gh-agentsecops-secopsagentkit/skills/incident-response/forensics-osquery/assets/forensic-packs/lateral-movement.conf
{
"platform": "all",
"version": "1.0.0",
"description": "Detect lateral movement and remote access indicators",
"queries": {
"ssh_outbound_connections": {
"query": "SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 22 AND p.name = 'ssh';",
"interval": 300,
"description": "Outbound SSH connections",
"platform": "posix"
},
"rdp_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 3389 OR p.name LIKE '%mstsc%' OR p.name LIKE '%rdp%';",
"interval": 300,
"description": "RDP connection attempts",
"platform": "windows"
},
"smb_connections": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%\\\\\\\\%\\\\admin$%' OR cmdline LIKE '%\\\\\\\\%\\\\c$%' OR cmdline LIKE '%net use%';",
"interval": 300,
"description": "SMB/Windows Admin Share connections",
"platform": "windows"
},
"psexec_indicators": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name LIKE '%psexec%' OR cmdline LIKE '%psexec%' OR path LIKE '%ADMIN$%';",
"interval": 300,
"description": "PsExec execution indicators",
"platform": "windows"
},
"remote_wmi_execution": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%wmic%' AND cmdline LIKE '%/node:%';",
"interval": 300,
"description": "Remote WMI execution",
"platform": "windows"
},
"winrm_activity": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port IN (5985, 5986);",
"interval": 300,
"description": "WinRM connections",
"platform": "windows"
},
"unusual_login_locations": {
"query": "SELECT username, tty, host, time FROM logged_in_users WHERE host NOT IN ('localhost', '127.0.0.1', '') ORDER BY time DESC;",
"interval": 600,
"description": "Remote login sessions"
},
"multiple_ssh_sessions": {
"query": "SELECT user, COUNT(*) AS session_count, GROUP_CONCAT(host) AS hosts FROM logged_in_users WHERE tty LIKE 'pts/%' GROUP BY user HAVING session_count > 2;",
"interval": 600,
"description": "Users with multiple SSH sessions",
"platform": "posix"
},
"ssh_authorized_keys": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/authorized_keys' OR path LIKE '/root/.ssh/authorized_keys' OR path LIKE '/Users/%/.ssh/authorized_keys';",
"interval": 3600,
"description": "SSH authorized_keys file monitoring",
"platform": "posix"
},
"ssh_known_hosts": {
"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/known_hosts' OR path LIKE '/root/.ssh/known_hosts' OR path LIKE '/Users/%/.ssh/known_hosts';",
"interval": 3600,
"description": "SSH known_hosts file monitoring",
"platform": "posix"
},
"smb_sessions": {
"query": "SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid WHERE ps.remote_port IN (445, 139);",
"interval": 300,
"description": "Active SMB connections"
},
"admin_shares_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ADMIN$%' OR cmdline LIKE '%IPC$%' OR cmdline LIKE '%C$%';",
"interval": 300,
"description": "Access to Windows admin shares",
"platform": "windows"
},
"remote_registry_access": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%reg%' AND cmdline LIKE '%\\\\\\\\%';",
"interval": 300,
"description": "Remote registry access attempts",
"platform": "windows"
},
"remote_scheduled_tasks": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%schtasks%' AND cmdline LIKE '%/s%';",
"interval": 300,
"description": "Remote scheduled task creation",
"platform": "windows"
},
"remote_service_creation": {
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%sc%' AND cmdline LIKE '%\\\\\\\\%' AND cmdline LIKE '%create%';",
"interval": 300,
"description": "Remote service creation",
"platform": "windows"
},
"vnc_connections": {
"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port >= 5900 AND ps.remote_port <= 5999;",
"interval": 300,
"description": "VNC connection attempts"
},
"suspicious_network_tools": {
"query": "SELECT pid, name, path, cmdline FROM processes WHERE name IN ('nmap', 'masscan', 'nc', 'netcat', 'socat', 'proxychains') OR cmdline LIKE '%nmap%' OR cmdline LIKE '%nc %-%';",
"interval": 300,
"description": "Network reconnaissance tools"
}
}
}