Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.


@@ -0,0 +1,104 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect credential dumping and credential access techniques",
"queries": {
"mimikatz_execution": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';",
"interval": 300,
"description": "Mimikatz execution detection",
"platform": "windows"
},
"lsass_process_access": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';",
"interval": 300,
"description": "LSASS memory dumping tools",
"platform": "windows"
},
"credential_file_access": {
"query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');",
"interval": 300,
"description": "Access to credential storage files"
},
"shadow_file_reads": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');",
"interval": 300,
"description": "Unauthorized /etc/shadow access",
"platform": "posix"
},
"sam_registry_access": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';",
"interval": 600,
"description": "SAM registry key access",
"platform": "windows"
},
"password_search": {
"query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');",
"interval": 300,
"description": "Searching for password files"
},
"credential_files": {
"query": "SELECT path, filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');",
"interval": 3600,
"description": "Credential-related files"
},
"browser_credential_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';",
"interval": 300,
"description": "Browser credential database access"
},
"keychain_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';",
"interval": 300,
"description": "macOS Keychain access",
"platform": "darwin"
},
"dpapi_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';",
"interval": 300,
"description": "Windows DPAPI credential access",
"platform": "windows"
},
"ntds_dit_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';",
"interval": 300,
"description": "Active Directory database access",
"platform": "windows"
},
"kerberos_ticket_theft": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';",
"interval": 300,
"description": "Kerberos ticket manipulation"
},
"sudo_without_password": {
"query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;",
"interval": 300,
"description": "Sudo usage potentially leveraging cached credentials",
"platform": "posix"
},
"sudoers_file_access": {
"query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE '/etc/sudoers.d/%';",
"interval": 3600,
"description": "Sudoers file modification monitoring",
"platform": "posix"
},
"ssh_private_keys": {
"query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';",
"interval": 3600,
"description": "SSH private key files",
"platform": "posix"
},
"powershell_credential_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';",
"interval": 300,
"description": "PowerShell credential access commands",
"platform": "windows"
},
"registry_credential_storage": {
"query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';",
"interval": 3600,
"description": "Credentials stored in registry",
"platform": "windows"
}
}
}
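Review bot: The `file`-table globs at L63 and L108 will not enumerate what their descriptions promise: in osquery's `file` table a single `%` matches one path component and `%%` is the recursive form, so `path LIKE '/home/%'` (and `/Users/%`, `C:\\Users\\%`) returns only the user directories themselves, and the leading `%` in `path LIKE '%/.ssh/%'` gives the resolver no root directory to walk from, so I would expect that query to return nothing. Consider `path LIKE '/home/%/%%'` for the credential-file sweep and explicit roots such as `path LIKE '/home/%/.ssh/%' OR path LIKE '/root/.ssh/%'` for the key query. The same single-level `%` applies to `/tmp/%`, `/var/tmp/%` and `/etc/%` in the triage pack (L194, L200). Separately, the `process_memory_map` join at L41 only sees files a process has mapped into memory, so a plain read of /etc/shadow never appears there; the description "Access to credential storage files" overstates the coverage and should say "memory-mapped credential files", or the query should be backed by a file-event table.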


@@ -0,0 +1,80 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Incident response triage queries for rapid forensic collection",
"queries": {
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 0,
"snapshot": true,
"description": "Complete system information snapshot"
},
"users_snapshot": {
"query": "SELECT uid, gid, username, description, directory, shell FROM users;",
"interval": 0,
"snapshot": true,
"description": "All user accounts"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 300,
"description": "Currently logged-in users"
},
"last_logins": {
"query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
"interval": 600,
"description": "Recent login history"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
"interval": 300,
"description": "All running processes with metadata"
},
"processes_deleted_binary": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
"interval": 300,
"description": "Processes with deleted executables (malware indicator)"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 300,
"description": "Active external network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Network services listening on external interfaces"
},
"interface_addresses": {
"query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
"interval": 3600,
"description": "Network interface configuration"
},
"arp_cache": {
"query": "SELECT address, mac, interface, permanent FROM arp_cache;",
"interval": 600,
"description": "ARP cache entries"
},
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "Configured DNS resolvers"
},
"tmp_directory_files": {
"query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
"interval": 900,
"description": "Files in temporary directories",
"snapshot": true
},
"recent_file_modifications": {
"query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
"interval": 3600,
"description": "Recently modified system files (last 24 hours)"
},
"user_groups": {
"query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
"interval": 3600,
"description": "Users in privileged groups"
}
}
}
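Review bot: The exclusion list at L169 (`ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0')`) omits `'::'` and the empty string, which is what `process_open_sockets` typically reports for unconnected or listening IPv6/UDP sockets, so those rows will be logged as active external connections; adding both values, or restricting to `ps.state = 'ESTABLISHED'` for TCP rows, keeps the result to what the description claims. `SELECT *` at L137 and L189 ties the logged row shape to whatever columns the running osquery version exposes, so an agent upgrade shows up as spurious diffs in a differential log; an explicit column list, as used elsewhere in this file, avoids that. `running_processes` at L159 logs the whole process table every 300 s as a differential, which produces an add/remove pair for every short-lived process; if the intent is a point-in-time view like the other `_snapshot` entries, mark it `"snapshot": true`.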


@@ -0,0 +1,105 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Detect lateral movement and remote access indicators",
"queries": {
"ssh_outbound_connections": {
"query": "SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 22 AND p.name = 'ssh';",
"interval": 300,
"description": "Outbound SSH connections",
"platform": "posix"
},
"rdp_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 3389 OR p.name LIKE '%mstsc%' OR p.name LIKE '%rdp%';",
"interval": 300,
"description": "RDP connection attempts",
"platform": "windows"
},
"smb_connections": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%\\\\\\\\%\\\\admin$%' OR cmdline LIKE '%\\\\\\\\%\\\\c$%' OR cmdline LIKE '%net use%';",
"interval": 300,
"description": "SMB/Windows Admin Share connections",
"platform": "windows"
},
"psexec_indicators": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name LIKE '%psexec%' OR cmdline LIKE '%psexec%' OR path LIKE '%ADMIN$%';",
"interval": 300,
"description": "PsExec execution indicators",
"platform": "windows"
},
"remote_wmi_execution": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%wmic%' AND cmdline LIKE '%/node:%';",
"interval": 300,
"description": "Remote WMI execution",
"platform": "windows"
},
"winrm_activity": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port IN (5985, 5986);",
"interval": 300,
"description": "WinRM connections",
"platform": "windows"
},
"unusual_login_locations": {
"query": "SELECT username, tty, host, time FROM logged_in_users WHERE host NOT IN ('localhost', '127.0.0.1', '') ORDER BY time DESC;",
"interval": 600,
"description": "Remote login sessions"
},
"multiple_ssh_sessions": {
"query": "SELECT user, COUNT(*) AS session_count, GROUP_CONCAT(host) AS hosts FROM logged_in_users WHERE tty LIKE 'pts/%' GROUP BY user HAVING session_count > 2;",
"interval": 600,
"description": "Users with multiple SSH sessions",
"platform": "posix"
},
"ssh_authorized_keys": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/authorized_keys' OR path LIKE '/root/.ssh/authorized_keys' OR path LIKE '/Users/%/.ssh/authorized_keys';",
"interval": 3600,
"description": "SSH authorized_keys file monitoring",
"platform": "posix"
},
"ssh_known_hosts": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/known_hosts' OR path LIKE '/root/.ssh/known_hosts' OR path LIKE '/Users/%/.ssh/known_hosts';",
"interval": 3600,
"description": "SSH known_hosts file monitoring",
"platform": "posix"
},
"smb_sessions": {
"query": "SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid WHERE ps.remote_port IN (445, 139);",
"interval": 300,
"description": "Active SMB connections"
},
"admin_shares_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ADMIN$%' OR cmdline LIKE '%IPC$%' OR cmdline LIKE '%C$%';",
"interval": 300,
"description": "Access to Windows admin shares",
"platform": "windows"
},
"remote_registry_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%reg%' AND cmdline LIKE '%\\\\\\\\%';",
"interval": 300,
"description": "Remote registry access attempts",
"platform": "windows"
},
"remote_scheduled_tasks": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%schtasks%' AND cmdline LIKE '%/s%';",
"interval": 300,
"description": "Remote scheduled task creation",
"platform": "windows"
},
"remote_service_creation": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%sc%' AND cmdline LIKE '%\\\\\\\\%' AND cmdline LIKE '%create%';",
"interval": 300,
"description": "Remote service creation",
"platform": "windows"
},
"vnc_connections": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port >= 5900 AND ps.remote_port <= 5999;",
"interval": 300,
"description": "VNC connection attempts"
},
"suspicious_network_tools": {
"query": "SELECT pid, name, path, cmdline FROM processes WHERE name IN ('nmap', 'masscan', 'nc', 'netcat', 'socat', 'proxychains') OR cmdline LIKE '%nmap%' OR cmdline LIKE '%nc %-%';",
"interval": 300,
"description": "Network reconnaissance tools"
}
}
}
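Review bot: The backslash patterns at L233, L291 and L303 are double-escaped and, as far as I can tell, cannot match: JSON decoding turns `'%\\\\\\\\%\\\\admin$%'` into the SQL literal `'%\\\\%\\admin$%'`, and SQLite `LIKE` has no backslash escape without an `ESCAPE` clause, so the pattern demands four consecutive backslashes before the host and two before `admin$`, whereas a UNC path carries two and one. The other queries in this commit escape once (`'C:\\Temp\\%'` at L194, `'C:\\Users\\%'` at L63), which is the correct form; L233 should read `cmdline LIKE '%\\\\%\\admin$%' OR cmdline LIKE '%\\\\%\\c$%'` and L291/L303 `cmdline LIKE '%\\\\%'`. The registry Run-key patterns `'%\\\\Run'` and `'%\\\\RunOnce'` at L372 in the persistence pack have the same problem and should be `'%\\Run'` / `'%\\RunOnce'`. If this config passes through a second unescaping layer before reaching osquery, disregard, but the inconsistency with L194 suggests it does not.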


@@ -0,0 +1,113 @@
{
"platform": "all",
"version": "1.0.0",
"description": "Hunt for persistence mechanisms across all platforms",
"queries": {
"crontab_monitoring": {
"query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
"interval": 3600,
"description": "Monitor cron jobs for persistence",
"platform": "posix"
},
"suspicious_cron_commands": {
"query": "SELECT * FROM crontab WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%' OR command LIKE '%bash -i%' OR command LIKE '%python%socket%' OR command LIKE '%nc%';",
"interval": 1800,
"description": "Detect suspicious cron job commands",
"platform": "posix"
},
"systemd_units": {
"query": "SELECT name, description, load_state, active_state, sub_state, fragment_path, source FROM systemd_units WHERE active_state = 'active';",
"interval": 3600,
"description": "Active systemd services",
"platform": "linux"
},
"non_standard_systemd": {
"query": "SELECT name, fragment_path, active_state FROM systemd_units WHERE active_state = 'active' AND fragment_path NOT LIKE '/usr/lib/systemd/system/%' AND fragment_path NOT LIKE '/lib/systemd/system/%';",
"interval": 1800,
"description": "Non-standard systemd units (potential persistence)",
"platform": "linux"
},
"launchd_monitoring": {
"query": "SELECT name, label, path, program, program_arguments, run_at_load, keep_alive FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "macOS launch agents and daemons",
"platform": "darwin"
},
"suspicious_launchd": {
"query": "SELECT * FROM launchd WHERE run_at_load = 1 AND (path LIKE '%/tmp/%' OR path LIKE '%/Users/%/Library/LaunchAgents/%' OR program LIKE '%curl%' OR program LIKE '%bash%');",
"interval": 1800,
"description": "Suspicious launch agents",
"platform": "darwin"
},
"startup_items_mac": {
"query": "SELECT name, path, args, type, source, status FROM startup_items;",
"interval": 3600,
"description": "macOS startup items",
"platform": "darwin"
},
"registry_run_keys": {
"query": "SELECT key, name, path, data, mtime FROM registry WHERE (key LIKE '%\\\\Run' OR key LIKE '%\\\\RunOnce') AND key NOT LIKE '%\\\\RunOnceEx';",
"interval": 1800,
"description": "Windows registry Run keys",
"platform": "windows"
},
"suspicious_registry_entries": {
"query": "SELECT key, name, path, data FROM registry WHERE (key LIKE '%Run%' OR key LIKE '%RunOnce%') AND (data LIKE '%AppData%' OR data LIKE '%Temp%' OR data LIKE '%ProgramData%' OR data LIKE '%.vbs' OR data LIKE '%.js');",
"interval": 1800,
"description": "Suspicious registry persistence entries",
"platform": "windows"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled, state, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Windows scheduled tasks",
"platform": "windows"
},
"suspicious_scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%powershell%' OR action LIKE '%cmd%' OR action LIKE '%wscript%' OR action LIKE '%mshta%' OR action LIKE '%AppData%' OR action LIKE '%Temp%');",
"interval": 1800,
"description": "Suspicious scheduled tasks",
"platform": "windows"
},
"windows_services": {
"query": "SELECT name, display_name, status, path, start_type, user_account FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START') ORDER BY status;",
"interval": 3600,
"description": "Windows services configuration",
"platform": "windows"
},
"wmi_event_consumers": {
"query": "SELECT name, command_line_template, executable_path, script_file_name FROM wmi_cli_event_consumers;",
"interval": 1800,
"description": "WMI event consumers (persistence mechanism)",
"platform": "windows"
},
"kernel_modules": {
"query": "SELECT name, size, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Loaded Linux kernel modules",
"platform": "linux"
},
"kernel_extensions_mac": {
"query": "SELECT name, version, path, linked_against FROM kernel_extensions WHERE loaded = 1;",
"interval": 3600,
"description": "Loaded macOS kernel extensions",
"platform": "darwin"
},
"bash_profile_modifications": {
"query": "SELECT path, filename, mtime, ctime, size FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/etc/zshrc') OR path LIKE '/home/%/.bashrc' OR path LIKE '/home/%/.bash_profile' OR path LIKE '/home/%/.zshrc' OR path LIKE '/Users/%/.bashrc' OR path LIKE '/Users/%/.bash_profile' OR path LIKE '/Users/%/.zshrc';",
"interval": 3600,
"description": "Shell profile file modifications",
"platform": "posix"
},
"browser_extensions_chrome": {
"query": "SELECT name, identifier, version, description, path, author FROM chrome_extensions;",
"interval": 3600,
"description": "Chrome browser extensions"
},
"browser_extensions_firefox": {
"query": "SELECT name, identifier, version, description, source_url, visible FROM firefox_addons WHERE visible = 1;",
"interval": 3600,
"description": "Firefox browser add-ons"
}
}
}
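Review bot: The `command LIKE '%nc%'` clause at L336 matches any cron command containing the letters "nc" — `rsync` and `sync` both qualify — so this alert will fire on routine jobs; anchoring it on the binary, e.g. `command LIKE '% nc %' OR command LIKE '%/nc %'`, keeps the intent without the noise. `key LIKE '%Run%'` at L378 has the same substring problem and will pull in every key with "Run" anywhere in its path; the anchored `\\Run` / `\\RunOnce` forms used at L372 are the better base for this filter. `SELECT *` at L336 and L360 also makes the logged row shape depend on the agent's osquery version; the explicit column lists used at L330 and L354 are preferable.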


@@ -0,0 +1,77 @@
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 4,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;",
"interval": 3600,
"description": "Collect basic system information"
},
"os_version": {
"query": "SELECT name, version, platform, build FROM os_version;",
"interval": 3600,
"description": "OS version information"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 600,
"description": "Currently logged-in users"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;",
"interval": 300,
"description": "Monitor running processes"
},
"suspicious_processes": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 600,
"description": "Active network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Listening network ports"
}
},
"packs": {
"ir-triage": "/etc/osquery/packs/ir-triage.conf",
"persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf",
"lateral-movement": "/etc/osquery/packs/lateral-movement.conf",
"credential-access": "/etc/osquery/packs/credential-access.conf"
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
}
}
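Review bot: The `username` decorator at L511 sits under `load`, so osquery evaluates it once when the config is read and stamps every later result row with whoever was most recently logged in at daemon start, misattributing activity for the lifetime of the process; move it to `"always": ["SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"]` (or an `"interval"` decorator) so the value tracks the current session. Event collection is enabled at L455-L458 (`disable_events`, `disable_audit`, `audit_allow_*`), but none of the schedule entries or packs visible in this commit select from an event table, so the audit subscribers will buffer records until `events_expiry` (L450) and then drop them; either add `process_events`/`socket_events` queries or set `"disable_audit": true` to avoid paying the collection overhead for nothing. The pack paths at L503-L506 point to `/etc/osquery/packs/*.conf`, which I cannot reconcile with the committed files from this page alone — worth confirming the deployment copies them there.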