├── .circleci
│   └── config.yml
├── .gitignore
├── docs
│   ├── README.md
│   ├── general
│   │   ├── configuration_audits.md
│   │   └── file_enumeration.md
│   ├── img
│   │   ├── favicon.ico
│   │   └── shield.png
│   ├── index.md
│   ├── reference.md
│   ├── requirements.txt
│   ├── tactics
│   │   ├── collection.md
│   │   ├── command_and_control.md
│   │   ├── credential_access.md
│   │   ├── defense_evasion.md
│   │   ├── discovery.md
│   │   ├── execution.md
│   │   ├── exfiltration.md
│   │   ├── impact.md
│   │   ├── initial_access.md
│   │   ├── lateral_movement.md
│   │   ├── persistence.md
│   │   └── privilege_escalation.md
│   └── tips_and_tricks.md
└── mkdocs.yml

--------------------------------------------------------------------------------
/.circleci/config.yml:
--------------------------------------------------------------------------------
version: 2.1
jobs:
  deploy:
    docker:
      - image: circleci/python:3.8.2
    working_directory: ~/rhq
    parameters:
      profile-name:
        type: string
        default: "default"
      aws-access-key-id:
        type: env_var_name
        default: AWS_ACCESS_KEY_ID
      aws-secret-access-key:
        type: env_var_name
        default: AWS_SECRET_ACCESS_KEY
      aws-region:
        type: env_var_name
        default: "AWS_DEFAULT_REGION"
      configure-default-region:
        type: boolean
        default: true
    steps:
      - checkout
      - run:
          name: Remove git
          command: rm -rf .git && rm -rf .gitignore && rm -rf .circleci
      - run:
          name: Install dependencies
          command: sudo pip3 install awscli mkdocs==1.1 mkdocs-material==5.3.0 pymdown-extensions==7.0 mkdocs-material-extensions==1.0 markdown==3.2.1 pygments==2.4
      - run:
          name: Configure AWS Access Key ID
          command: aws configure set aws_access_key_id $<< parameters.aws-access-key-id >> --profile << parameters.profile-name >>
      - run:
          name: Configure AWS Secret Access Key
          command: aws configure set aws_secret_access_key $<< parameters.aws-secret-access-key >> --profile << parameters.profile-name >>
      - run:
          name: Build
          command: mkdocs build
      - run:
          name: Deploy to S3
          branch: master
          command: aws s3 sync site/ s3://rhq.reconinfosec.com/ --delete --region us-east-1 --acl public-read
      - run:
          name: Invalidate cloudfront distribution
          branch: master
          command: aws cloudfront create-invalidation --distribution-id E3RRROHKOEZQNJ --paths "/*"

workflows:
  version: 2
  build-deploy:
    jobs:
      - deploy:
          filters:
            branches:
              only: master
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
[![CircleCI](https://circleci.com/gh/ReconInfoSec/rhq/tree/master.svg?style=svg&circle-token=9b85ec7f85ae57497134cb6627e7baca708804e1)](https://circleci.com/gh/ReconInfoSec/rhq/tree/master)

## Contributing
- https://www.mkdocs.org/user-guide/writing-your-docs/

### Build instructions

```
pip install -r docs/requirements.txt
cd docs
```

Modify `docs/*.md` as needed

```
mkdocs serve
```
--------------------------------------------------------------------------------
/docs/general/configuration_audits.md:
--------------------------------------------------------------------------------
Configuration Audits
=========================================

## Active Directory / GPO
### Check the number of allowed cached credentials
The default is 10; best practice is a lower value on key terrain.

```sql tab="Windows"
SELECT data
FROM registry
WHERE path='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount';
```

### Domain information

```sql tab="Windows"
SELECT *
FROM ntdomains;
```

## Patch level

```sql tab="Windows"
SELECT *
FROM patches;
```

## Software

### Installed Chrome extensions

```sql tab="All Platforms"
SELECT *
FROM chrome_extensions
WHERE uid IN (SELECT u.uid FROM users u, logged_in_users liu WHERE liu.user = u.username);
```
--------------------------------------------------------------------------------
/docs/general/file_enumeration.md:
--------------------------------------------------------------------------------
File Enumeration
=========================================

## List directory contents
**Description:** A non-recursive (single level) directory listing.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM file
WHERE path LIKE 'C:\Users\%';
```

```sql tab="MacOS"
SELECT *
FROM file
WHERE path LIKE '/Users/%';
```

```sql tab="Linux"
SELECT *
FROM file
WHERE path LIKE '/home/%';
```

## Recursive directory listing
```sql tab="Windows"
SELECT *
FROM file
WHERE path LIKE 'C:\Users\username\%%';
```

```sql tab="MacOS"
SELECT *
FROM file
WHERE path LIKE '/Users/username/%%';
```

```sql tab="Linux"
SELECT *
FROM file
WHERE path LIKE '/home/username/%%';
```

## List downloads for all users
```sql tab="Windows"
SELECT *
FROM file
WHERE path LIKE 'C:\Users\%\Downloads\%%';
```

```sql tab="MacOS"
SELECT *
FROM file
WHERE path LIKE '/Users/%/Downloads/%%';
```

```sql tab="Linux"
SELECT *
FROM file
WHERE path LIKE '/home/%/Downloads/%%';
```

## List executables in temp directories
```sql tab="Windows"
SELECT btime,ctime,mtime,directory,filename,path,size
FROM file
WHERE (path LIKE 'C:\Users\%\AppData\Local\Temp\%' OR path LIKE 'C:\Windows\temp\%')
AND (filename LIKE '%.exe' OR filename LIKE '%.dll');
```

```sql tab="MacOS"
Contribute a query!
```

```sql tab="Linux"
Contribute a query!
```

## Obtain hashes of a file
- **NOTE:** This type of query should only be run against **specific files**, not entire directories, and certainly not recursively against many directories, because calculating hashes is resource intensive.

```sql tab="Windows"
SELECT *
FROM hash
WHERE path LIKE 'C:\path\to\legit.docx';
```

```sql tab="MacOS"
SELECT *
FROM hash
WHERE path LIKE '/Users/%/Downloads/legit.docx';
```

```sql tab="Linux"
SELECT *
FROM hash
WHERE path LIKE '/home/%/Downloads/legit.docx';
```
--------------------------------------------------------------------------------
/docs/img/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReconInfoSec/rhq/ec2cdd505a257b37171e85f6c91ce25a6f3701d7/docs/img/favicon.ico
--------------------------------------------------------------------------------
/docs/img/shield.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReconInfoSec/rhq/ec2cdd505a257b37171e85f6c91ce25a6f3701d7/docs/img/shield.png
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
Recon Hunt Queries
=========================================
Welcome to the Recon Hunt Queries repo!
## About
This project is proudly maintained by [Recon InfoSec](http://reconinfosec.com) to support the community of osquery users!

Our goal with this project is to have a consolidated place for **incident response & threat hunting** focused queries for **[osquery](https://github.com/osquery/osquery)**. We've grouped the queries by the [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page) tactics they support, but there are a few "General" categories of queries as well. Use the navigation bar on the top left to explore.

These are collections of **individual queries** for specific use cases, not query packs, which are a [separate thing](https://www.darkbytes.com/osquery-scheduled-queries-packs/) altogether.

These queries are great for on-demand hunting across hundreds or thousands of systems via osquery [distributed queries](https://osquery.readthedocs.io/en/stable/deployment/remote/) using a frontend like [Kolide Fleet](https://github.com/kolide/fleet).

There are several other great projects that track example queries, be sure to check them out!

- [osquery packs](https://github.com/osquery/osquery/tree/master/packs)
- [osquery queryhub](https://github.com/osquery/queryhub)

## Contribute
Please contribute any queries you've found useful for threat hunting & incident response! Be sure to study the [osquery Schema](https://osquery.io/schema/) for inspiration.

Notice the "edit" icon at the top right of every page? Click on it, add your stuff, submit a PR -> raise the collective capabilities of osquery hunters everywhere!

### Query template
The following markdown code produces the example below it.

## List directory contents
**Description:** A non-recursive (single level) directory listing.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM file
WHERE path LIKE 'C:\Users\%';
```

```sql tab="MacOS"
SELECT *
FROM file
WHERE path LIKE '/Users/%';
```

```sql tab="Linux"
SELECT *
FROM file
WHERE path LIKE '/home/%';
```

---

## List directory contents
**Description:** A non-recursive (single level) directory listing.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM file
WHERE path LIKE 'C:\Users\%';
```

```sql tab="MacOS"
SELECT *
FROM file
WHERE path LIKE '/Users/%';
```

```sql tab="Linux"
SELECT *
FROM file
WHERE path LIKE '/home/%';
```

---

For a query that is universal across all supported osquery platforms, simply specify "All Platforms" as the `tab` value.

If your query is only applicable to one platform, feel free to omit the non-applicable tabs.
--------------------------------------------------------------------------------
/docs/reference.md:
--------------------------------------------------------------------------------
osquery Reference Material
=========================================

- https://osquery.io/
- https://github.com/osquery/osquery
- https://github.com/osquery/osquery/tree/master/packs
- https://osquery.readthedocs.io/en/stable/
- https://www.darkbytes.com/osquery-scheduled-queries-packs/
- https://www.sans.org/security-resources/posters/dfir
- https://attack.mitre.org/
--------------------------------------------------------------------------------
/docs/requirements.txt:
--------------------------------------------------------------------------------
sphinx
sphinx-rtd-theme
recommonmark
mkdocs
mkdocs-material
pymdown-extensions
pygments
--------------------------------------------------------------------------------
/docs/tactics/collection.md:
--------------------------------------------------------------------------------
Collection
=========================================
--------------------------------------------------------------------------------
/docs/tactics/command_and_control.md:
--------------------------------------------------------------------------------
Networking
=========================================

## Listening Processes
**Description:** Get the process name, port and PID for processes listening on all interfaces (`0.0.0.0`).

**Author:**

**Query:**

```sql tab="All Platforms"
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
```

## ARP anomalies
**Description:** MAC addresses that appear more than once in the ARP cache, i.e. one MAC answering for several IP addresses.

**Author:**

**Query:**

```sql tab="All Platforms"
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache GROUP BY mac
HAVING count(mac) > 1;
```
--------------------------------------------------------------------------------
/docs/tactics/credential_access.md:
--------------------------------------------------------------------------------
Credential Access
=========================================

## ProcDump
**Description:** Identify systems on which the ProcDump EULA has been accepted. Read more about the technique [here](https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf).

- `mtime` = Time that EULA was accepted

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(mtime, 'unixepoch', 'localtime') AS EULA_accepted,path
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Sysinternals\ProcDump\EulaAccepted';
```
--------------------------------------------------------------------------------
/docs/tactics/defense_evasion.md:
--------------------------------------------------------------------------------
Defense Evasion
=========================================
--------------------------------------------------------------------------------
/docs/tactics/discovery.md:
--------------------------------------------------------------------------------
Discovery
=========================================
--------------------------------------------------------------------------------
/docs/tactics/execution.md:
--------------------------------------------------------------------------------
Execution
=========================================

## Prefetch files
**Description:** Prefetch is one of several "evidence of execution" artifacts.

- `btime` = First execution
- `mtime` = Last execution
- Timestamps are in epoch; use a converter such as [https://www.epochconverter.com/](https://www.epochconverter.com/)
- `datetime(btime, 'unixepoch', 'localtime') AS firstrun`, placed in the SELECT clause, converts the epoch value to local time (the query below does this for both timestamps)

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(btime, 'unixepoch', 'localtime') AS firstrun,datetime(mtime, 'unixepoch', 'localtime') AS lastrun,filename
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
ORDER BY lastrun DESC;
```

## UserAssist
**Description:**

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM registry
WHERE path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\%%';
```

## AppCompat Shims
**Description:** Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM appcompat_shims;
```

## Last-Visited MRU
Values are stored in REG_BINARY format; decode them with this CyberChef recipe: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Decode_text('UTF16LE%20(1200)')

```sql tab="Windows"
SELECT * FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU\%%';
```

## RecentApps
**Description:**
GUI program execution on Windows 10 systems is tracked in the RecentApps key.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps';
```

## Unsigned binaries in system directories
**Description:**
File (executable, bundle, installer, disk) code signing status.

**NOTE:** Potential for high false positives; validate with sigcheck/SignTool.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM authenticode
WHERE path LIKE 'C:\Windows\System32\%'
AND (path like '%.exe' OR path like '%.dll' OR path like '%.sys')
AND result = 'missing';
```

## Unsigned/unverified drivers
**Description:** List all loaded drivers without a digital signature.

- https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/Driver-Signing-changes-in-Windows-10-version-1607/ba-p/364894

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM drivers
WHERE signed != '1';
```

## Process without binary on disk
**Description:** List running processes whose binary is no longer on disk, filtering out common false positives.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM processes
WHERE on_disk != '1'
AND gid >= 1
AND cmdline != '\SystemRoot\System32\smss.exe';
```

## Suspicious PowerShell
**Description:** Needs additional testing/benchmarking.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT script_name,script_path,script_text,datetime(time, 'unixepoch', 'localtime') AS time
FROM powershell_events
WHERE (script_text LIKE '%-en%' OR script_text LIKE '%DownloadString%' OR script_text LIKE '%-nop%'
   OR script_text LIKE '%hidden%' OR script_text LIKE '%IEX%' OR script_text LIKE '%http%');
```
--------------------------------------------------------------------------------
/docs/tactics/exfiltration.md:
--------------------------------------------------------------------------------
Exfiltration
=========================================
--------------------------------------------------------------------------------
/docs/tactics/impact.md:
--------------------------------------------------------------------------------
Impact
=========================================

## File Deletion
**Description:** List recycled files for all users on the system.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(atime, 'unixepoch', 'localtime') AS atime,
       datetime(btime, 'unixepoch', 'localtime') AS btime,
       datetime(ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime,
       path,device,filename,size,type,uid,volume_serial
FROM file
WHERE path LIKE 'C:\$Recycle.bin\%%';
```
--------------------------------------------------------------------------------
/docs/tactics/initial_access.md:
--------------------------------------------------------------------------------
Initial Access
=========================================

## Email

### Email Attachments
**Description:** List and hash all files in common Outlook temp directories.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM hash
WHERE (path LIKE 'C:\Users\%\AppData\Local\Temp\%.tmp\%'
OR path LIKE 'C:\Users\%\AppData\Local\Microsoft\Outlook%%'
OR path LIKE 'C:\Documents and Settings\%\Local Settings\Temporary Internet Files\Content.Outlook%%');
```

## File Opening
### Jump Lists
**Description:** Enumerate LNK files in user jump lists as evidence of file opening.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(btime, 'unixepoch', 'localtime') AS firstaccess,
datetime(mtime, 'unixepoch', 'localtime') AS lastaccess,filename,path
FROM file
WHERE path LIKE 'C:\Users\%\AppData\Roaming\Microsoft\Windows\Recent\%.lnk'
ORDER BY lastaccess DESC;
```

## File Download
### Open/Save MRU
**Description:** Tracks files that have been opened or saved within a Windows shell dialog box.

- https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru/

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(mtime, 'unixepoch', 'localtime') AS mtime,name,path,key FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\%%';
```
--------------------------------------------------------------------------------
/docs/tactics/lateral_movement.md:
--------------------------------------------------------------------------------
# Lateral Movement

## SMB / Named Pipes
**Description:** Named pipes are an inter-process communication mechanism on Windows and are very often leveraged by malware and C2 beacons.

- https://blog.cobaltstrike.com/2013/12/06/stealthy-peer-to-peer-cc-over-smb-pipes/
- https://medium.com/@petergombos/smb-named-pipe-pivoting-in-meterpreter-462580fd41c5

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT proc.parent AS process_parent, proc.path AS process_path, proc.pid AS process_id,
       proc.cwd AS process_directory, pipe.pid AS pipe_pid, pipe.name AS pipe_name
FROM processes proc
JOIN pipes pipe ON proc.pid=pipe.pid;
```

## Logged in users
**Description:** Get all logged on users. Helpful if you already suspect a compromised account and want to quickly identify where that account is in use.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="All Platforms"
SELECT *
FROM logged_in_users
WHERE user = 'compromised.username';
```

## PsExec
**Description:** Identify systems on which the PsExec EULA has been accepted.

- `mtime` = Time that EULA was accepted

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(mtime, 'unixepoch', 'localtime') AS EULA_accepted,path
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Sysinternals\PsExec\EulaAccepted';
```
--------------------------------------------------------------------------------
/docs/tactics/persistence.md:
--------------------------------------------------------------------------------
Persistence
=========================================

## Autoexec (kitchen sink)
**Description:** Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM autoexec;
```

## Scheduled Tasks
**Description:** List all scheduled tasks, returning only those that are enabled.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT datetime(last_run_time, 'unixepoch', 'localtime') AS last_run_time,
       datetime(next_run_time, 'unixepoch', 'localtime') AS next_run_time,
       action,enabled,hidden,last_run_code,last_run_message,name,path,state
FROM scheduled_tasks
WHERE enabled != 0;
```

## Startup Items
**Description:** List all startup items, returning only those that are enabled. NOTE: also see "User-specific Run Keys" to ensure you don't miss relevant results.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM startup_items
WHERE status = 'enabled'
AND path NOT LIKE '%\desktop.ini'
AND path NOT LIKE 'C:\Windows\System32\mctadmin.exe'
AND path NOT LIKE '%Sidebar.exe /autoRun';
```

## User-specific Run Keys
**Description:** User-specific Run keys that are not included in the `startup_items` table.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run\%'
AND data NOT LIKE '%Sidebar.exe /autoRun';
```

## Services
**Description:** List all services, returning only those that are enabled.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM services
WHERE start_type != 'DISABLED';
```

## WMI Event Consumers
### WMI Event Filters
**Description:** WMI event filters, filtering out common false positives.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM wmi_event_filters
WHERE (name NOT like 'BVTFilter' AND name NOT like 'SCM Event Log Filter');
```

### WMI CLI Event Consumers
**Description:** WMI command line event consumers, filtering out common false positives.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM wmi_cli_event_consumers
WHERE name NOT like 'BVTConsumer';
```

### WMI Script Event Consumers
**Description:** WMI script event consumers.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM wmi_script_event_consumers;
```

### WMI Filter+Consumer Bindings
**Description:** WMI event filter/consumer bindings, filtering out common false positives.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT *
FROM wmi_filter_consumer_binding
WHERE (filter NOT LIKE '%BVTFilter%' AND filter NOT LIKE '%SCM Event Log Filter%');
```
--------------------------------------------------------------------------------
/docs/tactics/privilege_escalation.md:
--------------------------------------------------------------------------------
Privilege Escalation
=========================================
--------------------------------------------------------------------------------
/docs/tips_and_tricks.md:
--------------------------------------------------------------------------------
Query Tips & Tricks
=========================================

## Join two tables
- `p` is an alias for the `processes` table
- `u` is an alias for the `users` table
- `u.uid=p.uid` names the column the two schemas have in common, which is what the join matches on
- Columns from the separate `processes` and `users` tables are returned together, matched on `uid`

```sql
SELECT p.parent, p.path, p.pid, p.cwd, u.uid, u.username
FROM processes p
JOIN users u ON u.uid=p.uid;
```

## Sub-queries

```sql
SELECT address, mac, mac_count
FROM
(SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
WHERE mac_count > 1;
```
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
site_name: Recon Hunt Queries
theme:
  name: 'material'
  favicon: 'img/favicon.ico'
  logo: 'img/shield.png'
  features:
    - instant
    - tabs
nav:
  - Home: index.md
  - Query Tips & Tricks: tips_and_tricks.md
  - General Queries:
    - File Enumeration: general/file_enumeration.md
    - Configuration Audits: general/configuration_audits.md
  - By Tactic:
    - Initial Access: tactics/initial_access.md
    - Execution: tactics/execution.md
    - Persistence: tactics/persistence.md
    - Privilege Escalation: tactics/privilege_escalation.md
    - Defense Evasion: tactics/defense_evasion.md
    - Credential Access: tactics/credential_access.md
    - Discovery: tactics/discovery.md
    - Lateral Movement: tactics/lateral_movement.md
    - Collection: tactics/collection.md
    - Command and Control: tactics/command_and_control.md
    - Exfiltration: tactics/exfiltration.md
    - Impact: tactics/impact.md
  - Reference: reference.md

markdown_extensions:
  - codehilite
  - pymdownx.highlight
  - pymdownx.arithmatex
  - pymdownx.betterem:
      smart_enable: all
  - pymdownx.caret
  - pymdownx.critic
  - pymdownx.details
  - pymdownx.emoji:
      emoji_generator: !!python/name:pymdownx.emoji.to_svg
  - pymdownx.inlinehilite
  - pymdownx.magiclink
  - pymdownx.mark
  - pymdownx.smartsymbols
  - pymdownx.tasklist:
      custom_checkbox: true
  - pymdownx.tilde
  - admonition
  - abbr
  - attr_list
  - def_list
  - footnotes
  - meta
  - md_in_html
  - toc:
      permalink: true
  - pymdownx.arithmatex:
      generic: true
  - pymdownx.betterem:
      smart_enable: all
  - pymdownx.caret
  - pymdownx.critic
  - pymdownx.details
  - pymdownx.emoji:
      emoji_index: !!python/name:materialx.emoji.twemoji
      emoji_generator: !!python/name:materialx.emoji.to_svg
  - pymdownx.highlight
  - pymdownx.inlinehilite
  - pymdownx.keys
  - pymdownx.magiclink:
      repo_url_shorthand: true
      user: squidfunk
      repo: mkdocs-material
  - pymdownx.mark
  - pymdownx.smartsymbols
  - pymdownx.snippets:
      check_paths: true
  - pymdownx.superfences:
      custom_fences:
        - name: mermaid
          class: mermaid
          format: !!python/name:pymdownx.superfences.fence_code_format
  - pymdownx.tabbed
  - pymdownx.tasklist:
      custom_checkbox: true
  - pymdownx.tilde

repo_name: 'ReconInfoSec/rhq'
repo_url: 'https://github.com/ReconInfoSec/rhq'

google_analytics: ['UA-86110655-14', 'rhq.reconinfosec.com']
--------------------------------------------------------------------------------
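The query template in docs/index.md (a `## Title`, then `**Description:**`, `**Author:**`, `**Query:**`, then one `sql tab="<Platform>"` fence per platform) is regular enough to parse mechanically. The Python below is an added example, not code from the rhq repo: it pulls every entry out of a page written in that template, skips the repo's `Contribute a query!` stub fences, and lints the result for empty fields and platforms that still lack a query. The sample page, the `HuntQuery` type and the lint rules are constructed here.

```python
import re
from dataclasses import dataclass, field

FENCE = "`" * 3  # spelled out so this listing does not close its own code fence
HEADING_RE = re.compile(r"^#{2,3}\s+(.*\S)\s*$")
FIELD_RE = re.compile(r"^\*\*(Description|Author|Query):\*\*\s*(.*)$")
FENCE_OPEN_RE = re.compile("^" + FENCE + r'sql(?:\s+tab="([^"]+)")?\s*$')
PLATFORMS = ("Windows", "MacOS", "Linux")


@dataclass
class HuntQuery:
    title: str
    description: str = ""
    author: str = ""
    queries: dict = field(default_factory=dict)  # platform tab -> SQL text


def parse_hunt_doc(markdown: str) -> list:
    """Return one HuntQuery per heading that carries at least one SQL fence."""
    entries, last_field = [], None
    current = HuntQuery("(preamble)")  # swallows anything before the first heading
    platform, sql_lines = None, []  # set while inside a sql fence
    for line in markdown.splitlines():
        if platform is not None:
            if line.strip() != FENCE:
                sql_lines.append(line)
                continue
            sql = "\n".join(sql_lines).strip()
            if sql and sql != "Contribute a query!":  # skip the repo's stub fences
                current.queries[platform] = sql
            platform = None
            continue
        m = HEADING_RE.match(line)
        if m:
            current, last_field = HuntQuery(title=m.group(1)), None
            entries.append(current)
            continue
        m = FENCE_OPEN_RE.match(line)
        if m:
            platform, sql_lines = m.group(1) or "Unspecified", []
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field, value = m.group(1).lower(), m.group(2).strip()
            if last_field == "description":
                current.description = value
            elif last_field == "author":
                current.author = value
            continue
        text = line.strip()  # a description may wrap onto the following line
        if last_field == "description" and text and not text.startswith("-"):
            current.description = f"{current.description} {text}".strip()
    return [e for e in entries if e.queries]


def lint_entries(entries) -> list:
    """Flag empty template fields and platforms that still lack a query."""
    problems = []
    for e in entries:
        if not e.description:
            problems.append(f"{e.title}: missing **Description:**")
        if not e.author:
            problems.append(f"{e.title}: missing **Author:**")
        if "All Platforms" not in e.queries:
            missing = [p for p in PLATFORMS if p not in e.queries]
            if missing:
                problems.append(f"{e.title}: no query for {', '.join(missing)}")
    return problems


# Constructed sample page in the repo's template; "~~~" stands in for the SQL fences.
SAMPLE_DOC = r'''## List directory contents
**Description:** A non-recursive (single level) directory listing.
**Author:** [@eric_capuano](https://twitter.com/eric_capuano)
**Query:**
~~~sql tab="Windows"
SELECT * FROM file WHERE path LIKE 'C:\Users\%';
~~~

~~~sql tab="Linux"
SELECT * FROM file WHERE path LIKE '/home/%';
~~~

## List executables in temp directories
**Description:**
Executables written to temp directories
**Author:**
~~~sql tab="Windows"
SELECT path FROM file WHERE path LIKE 'C:\Windows\temp\%' AND filename LIKE '%.exe';
~~~
~~~sql tab="MacOS"
Contribute a query!
~~~
'''.replace("~~~", FENCE)
```

Running `lint_entries(parse_hunt_doc(SAMPLE_DOC))` reports the missing author and the platforms without a query, which is the review a contributor's PR would get.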
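The Last-Visited MRU entry in docs/tactics/execution.md and the Open/Save MRU entry in docs/tactics/initial_access.md point at a CyberChef recipe (From_Hex, then UTF-16LE) for reading the REG_BINARY values the registry query returns. This added Python example (not code from the rhq repo) does that decoding offline: each slot value is split into the executable name and the readable fragments of the PIDL that follows it, and the key's MRUListEx value puts the slots in most-recent-first order. The rows, the slot builder and its PIDL bytes are constructed, not captured from a real system.

```python
"""Decode Open/Save and Last-Visited MRU values as returned by osquery's registry table."""
import re

# Runs of 4+ printable ASCII characters encoded as UTF-16LE. Best effort only: the
# PIDL that follows the executable name is not parsed, this just surfaces the
# readable path fragments a hunter would otherwise pick out of the CyberChef output.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def hex_to_bytes(hex_data: str) -> bytes:
    """osquery emits REG_BINARY data as plain hex; tolerate spaces and 0x prefixes."""
    return bytes.fromhex(re.sub(r"0x|\s", "", hex_data, flags=re.IGNORECASE))


def decode_pidl_mru_value(hex_data: str) -> tuple:
    """Return (executable_name, [readable strings from the trailing PIDL])."""
    raw = hex_to_bytes(hex_data)
    end = len(raw)
    for i in range(0, len(raw) - 1, 2):  # UTF-16LE terminator: 00 00 on an even offset
        if raw[i:i + 2] == b"\x00\x00":
            end = i
            break
    executable = raw[:end].decode("utf-16-le", errors="replace")
    fragments = [m.decode("utf-16-le") for m in UTF16_RUN.findall(raw[end + 2:])]
    return executable, fragments


def decode_mru_list_ex(hex_data: str) -> list:
    """MRUListEx: little-endian DWORD slot numbers, most recent first, 0xFFFFFFFF ends it."""
    raw, order = hex_to_bytes(hex_data), []
    for i in range(0, len(raw) - 3, 4):
        slot = int.from_bytes(raw[i:i + 4], "little")
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def mru_timeline(rows) -> list:
    """Order one MRU key's slots as the user used them (most recent first).

    `rows` has the shape the page's registry query returns: dicts with the value
    'name' ("0", "1", ..., "MRUListEx") and its hex 'data'.
    """
    by_name = {r["name"]: r["data"] for r in rows}
    order = decode_mru_list_ex(by_name.get("MRUListEx", ""))
    return [decode_pidl_mru_value(by_name[str(s)]) for s in order if str(s) in by_name]


def make_slot(exe: str, *pidl_strings: str) -> str:
    """Constructed slot value (hex, as osquery would return it); the PIDL bytes are fake."""
    blob = exe.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50\xe0\x4f\xd0\x20"
    for s in pidl_strings:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    return blob.hex()


# Constructed rows, in the shape the LastVisitedPidlMRU query on the page returns them.
SAMPLE_ROWS = [
    {"name": "0", "data": make_slot("notepad.exe", "Documents", "notes.txt")},
    {"name": "1", "data": make_slot("winword.exe", "Downloads", "invoice.docm")},
    {"name": "MRUListEx", "data": "01000000" "00000000" "ffffffff"},
]

if __name__ == "__main__":
    for exe, fragments in mru_timeline(SAMPLE_ROWS):
        print(f"{exe:<14} {' / '.join(fragments)}")
```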