Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/incident-response/forensics-osquery/assets/osquery.conf
+++ b/skills/incident-response/forensics-osquery/assets/osquery.conf
@@ -0,0 +1,77 @@
+{
+  "options": {
+    "config_plugin": "filesystem",
+    "logger_plugin": "filesystem",
+    "logger_path": "/var/log/osquery",
+    "disable_logging": false,
+    "log_result_events": true,
+    "schedule_splay_percent": 10,
+    "pidfile": "/var/osquery/osquery.pidfile",
+    "events_expiry": 3600,
+    "database_path": "/var/osquery/osquery.db",
+    "verbose": false,
+    "worker_threads": 4,
+    "enable_monitor": true,
+    "disable_events": false,
+    "disable_audit": false,
+    "audit_allow_config": true,
+    "audit_allow_sockets": true,
+    "host_identifier": "hostname",
+    "enable_syslog": false,
+    "watchdog_level": 1,
+    "watchdog_memory_limit": 250,
+    "watchdog_utilization_limit": 20
+  },
+
+  "schedule": {
+    "system_info": {
+      "query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;",
+      "interval": 3600,
+      "description": "Collect basic system information"
+    },
+    "os_version": {
+      "query": "SELECT name, version, platform, build FROM os_version;",
+      "interval": 3600,
+      "description": "OS version information"
+    },
+    "logged_in_users": {
+      "query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
+      "interval": 600,
+      "description": "Currently logged-in users"
+    },
+    "running_processes": {
+      "query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;",
+      "interval": 300,
+      "description": "Monitor running processes"
+    },
+    "suspicious_processes": {
+      "query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';",
+      "interval": 300,
+      "description": "Detect suspicious processes"
+    },
+    "network_connections": {
+      "query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
+      "interval": 600,
+      "description": "Active network connections"
+    },
+    "listening_ports": {
+      "query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
+      "interval": 600,
+      "description": "Listening network ports"
+    }
+  },
+
+  "packs": {
+    "ir-triage": "/etc/osquery/packs/ir-triage.conf",
+    "persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf",
+    "lateral-movement": "/etc/osquery/packs/lateral-movement.conf",
+    "credential-access": "/etc/osquery/packs/credential-access.conf"
+  },
+
+  "decorators": {
+    "load": [
+      "SELECT uuid AS host_uuid FROM system_info;",
+      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
+    ]
+  }
+}