114 lines
5.4 KiB
Plaintext
114 lines
5.4 KiB
Plaintext
{
|
|
"platform": "all",
|
|
"version": "1.0.0",
|
|
"description": "Hunt for persistence mechanisms across all platforms",
|
|
"queries": {
|
|
"crontab_monitoring": {
|
|
"query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
|
|
"interval": 3600,
|
|
"description": "Monitor cron jobs for persistence",
|
|
"platform": "posix"
|
|
},
|
|
"suspicious_cron_commands": {
|
|
"query": "SELECT * FROM crontab WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%' OR command LIKE '%bash -i%' OR command LIKE '%python%socket%' OR command LIKE '%nc%';",
|
|
"interval": 1800,
|
|
"description": "Detect suspicious cron job commands",
|
|
"platform": "posix"
|
|
},
|
|
"systemd_units": {
|
|
"query": "SELECT name, description, load_state, active_state, sub_state, fragment_path, source FROM systemd_units WHERE active_state = 'active';",
|
|
"interval": 3600,
|
|
"description": "Active systemd services",
|
|
"platform": "linux"
|
|
},
|
|
"non_standard_systemd": {
|
|
"query": "SELECT name, fragment_path, active_state FROM systemd_units WHERE active_state = 'active' AND fragment_path NOT LIKE '/usr/lib/systemd/system/%' AND fragment_path NOT LIKE '/lib/systemd/system/%';",
|
|
"interval": 1800,
|
|
"description": "Non-standard systemd units (potential persistence)",
|
|
"platform": "linux"
|
|
},
|
|
"launchd_monitoring": {
|
|
"query": "SELECT name, label, path, program, program_arguments, run_at_load, keep_alive FROM launchd WHERE run_at_load = 1;",
|
|
"interval": 3600,
|
|
"description": "macOS launch agents and daemons",
|
|
"platform": "darwin"
|
|
},
|
|
"suspicious_launchd": {
|
|
"query": "SELECT * FROM launchd WHERE run_at_load = 1 AND (path LIKE '%/tmp/%' OR path LIKE '%/Users/%/Library/LaunchAgents/%' OR program LIKE '%curl%' OR program LIKE '%bash%');",
|
|
"interval": 1800,
|
|
"description": "Suspicious launch agents",
|
|
"platform": "darwin"
|
|
},
|
|
"startup_items_mac": {
|
|
"query": "SELECT name, path, args, type, source, status FROM startup_items;",
|
|
"interval": 3600,
|
|
"description": "macOS startup items",
|
|
"platform": "darwin"
|
|
},
|
|
"registry_run_keys": {
|
|
"query": "SELECT key, name, path, data, mtime FROM registry WHERE (key LIKE '%\\\\Run' OR key LIKE '%\\\\RunOnce') AND key NOT LIKE '%\\\\RunOnceEx';",
|
|
"interval": 1800,
|
|
"description": "Windows registry Run keys",
|
|
"platform": "windows"
|
|
},
|
|
"suspicious_registry_entries": {
|
|
"query": "SELECT key, name, path, data FROM registry WHERE (key LIKE '%Run%' OR key LIKE '%RunOnce%') AND (data LIKE '%AppData%' OR data LIKE '%Temp%' OR data LIKE '%ProgramData%' OR data LIKE '%.vbs' OR data LIKE '%.js');",
|
|
"interval": 1800,
|
|
"description": "Suspicious registry persistence entries",
|
|
"platform": "windows"
|
|
},
|
|
"scheduled_tasks": {
|
|
"query": "SELECT name, action, path, enabled, state, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1;",
|
|
"interval": 3600,
|
|
"description": "Windows scheduled tasks",
|
|
"platform": "windows"
|
|
},
|
|
"suspicious_scheduled_tasks": {
|
|
"query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%powershell%' OR action LIKE '%cmd%' OR action LIKE '%wscript%' OR action LIKE '%mshta%' OR action LIKE '%AppData%' OR action LIKE '%Temp%');",
|
|
"interval": 1800,
|
|
"description": "Suspicious scheduled tasks",
|
|
"platform": "windows"
|
|
},
|
|
"windows_services": {
|
|
"query": "SELECT name, display_name, status, path, start_type, user_account FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START') ORDER BY status;",
|
|
"interval": 3600,
|
|
"description": "Windows services configuration",
|
|
"platform": "windows"
|
|
},
|
|
"wmi_event_consumers": {
|
|
"query": "SELECT name, command_line_template, executable_path, script_file_name FROM wmi_cli_event_consumers;",
|
|
"interval": 1800,
|
|
"description": "WMI event consumers (persistence mechanism)",
|
|
"platform": "windows"
|
|
},
|
|
"kernel_modules": {
|
|
"query": "SELECT name, size, used_by, status FROM kernel_modules;",
|
|
"interval": 3600,
|
|
"description": "Loaded Linux kernel modules",
|
|
"platform": "linux"
|
|
},
|
|
"kernel_extensions_mac": {
|
|
"query": "SELECT name, version, path, linked_against FROM kernel_extensions WHERE loaded = 1;",
|
|
"interval": 3600,
|
|
"description": "Loaded macOS kernel extensions",
|
|
"platform": "darwin"
|
|
},
|
|
"bash_profile_modifications": {
|
|
"query": "SELECT path, filename, mtime, ctime, size FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/etc/zshrc') OR path LIKE '/home/%/.bashrc' OR path LIKE '/home/%/.bash_profile' OR path LIKE '/home/%/.zshrc' OR path LIKE '/Users/%/.bashrc' OR path LIKE '/Users/%/.bash_profile' OR path LIKE '/Users/%/.zshrc';",
|
|
"interval": 3600,
|
|
"description": "Shell profile file modifications",
|
|
"platform": "posix"
|
|
},
|
|
"browser_extensions_chrome": {
|
|
"query": "SELECT name, identifier, version, description, path, author FROM chrome_extensions;",
|
|
"interval": 3600,
|
|
"description": "Chrome browser extensions"
|
|
},
|
|
"browser_extensions_firefox": {
|
|
"query": "SELECT name, identifier, version, description, source_url, visible FROM firefox_addons WHERE visible = 1;",
|
|
"interval": 3600,
|
|
"description": "Firefox browser add-ons"
|
|
}
|
|
}
|
|
}
|