zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

539
skills/incident-response/forensics-osquery/references/mitre-attack-queries.md Normal file
View File

@@ -0,0 +1,539 @@
# MITRE ATT&CK Detection Queries for osquery
Pre-built osquery detection queries mapped to MITRE ATT&CK techniques for threat hunting and incident response.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
## Initial Access
### T1078 - Valid Accounts
Detect unusual account usage patterns.
```sql
-- Unusual login times or locations
SELECT username, tty, host, time
FROM last
WHERE time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;
-- Failed authentication attempts (requires auth logs)
SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users);
```
### T1190 - Exploit Public-Facing Application
Detect web server exploitation indicators.
```sql
-- Web server processes spawning shells
SELECT p1.name AS webserver, p1.cmdline,
p2.name AS child_process, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe', 'java')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'python', 'perl');
```
## Execution
### T1059.001 - PowerShell
Detect suspicious PowerShell execution.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name LIKE '%powershell%'
AND (cmdline LIKE '%EncodedCommand%'
OR cmdline LIKE '%-enc%'
OR cmdline LIKE '%FromBase64String%'
OR cmdline LIKE '%Invoke-Expression%'
OR cmdline LIKE '%IEX%'
OR cmdline LIKE '%DownloadString%'
OR cmdline LIKE '%-w hidden%'
OR cmdline LIKE '%-WindowStyle hidden%');
```
### T1059.003 - Windows Command Shell
Detect suspicious cmd.exe usage.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name = 'cmd.exe'
AND (cmdline LIKE '%/c%'
OR cmdline LIKE '%&%'
OR cmdline LIKE '%|%'
OR cmdline LIKE '%<%'
OR cmdline LIKE '%>%');
```
### T1059.004 - Unix Shell
Detect suspicious shell execution.
```sql
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE name IN ('bash', 'sh', 'zsh', 'ksh')
AND (cmdline LIKE '%curl%http%'
OR cmdline LIKE '%wget%http%'
OR cmdline LIKE '%nc%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%/dev/tcp%'
OR cmdline LIKE '%base64%');
```
### T1053 - Scheduled Task/Job
Detect suspicious scheduled tasks.
```sql
-- Suspicious cron jobs (Linux/macOS)
SELECT command, path, minute, hour
FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%bash -i%'
OR command LIKE '%python -c%';
-- Suspicious scheduled tasks (Windows)
SELECT name, action, path, enabled
FROM scheduled_tasks
WHERE enabled = 1
AND (action LIKE '%powershell%'
OR action LIKE '%cmd%'
OR action LIKE '%wscript%'
OR action LIKE '%mshta%');
```
## Persistence
### T1547.001 - Registry Run Keys (Windows)
Detect persistence via registry.
```sql
SELECT key, name, path, data
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND (data LIKE '%AppData%'
OR data LIKE '%Temp%'
OR data LIKE '%ProgramData%'
OR data LIKE '%.vbs'
OR data LIKE '%.js');
```
### T1547.006 - Kernel Modules and Extensions
Detect unauthorized kernel modules.
```sql
-- Linux kernel modules
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN (
'ip_tables', 'x_tables', 'nf_conntrack', 'nf_defrag_ipv4',
'iptable_filter', 'iptable_nat', 'ipt_MASQUERADE'
);
-- macOS kernel extensions
SELECT name, version, path
FROM kernel_extensions
WHERE loaded = 1
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Extensions/%';
```
### T1053.003 - Cron (Linux/macOS)
Detect malicious cron jobs.
```sql
SELECT event, command, path, minute, hour, day_of_week
FROM crontab
WHERE command LIKE '%curl%http%'
OR command LIKE '%wget%http%'
OR command LIKE '%bash -i%'
OR command LIKE '%python%socket%'
OR command LIKE '%nc%'
OR command LIKE '%/dev/tcp%'
OR path LIKE '%/tmp/%'
OR path LIKE '%/var/tmp/%';
```
### T1543.002 - Systemd Service (Linux)
Detect malicious systemd services.
```sql
SELECT name, fragment_path, description, active_state
FROM systemd_units
WHERE active_state = 'active'
AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
```
## Privilege Escalation
### T1548.003 - Sudo and Sudo Caching
Detect sudo abuse.
```sql
SELECT pid, name, cmdline, uid, euid, parent
FROM processes
WHERE name = 'sudo'
AND (cmdline LIKE '%-i%'
OR cmdline LIKE '%-s%'
OR cmdline LIKE '%-u root%');
```
### T1548.001 - Setuid and Setgid
Find suspicious SUID/SGID binaries.
```sql
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/home/%'
OR path LIKE '/dev/shm/%');
```
### T1543.001 - Launch Agent (macOS)
Detect malicious launch agents.
```sql
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND (path LIKE '%/tmp/%'
OR path LIKE '%/Users/%/Library/LaunchAgents/%'
OR program LIKE '%curl%'
OR program LIKE '%bash%');
```
## Defense Evasion
### T1055 - Process Injection
Detect process injection techniques.
```sql
-- Windows process injection indicators
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%VirtualAllocEx%'
OR cmdline LIKE '%WriteProcessMemory%'
OR cmdline LIKE '%CreateRemoteThread%'
OR cmdline LIKE '%QueueUserAPC%'
OR cmdline LIKE '%SetThreadContext%';
-- Processes with deleted executables (Linux indicator)
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```
### T1070.004 - File Deletion
Detect log and evidence deletion.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE (cmdline LIKE '%rm%'
OR cmdline LIKE '%del%'
OR cmdline LIKE '%shred%'
OR cmdline LIKE '%wipe%')
AND (cmdline LIKE '%log%'
OR cmdline LIKE '%audit%'
OR cmdline LIKE '%history%'
OR cmdline LIKE '%bash_history%');
```
### T1027 - Obfuscated Files or Information
Detect encoding and obfuscation.
```sql
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%base64%'
OR cmdline LIKE '%certutil%decode%'
OR cmdline LIKE '%[Convert]::FromBase64String%'
OR cmdline LIKE '%openssl enc%'
OR cmdline LIKE '%uuencode%';
```
### T1564.001 - Hidden Files and Directories
Find hidden files in unusual locations.
```sql
SELECT path, filename, size, mtime
FROM file
WHERE filename LIKE '.%'
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/dev/shm/%')
AND size > 0;
```
## Credential Access
### T1003.001 - LSASS Memory (Windows)
Detect LSASS dumping.
```sql
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR cmdline LIKE '%sekurlsa%'
OR cmdline LIKE '%lsadump%'
OR cmdline LIKE '%procdump%lsass%'
OR cmdline LIKE '%comsvcs.dll%MiniDump%';
```
### T1003.008 - /etc/passwd and /etc/shadow
Detect access to credential files.
```sql
-- Processes accessing password files
SELECT p.name, p.cmdline, pm.path
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd')
AND p.name NOT IN ('sshd', 'login', 'su', 'sudo');
```
### T1552.001 - Credentials in Files
Search for credential files.
```sql
SELECT path, filename, size
FROM file
WHERE (filename LIKE '%password%'
OR filename LIKE '%credential%'
OR filename LIKE '%secret%'
OR filename LIKE '%.pem'
OR filename LIKE '%.key'
OR filename = '.bash_history'
OR filename = '.zsh_history')
AND path LIKE '/home/%';
```
## Discovery
### T1057 - Process Discovery
Detect process enumeration.
```sql
SELECT pid, name, cmdline, parent
FROM processes
WHERE cmdline LIKE '%ps aux%'
OR cmdline LIKE '%tasklist%'
OR cmdline LIKE '%Get-Process%'
OR name IN ('ps', 'tasklist.exe');
```
### T1082 - System Information Discovery
Detect system reconnaissance.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%systeminfo%'
OR cmdline LIKE '%uname -a%'
OR cmdline LIKE '%Get-ComputerInfo%'
OR cmdline LIKE '%hostnamectl%'
OR cmdline LIKE '%sw_vers%';
```
### T1083 - File and Directory Discovery
Detect file enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%find%'
OR cmdline LIKE '%dir /s%'
OR cmdline LIKE '%ls -la%'
OR cmdline LIKE '%Get-ChildItem%';
```
### T1087 - Account Discovery
Detect account enumeration.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%net user%'
OR cmdline LIKE '%net group%'
OR cmdline LIKE '%net localgroup%'
OR cmdline LIKE '%Get-LocalUser%'
OR cmdline LIKE '%whoami%'
OR cmdline LIKE '%id%';
```
### T1046 - Network Service Scanning
Detect network scanning activity.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%nmap%'
OR cmdline LIKE '%masscan%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%nc%'
OR name IN ('nmap', 'masscan', 'nc', 'netcat');
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
Detect RDP connections.
```sql
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 3389
OR p.name LIKE '%mstsc%'
OR p.name LIKE '%rdp%';
```
### T1021.002 - SMB/Windows Admin Shares
Detect SMB lateral movement.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%\\\\%\\admin$%'
OR cmdline LIKE '%\\\\%\\c$%'
OR cmdline LIKE '%net use%'
OR cmdline LIKE '%PsExec%';
```
### T1021.004 - SSH
Detect SSH lateral movement.
```sql
-- Outbound SSH connections
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 22
AND p.name = 'ssh';
-- Unusual SSH sessions
SELECT user, tty, host, time
FROM logged_in_users
WHERE tty LIKE 'pts/%'
AND user NOT IN ('root', 'admin');
```
## Collection
### T1560.001 - Archive via Utility
Detect data archiving for staging.
```sql
SELECT pid, name, cmdline, path
FROM processes
WHERE cmdline LIKE '%tar%'
OR cmdline LIKE '%zip%'
OR cmdline LIKE '%7z%'
OR cmdline LIKE '%rar%'
OR cmdline LIKE '%Compress-Archive%';
```
### T1119 - Automated Collection
Detect automated data collection scripts.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE (cmdline LIKE '%find%'
OR cmdline LIKE '%grep%'
OR cmdline LIKE '%Select-String%')
AND (cmdline LIKE '%password%'
OR cmdline LIKE '%credential%'
OR cmdline LIKE '%secret%'
OR cmdline LIKE '%.doc%'
OR cmdline LIKE '%.xls%');
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
Detect suspicious network connections.
```sql
-- Unusual outbound connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1')
AND ps.remote_port NOT IN (80, 443, 22, 53, 3389)
AND ps.state = 'ESTABLISHED';
```
### T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detect data exfiltration via common tools.
```sql
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%curl%'
OR cmdline LIKE '%wget%'
OR cmdline LIKE '%scp%'
OR cmdline LIKE '%ftp%'
OR cmdline LIKE '%rsync%';
```
## Query Usage Notes
1. **Test queries** in a lab environment before production use
2. **Tune for environment** - add whitelist filters for legitimate activity
3. **Combine queries** - join multiple detections for higher confidence
4. **Time window** - add time filters to reduce result sets
5. **Baseline first** - understand normal activity before hunting
## Reference
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [MITRE ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)