├── Linux
    └── osquery.conf
├── wp.png
├── OIP.bmp
├── osquery.png
├── windows
    ├── Driver Profiling
    ├── Miscellaneous
    ├── Memory Analysis
    ├── Process Interrogation
    └── Persistence
└── README.md


/Linux/osquery.conf:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/wp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kirtar22/ThreatHunting_with_Osquery/HEAD/wp.png


--------------------------------------------------------------------------------
/OIP.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kirtar22/ThreatHunting_with_Osquery/HEAD/OIP.bmp


--------------------------------------------------------------------------------
/osquery.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kirtar22/ThreatHunting_with_Osquery/HEAD/osquery.png


--------------------------------------------------------------------------------
/windows/Driver Profiling:
--------------------------------------------------------------------------------
 1 | // Driver Profiling 
 2 | 
 3 | // Group By and Order By device_name
 4 | 
 5 |  	select device_name,count(device_name) from drivers group by device_name order by count(device_name) DESC;
 6 | 
 7 | // Group by and Order by description
 8 | 	
 9 | 	select description,count(description) from drivers group by description order by count(description) DESC;
10 | 
11 | // Drivers without device_name
12 | 
13 | 	select device_id,device_name from drivers where device_name='';
14 | 
15 | // Drivers without manufacturer name with sign status
16 | 
17 | 	select device_id,device_name from drivers where manufacturer='';
18 | 	select device_id,device_name,signed from drivers where manufacturer='';
19 | 
20 | // Unsigned drivers && Unsigned drivers with time and other details 
21 | 
22 | 	select device_id,device_name,signed from drivers where signed!=1 ;
23 | 	select d.device_id,d.device_name,d.manufacturer,d.service,d.image, DATETIME(d.date,'unixepoch') as time from drivers d, time where d.signed!=1;
24 | 
25 | // Drivers with no service associated with sign status
26 | 
27 | 	select device_id,manufacturar, signed from drivers where service='';
28 | 
29 | // Drivers Group by service and count by service
30 | 
31 | 	select service,device_name,count(service),signed from drivers where service!='' group by service order by count(service) desc;
32 | 	
33 | 


--------------------------------------------------------------------------------
/windows/Miscellaneous:
--------------------------------------------------------------------------------
 1 | // Miscellaneous 
 2 | 
 3 | // Files with mtime<btime with hash values and sigcheck status in the critical directories
 4 | 
 5 | 	select f.path,h.md5, a.result,DATETIME(f.btime,'unixepoch') as btime,DATETIME(f.mtime,'unixepoch') as mtime from file f JOIN hash h on f.path=h.path JOIN authenticode a on f.path=a.path, time where mtime<btime AND f.directory like 'c:\windows\system32%';
 6 | 
 7 | // List all the Users
 8 | 
 9 | 	 select uid,gid,username,shell,description from users;
10 | 	 select uid,gid,username,directory from users;
11 | 
12 | // List all the users with Administrative privs
13 | 
14 | 	select users.uid,users.gid,users.username,users.directory from users JOIN user_groups ON users.uid=user_groups.uid where user_groups.gid=544;
15 | 
16 | // look for any suspicious domain connection
17 | 
18 | 	select type,name from dns_cache order by type;
19 | 
20 | // Check the security status of the machine
21 | 
22 | 	select * from windows_security_center;
23 | 	select * from windows_security_products;
24 | 
25 | // Execution - T1059.001 - PowerShell
26 | 
27 | 	select p.pid,p.cmdline,p.parent as parentid,pp.path as parenpath ,pp.cmdline as parentcmdline from processes p join processes pp on p.parent=pp.pid where p.name like '%powershell%' OR p.pname like '%wsmprovhost%';
28 | 	select p.pid,p.path,cp.pid as cpid,cp.name as cname,cp.cmdline as ccmdline from processes p join processes cp on p.pid=cp.parent where p.name like '%powershell%' OR p.pname like '%wsmprovhost%';
29 | 	select p.pid,p.name, pp.pid as parentid,pp.name as parentname ,gp.pid as gpid,gp.name as gpname from processes p join processes pp on p.parent=pp.pid join processes gp on pp.parent=gp.pid where p.name like '%powershell%' OR p.pname like '%wsmprovhost%';
30 | 	 
31 | // Execution - T1559.002 - Dynamic Data Exchange 
32 | 	
33 | 	select p.pid,p.cmdline,cp.pid as cpid,cp.name as cname,cp.cmdline as ccmdline from processes p join processes cp on p.pid=cp.parent where p.name like '%excel%';
34 | 	
35 | // Latreal Movement - PSEXEC 
36 | 
37 | 	select s.name,s.path,s.start_type,s.status from services s where s.name like '%psexe%';
38 | 	select s.name,s.path,s.module_path,s.start_type,s.status from services s where s.name like '%psexe%';
39 | 	
40 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Threat Hunting & Incident Investigation with Osquery
 2 | 
 3 | ![osquerylogo](https://github.com/Kirtar22/ThreatHunting_with_Osquery/blob/main/osquery.png) ![](https://github.com/Kirtar22/ThreatHunting_with_Osquery/blob/main/wp.png)     ![dart](https://github.com/Kirtar22/ThreatHunting_with_Osquery/blob/main/OIP.bmp)
 4 | 
 5 | 
 6 | 
 7 | The objective of this repo is to share **100+ hunting queries (osquery)** that will help cyber threat analysts (hunter/investigator) in their hunting or investigation exercises. 
 8 | Broadly, I have covered **persistence, process interrogation, memory analysis, driver profiling, and other misc categories**. Persistence and Process Interrogations queries map to the multiple tactics & techniques/sub-techniques of MITRE ATT&CK framework. 
 9 | 
10 | The following are the key highlights under each category. Please have a look at the repo(windows) for the details. 
11 | 
12 | ## Persistence
13 | 
14 | - Registry Run Keys / StartUp Folder
15 | - RunKeys (with hashvalue)
16 | - Security Support Provider
17 | - Service Creation / Modification (auto_start)
18 | - look for suspicious dlls loaded by any service (with associated username & hash value of the dll) 
19 | - WMI Event Consumers (commandline & script) 
20 | - WMI Process interrogation
21 | - Application Shimming
22 | - Print Processors - Reg Keys
23 | - look for suspicious print drivers
24 | - Screensaver Backdoor
25 | - Image File Execution Options Injection (IFEO)(debugger/GolbalFlag)
26 | - PowerShell Process Interrogation
27 | - Dynamic Data Exchange (DDE) 
28 | 
29 | ## Process Interrogation
30 | 
31 | - Identify the parent & Grantparent processes for all OR a given process - look for any suspicious parent, child relationships 
32 | - Identifying Suspicious Processes (processes) with usernames (users)
33 | - Identifying the programs that are running from "TEMP" locations
34 | - Identify the processes with open pipes (look for suspicious pipe and/or process) 
35 | - Any processes spawning out of wow64 directory
36 | - Identifying suspicious dlls loaded by any service with user_account associated with it (with hash value) 
37 | - Identify if the binary is signed or not 
38 | - PowerShell Process Interrogation (Parent / children of PowerShell) 
39 | - WMI Process Interrogation (Parent / children of PowerShell)
40 | - Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (In Bytes)
41 | - Identifying the processes that makes the remote network connections and look for any suspicious connections
42 | 
43 | ## Memory Analysis 
44 | 
45 | ### Note:I have made an effort to create the queries equivalent to Volatility Plugins 
46 | 
47 | - pslist equivalent 
48 | - pstree equivalent ( Parent & Child) 
49 | - pstree equivalent ( Grandparent, Parent & Child) 
50 | - dlllist equivalent ( with a specific pid ) 
51 | - dlllist - load all the dlls
52 | - getsids - equivalent 
53 | - svcscan - equivalent 
54 | - netscan - equivalent 
55 | - Code Injection
56 | - malfind (not exactly) equivalent 
57 | 
58 | ## Driver Profiling 
59 | 
60 | - Group By and Order By device_name
61 | - Drivers without manufacturer name with sign status
62 | - Unsigned drivers
63 | - Drivers with no service associated with sign status
64 | 
65 | ## Miscellaneous
66 | 
67 | - File Profilig - Files with mtime<btime with hash values and sigcheck status in the critical directories
68 | - Tracking User Changes
69 | - look for any suspicious domain connection
70 | - Execution (PS,DDE)
71 | - Lateral Movement 
72 | 
73 | ## Linux 
74 | 
75 | Note: I will share "osquery.conf" file and queries related to Linux as I get some time to complete them. 
76 | 


--------------------------------------------------------------------------------
/windows/Memory Analysis:
--------------------------------------------------------------------------------
 1 | // Memory Analysis 
 2 | 
 3 | // 'pslist' equivalent 
 4 | 
 5 | 	select p.name,p.pid,p.parent as ppid,p.threads,p.handle_count,p.uid,DATETIME(p.start_time,'unixepoch') as starttime from processes p;
 6 | 	select p.name,p.pid,p.parent as ppid,p.threads,p.handle_count,p.uid,DATETIME(p.start_time,'unixepoch') as starttime from processes p order by starttime,p.name;
 7 | 
 8 | // 'pstree' equivalent  ( Parent & Child) 
 9 | 
10 | 	select p.pid,p.path,DATETIME(p.start_time,'unixepoch') as pstart_time,pp.pid as parentid,pp.name as parentname,DATETIME(pp.start_time,'unixepoch') asppstart from processes p inner join processes pp on p.parent=pp.pid order by p.start_time asc,p.path;
11 | 
12 | // 'pstree' equivalent ( Grandparent, Parent & Child)
13 | 
14 | 	select p.pid,p.path,DATETIME(p.start_time,'unixepoch') as pstart_time,pp.pid as parentid,pp.name as parentname,DATETIME(pp.start_time,'unixepoch') asppstart from processes p inner join processes pp on p.parent=pp.pid order by p.start_time asc,p.path;
15 | 
16 | // 'dlllist' equivalent ( with a specific pid ) -look for suspicious dll 
17 | 
18 | 	select pid,start,end,permissions,offset,path from process_memory_map where pid=13748 AND path NOT LIKE 'C:\windows\system32\%';
19 |  	select pid,start,end,permissions,offset,path from process_memory_map where path LIKE '%temp%';
20 | 
21 |  // 'dlllist' - load all the dlls (exclude std path  & exe from the output) 
22 | 
23 |  	select pid,permissions,offset,path from process_memory_map where path NOT LIKE 'C:\windows\system32\%' AND path not like '%exe%' order by path;
24 | 
25 |  // 'getsids' - equivalent 
26 | 
27 |  	select p.pid,p.name,p.cmdline,p.uid,u.username,u.uuid as useruid,u.type,ug.gid as groupgid from processes p left join users u on p.uid=u.uid left join user_groups ug on u.uid=ug.uid where p.name like '%osquery%';
28 | 
29 | // 'svcscan' - equivalent - look for any suspicious exe OR dll 
30 | 
31 | 	select s.name,s.status,s.start_type,s.pid,s.path,s.module_path,s.user_account from services s where s.name like '%audio%';
32 |  	select s.name,s.status,s.start_type,s.pid,s.path,s.module_path,s.user_account from services s where s.path like '%svchost%';
33 | 
34 | // svcscan - identify the loaded dll and service name for the suspicious process + with if laoded dll is signed or not 
35 | 
36 | 	select p.pid,p.name,p.path,ps.state,ps.local_address,ps.local_port,ps.remote_address,ps.remote_port,ps.protocol,DATETIME(p.start_time,'unixepoch') as starttime from processes p join process_open_sockets ps on p.pid=ps.pid;
37 | 	select p.pid,p.name,p.path,ps.state,ps.remote_address,ps.remote_port,ps.protocol,DATETIME(p.start_time,'unixepoch') as starttime from processes p join process_open_sockets ps on p.pid=ps.pid;
38 | 	select p.pid,p.name,p.path,ps.state,ps.remote_address,ps.remote_port,ps.protocol,DATETIME(p.start_time,'unixepoch') as starttime from processes p join process_open_sockets ps on p.pid=ps.pid where ps.state like '%established%';
39 | 
40 | // Code Injection  - look for the running processes without a path on the disk  (producing false positives) && with users
41 | 
42 | 	 select p.pid,p.name,p.cmdline,p.cwd,p.path,p.parent,pp.name as parentname,pp.path as parent_name,pp.cmdline as pcmdline from processes p left join processes pp on p.parent=pp.pid where p.on_disk!=1;
43 | 	 select p.pid,p.name,p.parent,pp.name as parentname,pp.path as parent_name,pp.cmdline as pcmdline,u.username from processes p left join processes pp on p.parent=pp.pid left join users u on p.uid=u.uid where p.on_disk!=1;
44 | 
45 | // malfind (not exactly) equivalent  && With process and cmdline 
46 | 
47 | 	select pid,start,end,permissions,offset,path from process_memory_map where permissions like '%PAGE_EXECUTE_READWRITE';
48 | 	select pid,start,end,permissions,offset,path from process_memory_map where permissions like '%PAGE_EXECUTE_READWRITE' and path='';
49 | 	select p.pid,pp.cmdline,p.start,p.end,p.permissions,p.offset,p.path from process_memory_map p join processes pp on p.pid=pp.pid where permissions like '%PAGE_EXECUTE_READWRITE';
50 | 


--------------------------------------------------------------------------------
/windows/Process Interrogation:
--------------------------------------------------------------------------------
 1 | // Process Interrogation 
 2 | 
 3 | // Identifying Suspicious Processes (processes) with usernames (users)
 4 | 
 5 | 	select processes.name,processes.path,users.username from processes LEFT JOIN users ON processes.uid=users.uid where processes.path != '';
 6 | 	SELECT p.pid, p.uid,p.name,u.username FROM processes as p LEFT JOIN users as u ORDER BY start_time DESC LIMIT 20;
 7 | 	SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY start_time DESC LIMIT 5;
 8 | 	select COUNT(*) from processes;
 9 | 
10 | // Identify the parent & Grandparent processes for all OR a given process - look for any suspicious parent, child relationships 
11 | 
12 | 	select p.pid,p.name,pp.pid as parentid,pp.name as parentname, gp.pid as gpid, gp.name as gpname from processes p join processes pp on p.parent=pp.pid join processes gp on pp.parent=gp.pid order by p.start_time asc;
13 | 	select p.pid,p.name, pp.pid as parentid,pp.name as parentname ,gp.pid as gpid,gp.name as gpname from processes p join processes pp on p.parent=pp.pid join processes gp on pp.parent=gp.pid where p.name like '%osquery%';
14 | 	select p.pid,p.name, pp.pid as parentid,pp.name as parentname ,gp.pid as gpid,gp.name as gpname from processes p join processes pp on p.parent=pp.pid join processes gp on pp.parent=gp.pid where p.name like '%wmi%';
15 | 
16 | // Identifying Programs that are installed from "TEMP" source
17 | 
18 | 	select name,install_location,install_source from programs where install_source LIKE '%TEMP%';
19 | 
20 | // Identifying the programs that are running from "TEMP" locations
21 | 
22 | 	select name,install_location,install_source from programs where install_location LIKE '%TEMP%';
23 | 
24 | // identify the install_location for a specific program && with hostname
25 | 
26 | 	select name,install_location from programs where name LIKE '%wireshark%';
27 | 	select system_info.hostname,programs.name from programs join system_info where programs.name LIKE '%wireshark%';
28 | 
29 | // Identify the processes with open pipes 
30 | 	
31 | 	select pipes.name as pipename,pipes.instances,pipes.flags,processes.name,processes.path from pipes LEFT JOIN processes ON pipes.pid=processes.pid where processes.name!='';
32 | 
33 | // Identifying the processes that makes the remote network connections 
34 | 
35 | 	select processes.name,process_open_sockets.remote_address,process_open_sockets.remote_port from processes JOIN process_open_sockets ON processes.pid=process_open_sockets.pid;
36 | 
37 | // Identifying the processes with its listening_ports 
38 | 
39 | 	select processes.name,listening_ports.port,listening_ports.address from processes JOIN listening_ports ON processes.pid=listening_ports.pid;
40 | 
41 | // Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (In Bytes)
42 | 
43 | 	select pid,name,user_time,system_time,resident_size from processes order by resident_size;
44 | 
45 | // Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (in MB)
46 | 	
47 | 	select pid,name,user_time,system_time,resident_size from processes order by user_time,system_time;
48 | 
49 | // Identify the hash of the running processes with usernames
50 | 
51 | 	select p.pid,p.name,p.path,h.sha256,u.username from processes as p JOIN hash as h on p.path=h.path JOIN users as u on p.uid=u.uid LIMIT 10;
52 | 
53 | // Process execution/start time 
54 | 
55 | 	select p.name,p.start_time, DATETIME(time.unix_time-(uptime.total_seconds-p.start_time),'unixepoch') as stime from processes as p, uptime,time  order by stime DESC limit 5;
56 | 
57 | // Processes with its parents path 
58 | 	
59 | 	select p.name,p.pid,p.parent as parentid,pp.path from processes as p LEFT OUTER JOIN processes as pp on p.parent=pp.pid limit 10;
60 | 
61 | // Verify the parent process of PowerShell 
62 | 
63 | 	 select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where p.path like '%power%';
64 | 
65 | // Verify the parent process of wmi (with a hash value)
66 | 
67 | 	 select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where p.path like '%wmi%';
68 | 
69 | // Any suspicious process running from PowerShell (with a hash value)
70 | 
71 | 	 select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where pp.path like '%PowerShell%';
72 | 
73 | // Any suspicious process running from cmd (with a hash value)
74 | 
75 | 	select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where pp.path like '%cmd%';
76 | 
77 | // Any suspicious process running from mshta & verify the parent of mshta
78 | 
79 | 	select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where pp.path like '%mshta%';
80 | 	select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where p.path like '%mshta%';
81 | 
82 | // Any processes spawning out of wow64 directory
83 | 
84 | 	select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where p.path like '%wow64%';
85 | 
86 | // Identifying suspicious dlls loaded by any service  with user_account associated with it (with hash value) 
87 | 
88 | 	select s.name, s.path,s.module_path,s.start_type,s.user_account,h.md5 from services s left join hash h on s.module_path=h.path where s.path NOT LIKE 'C:\WINDOWS\System32\svchost.exe -k%' AND s.module_path!='';
89 | 
90 | // Identify if the binary is signed or not && Identify the unsigned binaries in a directory 
91 | 
92 | 	select path,serial_number,issuer_name,subject_name,result from authenticode where path like 'C:\Windows\System32\cmd.exe';
93 | 	select path,serial_number,issuer_name,subject_name,result from authenticode where path like 'C:\Windows\twain_32\%' AND result !='trusted';
94 | 
95 | 


--------------------------------------------------------------------------------
/windows/Persistence:
--------------------------------------------------------------------------------
  1 | // Persistence 
  2 | 
  3 | 
  4 | // T1037.001 - Logon Script (Windows) 
  5 | 
  6 | 	select name,path,data,DATETIME(mtime,'unixepoch') as time from registry where path like 'HKEY_CURRENT_USER\Environment\%';
  7 | 
  8 | // T1053.002, T1053.005 - AT(Windows), Shceduled task 
  9 | 
 10 | 	select name,path,action,state from scheduled_tasks;
 11 | 
 12 | // T1136.001 - Local Account (admin) - look for any addition of admin user in the list 
 13 | 	
 14 | 	select s.hostname,users.uid,users.gid,users.username,users.directory from users JOIN user_groups ON users.uid=user_groups.uid,system_info s where user_groups.gid=544;
 15 | 
 16 | // T1176 - Browser Extensions (Chrome,IE,FireFox, Safari)
 17 | 
 18 |  	select * from chrome_extensions; (.mode line)
 19 | 	select c.name,c.path,c.permissions, users.username from chrome_extensions as c JOIN users where c.uid=users.uid;
 20 | 	select * from firefox_addons; (.mode line)
 21 | 	select name,path,registry_path from ie_extensions;
 22 | 	select name,version,auhor,path,description from safari_extensions;
 23 | 
 24 | // T1457.001 - Registry Run Keys / StartUp Folder - RunKeys && RunKeys with hashvalues
 25 | 
 26 | 	select name,data from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%\%';
 27 | 	select name,data  from registry where path LIKE 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%\%'
 28 | 	select r.data, h.md5 from registry r, hash h where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and h.path = r.data;
 29 | 
 30 | // T1457.001 - Registry Run Keys / StartUp Folder - Startup Items
 31 | 
 32 | 	select name,path,source,username,status from startup_items order by source;
 33 | 
 34 | //T1457.002 - Authentication Package (lsa) 
 35 | 
 36 | 	select r.name,r.data from registry r  where r.key like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'AND name like 'Authentication Packages';
 37 | 
 38 | 
 39 | // T1457.004 - Winlogon Helper DLL - UserInit Key, Notify Key, Shell Key
 40 | 
 41 | 	select name,data,mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Userinit';
 42 | 	select name,data,mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Shell';
 43 | 	select name,data,mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Notify';
 44 | 	select name,data,mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell';
 45 | 	select name,lower(data),mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit';
 46 | 	select name,data,mtime from registry where path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify';
 47 | 
 48 | // T1457.005 - Security Support Provider - Lsa\Security Packages && Lsa\OSConfig\Security Packages
 49 | 
 50 | 	select r.name,r.data from registry r  where r.key like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'AND name like 'Security Packages';
 51 | 	select r.name,r.data from registry r  where r.key like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'AND name like 'Security Packages';
 52 | 
 53 | // T1547.012 - Print Processors - Print Processors - Reg Keys (look for suspicious dll)  
 54 | 
 55 | 	select name,path,data,DATETIME(mtime,'unixepoch') as time from registry where path like 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\%\%';
 56 | 	select name,path,data,DATETIME(mtime,'unixepoch') as time from registry where path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\%\%';
 57 | 
 58 | // T1547.012 - look for  suspicious print drivers 
 59 | 
 60 | 	select device_id,device_name,image, service,signed from drivers where device_name like '%print%' OR service like '%print%';
 61 | 
 62 | // T1543.003 - Windows Service - Service Creation / Modification from suspicious locations
 63 | 
 64 | 	select name, display_name, start_type, path, user_account from services where start_type='AUTO_START' AND path NOT LIKE 'C:\WINDOWS\System32\svchost.exe -k%';
 65 | 	select s.name,lower(s.path) as spath  from services s where spath NOT like 'c:\windows\system32\%';
 66 | 
 67 | // T1543.003 - Windows Service - look for suspicious dlls loaded by any service (with associted username & hashvalue of the dll) 
 68 | 
 69 | 	select s.name, s.path,s.module_path,s.start_type,s.user_account,h.md5 from services s left join hash h on s.module_path=h.path where s.path NOT LIKE 'C:\WINDOWS\System32\svchost.exe -k%' AND s.module_path!='';
 70 | 	select s.name, s.path,s.module_path,s.start_type,s.user_account,h.md5 from services s left join hash h on s.module_path=h.path where s.module_path!='';
 71 | 
 72 | //  T1546.002 - Screensaver 
 73 | 
 74 | 	select name,path,data,DATETIME(mtime,'unixepoch') as time from registry where path like 'HKEY_CURRENT_USER\Control Panel\Desktop\scr%';
 75 | 	select name,path,data,DATETIME(mtime,'unixepoch') as time from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%.scr%';
 76 | 
 77 | // T1546.003 - Windows Management Instrumentation Event Subscription(WMI) - CLI / Script Event Consumers
 78 | 
 79 | 	select * from wmi_cli_event_consumers;
 80 | 	select * from wmi_script_event_consumers;
 81 | 
 82 | // T1546.003 - Windows Management Instrumentation Event Subscription(WMI) - Script Event Consumers
 83 | 
 84 | 	select p.name,p.path,p.pid,p.parent,h.md5,pp.path as parentpath from processes p JOIN hash h on p.path=h.path JOIN processes pp ON p.parent=pp.pid where pp.path like '%scrcons%';
 85 | 
 86 | // T1546.003 - Windows Management Instrumentation Event Subscription(WMI)
 87 | 
 88 | 	select p.name,p.pid,p.cmdline,p.parent as parentid,pp.path as parentpath from processes p join processes pp on p.parent=pp.pid where p.path like '%wmi%';
 89 | 	select p.name,p.pid,p.cmdline,pp.pid as childid,pp.path as childpath,pp.cmdline as childcmdline from processes p join processes pp on p.pid=pp.parent where p.path like '%wmi%';
 90 | 
 91 | // T1546.007 - Netsh Helper DLL
 92 | 
 93 | 	select count(r.data) from registry r where key like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh%'; 
 94 | 	select r.data from registry r where key like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh%';	
 95 | 
 96 | //  T1546.011 - Application Shimming
 97 | 
 98 | 	select executable,path,description,sdb_id from appcompat_shims;
 99 | 
100 | //  Known DLL
101 | 
102 | 	select name,data from registry where path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\%';
103 | 
104 | // T1546.010 - AppInitDLL 
105 | 
106 | 	select name,type,data from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' and name='AppInit_DLLs';
107 | 	select name,type,data from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' and name='LoadAppInit_DLLs';
108 | 	select r.name,r.type,r.data,h.sha256 from registry as r LEFT JOIN hash as h on r.data=h.path where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' and name='AppInit_DLLs';
109 | 
110 | // T1546.010 - AppInitDLL - AppInitDLL with Hash Value AND if that exe is currently running
111 | 
112 | 	 select r.name,r.type,lower(r.data) as rpath,h.sha256,lower(p.path) as ppath,p.pid from registry as r LEFT JOIN hash as h on r.data=h.path LEFT JOIN processes as p on rpath=ppath where r.key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' and r.name='AppInit_DLLs';
113 | 
114 | // T1546.012 -  Image File Execution Options Injection (IFEO) 
115 | 
116 | 	 select r.path,r.data from registry r where r.key like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%' AND (r.name like '%debugger' OR r.name like 'GlobalFlag') ;
117 | 	 select p.name,p.pid,pp.cmdline as childcmdline from processes p join processes pp on p.pid=pp.parent where p.name like '%WerFault%'
118 | 


--------------------------------------------------------------------------------