
SELECT days, hours, minutes FROM uptime;
```
## Persistence Mechanism Tables
### crontab
Scheduled cron jobs (Linux/macOS).
**Key columns**: event, minute, hour, day_of_month, month, day_of_week, command, path
```sql
-- All cron jobs
SELECT event, command, path FROM crontab;
-- Suspicious cron commands
SELECT * FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%base64%';
```
### scheduled_tasks (Windows)
Windows scheduled tasks.
**Key columns**: name, action, path, enabled, state
```sql
-- Enabled scheduled tasks
SELECT name, action, path, state FROM scheduled_tasks WHERE enabled = 1;
```
### startup_items (macOS)
macOS startup items.
**Key columns**: name, path, args, type, source, status
```sql
-- macOS startup items
SELECT name, path, type, source FROM startup_items;
```
### launchd (macOS)
macOS launch agents and daemons.
**Key columns**: name, path, program, program_arguments, run_at_load, keep_alive
```sql
-- Launch agents/daemons that run at load
SELECT name, path, program, program_arguments
FROM launchd
WHERE run_at_load = 1;
```
### registry (Windows)
Windows registry access.
**Key columns**: key, name, type, data, path
```sql
-- Registry Run keys (hive-rooted key constraint, single backslashes)
SELECT key, name, path, data
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';
```
### services (Windows)
Windows services.
**Key columns**: name, display_name, status, path, start_type, user_account
```sql
-- Auto-start services
SELECT name, display_name, path, user_account
FROM services
WHERE start_type = 'AUTO_START';
```
### systemd_units (Linux)
Linux systemd services.
**Key columns**: id, description, load_state, active_state, sub_state, fragment_path
```sql
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Non-default systemd services
SELECT * FROM systemd_units
WHERE fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Platform-Specific Tables
### kernel_modules (Linux)
Loaded kernel modules.
**Key columns**: name, size, used_by, status, address
```sql
-- Loaded kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
```
### kernel_extensions (macOS)
macOS kernel extensions (kexts).
**Key columns**: idx, refs, size, name, version, linked_against, path
```sql
-- Loaded kernel extensions (the table only contains loaded kexts; there is no loaded column)
SELECT name, version, path FROM kernel_extensions;
```
### drivers (Windows)
Windows device drivers.
**Key columns**: device_id, device_name, image, provider, service, service_key
```sql
-- Loaded drivers
SELECT device_name, image, provider, service FROM drivers;
```
### chrome_extensions
Chrome browser extensions.
**Key columns**: name, identifier, version, description, path, author
```sql
-- Installed Chrome extensions
SELECT name, version, description, path FROM chrome_extensions;
```
### firefox_addons
Firefox browser add-ons.
**Key columns**: name, identifier, version, description, source_url, visible
```sql
-- Installed Firefox add-ons
SELECT name, version, description, source_url FROM firefox_addons;
```
## Query Optimization Tips
1. **Use WHERE clauses**: Always filter results to reduce query time
```sql
-- Bad: SELECT * FROM processes;
-- Good: SELECT * FROM processes WHERE uid = 0;
```
2. **Limit results**: Use LIMIT for large result sets
```sql
SELECT * FROM file WHERE path LIKE '/usr/%' LIMIT 100;
```
3. **Constrain on index or required columns**: osquery generates table rows on demand, so a constraint on a column marked index or required in the schema (pid, uid, path) lets the table plugin look up only those rows instead of enumerating everything
4. **Join efficiently**: Start with smaller tables when joining
```sql
SELECT * FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid; -- listening_ports is usually smaller
```
5. **Time filtering**: Use time comparisons for event tables
```sql
WHERE time > (strftime('%s', 'now') - 3600) -- Last hour
```
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/)
- [Table schemas by version](https://osquery.io/schema/)