12 KiB
12 KiB
MITRE ATT&CK Detection Queries for osquery
Pre-built osquery detection queries mapped to MITRE ATT&CK techniques for threat hunting and incident response.
Table of Contents
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
Initial Access
T1078 - Valid Accounts
Detect unusual account usage patterns.
-- Unusual login times or locations
SELECT username, tty, host, time
FROM last
WHERE time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;
-- Failed authentication attempts (requires auth logs)
SELECT * FROM logged_in_users WHERE user NOT IN (SELECT username FROM users);
T1190 - Exploit Public-Facing Application
Detect web server exploitation indicators.
-- Web server processes spawning shells
SELECT p1.name AS webserver, p1.cmdline,
p2.name AS child_process, p2.cmdline AS child_cmdline
FROM processes p1
JOIN processes p2 ON p1.pid = p2.parent
WHERE p1.name IN ('httpd', 'nginx', 'apache2', 'w3wp.exe', 'java')
AND p2.name IN ('bash', 'sh', 'cmd.exe', 'powershell.exe', 'python', 'perl');
Execution
T1059.001 - PowerShell
Detect suspicious PowerShell execution.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name LIKE '%powershell%'
AND (cmdline LIKE '%EncodedCommand%'
OR cmdline LIKE '%-enc%'
OR cmdline LIKE '%FromBase64String%'
OR cmdline LIKE '%Invoke-Expression%'
OR cmdline LIKE '%IEX%'
OR cmdline LIKE '%DownloadString%'
OR cmdline LIKE '%-w hidden%'
OR cmdline LIKE '%-WindowStyle hidden%');
T1059.003 - Windows Command Shell
Detect suspicious cmd.exe usage.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name = 'cmd.exe'
AND (cmdline LIKE '%/c%'
OR cmdline LIKE '%&%'
OR cmdline LIKE '%|%'
OR cmdline LIKE '%<%'
OR cmdline LIKE '%>%');
T1059.004 - Unix Shell
Detect suspicious shell execution.
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE name IN ('bash', 'sh', 'zsh', 'ksh')
AND (cmdline LIKE '%curl%http%'
OR cmdline LIKE '%wget%http%'
OR cmdline LIKE '%nc%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%/dev/tcp%'
OR cmdline LIKE '%base64%');
T1053 - Scheduled Task/Job
Detect suspicious scheduled tasks.
-- Suspicious cron jobs (Linux/macOS)
SELECT command, path, minute, hour
FROM crontab
WHERE command LIKE '%curl%'
OR command LIKE '%wget%'
OR command LIKE '%/tmp/%'
OR command LIKE '%bash -i%'
OR command LIKE '%python -c%';
-- Suspicious scheduled tasks (Windows)
SELECT name, action, path, enabled
FROM scheduled_tasks
WHERE enabled = 1
AND (action LIKE '%powershell%'
OR action LIKE '%cmd%'
OR action LIKE '%wscript%'
OR action LIKE '%mshta%');
Persistence
T1547.001 - Registry Run Keys (Windows)
Detect persistence via registry.
SELECT key, name, path, data
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
AND (data LIKE '%AppData%'
OR data LIKE '%Temp%'
OR data LIKE '%ProgramData%'
OR data LIKE '%.vbs'
OR data LIKE '%.js');
T1547.006 - Kernel Modules and Extensions
Detect unauthorized kernel modules.
-- Linux kernel modules
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN (
'ip_tables', 'x_tables', 'nf_conntrack', 'nf_defrag_ipv4',
'iptable_filter', 'iptable_nat', 'ipt_MASQUERADE'
);
-- macOS kernel extensions
SELECT name, version, path
FROM kernel_extensions
WHERE loaded = 1
AND path NOT LIKE '/System/%'
AND path NOT LIKE '/Library/Extensions/%';
T1053.003 - Cron (Linux/macOS)
Detect malicious cron jobs.
SELECT event, command, path, minute, hour, day_of_week
FROM crontab
WHERE command LIKE '%curl%http%'
OR command LIKE '%wget%http%'
OR command LIKE '%bash -i%'
OR command LIKE '%python%socket%'
OR command LIKE '%nc%'
OR command LIKE '%/dev/tcp%'
OR path LIKE '%/tmp/%'
OR path LIKE '%/var/tmp/%';
T1543.002 - Systemd Service (Linux)
Detect malicious systemd services.
SELECT name, fragment_path, description, active_state
FROM systemd_units
WHERE active_state = 'active'
AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
AND fragment_path NOT LIKE '/lib/systemd/system/%';
Privilege Escalation
T1548.003 - Sudo and Sudo Caching
Detect sudo abuse.
SELECT pid, name, cmdline, uid, euid, parent
FROM processes
WHERE name = 'sudo'
AND (cmdline LIKE '%-i%'
OR cmdline LIKE '%-s%'
OR cmdline LIKE '%-u root%');
T1548.001 - Setuid and Setgid
Find suspicious SUID/SGID binaries.
SELECT path, filename, mode, uid, gid
FROM file
WHERE (mode LIKE '%4%' OR mode LIKE '%2%')
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/home/%'
OR path LIKE '/dev/shm/%');
T1543.001 - Launch Agent (macOS)
Detect malicious launch agents.
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
AND (path LIKE '%/tmp/%'
OR path LIKE '%/Users/%/Library/LaunchAgents/%'
OR program LIKE '%curl%'
OR program LIKE '%bash%');
Defense Evasion
T1055 - Process Injection
Detect process injection techniques.
-- Windows process injection indicators
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%VirtualAllocEx%'
OR cmdline LIKE '%WriteProcessMemory%'
OR cmdline LIKE '%CreateRemoteThread%'
OR cmdline LIKE '%QueueUserAPC%'
OR cmdline LIKE '%SetThreadContext%';
-- Processes with deleted executables (Linux indicator)
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
T1070.004 - File Deletion
Detect log and evidence deletion.
SELECT pid, name, cmdline, path
FROM processes
WHERE (cmdline LIKE '%rm%'
OR cmdline LIKE '%del%'
OR cmdline LIKE '%shred%'
OR cmdline LIKE '%wipe%')
AND (cmdline LIKE '%log%'
OR cmdline LIKE '%audit%'
OR cmdline LIKE '%history%'
OR cmdline LIKE '%bash_history%');
T1027 - Obfuscated Files or Information
Detect encoding and obfuscation.
SELECT pid, name, path, cmdline
FROM processes
WHERE cmdline LIKE '%base64%'
OR cmdline LIKE '%certutil%decode%'
OR cmdline LIKE '%[Convert]::FromBase64String%'
OR cmdline LIKE '%openssl enc%'
OR cmdline LIKE '%uuencode%';
T1564.001 - Hidden Files and Directories
Find hidden files in unusual locations.
SELECT path, filename, size, mtime
FROM file
WHERE filename LIKE '.%'
AND (path LIKE '/tmp/%'
OR path LIKE '/var/tmp/%'
OR path LIKE '/dev/shm/%')
AND size > 0;
Credential Access
T1003.001 - LSASS Memory (Windows)
Detect LSASS dumping.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
OR cmdline LIKE '%sekurlsa%'
OR cmdline LIKE '%lsadump%'
OR cmdline LIKE '%procdump%lsass%'
OR cmdline LIKE '%comsvcs.dll%MiniDump%';
T1003.008 - /etc/passwd and /etc/shadow
Detect access to credential files.
-- Processes accessing password files
SELECT p.name, p.cmdline, pm.path
FROM processes p
JOIN process_memory_map pm ON p.pid = pm.pid
WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd')
AND p.name NOT IN ('sshd', 'login', 'su', 'sudo');
T1552.001 - Credentials in Files
Search for credential files.
SELECT path, filename, size
FROM file
WHERE (filename LIKE '%password%'
OR filename LIKE '%credential%'
OR filename LIKE '%secret%'
OR filename LIKE '%.pem'
OR filename LIKE '%.key'
OR filename = '.bash_history'
OR filename = '.zsh_history')
AND path LIKE '/home/%';
Discovery
T1057 - Process Discovery
Detect process enumeration.
SELECT pid, name, cmdline, parent
FROM processes
WHERE cmdline LIKE '%ps aux%'
OR cmdline LIKE '%tasklist%'
OR cmdline LIKE '%Get-Process%'
OR name IN ('ps', 'tasklist.exe');
T1082 - System Information Discovery
Detect system reconnaissance.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%systeminfo%'
OR cmdline LIKE '%uname -a%'
OR cmdline LIKE '%Get-ComputerInfo%'
OR cmdline LIKE '%hostnamectl%'
OR cmdline LIKE '%sw_vers%';
T1083 - File and Directory Discovery
Detect file enumeration.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%find%'
OR cmdline LIKE '%dir /s%'
OR cmdline LIKE '%ls -la%'
OR cmdline LIKE '%Get-ChildItem%';
T1087 - Account Discovery
Detect account enumeration.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%net user%'
OR cmdline LIKE '%net group%'
OR cmdline LIKE '%net localgroup%'
OR cmdline LIKE '%Get-LocalUser%'
OR cmdline LIKE '%whoami%'
OR cmdline LIKE '%id%';
T1046 - Network Service Scanning
Detect network scanning activity.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%nmap%'
OR cmdline LIKE '%masscan%'
OR cmdline LIKE '%netcat%'
OR cmdline LIKE '%nc%'
OR name IN ('nmap', 'masscan', 'nc', 'netcat');
Lateral Movement
T1021.001 - Remote Desktop Protocol
Detect RDP connections.
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 3389
OR p.name LIKE '%mstsc%'
OR p.name LIKE '%rdp%';
T1021.002 - SMB/Windows Admin Shares
Detect SMB lateral movement.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%\\\\%\\admin$%'
OR cmdline LIKE '%\\\\%\\c$%'
OR cmdline LIKE '%net use%'
OR cmdline LIKE '%PsExec%';
T1021.004 - SSH
Detect SSH lateral movement.
-- Outbound SSH connections
SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_port = 22
AND p.name = 'ssh';
-- Unusual SSH sessions
SELECT user, tty, host, time
FROM logged_in_users
WHERE tty LIKE 'pts/%'
AND user NOT IN ('root', 'admin');
Collection
T1560.001 - Archive via Utility
Detect data archiving for staging.
SELECT pid, name, cmdline, path
FROM processes
WHERE cmdline LIKE '%tar%'
OR cmdline LIKE '%zip%'
OR cmdline LIKE '%7z%'
OR cmdline LIKE '%rar%'
OR cmdline LIKE '%Compress-Archive%';
T1119 - Automated Collection
Detect automated data collection scripts.
SELECT pid, name, cmdline
FROM processes
WHERE (cmdline LIKE '%find%'
OR cmdline LIKE '%grep%'
OR cmdline LIKE '%Select-String%')
AND (cmdline LIKE '%password%'
OR cmdline LIKE '%credential%'
OR cmdline LIKE '%secret%'
OR cmdline LIKE '%.doc%'
OR cmdline LIKE '%.xls%');
Exfiltration
T1041 - Exfiltration Over C2 Channel
Detect suspicious network connections.
-- Unusual outbound connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.remote_address NOT IN ('127.0.0.1', '::1')
AND ps.remote_port NOT IN (80, 443, 22, 53, 3389)
AND ps.state = 'ESTABLISHED';
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detect data exfiltration via common tools.
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%curl%'
OR cmdline LIKE '%wget%'
OR cmdline LIKE '%scp%'
OR cmdline LIKE '%ftp%'
OR cmdline LIKE '%rsync%';
Query Usage Notes
- Test queries in a lab environment before production use
- Tune for environment - add whitelist filters for legitimate activity
- Combine queries - join multiple detections for higher confidence
- Time window - add time filters to reduce result sets
- Baseline first - understand normal activity before hunting