├── .circleci └── config.yml ├── .gitignore ├── Classic ├── Endpoints │ ├── MacOS │ │ ├── osquery.conf │ │ ├── osquery.flags │ │ └── osquery_no_tls.flags │ ├── Windows │ │ ├── osquery.conf │ │ ├── osquery.flags │ │ └── osquery_no_tls.flags │ └── packs │ │ ├── performance-metrics.conf │ │ ├── security-tooling-checks.conf │ │ ├── windows-application-security.conf │ │ ├── windows-compliance.conf │ │ └── windows-registry-monitoring.conf └── Servers │ └── Linux │ ├── osquery.conf │ ├── osquery.flags │ └── packs │ ├── ossec-rootkit.conf │ └── ossec-rootkit.yaml ├── Fleet ├── Endpoints │ ├── MacOS │ │ └── osquery.yaml │ ├── Windows │ │ └── osquery.yaml │ ├── options.yaml │ └── packs │ │ ├── performance-metrics.yaml │ │ ├── security-tooling-checks.yaml │ │ ├── windows-application-security.yaml │ │ ├── windows-compliance.yaml │ │ └── windows-registry-monitoring.yaml └── Servers │ ├── Linux │ └── osquery.yaml │ └── options.yaml ├── LICENSE.md └── README.md /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | jobs: 4 | build: 5 | machine: true 6 | steps: 7 | - checkout 8 | - run: curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash - 9 | - run: sudo apt-get install -y nodejs 10 | - run: sudo /usr/bin/npm i -g sqlite-parser 11 | - run: wget https://pkg.osquery.io/deb/osquery_2.11.2_1.linux.amd64.deb 12 | - run: sudo dpkg -i osquery_2.11.2_1.linux.amd64.deb 13 | - run: sudo cp -R Classic/Endpoints/packs /var/osquery 14 | - run: sudo cp -R Classic/Servers/Linux/packs /var/osquery 15 | - run: cp -R Classic/Endpoints/packs Classic/Endpoints/Windows 16 | # Use osquery to check the entire config 17 | - run: cd Classic/Servers/Linux && sudo osqueryd --config_path=osquery.conf --config_check 18 | # Extract raw queries from the config 19 | - run: cd Classic/Servers/Linux && jq '.. | .query? 
| select(type != "null")' osquery.conf | tr -d '"' > linux_query_lint.txt 20 | # Use sqlite-parser to verify none of the queries have syntax errors 21 | - run: cd Classic/Servers/Linux && sudo sqlite-parser linux_query_lint.txt 22 | # Fix all the line breaks (if they exist) using sed, then extract the raw queries 23 | - run: cd Classic/Servers/Linux/packs && for file in $(ls *.conf); do cat "$file" | sed ':a;N;$!ba;s/\\\n/ /g' | tr -s ' ' | jq '.. | .query? | select(type != "null")' | tr -d '"' > "$file".test; done 24 | # Use sqlite-parser to check the syntax of every query in each pack 25 | - run: cd Classic/Servers/Linux/packs && for file in $(ls *.test); do sudo sqlite-parser "$file"; done 26 | 27 | # Use osquery to check the entire config 28 | - run: cd Classic/Endpoints/MacOS && sudo osqueryd --config_path=osquery.conf --config_check 29 | # Extract raw queries from the config 30 | - run: cd Classic/Endpoints/MacOS && jq '.. | .query? | select(type != "null")' osquery.conf | tr -d '"' > macos_query_lint.txt 31 | # Use sqlite-parser to verify none of the queries have syntax errors 32 | - run: cd Classic/Endpoints/MacOS && sudo sqlite-parser macos_query_lint.txt 33 | 34 | # Use osquery to check the entire config 35 | - run: cd Classic/Endpoints/Windows && sudo osqueryd --config_path=osquery.conf --config-check 36 | # Extract raw queries from the config 37 | - run: cd Classic/Endpoints/Windows && jq '.. | .query? | select(type != "null")' osquery.conf | tr -d '"' > windows_query_lint.txt 38 | # Use sqlite-parser to verify none of the queries have syntax errors 39 | - run: cd Classic/Endpoints/Windows && sudo sqlite-parser windows_query_lint.txt 40 | # Fix all the line breaks (if they exist) using sed, then extract the raw queries 41 | - run: cd Classic/Endpoints/packs && for file in $(ls *.conf); do cat "$file" | sed ':a;N;$!ba;s/\\\n/ /g' | tr -s ' ' | jq '.. | .query? 
| select(type != "null")' | tr -d '"' > "$file".test; done 42 | # Use sqlite-parser to check the syntax of every query in each pack 43 | - run: cd Classic/Endpoints/packs && for file in $(ls *.test); do sudo sqlite-parser "$file"; done 44 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # MSTest test Results 33 | [Tt]est[Rr]esult*/ 34 | [Bb]uild[Ll]og.* 35 | 36 | # NUNIT 37 | *.VisualState.xml 38 | TestResult.xml 39 | 40 | # Build Results of an ATL Project 41 | [Dd]ebugPS/ 42 | [Rr]eleasePS/ 43 | dlldata.c 44 | 45 | # .NET Core 46 | project.lock.json 47 | project.fragment.lock.json 48 | artifacts/ 49 | **/Properties/launchSettings.json 50 | 51 | *_i.c 52 | *_p.c 53 | *_i.h 54 | *.ilk 55 | *.meta 56 | *.obj 57 | *.pch 58 | *.pdb 59 | *.pgc 60 | *.pgd 61 | *.rsp 62 | *.sbr 63 | *.tlb 64 | *.tli 65 | *.tlh 66 | *.tmp 67 | *.tmp_proj 68 | *.log 69 | *.vspscc 70 | *.vssscc 71 | .builds 72 | *.pidb 73 | *.svclog 74 | *.scc 75 | 76 | # Chutzpah Test files 77 | _Chutzpah* 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opendb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | *.VC.db 88 | *.VC.VC.opendb 89 
| 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # Visual Studio code coverage results 117 | *.coverage 118 | *.coveragexml 119 | 120 | # NCrunch 121 | _NCrunch_* 122 | .*crunch*.local.xml 123 | nCrunchTemp_* 124 | 125 | # MightyMoose 126 | *.mm.* 127 | AutoTest.Net/ 128 | 129 | # Web workbench (sass) 130 | .sass-cache/ 131 | 132 | # Installshield output folder 133 | [Ee]xpress/ 134 | 135 | # DocProject is a documentation generator add-in 136 | DocProject/buildhelp/ 137 | DocProject/Help/*.HxT 138 | DocProject/Help/*.HxC 139 | DocProject/Help/*.hhc 140 | DocProject/Help/*.hhk 141 | DocProject/Help/*.hhp 142 | DocProject/Help/Html2 143 | DocProject/Help/html 144 | 145 | # Click-Once directory 146 | publish/ 147 | 148 | # Publish Web Output 149 | *.[Pp]ublish.xml 150 | *.azurePubxml 151 | # TODO: Comment the next line if you want to checkin your web deploy settings 152 | # but database connection strings (with potential passwords) will be unencrypted 153 | *.pubxml 154 | *.publishproj 155 | 156 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 157 | # checkin your Azure Web App publish settings, but sensitive information contained 158 | # in these scripts will be unencrypted 159 | PublishScripts/ 160 | 161 | # NuGet Packages 162 | *.nupkg 163 | # The packages folder can be ignored because of Package Restore 164 | **/packages/* 165 | # except build/, which is used as an MSBuild target. 
166 | !**/packages/build/ 167 | # Uncomment if necessary; however, generally it will be regenerated when needed 168 | #!**/packages/repositories.config 169 | # NuGet v3's project.json files produce more ignorable files 170 | *.nuget.props 171 | *.nuget.targets 172 | 173 | # Microsoft Azure Build Output 174 | csx/ 175 | *.build.csdef 176 | 177 | # Microsoft Azure Emulator 178 | ecf/ 179 | rcf/ 180 | 181 | # Windows Store app package directories and files 182 | AppPackages/ 183 | BundleArtifacts/ 184 | Package.StoreAssociation.xml 185 | _pkginfo.txt 186 | 187 | # Visual Studio cache files 188 | # files ending in .cache can be ignored 189 | *.[Cc]ache 190 | # but keep track of directories ending in .cache 191 | !*.[Cc]ache/ 192 | 193 | # Others 194 | ClientBin/ 195 | ~$* 196 | *~ 197 | *.dbmdl 198 | *.dbproj.schemaview 199 | *.jfm 200 | *.pfx 201 | *.publishsettings 202 | orleans.codegen.cs 203 | 204 | # Since there are multiple workflows, uncomment next line to ignore bower_components 205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 206 | #bower_components/ 207 | 208 | # RIA/Silverlight projects 209 | Generated_Code/ 210 | 211 | # Backup & report files from converting an old project file 212 | # to a newer Visual Studio version. 
Backup files are not needed, 213 | # because we have git ;-) 214 | _UpgradeReport_Files/ 215 | Backup*/ 216 | UpgradeLog*.XML 217 | UpgradeLog*.htm 218 | 219 | # SQL Server files 220 | *.mdf 221 | *.ldf 222 | *.ndf 223 | 224 | # Business Intelligence projects 225 | *.rdl.data 226 | *.bim.layout 227 | *.bim_*.settings 228 | 229 | # Microsoft Fakes 230 | FakesAssemblies/ 231 | 232 | # GhostDoc plugin setting file 233 | *.GhostDoc.xml 234 | 235 | # Node.js Tools for Visual Studio 236 | .ntvs_analysis.dat 237 | node_modules/ 238 | 239 | # Typescript v1 declaration files 240 | typings/ 241 | 242 | # Visual Studio 6 build log 243 | *.plg 244 | 245 | # Visual Studio 6 workspace options file 246 | *.opt 247 | 248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 249 | *.vbw 250 | 251 | # Visual Studio LightSwitch build output 252 | **/*.HTMLClient/GeneratedArtifacts 253 | **/*.DesktopClient/GeneratedArtifacts 254 | **/*.DesktopClient/ModelManifest.xml 255 | **/*.Server/GeneratedArtifacts 256 | **/*.Server/ModelManifest.xml 257 | _Pvt_Extensions 258 | 259 | # Paket dependency manager 260 | .paket/paket.exe 261 | paket-files/ 262 | 263 | # FAKE - F# Make 264 | .fake/ 265 | 266 | # JetBrains Rider 267 | .idea/ 268 | *.sln.iml 269 | 270 | # CodeRush 271 | .cr/ 272 | 273 | # Python Tools for Visual Studio (PTVS) 274 | __pycache__/ 275 | *.pyc 276 | 277 | # Cake - Uncomment if you are using it 278 | # tools/** 279 | # !tools/packages.config 280 | 281 | # Telerik's JustMock configuration file 282 | *.jmconfig 283 | 284 | # BizTalk build output 285 | *.btp.cs 286 | *.btm.cs 287 | *.odx.cs 288 | *.xsd.cs 289 | .DS_Store 290 | -------------------------------------------------------------------------------- /Classic/Endpoints/MacOS/osquery.conf: -------------------------------------------------------------------------------- 1 | { 2 | "options": { 3 | "logger_snapshot_event_type": "true", 4 | "schedule_splay_percent": 10 5 | }, 6 | "platform": 
"darwin", 7 | "schedule": { 8 | "authorized_keys": { 9 | "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);", 10 | "interval": 28800, 11 | "description": "List authorized_keys for each user on the system" 12 | }, 13 | "boot_efi_hash": { 14 | "query": "SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';", 15 | "interval": 28800, 16 | "description": "MD5 hash of boot.efi" 17 | }, 18 | "browser_plugins": { 19 | "query": "SELECT * FROM users CROSS JOIN browser_plugins USING (uid);", 20 | "interval": 3600, 21 | "description": "All C/NPAPI browser plugin details for all users." 22 | }, 23 | "chrome_extensions": { 24 | "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);", 25 | "interval": 3600, 26 | "description": "List installed Chrome Extensions for all users" 27 | }, 28 | "chrome_extensions_snapshot": { 29 | "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);", 30 | "interval": 28800, 31 | "description": "Snapshot query for Chrome extensions" 32 | }, 33 | "crashes": { 34 | "query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users JOIN crashes USING (uid);", 35 | "interval": 3600, 36 | "description": "Application, System, and Mobile App crash logs.", 37 | "removed": false 38 | }, 39 | "crontab": { 40 | "query": "SELECT * FROM crontab;", 41 | "interval": 3600, 42 | "description": "Line parsed values from system and user cron/tab." 
43 | }, 44 | "disk_encryption_snapshot": { 45 | "query": "SELECT * FROM disk_encryption;", 46 | "interval": 28800, 47 | "description": "Disk encryption status and information.", 48 | "snapshot": true 49 | }, 50 | "disk_free_space_pct": { 51 | "query": "SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';", 52 | "interval": 3600, 53 | "description": "Displays the percentage of free space available on the primary disk partition", 54 | "snapshot": true 55 | }, 56 | "efigy": { 57 | "query": "SELECT * FROM efigy;", 58 | "interval": 28800, 59 | "description": "Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)", 60 | "snapshot": true 61 | }, 62 | "emond": { 63 | "query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');", 64 | "interval": 3600, 65 | "description": "Query to monitor files for changes inside of /etc/emond.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)" 66 | }, 67 | "emond_snapshot": { 68 | "query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND 
sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');", 69 | "interval": 28800, 70 | "description": "Snapshot query to monitor files for changes inside of /etc/emond.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)", 71 | "snapshot": true 72 | }, 73 | "etc_hosts": { 74 | "query": "SELECT * FROM etc_hosts;", 75 | "interval": 28800, 76 | "description": "List the contents of /etc/hosts" 77 | }, 78 | "event_taps": { 79 | "query": "SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;", 80 | "interval": 300, 81 | "description": "Returns information about installed event taps. Can be used to detect keyloggers." 82 | }, 83 | "file_events": { 84 | "query": "SELECT * FROM file_events;", 85 | "interval": 300, 86 | "removed": false, 87 | "description": "Track time/action changes to files specified in configuration data." 
88 | }, 89 | "firefox_addons": { 90 | "query": "SELECT * FROM users CROSS JOIN firefox_addons USING (uid);", 91 | "interval": 3600, 92 | "description": "List installed Firefox addons for all users" 93 | }, 94 | "hardware_events": { 95 | "query": "SELECT * FROM hardware_events;", 96 | "interval": 300, 97 | "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", 98 | "removed": false 99 | }, 100 | "homebrew_packages": { 101 | "query": "SELECT * FROM homebrew_packages;", 102 | "interval": 3600, 103 | "description": "The installed homebrew package database." 104 | }, 105 | "homebrew_packages_snapshot": { 106 | "query": "SELECT name, version FROM homebrew_packages;", 107 | "interval": 28800, 108 | "description": "The installed homebrew package database.", 109 | "snapshot": true 110 | }, 111 | "installed_applications": { 112 | "query": "SELECT * FROM apps;", 113 | "interval": 3600, 114 | "description": "OS X applications installed in known search paths (e.g., /Applications)." 115 | }, 116 | "installed_applications_snapshot": { 117 | "query": "SELECT name, path, bundle_short_version, bundle_version, display_name FROM apps;", 118 | "interval": 28800, 119 | "description": "Snapshot query for installed_applications", 120 | "snapshot": true 121 | }, 122 | "ip_forwarding_enabled": { 123 | "query": "SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE '%ip%' AND current_value=1;", 124 | "interval": 28800, 125 | "description": "Discover hosts that have IP forwarding enabled", 126 | "removed": false 127 | }, 128 | "last": { 129 | "query": "SELECT * FROM last;", 130 | "interval": 3600, 131 | "description": "System logins and logouts.", 132 | "removed": false 133 | }, 134 | "launchd": { 135 | "query": "SELECT * FROM launchd;", 136 | "interval": 3600, 137 | "description": "LaunchAgents and LaunchDaemons from default search paths." 
138 | }, 139 | "launchd_snapshot": { 140 | "query": "SELECT path, name, label, program, run_at_load, program_arguments FROM launchd WHERE run_at_load=1;", 141 | "interval": 28800, 142 | "description": "Snapshot query for launchd", 143 | "snapshot": true 144 | }, 145 | "ld_preload": { 146 | "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", 147 | "interval": 60, 148 | "description": "Detect the presence of the LD_PRELOAD environment variable", 149 | "removed": false 150 | }, 151 | "macosx_kextstat": { 152 | "query": "SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';", 153 | "interval": 3600, 154 | "description": "List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple)" 155 | }, 156 | "macosx_kextstat_snapshot": { 157 | "query": "SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';", 158 | "interval": 28800, 159 | "description": "Snapshot query for macosx_kextstat", 160 | "snapshot": true 161 | }, 
162 | "mounts": { 163 | "query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;", 164 | "interval": 3600, 165 | "description": "System mounted devices and filesystems (not process specific).", 166 | "removed": false 167 | }, 168 | "network_interfaces_snapshot": { 169 | "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);", 170 | "interval": 600, 171 | "description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.", 172 | "snapshot": true 173 | }, 174 | "nfs_shares": { 175 | "query": "SELECT * FROM nfs_shares;", 176 | "interval": 3600, 177 | "description": "NFS shares exported by the host.", 178 | "removed": false 179 | }, 180 | "nvram": { 181 | "query": "SELECT * FROM nvram;", 182 | "interval": 3600, 183 | "description": "Apple NVRAM variable listing.", 184 | "removed": false 185 | }, 186 | "os_version": { 187 | "query": "SELECT * FROM os_version;", 188 | "interval": 28800, 189 | "description": "List the version of the resident operating system" 190 | }, 191 | "os_version_snapshot": { 192 | "query": "SELECT * FROM os_version;", 193 | "interval": 28800, 194 | "description": "Operating system version snapshot query", 195 | "snapshot": true 196 | }, 197 | "osquery_info": { 198 | "query": "SELECT * FROM osquery_info;", 199 | "interval": 28800, 200 | "description": "Information about the resident osquery process", 201 | "snapshot": true 202 | }, 203 | "platform_info": { 204 | "query": "SELECT * FROM platform_info;", 205 | "interval": 28800, 206 | "description": "Information about EFI/UEFI/ROM and platform/boot.", 207 | "removed": false 208 | }, 209 | "platform_info_snapshot": { 210 | "query": "SELECT vendor, version, date, revision from platform_info;", 211 | "interval": 28800, 212 | "description": "Platform info snapshot query" 213 | }, 214 | "python_packages": { 215 | "query": "SELECT * FROM python_packages;", 216 | "interval": 3600, 217 | 
"description": "Python packages installed in a system." 218 | }, 219 | "rc.common": { 220 | "query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';", 221 | "interval": 3600, 222 | "description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence." 223 | }, 224 | "rc.common_snapshot": { 225 | "query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';", 226 | "interval": 28800, 227 | "description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence.", 228 | "snapshot": true 229 | }, 230 | "safari_extensions": { 231 | "query": "SELECT * FROM users CROSS JOIN safari_extensions USING (uid);", 232 | "interval": 3600, 233 | "description": "Safari browser extension details for all users." 234 | }, 235 | "sip_config": { 236 | "query": "SELECT * FROM sip_config;", 237 | "interval": 3600, 238 | "description": "Apple's System Integrity Protection (rootless) status." 239 | }, 240 | "startup_items": { 241 | "query": "SELECT * FROM startup_items;", 242 | "interval": 3600, 243 | "description": "Applications and binaries set as user/login startup items." 244 | }, 245 | "suid_bin": { 246 | "query": "SELECT * FROM suid_bin;", 247 | "interval": 28800, 248 | "description": "suid binaries in common locations.", 249 | "removed": false 250 | }, 251 | "uptime": { 252 | "query": "SELECT * FROM uptime;", 253 | "interval": 1800, 254 | "description": "System uptime", 255 | "snapshot": true 256 | }, 257 | "usb_devices": { 258 | "query": "SELECT * FROM usb_devices;", 259 | "interval": 300, 260 | "description": "USB devices that are actively plugged into the host system." 
261 | }, 262 | "user_ssh_keys": { 263 | "query": "SELECT * FROM users JOIN user_ssh_keys USING (uid);", 264 | "interval": 3600, 265 | "description": "Returns the private keys in each user's ~/.ssh directory and whether or not they are encrypted.", 266 | "removed": false 267 | }, 268 | "users": { 269 | "query": "SELECT * FROM users;", 270 | "interval": 28800, 271 | "description": "Local system users." 272 | }, 273 | "users_snapshot": { 274 | "query": "SELECT * FROM users;", 275 | "interval": 28800, 276 | "description": "Local system users." 277 | }, 278 | "wifi_status_snapshot": { 279 | "query": "SELECT * FROM wifi_status;", 280 | "interval": 28800, 281 | "description": "Shows information about the wifi network that a host is currently connected to.", 282 | "snapshot": true 283 | }, 284 | "wireless_networks": { 285 | "query": "SELECT ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile FROM wifi_networks;", 286 | "interval": 28800, 287 | "description": "OS X known/remembered Wi-Fi networks list.", 288 | "removed": false 289 | } 290 | }, 291 | "packs": { 292 | "osx-attacks": "/var/osquery/packs/osx-attacks.conf", 293 | "performance-metrics": "/var/osquery/packs/performance-metrics.conf", 294 | "security-tooling-checks": "/var/osquery/packs/security-tooling-checks.conf", 295 | "unwanted-chrome-extensions": "/var/osquery/packs/unwanted-chrome-extensions.conf" 296 | }, 297 | "file_paths": { 298 | "configuration": [ 299 | "/etc/%%" 300 | ], 301 | "binaries": [ 302 | "/usr/bin/%%", 303 | "/usr/sbin/%%", 304 | "/bin/%%", 305 | "/sbin/%%", 306 | "/usr/local/bin/%%", 307 | "/usr/local/sbin/%%", 308 | "/opt/bin/%%", 309 | "/opt/sbin/%%" 310 | ], 311 | "efi": [ 312 | "/System/Library/CoreServices/boot.efi" 313 | ] 314 | } 315 | } 316 | -------------------------------------------------------------------------------- /Classic/Endpoints/MacOS/osquery.flags: 
-------------------------------------------------------------------------------- 1 | --allow_unsafe 2 | --config_plugin=tls 3 | --config_tls_endpoint=/api/v1/osquery/config 4 | --config_tls_refresh=10 5 | --disable_distributed=false 6 | --distributed_plugin=tls 7 | --distributed_interval=10 8 | --distributed_tls_max_attempts=3 9 | --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read 10 | --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write 11 | --enroll_secret_path=/path/to/folder/containing/secret.txt 12 | --enroll_tls_endpoint=/api/v1/osquery/enroll 13 | --host_identifier=hostname 14 | --logger_plugin=tls 15 | --logger_tls_endpoint=/api/v1/osquery/log 16 | --logger_tls_period=10 17 | --tls_hostname=tls.endpoint.server.com 18 | --tls_server_certs=/var/osquery/certfile.crt 19 | --verbose=true 20 | -------------------------------------------------------------------------------- /Classic/Endpoints/MacOS/osquery_no_tls.flags: -------------------------------------------------------------------------------- 1 | --allow_unsafe 2 | --config_path=/var/osquery/osquery.conf 3 | --host_identifier=hostname 4 | --logger_plugin=filesystem 5 | --verbose=true 6 | -------------------------------------------------------------------------------- /Classic/Endpoints/Windows/osquery.conf: -------------------------------------------------------------------------------- 1 | { 2 | "options": { 3 | "logger_snapshot_event_type": "true", 4 | "schedule_splay_percent": 10 5 | }, 6 | "platform": "windows", 7 | "schedule": { 8 | "appcompat_shims": { 9 | "query": "SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');", 10 | "interval": 3600, 11 | "description": "Appcompat shims (.sdb files) installed on Windows hosts." 
12 | }, 13 | "bitlocker_info_snapshot": { 14 | "query": "SELECT * FROM bitlocker_info;", 15 | "interval": 28800, 16 | "description": "Disk encryption status and information snapshot query." 17 | }, 18 | "certificates": { 19 | "query": "SELECT * FROM certificates WHERE path!='Other People';", 20 | "interval": 3600, 21 | "description": "List all certificates in the trust store", 22 | "removed": false 23 | }, 24 | "certificates_snapshot": { 25 | "query": "SELECT * FROM certificates WHERE path!='Other People';", 26 | "interval": 28800, 27 | "description": "List all certificates in the trust store (snapshot query)", 28 | "snapshot": true 29 | }, 30 | "chocolatey_packages": { 31 | "query": "SELECT * FROM chocolatey_packages;", 32 | "interval": 3600, 33 | "description": "List installed Chocolatey packages" 34 | }, 35 | "chrome_extensions": { 36 | "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);", 37 | "interval": 3600, 38 | "description": "List installed Chrome Extensions for all users" 39 | }, 40 | "chrome_extensions_snapshot": { 41 | "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);", 42 | "interval": 28800, 43 | "description": "Snapshot query for Chrome extensions" 44 | }, 45 | "drivers": { 46 | "query": "SELECT * FROM drivers;", 47 | "interval": 3600, 48 | "description": "List in-use Windows drivers" 49 | }, 50 | "drivers_snapshot": { 51 | "query": "SELECT * FROM drivers;", 52 | "interval": 28800, 53 | "description": "Drivers snapshot query", 54 | "snapshot": true 55 | }, 56 | "etc_hosts": { 57 | "query": "SELECT * FROM etc_hosts;", 58 | "interval": 3600, 59 | "description": "List the contents of the Windows hosts file" 60 | }, 61 | "ie_extensions": { 62 | "query": "SELECT * FROM ie_extensions;", 63 | "interval": 3600, 64 | "description": "List installed Internet Explorer extensions" 65 | }, 66 | "kernel_info": { 67 | "query": "SELECT * FROM kernel_info;", 68 | "interval": 3600, 69 | "description": "List the kernel path, 
version, etc." 70 | }, 71 | "network_interfaces_snapshot": { 72 | "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);", 73 | "interval": 600, 74 | "description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.", 75 | "snapshot": true 76 | }, 77 | "os_version": { 78 | "query": "SELECT * FROM os_version;", 79 | "interval": 3600, 80 | "description": "List the version of the resident operating system" 81 | }, 82 | "os_version_snapshot": { 83 | "query": "SELECT * FROM os_version;", 84 | "interval": 28800, 85 | "description": "Operating system version snapshot query", 86 | "snapshot": true 87 | }, 88 | "osquery_info": { 89 | "query": "SELECT * FROM osquery_info;", 90 | "interval": 28800, 91 | "description": "Information about the resident osquery process", 92 | "snapshot": true 93 | }, 94 | "patches": { 95 | "query": "SELECT * FROM patches;", 96 | "interval": 3600, 97 | "description": "Lists all the patches applied", 98 | "removed": false 99 | }, 100 | "patches_snapshot": { 101 | "query": "SELECT * FROM patches;", 102 | "interval": 28800, 103 | "description": "Patches snapshot query", 104 | "snapshot": true 105 | }, 106 | "pipes": { 107 | "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);", 108 | "interval": 3600, 109 | "description": "Named and Anonymous pipes.", 110 | "removed": false 111 | }, 112 | "pipes_snapshot": { 113 | "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);", 114 | "interval": 28800, 115 | "description": "Pipes snapshot query", 116 | "snapshot": true 117 | }, 118 | "programs": { 119 | "query": "SELECT * FROM programs;", 120 | "interval": 3600, 121 | "description": "Lists installed programs" 122 | }, 123 | "programs_snapshot": { 124 | "query": "SELECT * FROM programs;", 
125 | "interval": 28800, 126 | "description": "Programs snapshot query", 127 | "snapshot": true 128 | }, 129 | "scheduled_tasks": { 130 | "query": "SELECT * FROM scheduled_tasks;", 131 | "interval": 3600, 132 | "description": "Lists all of the tasks in the Windows task scheduler" 133 | }, 134 | "scheduled_tasks_snapshot": { 135 | "query": "SELECT * FROM scheduled_tasks;", 136 | "interval": 28800, 137 | "description": "Scheduled Tasks snapshot query", 138 | "snapshot": true 139 | }, 140 | "services": { 141 | "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';", 142 | "interval": 3600, 143 | "description": "Lists all installed services configured to start automatically at boot or on demand (start_type AUTO_START or DEMAND_START)" 144 | }, 145 | "services_snapshot": { 146 | "query": "SELECT * FROM services;", 147 | "interval": 28800, 148 | "description": "Services snapshot query", 149 | "snapshot": true 150 | }, 151 | "shared_resources": { 152 | "query": "SELECT * FROM shared_resources;", 153 | "interval": 3600, 154 | "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device." 155 | }, 156 | "shared_resources_snapshot": { 157 | "query": "SELECT * FROM shared_resources;", 158 | "interval": 28800, 159 | "description": "Shared resources snapshot query", 160 | "snapshot": true 161 | }, 162 | "system_info": { 163 | "query": "SELECT * FROM system_info;", 164 | "interval": 3600, 165 | "description": "System information for identification." 
166 | }, 167 | "system_info_snapshot": { 168 | "query": "SELECT * FROM system_info;", 169 | "interval": 28800, 170 | "description": "System info snapshot query", 171 | "snapshot": true 172 | }, 173 | "uptime": { 174 | "query": "SELECT * FROM uptime;", 175 | "interval": 3600, 176 | "description": "System uptime", 177 | "snapshot": true 178 | }, 179 | "users": { 180 | "query": "SELECT * FROM users;", 181 | "interval": 3600, 182 | "description": "Local system users." 183 | }, 184 | "users_snapshot": { 185 | "query": "SELECT * FROM users;", 186 | "interval": 28800, 187 | "description": "Users snapshot query", 188 | "snapshot": true 189 | }, 190 | "windows_crashes": { 191 | "query": "SELECT * FROM windows_crashes;", 192 | "interval": 3600, 193 | "description": "Extracted information from Windows crash logs (Minidumps).", 194 | "removed": false 195 | }, 196 | "wmi_cli_event_consumers": { 197 | "query": "SELECT * FROM wmi_cli_event_consumers;", 198 | "interval": 3600, 199 | "description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." 200 | }, 201 | "wmi_cli_event_consumers_snapshot": { 202 | "query": "SELECT * FROM wmi_cli_event_consumers;", 203 | "interval": 28800, 204 | "description": "Snapshot query for WMI event consumers.", 205 | "snapshot": true 206 | }, 207 | "wmi_event_filters": { 208 | "query": "SELECT * FROM wmi_event_filters;", 209 | "interval": 3600, 210 | "description": "Lists WMI event filters." 
211 | }, 212 | "wmi_event_filters_snapshot": { 213 | "query": "SELECT * FROM wmi_event_filters;", 214 | "interval": 28800, 215 | "description": "Snapshot query for WMI event filters.", 216 | "snapshot": true 217 | }, 218 | "wmi_filter_consumer_binding": { 219 | "query": "SELECT * FROM wmi_filter_consumer_binding;", 220 | "interval": 3600, 221 | "description": "Lists the relationship between event consumers and filters." 222 | }, 223 | "wmi_filter_consumer_binding_snapshot": { 224 | "query": "SELECT * FROM wmi_filter_consumer_binding;", 225 | "interval": 28800, 226 | "description": "Snapshot query for WMI filter consumer bindings.", 227 | "snapshot": true 228 | }, 229 | "wmi_script_event_consumers": { 230 | "query": "SELECT * FROM wmi_script_event_consumers;", 231 | "interval": 3600, 232 | "description": "WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." 
233 | }, 234 | "wmi_script_event_consumers_snapshot": { 235 | "query": "SELECT * FROM wmi_script_event_consumers;", 236 | "interval": 28800, 237 | "description": "Snapshot query for WMI script event consumers.", 238 | "snapshot": true 239 | } 240 | }, 241 | "packs": { 242 | "performance-metrics": "packs/performance-metrics.conf", 243 | "security-tooling-checks": "packs/security-tooling-checks.conf", 244 | "unwanted-chrome-extensions": "packs/unwanted-chrome-extensions.conf", 245 | "windows-application-security": "packs/windows-application-security.conf", 246 | "windows-compliance": "packs/windows-compliance.conf", 247 | "windows-registry-monitoring": "packs/windows-registry-monitoring.conf", 248 | "windows-attacks": "packs/windows-attacks.conf" 249 | } 250 | } 251 | -------------------------------------------------------------------------------- /Classic/Endpoints/Windows/osquery.flags: -------------------------------------------------------------------------------- 1 | --allow_unsafe 2 | --config_plugin=tls 3 | --config_tls_endpoint=/api/v1/osquery/config 4 | --config_tls_refresh=10 5 | --disable_events=true 6 | --disable_distributed=false 7 | --disable_tables=windows_events 8 | --distributed_interval=10 9 | --distributed_plugin=tls 10 | --distributed_tls_max_attempts=3 11 | --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read 12 | --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write 13 | --enroll_secret_path=c:\path\to\file\containing\secret.txt 14 | --enroll_tls_endpoint=/api/v1/osquery/enroll 15 | --host_identifier=hostname 16 | --logger_plugin=tls 17 | --logger_tls_endpoint=/api/v1/osquery/log 18 | --logger_tls_period=10 19 | --tls_hostname=tls.endpoint.server.com 20 | --tls_server_certs=c:\ProgramData\osquery\certfile.crt 21 | --verbose=true 22 | -------------------------------------------------------------------------------- /Classic/Endpoints/Windows/osquery_no_tls.flags: 
-------------------------------------------------------------------------------- 1 | --allow_unsafe 2 | --config_path=c:\ProgramData\osquery\osquery.conf 3 | --disable_events=true 4 | --disable_tables=windows_events 5 | --host_identifier=hostname 6 | --logger_min_status=1 7 | --logger_plugin=filesystem 8 | --verbose=true 9 | -------------------------------------------------------------------------------- /Classic/Endpoints/packs/performance-metrics.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows,darwin", 3 | "queries": { 4 | "per_query_perf": { 5 | "query": "SELECT name, interval, executions, output_size, wall_time, (user_time/executions) AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory FROM osquery_schedule;", 6 | "interval": 1800, 7 | "description": "Records the CPU time and memory usage for each individual query. Helpful for identifying queries that may impact performance.", 8 | "snapshot": true 9 | }, 10 | "runtime_perf": { 11 | "query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov, processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;", 12 | "interval": 1800, 13 | "description": "Track the amount of CPU time used by osquery.", 14 | "snapshot": true 15 | }, 16 | "endpoint_security_tool_perf": { 17 | "query": "SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time FROM processes WHERE name='endpoint_security_tool');", 18 | "interval": 1800, 19 | "description": "Track the percentage of total CPU time 
utilized by $endpoint_security_tool", 20 | "snapshot": true 21 | }, 22 | "backup_tool_perf": { 23 | "query": "SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS backuptool_time FROM processes WHERE name='backup_tool');", 24 | "interval": 1800, 25 | "description": "Track the percentage of total CPU time utilized by $backup_tool", 26 | "snapshot": true 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /Classic/Endpoints/packs/security-tooling-checks.conf: -------------------------------------------------------------------------------- 1 | { 2 | "queries": { 3 | "endpoint_security_tool_backend_server_registry_misconfigured": { 4 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\EndpointSecurityTool\\BackendServerLocation' AND data!='https://expected_endpoint.local';", 5 | "interval": 3600, 6 | "description": "Returns the content of the key if the backend server does not match the expected value (the registry path and 'https://expected_endpoint.local' in the query are placeholders; set them to your tool's real key and backend URL before deploying, otherwise every host reports a mismatch)", 7 | "platform": "windows" 8 | }, 9 | "endpoint_security_tool_not_running": { 10 | "query": "SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as process_count from processes where path='/Applications/EndpointSecurityTool' OR lower(path)='c:\\endpointsecuritytool.exe') where process_exists!=1;", 11 | "interval": 28800, 12 | "description": "Returns an event if an EndpointSecurityTool process is not found running from '/Applications/EndpointSecurityTool' (macOS) or 'c:\\endpointsecuritytool.exe' (Windows). The paths are placeholders; set them to the real binary locations.", 13 | "platform": "windows,darwin", 14 | "snapshot": true 15 | }, 16 | "backup_tool_not_running": { 17 | "query": "SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as process_count from processes where path='/Applications/BackupTool' OR lower(path) LIKE 'c:\\backuptool.exe') where process_exists!=1;", 18 | "interval": 28800, 19 | "description": "Returns 
an event if a BackupTool process is not found running from '/Applications/BackupTool' (macOS) or 'c:\\backuptool.exe' (Windows). The paths are placeholders; set them to the real binary locations.", 20 | "platform": "windows,darwin", 21 | "snapshot": true 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Classic/Endpoints/packs/windows-application-security.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "bitlocker_autoencrypt_settings_registry": { 5 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Bitlocker\\%%';", 6 | "interval": 3600, 7 | "description": "Controls Bitlocker full-disk encryption settings." 8 | }, 9 | "bitlocker_fde_settings_registry": { 10 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\%%';", 11 | "interval": 3600, 12 | "description": "Controls Bitlocker full-disk encryption settings." 13 | }, 14 | "chrome_extension_force_list_registry": { 15 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist';", 16 | "interval": 3600, 17 | "description": "Controls Google Chrome plugins that are forcibly installed." 18 | }, 19 | "emet_settings_registry": { 20 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\EMET\\%%';", 21 | "interval": 3600, 22 | "description": "Controls EMET-protected applications and system settings." 23 | }, 24 | "microsoft_laps_settings_registry": { 25 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft Services\\AdmPwd';", 26 | "interval": 3600, 27 | "description": "Controls Local Administrative Password Solution (LAPS) settings." 
28 | }, 29 | "passport_for_work_settings_registry": { 30 | "query": "SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PassportForWork\\%%';", 31 | "interval": 3600, 32 | "description": "Controls Windows Passport for Work (Hello) settings." 33 | }, 34 | "uac_settings_registry": { 35 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA';", 36 | "interval": 3600, 37 | "description": "Controls UAC. A setting of 0 indicates that UAC is disabled." 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /Classic/Endpoints/packs/windows-compliance.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "command_line_auditing_registry": { 5 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit';", 6 | "interval": 3600, 7 | "description": "Controls Windows command-line auditing" 8 | }, 9 | "crash_dump_registry": { 10 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled';", 11 | "interval": 3600, 12 | "description": "Controls enabling/disabling crash dumps. This key has a default value of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 13 | }, 14 | "dns_plugin_dll_registry": { 15 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll';", 16 | "interval": 3600, 17 | "description": "This registry key specifies the path to a DLL to be loaded by a Windows DNS server. This key does not exist by default. 
Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83" 18 | }, 19 | "dr_watson_registry": { 20 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug';", 21 | "interval": 3600, 22 | "description": "This key (and subkeys) exist by default and are required to allow post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 23 | }, 24 | "error_display_ui_registry": { 25 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\ShowUI';", 26 | "interval": 3600, 27 | "description": "This key does not exist by default and controls enabling/disabling error reporting display. Some malware creates this key and sets the value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 28 | }, 29 | "error_mode_registry": { 30 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode';", 31 | "interval": 3600, 32 | "description": "Controls the suppression of error dialog boxes. The default value is 0 (all messages are visible), but some malware sets this value to 2 (all messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 33 | }, 34 | "error_report_registry": { 35 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\DoReport';", 36 | "interval": 3600, 37 | "description": "This key does not exist by default and controls enabling/disabling error reporting. Some malware creates this key and sets the value to 0 (disables error reports). 
See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 38 | }, 39 | "event_log_settings_registry": { 40 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\%%';", 41 | "interval": 3600, 42 | "description": "Controls behavior, size, and rotation strategy for primary windows event log files." 43 | }, 44 | "filerenameoperations_registry": { 45 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations';", 46 | "interval": 3600, 47 | "description": "Entries for the FileRenameOperation support the MoveFileEx delayed-rename and delayed-delete capabilities. Sometimes used as a self-deletion technique for malware." 48 | }, 49 | "knowndlls_registry": { 50 | "query": "SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs\\%%';", 51 | "interval": 3600, 52 | "description": "The KnownDlls key defines the set of DLLs that are first searched during system startup." 53 | }, 54 | "local_security_authority_registry": { 55 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\%%';", 56 | "interval": 3600, 57 | "description": "Controls which security packages store credentials in LSA memory, secure boot, etc." 58 | }, 59 | "log_errors_registry": { 60 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent';", 61 | "interval": 3600, 62 | "description": "This key exists by default and has a default value of 1. Setting this key to 0 disables logging errors/crashes to the System event channel. Some malware sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 63 | }, 64 | "per_user_ts_session_registry": { 65 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser';", 66 | "interval": 3600, 67 | "description": "Controls how many simultaneous terminal services sessions can use the same account" 68 | }, 69 | "powershell_settings_registry": { 70 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\%%';", 71 | "interval": 3600, 72 | "description": "Controls Powershell execution policy, script execution, logging, and more." 73 | }, 74 | "smbv1_registry": { 75 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1';", 76 | "interval": 3600, 77 | "description": "Controls enabling/disabling SMBv1. Setting this key to 0 disables the SMBv1 protocol on the host." 78 | }, 79 | "secure_boot_registry": { 80 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot';", 81 | "interval": 3600, 82 | "description": "Lists information about SecureBoot status." 83 | }, 84 | "security_providers_registry": { 85 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\%%';", 86 | "interval": 3600, 87 | "description": "Controls Windows security provider configurations" 88 | }, 89 | "send_error_alert_registry": { 90 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\SendAlert';", 91 | "interval": 3600, 92 | "description": "Controls sending administrative notifications after a crash. 
Some malware sets this value to 0" 93 | }, 94 | "tpm_registry": { 95 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\TPM';", 96 | "interval": 3600, 97 | "description": "Controls system TPM settings" 98 | }, 99 | "terminal_service_deny_registry": { 100 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections';", 101 | "interval": 3600, 102 | "description": "This key exists by default and has a default value of 1. Terminal service connections are allowed to the host when the key value is set to 0" 103 | }, 104 | "winrm_settings_registry": { 105 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\%%';", 106 | "interval": 3600, 107 | "description": "Controls local WinRM client configuration and security." 108 | }, 109 | "windows_update_settings_registry": { 110 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\%%';", 111 | "interval": 3600, 112 | "description": "Controls Windows Update server location and installation behavior." 
113 | } 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /Classic/Endpoints/packs/windows-registry-monitoring.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "amsi_disabled_registry": { 5 | "query": "SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users WHERE path = 'HKEY_USERS\\'||uuid||'\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable' AND data=0;", 6 | "interval": 3600, 7 | "description": "A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)", 8 | "platform": "windows" 9 | }, 10 | "bitlocker_encryption_settings_registry_misconfigured": { 11 | "query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\ShouldEncryptOSDrive' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\OSDriveProtector') AND data!=1;", 12 | "interval": 3600, 13 | "description": "Returns the content of the key if it does not match the expected value", 14 | "platform": "windows" 15 | }, 16 | "bitlocker_mbam_endpoint_registry_misconfigured": { 17 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\KeyRecoveryServiceEndPoint' AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';", 18 | "interval": 3600, 19 | "description": "Returns the content of the key if it does not match the expected value ('https://mbam.server.com/...' in the query is a placeholder; replace it with your MBAM key-recovery service URL, otherwise every host reports a mismatch)", 20 | "platform": "windows" 21 | }, 22 | "bitlocker_mbam_registry_misconfigured": { 23 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\UseMBAMServices' AND data!=1;", 24 | "interval": 3600, 25 | "description": "Returns the content of the key if it does not match the expected 
value", 26 | "platform": "windows" 27 | }, 28 | "command_line_auditing_registry_misconfigured": { 29 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled' AND data!=1;", 30 | "interval": 3600, 31 | "description": "Returns the content of the key if it does not match the expected value", 32 | "platform": "windows" 33 | }, 34 | "command_line_auditing_registry_missing": { 35 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled') WHERE key_exists!=1;", 36 | "interval": 3600, 37 | "description": "Returns 0 as a result if the registry key does not exist", 38 | "platform": "windows" 39 | }, 40 | "computer_maximum_password_age_changed_registry": { 41 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\MaximumPasswordAge' and data!=30;", 42 | "interval": 3600, 43 | "description": "Controls how often to rotate the local computer password (defaults to 30 days). 
A modification of this value may be an indicator of attacker activity.", 44 | "platform": "windows" 45 | }, 46 | "computer_password_change_disabled_registry": { 47 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange' AND data!=0;", 48 | "interval": 3600, 49 | "description": "Technique used by attackers to prevent computer accounts from changing their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)", 50 | "platform": "windows" 51 | }, 52 | "crash_dump_registry_misconfigured": { 53 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled' AND data=0;", 54 | "interval": 3600, 55 | "description": "Returns the content of the key if it does not match the expected value", 56 | "platform": "windows" 57 | }, 58 | "crash_dump_registry_missing": { 59 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled') WHERE key_exists!=1;", 60 | "interval": 3600, 61 | "description": "Returns 0 as a result if the registry key does not exist", 62 | "platform": "windows" 63 | }, 64 | "dns_plugin_dll_registry_exists": { 65 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll';", 66 | "interval": 3600, 67 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 68 | "platform": "windows" 69 | }, 70 | "dr_watson_registry_missing": { 71 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug') WHERE key_exists!=2;", 72 | "interval": 3600, 73 | "description": "Returns 0 as a result 
if the registry key does not exist", 74 | "platform": "windows" 75 | }, 76 | "error_display_ui_registry_exists": { 77 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\ShowUI';", 78 | "interval": 3600, 79 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 80 | "platform": "windows" 81 | }, 82 | "error_mode_registry_misconfigured": { 83 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode' AND data=2;", 84 | "interval": 3600, 85 | "description": "Returns the content of the key if it does not match the expected value", 86 | "platform": "windows" 87 | }, 88 | "error_mode_registry_missing": { 89 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode') WHERE key_exists!=1;", 90 | "interval": 3600, 91 | "description": "Returns 0 as a result if the registry key does not exist", 92 | "platform": "windows" 93 | }, 94 | "log_errors_registry_misconfigured": { 95 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent' AND data!=1;", 96 | "interval": 3600, 97 | "description": "Returns the content of the key if it does not match the expected value", 98 | "platform": "windows" 99 | }, 100 | "log_errors_registry_missing": { 101 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent') WHERE key_exists!=1;", 102 | "interval": 3600, 103 | "description": "Returns 0 as a result if the registry key does not exist", 104 | "platform": "windows" 105 | }, 106 | "per_user_ts_session_registry_misconfigured": { 107 | "query": "SELECT * FROM registry WHERE 
path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser' AND data!=1;", 108 | "interval": 3600, 109 | "description": "Returns the content of the key if it does not match the expected value", 110 | "platform": "windows" 111 | }, 112 | "per_user_ts_session_registry_missing": { 113 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser') WHERE key_exists!=1;", 114 | "interval": 3600, 115 | "description": "Returns 0 as a result if the registry key does not exist", 116 | "platform": "windows" 117 | }, 118 | "physicalstore_dll_registry_persistence": { 119 | "query": "SELECT key, path, name, mtime, username FROM registry r, users WHERE path LIKE 'HKEY_USERS\\'||uuid||'\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores\\%%' OR path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\%%' AND name!='#16' AND name!='Ldap';", 120 | "interval": 3600, 121 | "description": "Detect a registry based persistence mechanism that allows an attacker to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)", 122 | "platform": "windows" 123 | }, 124 | "powershell_invocationheader_registry_missing": { 125 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') WHERE key_exists!=1;", 126 | "interval": 3600, 127 | "description": "Returns 0 as a result if the registry key does not exist", 128 | "platform": "windows" 129 | }, 130 | "powershell_logging_registry_misconfigured": { 131 | "query": "SELECT * FROM registry WHERE 
(path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') AND data!=1;", 132 | "interval": 3600, 133 | "description": "Returns the content of the key if it does not match the expected value", 134 | "platform": "windows" 135 | }, 136 | "powershell_module_logging_registry_missing": { 137 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging') WHERE key_exists!=1;", 138 | "interval": 3600, 139 | "description": "Returns 0 as a result if the registry key does not exist", 140 | "platform": "windows" 141 | }, 142 | "powershell_scriptblock_logging_registry_missing": { 143 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging') WHERE key_exists!=1;", 144 | "interval": 3600, 145 | "description": "Returns 0 as a result if the registry key does not exist", 146 | "platform": "windows" 147 | }, 148 | "powershell_transcription_logging_registry_missing": { 149 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting') WHERE key_exists!=1;", 150 | "interval": 3600, 151 | "description": "Returns 0 as a result if the registry key does not exist", 152 | "platform": 
"windows" 153 | }, 154 | "runonceex_persistence_registry": { 155 | "query": "SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx';", 156 | "interval": 3600, 157 | "description": "Registry based persistence mechanism to load DLLs at reboot time and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will remain.", 158 | "platform": "windows" 159 | }, 160 | "smbv1_registry_misconfigured": { 161 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1' AND data!=0;", 162 | "interval": 3600, 163 | "description": "Returns the content of the key if SMBv1 has not been disabled (the SMB1 value is anything other than 0)", 164 | "platform": "windows" 165 | }, 166 | "smbv1_registry_missing": { 167 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1') WHERE key_exists!=1;", 168 | "interval": 3600, 169 | "description": "Returns 0 as a result if the registry key does not exist", 170 | "platform": "windows" 171 | }, 172 | "send_error_alert_registry_exists": { 173 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\SendAlert';", 174 | "interval": 3600, 175 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 176 | "platform": "windows" 177 | }, 178 | "subscription_manager_registry_misconfigured": { 179 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1' AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC' AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');", 180 | "interval": 3600, 181 | 
"description": "Returns the content of the key if it does not match the expected value", 182 | "platform": "windows" 183 | }, 184 | "subscription_manager_registry_missing": { 185 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1') WHERE key_exists!=1;", 186 | "interval": 3600, 187 | "description": "Returns 0 as a result if the registry key does not exist", 188 | "platform": "windows" 189 | }, 190 | "winrm_settings_registry_misconfigured": { 191 | "query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowCredSSP' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowDigest' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowCredSSP' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\WinRS\\AllowRemoteShellAccess') AND data!=0; ", 192 | "interval": 3600, 193 | "description": "Returns the content of the key if it does not match the expected value", 194 | "platform": "windows" 195 | } 196 | } 197 | } 198 | -------------------------------------------------------------------------------- /Classic/Servers/Linux/osquery.conf: -------------------------------------------------------------------------------- 1 | { 2 | "options": { 3 | "logger_snapshot_event_type": "true", 4 | "schedule_splay_percent": 10 5 | }, 6 | "platform": 
"linux", 7 | "schedule": { 8 | "process_events":{ 9 | "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", 10 | "interval": 10, 11 | "description": "Process events collected from the audit framework" 12 | }, 13 | "socket_events":{ 14 | "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", 15 | "interval": 10, 16 | "description": "Socket events collected from the audit framework" 17 | }, 18 | "file_events": { 19 | "query": "SELECT * FROM file_events;", 20 | "interval": 10, 21 | "description": "File events collected from file integrity monitoring", 22 | "removed":false 23 | }, 24 | "apt_sources": { 25 | "query": "SELECT * FROM apt_sources;", 26 | "interval": 86400, 27 | "description": "Display apt package manager sources.", 28 | "snapshot": true, 29 | "platform": "ubuntu" 30 | }, 31 | "authorized_keys": { 32 | "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);", 33 | "interval": 86400, 34 | "description": "A line-delimited authorized_keys table." 
35 | }, 36 | "behavioral_reverse_shell": { 37 | "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';", 38 | "interval": 600, 39 | "description": "Find shell processes that have open sockets" 40 | }, 41 | "cpu_time": { 42 | "query": "SELECT * FROM cpu_time;", 43 | "interval": 3600, 44 | "description": "Displays information from /proc/stat file about the time the CPU cores spent in different parts of the system" 45 | }, 46 | "crontab": { 47 | "query": "SELECT * FROM crontab;", 48 | "interval": 3600, 49 | "description": "Retrieves all the jobs scheduled in crontab in the target system." 
50 | }, 51 | "crontab_snapshot": { 52 | "query": "SELECT * FROM crontab;", 53 | "interval": 86400, 54 | "description": "Retrieves all the jobs scheduled in crontab in the target system.", 55 | "snapshot": true 56 | }, 57 | "deb_packages": { 58 | "query": "SELECT * FROM deb_packages;", 59 | "interval": 86400, 60 | "description": "Display all installed DEB packages", 61 | "snapshot": true, 62 | "platform": "ubuntu" 63 | }, 64 | "dns_resolvers": { 65 | "query": "SELECT * FROM dns_resolvers;", 66 | "interval": 3600, 67 | "description": "DNS resolvers used by the host" 68 | }, 69 | "ec2_instance_metadata": { 70 | "query": "SELECT * FROM ec2_instance_metadata;", 71 | "interval": 3600, 72 | "description": "Retrieve the EC2 metadata for this endpoint" 73 | }, 74 | "ec2_instance_metadata_snapshot": { 75 | "query": "SELECT * FROM ec2_instance_metadata;", 76 | "interval": 86400, 77 | "description": "Snapshot query to retrieve the EC2 metadata for this endpoint", 78 | "snapshot": true 79 | }, 80 | "ec2_instance_tags": { 81 | "query": "SELECT * FROM ec2_instance_tags;", 82 | "interval": 3600, 83 | "description": "Retrieve the EC2 tags for this endpoint" 84 | }, 85 | "ec2_instance_tags_snapshot": { 86 | "query": "SELECT * FROM ec2_instance_tags;", 87 | "interval": 86400, 88 | "description": "Snapshot query to retrieve the EC2 tags for this instance", 89 | "snapshot": true 90 | }, 91 | "etc_hosts": { 92 | "query": "SELECT * FROM etc_hosts;", 93 | "interval": 3600, 94 | "description": "Retrieves all the entries in the target system /etc/hosts file." 
95 | }, 96 | "etc_hosts_snapshot": { 97 | "query": "SELECT * FROM etc_hosts;", 98 | "interval": 86400, 99 | "description": "Retrieves all the entries in the target system /etc/hosts file.", 100 | "snapshot": true 101 | }, 102 | "hardware_events": { 103 | "query": "SELECT * FROM hardware_events;", 104 | "interval": 10, 105 | "removed":false 106 | }, 107 | "iptables": { 108 | "query": "SELECT * FROM iptables;", 109 | "interval": 86400, 110 | "platform": "linux", 111 | "description": "Retrieves the current filters and chains per filter in the target system." 112 | }, 113 | "kernel_info": { 114 | "query": "SELECT * FROM kernel_info;", 115 | "interval": 86400, 116 | "description": "Retrieves information from the current kernel in the target system.", 117 | "snapshot": true 118 | }, 119 | "kernel_integrity": { 120 | "query": "SELECT * FROM kernel_integrity;", 121 | "interval": 86400, 122 | "description": "Various Linux kernel integrity checked attributes." 123 | }, 124 | "kernel_modules": { 125 | "query": "SELECT * FROM kernel_modules;", 126 | "interval": 3600, 127 | "description": "Linux kernel modules both loaded and within the load search path." 128 | }, 129 | "kernel_modules_snapshot": { 130 | "query": "SELECT * FROM kernel_modules;", 131 | "interval": 86400, 132 | "description": "Linux kernel modules both loaded and within the load search path.", 133 | "snapshot": true 134 | }, 135 | "last": { 136 | "query": "SELECT * FROM last;", 137 | "interval": 3600, 138 | "description": "Retrieves the list of the latest logins with PID, username and timestamp." 
139 | }, 140 | "ld_preload": { 141 | "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", 142 | "interval": 60, 143 | "description": "Any processes that run with an LD_PRELOAD environment variable", 144 | "snapshot": true 145 | }, 146 | "ld_so_preload_exists": { 147 | "query": "SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';", 148 | "interval": 3600, 149 | "description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx", 150 | "snapshot": true 151 | }, 152 | "listening_ports": { 153 | "query": "SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;", 154 | "interval": 86400, 155 | "description": "Gather information about processes that are listening on a socket.", 156 | "snapshot": true 157 | }, 158 | "memory_info": { 159 | "query": "SELECT * FROM memory_info;", 160 | "interval": 3600, 161 | "description": "Information about memory usage on the system" 162 | }, 163 | "mounts": { 164 | "query": "SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;", 165 | "interval": 86400, 166 | "description": "Retrieves the current list of mounted drives in the target system." 
167 | }, 168 | "network_interfaces_snapshot": { 169 | "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);", 170 | "interval": 600, 171 | "description": "Record the network interfaces and their associated IP and MAC addresses", 172 | "snapshot": true 173 | }, 174 | "os_version": { 175 | "query": "SELECT * FROM os_version;", 176 | "interval": 86400, 177 | "description": "Retrieves information from the Operating System where osquery is currently running.", 178 | "snapshot": true 179 | }, 180 | "osquery_info": { 181 | "query": "SELECT * FROM osquery_info;", 182 | "interval": 86400, 183 | "description": "Information about the running osquery configuration", 184 | "snapshot": true 185 | }, 186 | "processes_snapshot": { 187 | "query": "select name, path, cmdline, cwd, on_disk from processes;", 188 | "interval": 86400, 189 | "description": "A snapshot of all processes running on the host. Useful for outlier analysis.", 190 | "snapshot": true 191 | }, 192 | "rpm_packages": { 193 | "query": "SELECT name, version, release, arch FROM rpm_packages;", 194 | "interval": 86400, 195 | "description": "Display all installed RPM packages", 196 | "snapshot": true, 197 | "platform": "centos" 198 | }, 199 | "runtime_perf": { 200 | "query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;", 201 | "interval": 1800, 202 | "description": "Records system/user time, db size, and many other system metrics" 203 | }, 204 | "shell_history": { 205 | "query": "SELECT * FROM users CROSS JOIN shell_history USING (uid);", 
206 | "interval": 3600, 207 | "description": "Record shell history for all users on the system (instead of just root)" 208 | }, 209 | "suid_bin": { 210 | "query": "SELECT * FROM suid_bin;", 211 | "interval": 86400, 212 | "description": "Display any SUID binaries that are owned by root" 213 | }, 214 | "system_info": { 215 | "query": "SELECT * FROM system_info;", 216 | "interval": 86400, 217 | "description": "Information about the system hardware and name", 218 | "snapshot": true 219 | }, 220 | "usb_devices": { 221 | "query": "SELECT * FROM usb_devices;", 222 | "interval": 120, 223 | "description": "Retrieves the current list of USB devices in the target system." 224 | }, 225 | "user_ssh_keys": { 226 | "query": "SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);", 227 | "interval": 86400, 228 | "description": "Returns the private keys in each user's ~/.ssh directory and whether or not they are encrypted" 229 | }, 230 | "users": { 231 | "query": "SELECT * FROM users;", 232 | "interval": 86400, 233 | "description": "Local system users." 
234 | }, 235 | "users_snapshot": { 236 | "query": "SELECT * FROM users;", 237 | "interval": 86400, 238 | "description": "Local system users.", 239 | "snapshot": true 240 | }, 241 | "yum_sources": { 242 | "query": "SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;", 243 | "interval": 86400, 244 | "description": "Display yum package manager sources", 245 | "snapshot": true, 246 | "platform": "centos" 247 | } 248 | }, 249 | "file_paths": { 250 | "configuration": [ 251 | "/etc/passwd", 252 | "/etc/shadow", 253 | "/etc/ld.so.preload", 254 | "/etc/ld.so.conf", 255 | "/etc/ld.so.conf.d/%%", 256 | "/etc/pam.d/%%", 257 | "/etc/resolv.conf", 258 | "/etc/rc%/%%", 259 | "/etc/my.cnf", 260 | "/etc/modules", 261 | "/etc/hosts", 262 | "/etc/hostname", 263 | "/etc/fstab", 264 | "/etc/crontab", 265 | "/etc/cron%/%%", 266 | "/etc/init/%%", 267 | "/etc/rsyslog.conf" 268 | ], 269 | "binaries": [ 270 | "/usr/bin/%%", 271 | "/usr/sbin/%%", 272 | "/bin/%%", 273 | "/sbin/%%", 274 | "/usr/local/bin/%%", 275 | "/usr/local/sbin/%%" 276 | ] 277 | }, 278 | "events": { 279 | "disable_subscribers": ["user_events"] 280 | }, 281 | "packs": { 282 | "ossec-rootkit": "/etc/osquery/packs/ossec-rootkit.conf" 283 | } 284 | } 285 | -------------------------------------------------------------------------------- /Classic/Servers/Linux/osquery.flags: -------------------------------------------------------------------------------- 1 | --audit_allow_config=true 2 | --audit_allow_sockets 3 | --audit_persist=true 4 | --disable_audit=false 5 | --events_expiry=1 6 | --events_max=500000 7 | --logger_min_status=1 8 | --logger_plugin=filesystem 9 | --watchdog_memory_limit=350 10 | --watchdog_utilization_limit=130 11 | -------------------------------------------------------------------------------- /Classic/Servers/Linux/packs/ossec-rootkit.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "linux", 3 | "version": "1.4.5", 4 | "queries": { 5 | 
"bash_door": { 6 | "query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');", 7 | "interval": "3600", 8 | "description": "bash_door", 9 | "value": "Artifacts used by this malware", 10 | "platform": "linux" 11 | }, 12 | "slapper_installed": { 13 | "query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');", 14 | "interval": "3600", 15 | "description": "slapper_installed", 16 | "value": "Artifacts used by this malware", 17 | "platform": "linux" 18 | }, 19 | "mithra`s_rootkit": { 20 | "query": "select * from file where path in ('/usr/lib/locale/uboot');", 21 | "interval": "3600", 22 | "description": "mithra`s_rootkit", 23 | "value": "Artifacts used by this malware", 24 | "platform": "linux" 25 | }, 26 | "omega_worm": { 27 | "query": "select * from file where path in ('/dev/chr');", 28 | "interval": "3600", 29 | "description": "omega_worm", 30 | "value": "Artifacts used by this malware", 31 | "platform": "linux" 32 | }, 33 | "kenga3_rootkit": { 34 | "query": "select * from file where path in ('/usr/include/. 
.');", 35 | "interval": "3600", 36 | "description": "kenga3_rootkit", 37 | "value": "Artifacts used by this malware", 38 | "platform": "linux" 39 | }, 40 | "sadmind/iis_worm": { 41 | "query": "select * from file where path in ('/dev/cuc');", 42 | "interval": "3600", 43 | "description": "sadmind/iis_worm", 44 | "value": "Artifacts used by this malware", 45 | "platform": "linux" 46 | }, 47 | "rsha": { 48 | "query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');", 49 | "interval": "3600", 50 | "description": "rsha", 51 | "value": "Artifacts used by this malware", 52 | "platform": "linux" 53 | }, 54 | "old_rootkits": { 55 | "query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');", 56 | "interval": "3600", 57 | "description": "old_rootkits", 58 | "value": "Artifacts used by this malware", 59 | "platform": "linux" 60 | }, 61 | "telekit_trojan": { 62 | "query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');", 63 | "interval": "3600", 64 | "description": "telekit_trojan", 65 | "value": "Artifacts used by this malware", 66 | "platform": "linux" 67 | }, 68 | "tc2_worm": { 69 | "query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');", 70 | "interval": "3600", 71 | "description": "tc2_worm", 72 | "value": "Artifacts used by this malware", 73 | "platform": "linux" 74 | }, 75 | "shitc": { 76 | "query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');", 77 | "interval": "3600", 78 | "description": "shitc", 79 | "value": "Artifacts used by this malware", 80 | "platform": "linux" 81 | }, 82 | "rh_sharpe": { 83 | "query": "select * from file where path in ('/bin/.ps', 
'/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');", 84 | "interval": "3600", 85 | "description": "rh_sharpe", 86 | "value": "Artifacts used by this malware", 87 | "platform": "linux" 88 | }, 89 | "showtee_/_romanian_rootkit": { 90 | "query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');", 91 | "interval": "3600", 92 | "description": "showtee_/_romanian_rootkit", 93 | "value": "Artifacts used by this malware", 94 | "platform": "linux" 95 | }, 96 | "lrk_rootkit": { 97 | "query": "select * from file where path in ('/dev/ida/.inet');", 98 | "interval": "3600", 99 | "description": "lrk_rootkit", 100 | "value": "Artifacts used by this malware", 101 | "platform": "linux" 102 | }, 103 | "zk_rootkit": { 104 | "query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');", 105 | "interval": "3600", 106 | "description": "zk_rootkit", 107 | "value": "Artifacts used by this malware", 108 | "platform": "linux" 109 | }, 110 | "ramen_worm": { 111 | "query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');", 112 | "interval": "3600", 113 | "description": "ramen_worm", 114 | "value": "Artifacts used by this malware", 115 | "platform": "linux" 116 | }, 117 | "maniac_rk": { 118 | "query": "select * from file where path in ('/usr/bin/mailrc');", 119 | "interval": "3600", 120 | "description": "maniac_rk", 121 | "value": "Artifacts used by this malware", 122 | "platform": "linux" 123 | }, 124 | "bmbl_rootkit": { 125 | "query": "select * from file where path in 
('/etc/.bmbl', '/etc/.bmbl/sk');", 126 | "interval": "3600", 127 | "description": "bmbl_rootkit", 128 | "value": "Artifacts used by this malware", 129 | "platform": "linux" 130 | }, 131 | "suckit_rootkit": { 132 | "query": "select * from file where path in ('/lib/.x', '/lib/sk');", 133 | "interval": "3600", 134 | "description": "suckit_rootkit", 135 | "value": "Artifacts used by this malware", 136 | "platform": "linux" 137 | }, 138 | "adore_rootkit": { 139 | "query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');", 140 | "interval": "3600", 141 | "description": "adore_rootkit", 142 | "value": "Artifacts used by this malware", 143 | "platform": "linux" 144 | }, 145 | "ldp_worm": { 146 | "query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');", 147 | "interval": "3600", 148 | "description": "ldp_worm", 149 | "value": "Artifacts used by this malware", 150 | "platform": "linux" 151 | }, 152 | "romanian_rootkit": { 153 | "query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');", 154 | "interval": "3600", 155 | "description": "romanian_rootkit", 156 | "value": "Artifacts used by this malware", 157 | "platform": "linux" 158 | }, 159 | "illogic_rootkit": { 160 | "query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', '/etc/ld.so.hash');", 161 | "interval": "3600", 162 | "description": "illogic_rootkit", 163 | "value": "Artifacts used by this malware", 164 | "platform": "linux" 165 | }, 166 | "bobkit_rootkit": { 167 | "query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');", 168 | "interval": "3600", 169 | "description": "bobkit_rootkit", 170 | "value": "Artifacts used by this malware", 171 | "platform": "linux" 172 | }, 173 | "monkit": { 174 | "query": "select * from file where path in ('/lib/defs');", 175 | "interval": "3600", 176 | "description": "monkit", 177 | "value": 
"Artifacts used by this malware", 178 | "platform": "linux" 179 | }, 180 | "override_rootkit": { 181 | "query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');", 182 | "interval": "3600", 183 | "description": "override_rootkit", 184 | "value": "Artifacts used by this malware", 185 | "platform": "linux" 186 | }, 187 | "madalin_rootkit": { 188 | "query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');", 189 | "interval": "3600", 190 | "description": "madalin_rootkit", 191 | "value": "Artifacts used by this malware", 192 | "platform": "linux" 193 | }, 194 | "solaris_worm": { 195 | "query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');", 196 | "interval": "3600", 197 | "description": "solaris_worm", 198 | "value": "Artifacts used by this malware", 199 | "platform": "linux" 200 | }, 201 | "phalanx_rootkit": { 202 | "query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');", 203 | "interval": "3600", 204 | "description": "phalanx_rootkit", 205 | "value": "Artifacts used by this malware", 206 | "platform": "linux" 207 | }, 208 | "ark_rootkit": { 209 | "query": "select * from file where path in ('/dev/ptyxx');", 210 | "interval": "3600", 211 | "description": "ark_rootkit", 212 | "value": "Artifacts used by this malware", 213 | "platform": "linux" 214 | }, 215 | "tribe_bot": { 216 | "query": "select * from file where path in ('/dev/wd4');", 217 | "interval": "3600", 218 | "description": "tribe_bot", 219 | "value": "Artifacts used by this malware", 220 | "platform": "linux" 221 | }, 222 | "cback_worm": { 223 | "query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');", 224 | "interval": "3600", 225 | "description": "cback_worm", 226 | 
"value": "Artifacts used by this malware", 227 | "platform": "linux" 228 | }, 229 | "optickit": { 230 | "query": "select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');", 231 | "interval": "3600", 232 | "description": "optickit", 233 | "value": "Artifacts used by this malware", 234 | "platform": "linux" 235 | }, 236 | "anonoiyng_rootkit": { 237 | "query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');", 238 | "interval": "3600", 239 | "description": "anonoiyng_rootkit", 240 | "value": "Artifacts used by this malware", 241 | "platform": "linux" 242 | }, 243 | "loc_rookit": { 244 | "query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');", 245 | "interval": "3600", 246 | "description": "loc_rookit", 247 | "value": "Artifacts used by this malware", 248 | "platform": "linux" 249 | }, 250 | "showtee": { 251 | "query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');", 252 | "interval": "3600", 253 | "description": "showtee", 254 | "value": "Artifacts used by this malware", 255 | "platform": "linux" 256 | }, 257 | "zarwt_rootkit": { 258 | "query": "select * from file where path in ('/bin/imin', '/bin/imout');", 259 | "interval": "3600", 260 | "description": "zarwt_rootkit", 261 | "value": "Artifacts used by this malware", 262 | "platform": "linux" 263 | }, 264 | "lion_worm": { 265 | "query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');", 266 | "interval": "3600", 267 | "description": "lion_worm", 268 | "value": "Artifacts used by this malware", 269 | "platform": "linux" 270 | }, 271 | "suspicious_file": { 272 | "query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', 
'/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');", 273 | "interval": "3600", 274 | "description": "suspicious_file", 275 | "value": "Artifacts used by this malware", 276 | "platform": "linux" 277 | }, 278 | "apa_kit": { 279 | "query": "select * from file where path in ('/usr/share/.aPa');", 280 | "interval": "3600", 281 | "description": "apa_kit", 282 | "value": "Artifacts used by this malware", 283 | "platform": "linux" 284 | }, 285 | "enye_sec_rootkit": { 286 | "query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');", 287 | "interval": "3600", 288 | "description": "enye_sec_rootkit", 289 | "value": "Artifacts used by this malware", 290 | "platform": "linux" 291 | }, 292 | "rk17": { 293 | "query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');", 294 | "interval": "3600", 295 | "description": "rk17", 296 | "value": "Artifacts used by this malware", 297 | "platform": "linux" 298 | }, 299 | "trk_rootkit": { 300 | "query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');", 301 | "interval": "3600", 302 | "description": "trk_rootkit", 303 | "value": "Artifacts used by this malware", 304 | "platform": "linux" 305 | }, 306 | 
"scalper_installed": { 307 | "query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');", 308 | "interval": "3600", 309 | "description": "scalper_installed", 310 | "value": "Artifacts used by this malware", 311 | "platform": "linux" 312 | }, 313 | "hidr00tkit": { 314 | "query": "select * from file where path in ('/var/lib/games/.k');", 315 | "interval": "3600", 316 | "description": "hidr00tkit", 317 | "value": "Artifacts used by this malware", 318 | "platform": "linux" 319 | }, 320 | "beastkit_rootkit": { 321 | "query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');", 322 | "interval": "3600", 323 | "description": "beastkit_rootkit", 324 | "value": "Artifacts used by this malware", 325 | "platform": "linux" 326 | }, 327 | "shv5_rootkit": { 328 | "query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');", 329 | "interval": "3600", 330 | "description": "shv5_rootkit", 331 | "value": "Artifacts used by this malware", 332 | "platform": "linux" 333 | }, 334 | "esrk_rootkit": { 335 | "query": "select * from file where path in ('/usr/lib/tcl5.3');", 336 | "interval": "3600", 337 | "description": "esrk_rootkit", 338 | "value": "Artifacts used by this malware", 339 | "platform": "linux" 340 | }, 341 | "shkit_rootkit": { 342 | "query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');", 343 | "interval": "3600", 344 | "description": "shkit_rootkit", 345 | "value": "Artifacts used by this malware", 346 | "platform": "linux" 347 | }, 348 | "knark_installed": { 349 | "query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');", 350 | "interval": "3600", 351 | "description": "knark_installed", 352 | "value": "Artifacts used by this malware", 353 | "platform": "linux" 354 | }, 355 | "volc_rootkit": { 356 | "query": "select * from file where path in ('/usr/lib/volc', 
'/usr/bin/volc');", 357 | "interval": "3600", 358 | "description": "volc_rootkit", 359 | "value": "Artifacts used by this malware", 360 | "platform": "linux" 361 | }, 362 | "fu_rootkit": { 363 | "query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');", 364 | "interval": "3600", 365 | "description": "fu_rootkit", 366 | "value": "Artifacts used by this malware", 367 | "platform": "linux" 368 | }, 369 | "ajakit_rootkit": { 370 | "query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');", 371 | "interval": "3600", 372 | "description": "ajakit_rootkit", 373 | "value": "Artifacts used by this malware", 374 | "platform": "linux" 375 | }, 376 | "monkit_found": { 377 | "query": "select * from file where path in ('/usr/lib/libpikapp.a');", 378 | "interval": "3600", 379 | "description": "monkit_found", 380 | "value": "Artifacts used by this malware", 381 | "platform": "linux" 382 | }, 383 | "t0rn_rootkit": { 384 | "query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');", 385 | "interval": "3600", 386 | "description": "t0rn_rootkit", 387 | "value": "Artifacts used by this malware", 388 | "platform": "linux" 389 | }, 390 | "adore_worm": { 391 | "query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');", 392 | "interval": "3600", 393 | "description": "adore_worm", 394 | "value": "Artifacts used by this malware", 395 | "platform": "linux" 396 | }, 397 | "55808.a_worm": { 398 | "query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');", 399 | "interval": "3600", 400 | "description": "55808.a_worm", 401 | "value": "Artifacts used by this malware", 402 | "platform": "linux" 403 | }, 404 | "tuxkit_rootkit": { 405 | "query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');", 406 | "interval": 
"3600", 407 | "description": "tuxkit_rootkit", 408 | "value": "Artifacts used by this malware", 409 | "platform": "linux" 410 | } 411 | } 412 | } -------------------------------------------------------------------------------- /Classic/Servers/Linux/packs/ossec-rootkit.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: ossec-rootkit 6 | queries: 7 | - description: mithra`s_rootkit 8 | interval: 3600 9 | name: mithra`s_rootkit 10 | platform: linux 11 | query: mithra`s_rootkit 12 | - description: illogic_rootkit 13 | interval: 3600 14 | name: illogic_rootkit 15 | platform: linux 16 | query: illogic_rootkit 17 | - description: override_rootkit 18 | interval: 3600 19 | name: override_rootkit 20 | platform: linux 21 | query: override_rootkit 22 | - description: monkit_found 23 | interval: 3600 24 | name: monkit_found 25 | platform: linux 26 | query: monkit_found 27 | - description: tuxkit_rootkit 28 | interval: 3600 29 | name: tuxkit_rootkit 30 | platform: linux 31 | query: tuxkit_rootkit 32 | - description: tc2_worm 33 | interval: 3600 34 | name: tc2_worm 35 | platform: linux 36 | query: tc2_worm 37 | - description: sadmind/iis_worm 38 | interval: 3600 39 | name: sadmind/iis_worm 40 | platform: linux 41 | query: sadmind/iis_worm 42 | - description: showtee 43 | interval: 3600 44 | name: showtee 45 | platform: linux 46 | query: showtee 47 | - description: rk17 48 | interval: 3600 49 | name: rk17 50 | platform: linux 51 | query: rk17 52 | - description: scalper_installed 53 | interval: 3600 54 | name: scalper_installed 55 | platform: linux 56 | query: scalper_installed 57 | - description: shv5_rootkit 58 | interval: 3600 59 | name: shv5_rootkit 60 | platform: linux 61 | query: shv5_rootkit 62 | - description: monkit 63 | interval: 3600 64 | name: monkit 65 | platform: linux 66 | query: monkit 67 | - description: shitc 68 | interval: 3600 69 | name: shitc 70 | platform: linux 
71 | query: shitc 72 | - description: romanian_rootkit 73 | interval: 3600 74 | name: romanian_rootkit 75 | platform: linux 76 | query: romanian_rootkit 77 | - description: cback_worm 78 | interval: 3600 79 | name: cback_worm 80 | platform: linux 81 | query: cback_worm 82 | - description: volc_rootkit 83 | interval: 3600 84 | name: volc_rootkit 85 | platform: linux 86 | query: volc_rootkit 87 | - description: telekit_trojan 88 | interval: 3600 89 | name: telekit_trojan 90 | platform: linux 91 | query: telekit_trojan 92 | - description: lrk_rootkit 93 | interval: 3600 94 | name: lrk_rootkit 95 | platform: linux 96 | query: lrk_rootkit 97 | - description: zk_rootkit 98 | interval: 3600 99 | name: zk_rootkit 100 | platform: linux 101 | query: zk_rootkit 102 | - description: optickit 103 | interval: 3600 104 | name: optickit 105 | platform: linux 106 | query: optickit 107 | - description: hidr00tkit 108 | interval: 3600 109 | name: hidr00tkit 110 | platform: linux 111 | query: hidr00tkit 112 | - description: knark_installed 113 | interval: 3600 114 | name: knark_installed 115 | platform: linux 116 | query: knark_installed 117 | - description: fu_rootkit 118 | interval: 3600 119 | name: fu_rootkit 120 | platform: linux 121 | query: fu_rootkit 122 | - description: kenga3_rootkit 123 | interval: 3600 124 | name: kenga3_rootkit 125 | platform: linux 126 | query: kenga3_rootkit 127 | - description: ajakit_rootkit 128 | interval: 3600 129 | name: ajakit_rootkit 130 | platform: linux 131 | query: ajakit_rootkit 132 | - description: esrk_rootkit 133 | interval: 3600 134 | name: esrk_rootkit 135 | platform: linux 136 | query: esrk_rootkit 137 | - description: apa_kit 138 | interval: 3600 139 | name: apa_kit 140 | platform: linux 141 | query: apa_kit 142 | - description: adore_worm 143 | interval: 3600 144 | name: adore_worm 145 | platform: linux 146 | query: adore_worm 147 | - description: phalanx_rootkit 148 | interval: 3600 149 | name: phalanx_rootkit 150 | platform: linux 
151 | query: phalanx_rootkit 152 | - description: zarwt_rootkit 153 | interval: 3600 154 | name: zarwt_rootkit 155 | platform: linux 156 | query: zarwt_rootkit 157 | - description: beastkit_rootkit 158 | interval: 3600 159 | name: beastkit_rootkit 160 | platform: linux 161 | query: beastkit_rootkit 162 | - description: t0rn_rootkit 163 | interval: 3600 164 | name: t0rn_rootkit 165 | platform: linux 166 | query: t0rn_rootkit 167 | - description: 55808.a_worm 168 | interval: 3600 169 | name: 55808.a_worm 170 | platform: linux 171 | query: 55808.a_worm 172 | - description: ramen_worm 173 | interval: 3600 174 | name: ramen_worm 175 | platform: linux 176 | query: ramen_worm 177 | - description: bobkit_rootkit 178 | interval: 3600 179 | name: bobkit_rootkit 180 | platform: linux 181 | query: bobkit_rootkit 182 | - description: enye_sec_rootkit 183 | interval: 3600 184 | name: enye_sec_rootkit 185 | platform: linux 186 | query: enye_sec_rootkit 187 | - description: trk_rootkit 188 | interval: 3600 189 | name: trk_rootkit 190 | platform: linux 191 | query: trk_rootkit 192 | - description: ldp_worm 193 | interval: 3600 194 | name: ldp_worm 195 | platform: linux 196 | query: ldp_worm 197 | - description: bmbl_rootkit 198 | interval: 3600 199 | name: bmbl_rootkit 200 | platform: linux 201 | query: bmbl_rootkit 202 | - description: suckit_rootkit 203 | interval: 3600 204 | name: suckit_rootkit 205 | platform: linux 206 | query: suckit_rootkit 207 | - description: lion_worm 208 | interval: 3600 209 | name: lion_worm 210 | platform: linux 211 | query: lion_worm 212 | - description: shkit_rootkit 213 | interval: 3600 214 | name: shkit_rootkit 215 | platform: linux 216 | query: shkit_rootkit 217 | - description: slapper_installed 218 | interval: 3600 219 | name: slapper_installed 220 | platform: linux 221 | query: slapper_installed 222 | - description: old_rootkits 223 | interval: 3600 224 | name: old_rootkits 225 | platform: linux 226 | query: old_rootkits 227 | - description: 
anonoiyng_rootkit 228 | interval: 3600 229 | name: anonoiyng_rootkit 230 | platform: linux 231 | query: anonoiyng_rootkit 232 | - description: omega_worm 233 | interval: 3600 234 | name: omega_worm 235 | platform: linux 236 | query: omega_worm 237 | - description: tribe_bot 238 | interval: 3600 239 | name: tribe_bot 240 | platform: linux 241 | query: tribe_bot 242 | - description: loc_rookit 243 | interval: 3600 244 | name: loc_rookit 245 | platform: linux 246 | query: loc_rookit 247 | - description: adore_rootkit 248 | interval: 3600 249 | name: adore_rootkit 250 | platform: linux 251 | query: adore_rootkit 252 | - description: solaris_worm 253 | interval: 3600 254 | name: solaris_worm 255 | platform: linux 256 | query: solaris_worm 257 | - description: ark_rootkit 258 | interval: 3600 259 | name: ark_rootkit 260 | platform: linux 261 | query: ark_rootkit 262 | - description: rh_sharpe 263 | interval: 3600 264 | name: rh_sharpe 265 | platform: linux 266 | query: rh_sharpe 267 | - description: rsha 268 | interval: 3600 269 | name: rsha 270 | platform: linux 271 | query: rsha 272 | - description: showtee_/_romanian_rootkit 273 | interval: 3600 274 | name: showtee_/_romanian_rootkit 275 | platform: linux 276 | query: showtee_/_romanian_rootkit 277 | - description: maniac_rk 278 | interval: 3600 279 | name: maniac_rk 280 | platform: linux 281 | query: maniac_rk 282 | - description: madalin_rootkit 283 | interval: 3600 284 | name: madalin_rootkit 285 | platform: linux 286 | query: madalin_rootkit 287 | - description: suspicious_file 288 | interval: 3600 289 | name: suspicious_file 290 | platform: linux 291 | query: suspicious_file 292 | - description: bash_door 293 | interval: 3600 294 | name: bash_door 295 | platform: linux 296 | query: bash_door 297 | targets: 298 | labels: null 299 | --- 300 | apiVersion: v1 301 | kind: query 302 | spec: 303 | description: mithra`s_rootkit 304 | name: mithra`s_rootkit 305 | query: select * from file where path in 
('/usr/lib/locale/uboot'); 306 | --- 307 | apiVersion: v1 308 | kind: query 309 | spec: 310 | description: illogic_rootkit 311 | name: illogic_rootkit 312 | query: select * from file where path in ('/lib/security/.config', '/usr/bin/sia', 313 | '/etc/ld.so.hash'); 314 | --- 315 | apiVersion: v1 316 | kind: query 317 | spec: 318 | description: override_rootkit 319 | name: override_rootkit 320 | query: select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', 321 | '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-'); 322 | --- 323 | apiVersion: v1 324 | kind: query 325 | spec: 326 | description: monkit_found 327 | name: monkit_found 328 | query: select * from file where path in ('/usr/lib/libpikapp.a'); 329 | --- 330 | apiVersion: v1 331 | kind: query 332 | spec: 333 | description: tuxkit_rootkit 334 | name: tuxkit_rootkit 335 | query: select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk'); 336 | --- 337 | apiVersion: v1 338 | kind: query 339 | spec: 340 | description: tc2_worm 341 | name: tc2_worm 342 | query: select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', 343 | '/usr/sbin/ldb'); 344 | --- 345 | apiVersion: v1 346 | kind: query 347 | spec: 348 | description: sadmind/iis_worm 349 | name: sadmind/iis_worm 350 | query: select * from file where path in ('/dev/cuc'); 351 | --- 352 | apiVersion: v1 353 | kind: query 354 | spec: 355 | description: showtee 356 | name: showtee 357 | query: select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', 358 | '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h'); 359 | --- 360 | apiVersion: v1 361 | kind: query 362 | spec: 363 | description: rk17 364 | name: rk17 365 | query: select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', 366 | '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o'); 367 | --- 368 | apiVersion: v1 369 
| kind: query 370 | spec: 371 | description: scalper_installed 372 | name: scalper_installed 373 | query: select * from file where path in ('/tmp/.uua', '/tmp/.a'); 374 | --- 375 | apiVersion: v1 376 | kind: query 377 | spec: 378 | description: shv5_rootkit 379 | name: shv5_rootkit 380 | query: select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh'); 381 | --- 382 | apiVersion: v1 383 | kind: query 384 | spec: 385 | description: monkit 386 | name: monkit 387 | query: select * from file where path in ('/lib/defs'); 388 | --- 389 | apiVersion: v1 390 | kind: query 391 | spec: 392 | description: shitc 393 | name: shitc 394 | query: select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind'); 395 | --- 396 | apiVersion: v1 397 | kind: query 398 | spec: 399 | description: romanian_rootkit 400 | name: romanian_rootkit 401 | query: select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps'); 402 | --- 403 | apiVersion: v1 404 | kind: query 405 | spec: 406 | description: cback_worm 407 | name: cback_worm 408 | query: select * from file where path in ('/tmp/cback', '/tmp/derfiq'); 409 | --- 410 | apiVersion: v1 411 | kind: query 412 | spec: 413 | description: volc_rootkit 414 | name: volc_rootkit 415 | query: select * from file where path in ('/usr/lib/volc', '/usr/bin/volc'); 416 | --- 417 | apiVersion: v1 418 | kind: query 419 | spec: 420 | description: telekit_trojan 421 | name: telekit_trojan 422 | query: select * from file where path in ('/dev/hda06', '/usr/info/libc1.so'); 423 | --- 424 | apiVersion: v1 425 | kind: query 426 | spec: 427 | description: lrk_rootkit 428 | name: lrk_rootkit 429 | query: select * from file where path in ('/dev/ida/.inet'); 430 | --- 431 | apiVersion: v1 432 | kind: query 433 | spec: 434 | description: zk_rootkit 435 | name: zk_rootkit 436 | query: select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', 437 | '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', 
'/usr/X11R6/.zk/echo', 438 | '/etc/sysconfig/console/load.zk'); 439 | --- 440 | apiVersion: v1 441 | kind: query 442 | spec: 443 | description: optickit 444 | name: optickit 445 | query: select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', 446 | '/usr/bin/xchk'); 447 | --- 448 | apiVersion: v1 449 | kind: query 450 | spec: 451 | description: hidr00tkit 452 | name: hidr00tkit 453 | query: select * from file where path in ('/var/lib/games/.k'); 454 | --- 455 | apiVersion: v1 456 | kind: query 457 | spec: 458 | description: knark_installed 459 | name: knark_installed 460 | query: select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', 461 | '/dev/.pula'); 462 | --- 463 | apiVersion: v1 464 | kind: query 465 | spec: 466 | description: fu_rootkit 467 | name: fu_rootkit 468 | query: select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib'); 469 | --- 470 | apiVersion: v1 471 | kind: query 472 | spec: 473 | description: kenga3_rootkit 474 | name: kenga3_rootkit 475 | query: select * from file where path in ('/usr/include/. 
.'); 476 | --- 477 | apiVersion: v1 478 | kind: query 479 | spec: 480 | description: ajakit_rootkit 481 | name: ajakit_rootkit 482 | query: select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', 483 | '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file'); 484 | --- 485 | apiVersion: v1 486 | kind: query 487 | spec: 488 | description: esrk_rootkit 489 | name: esrk_rootkit 490 | query: select * from file where path in ('/usr/lib/tcl5.3'); 491 | --- 492 | apiVersion: v1 493 | kind: query 494 | spec: 495 | description: apa_kit 496 | name: apa_kit 497 | query: select * from file where path in ('/usr/share/.aPa'); 498 | --- 499 | apiVersion: v1 500 | kind: query 501 | spec: 502 | description: adore_worm 503 | name: adore_worm 504 | query: select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', 505 | '/usr/bin/adore'); 506 | --- 507 | apiVersion: v1 508 | kind: query 509 | spec: 510 | description: phalanx_rootkit 511 | name: phalanx_rootkit 512 | query: select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', 513 | '/etc/host.ph1', '/bin/host.ph1'); 514 | --- 515 | apiVersion: v1 516 | kind: query 517 | spec: 518 | description: zarwt_rootkit 519 | name: zarwt_rootkit 520 | query: select * from file where path in ('/bin/imin', '/bin/imout'); 521 | --- 522 | apiVersion: v1 523 | kind: query 524 | spec: 525 | description: beastkit_rootkit 526 | name: beastkit_rootkit 527 | query: select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', 528 | '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd'); 529 | --- 530 | apiVersion: v1 531 | kind: query 532 | spec: 533 | description: t0rn_rootkit 534 | name: t0rn_rootkit 535 | query: select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', 536 | '/etc/ttyhash', '/sbin/xlogin'); 537 | --- 538 | apiVersion: v1 539 | kind: query 540 | spec: 541 | description: 55808.a_worm 542 | name: 55808.a_worm 543 | query: 
select * from file where path in ('/tmp/.../a', '/tmp/.../r'); 544 | --- 545 | apiVersion: v1 546 | kind: query 547 | spec: 548 | description: ramen_worm 549 | name: ramen_worm 550 | query: select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', 551 | '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp'); 552 | --- 553 | apiVersion: v1 554 | kind: query 555 | spec: 556 | description: bobkit_rootkit 557 | name: bobkit_rootkit 558 | query: select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', 559 | '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-'); 560 | --- 561 | apiVersion: v1 562 | kind: query 563 | spec: 564 | description: enye_sec_rootkit 565 | name: enye_sec_rootkit 566 | query: select * from file where path in ('/etc/.enyelkmHIDE^IT.ko'); 567 | --- 568 | apiVersion: v1 569 | kind: query 570 | spec: 571 | description: trk_rootkit 572 | name: trk_rootkit 573 | query: select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask'); 574 | --- 575 | apiVersion: v1 576 | kind: query 577 | spec: 578 | description: ldp_worm 579 | name: ldp_worm 580 | query: select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps'); 581 | --- 582 | apiVersion: v1 583 | kind: query 584 | spec: 585 | description: bmbl_rootkit 586 | name: bmbl_rootkit 587 | query: select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk'); 588 | --- 589 | apiVersion: v1 590 | kind: query 591 | spec: 592 | description: suckit_rootkit 593 | name: suckit_rootkit 594 | query: select * from file where path in ('/lib/.x', '/lib/sk'); 595 | --- 596 | apiVersion: v1 597 | kind: query 598 | spec: 599 | description: lion_worm 600 | name: lion_worm 601 | query: select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', 602 | '/bin/in.telnetd', '/usr/info/torn'); 603 | --- 604 | apiVersion: v1 605 | kind: query 606 | spec: 607 | description: shkit_rootkit 608 | name: 
shkit_rootkit 609 | query: select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash'); 610 | --- 611 | apiVersion: v1 612 | kind: query 613 | spec: 614 | description: slapper_installed 615 | name: slapper_installed 616 | query: select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', 617 | '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', 618 | '/tmp/.cinik'); 619 | --- 620 | apiVersion: v1 621 | kind: query 622 | spec: 623 | description: old_rootkits 624 | name: old_rootkits 625 | query: select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ 626 | ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', 627 | '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol'); 628 | --- 629 | apiVersion: v1 630 | kind: query 631 | spec: 632 | description: anonoiyng_rootkit 633 | name: anonoiyng_rootkit 634 | query: select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd'); 635 | --- 636 | apiVersion: v1 637 | kind: query 638 | spec: 639 | description: omega_worm 640 | name: omega_worm 641 | query: select * from file where path in ('/dev/chr'); 642 | --- 643 | apiVersion: v1 644 | kind: query 645 | spec: 646 | description: tribe_bot 647 | name: tribe_bot 648 | query: select * from file where path in ('/dev/wd4'); 649 | --- 650 | apiVersion: v1 651 | kind: query 652 | spec: 653 | description: loc_rookit 654 | name: loc_rookit 655 | query: select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0'); 656 | --- 657 | apiVersion: v1 658 | kind: query 659 | spec: 660 | description: adore_rootkit 661 | name: adore_rootkit 662 | query: select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava'); 663 | --- 664 | apiVersion: v1 665 | kind: query 666 | spec: 667 | description: solaris_worm 668 | name: solaris_worm 669 | query: select * from file where path in ('/var/adm/.profile', 
'/var/spool/lp/.profile', 670 | '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp'); 671 | --- 672 | apiVersion: v1 673 | kind: query 674 | spec: 675 | description: ark_rootkit 676 | name: ark_rootkit 677 | query: select * from file where path in ('/dev/ptyxx'); 678 | --- 679 | apiVersion: v1 680 | kind: query 681 | spec: 682 | description: rh_sharpe 683 | name: rh_sharpe 684 | query: select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', 685 | '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', 686 | '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', 687 | '/usr/include/rpcsvc/du'); 688 | --- 689 | apiVersion: v1 690 | kind: query 691 | spec: 692 | description: rsha 693 | name: rsha 694 | query: select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', 695 | '/usr/bin/slice2', '/etc/rc.d/rsha'); 696 | --- 697 | apiVersion: v1 698 | kind: query 699 | spec: 700 | description: showtee_/_romanian_rootkit 701 | name: showtee_/_romanian_rootkit 702 | query: select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', 703 | '/usr/include/syslogs.h', '/usr/include/proc.h'); 704 | --- 705 | apiVersion: v1 706 | kind: query 707 | spec: 708 | description: maniac_rk 709 | name: maniac_rk 710 | query: select * from file where path in ('/usr/bin/mailrc'); 711 | --- 712 | apiVersion: v1 713 | kind: query 714 | spec: 715 | description: madalin_rootkit 716 | name: madalin_rootkit 717 | query: select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', 718 | '/usr/include/iceseed.h'); 719 | --- 720 | apiVersion: v1 721 | kind: query 722 | spec: 723 | description: suspicious_file 724 | name: suspicious_file 725 | query: select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', 726 | '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', 727 | '/usr/bin/ddc', 
'/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', 728 | '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', 729 | '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', 730 | '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', 731 | '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', 732 | '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', 733 | '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', 734 | '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', 735 | '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic'); 736 | --- 737 | apiVersion: v1 738 | kind: query 739 | spec: 740 | description: bash_door 741 | name: bash_door 742 | query: select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa'); 743 | -------------------------------------------------------------------------------- /Fleet/Endpoints/Windows/osquery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: windows-pack 6 | queries: 7 | - description: System info snapshot query 8 | interval: 28800 9 | name: system_info_snapshot 10 | platform: windows 11 | query: system_info_snapshot 12 | snapshot: true 13 | - description: List in-use Windows drivers 14 | interval: 3600 15 | name: drivers 16 | platform: windows 17 | query: drivers 18 | - description: Displays shared resources on a computer system running Windows. This 19 | may be a disk drive, printer, interprocess communication, or other sharable 20 | device. 
21 | interval: 3600 22 | name: shared_resources 23 | platform: windows 24 | query: shared_resources 25 | - description: Lists all the patches applied 26 | interval: 3600 27 | name: patches 28 | platform: windows 29 | query: patches 30 | removed: false 31 | - description: Pipes snapshot query 32 | interval: 28800 33 | name: pipes_snapshot 34 | platform: windows 35 | query: pipes_snapshot 36 | snapshot: true 37 | - description: Programs snapshot query 38 | interval: 28800 39 | name: programs_snapshot 40 | platform: windows 41 | query: programs_snapshot 42 | snapshot: true 43 | - description: Services snapshot query 44 | interval: 28800 45 | name: services_snapshot 46 | platform: windows 47 | query: services_snapshot 48 | snapshot: true 49 | - description: WMI CommandLineEventConsumer, which can be used for persistence on 50 | Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf 51 | for more details. 52 | interval: 3600 53 | name: wmi_cli_event_consumers 54 | platform: windows 55 | query: wmi_cli_event_consumers 56 | - description: Lists the relationship between event consumers and filters. 57 | interval: 3600 58 | name: wmi_filter_consumer_binding 59 | platform: windows 60 | query: wmi_filter_consumer_binding 61 | - description: Snapshot query for Chrome extensions 62 | interval: 3600 63 | name: chrome_extensions_snapshot 64 | platform: windows 65 | query: chrome_extensions_snapshot 66 | - description: Retrieve the interface name, IP address, and MAC address for all 67 | interfaces on the host. 68 | interval: 600 69 | name: network_interfaces_snapshot 70 | platform: windows 71 | query: network_interfaces_snapshot 72 | snapshot: true 73 | - description: Local system users. 74 | interval: 3600 75 | name: users 76 | platform: windows 77 | query: users 78 | - description: Snapshot query for WMI event consumers. 
79 | interval: 28800 80 | name: wmi_cli_event_consumers_snapshot 81 | platform: windows 82 | query: wmi_cli_event_consumers_snapshot 83 | snapshot: true 84 | - description: List all certificates in the trust store 85 | interval: 3600 86 | name: certificates 87 | platform: windows 88 | query: certificates 89 | removed: false 90 | - description: Drivers snapshot query 91 | interval: 28800 92 | name: drivers_snapshot 93 | platform: windows 94 | query: drivers_snapshot 95 | snapshot: true 96 | - description: Lists WMI event filters. 97 | interval: 3600 98 | name: wmi_event_filters 99 | platform: windows 100 | query: wmi_event_filters 101 | - description: List installed Internet Explorer extensions 102 | interval: 3600 103 | name: ie_extensions 104 | platform: windows 105 | query: ie_extensions 106 | - description: List the kernel path, version, etc. 107 | interval: 3600 108 | name: kernel_info 109 | platform: windows 110 | query: kernel_info 111 | - description: List the version of the resident operating system 112 | interval: 3600 113 | name: os_version 114 | platform: windows 115 | query: os_version 116 | - description: Patches snapshot query 117 | interval: 28800 118 | name: patches_snapshot 119 | platform: windows 120 | query: patches_snapshot 121 | snapshot: true 122 | - description: Named and Anonymous pipes. 
123 | interval: 3600 124 | name: pipes 125 | platform: windows 126 | query: pipes 127 | removed: false 128 | - description: Lists installed programs 129 | interval: 0 130 | name: programs 131 | platform: windows 132 | query: programs 133 | - description: List all certificates in the trust store (snapshot query) 134 | interval: 0 135 | name: certificates_snapshot 136 | platform: windows 137 | query: certificates_snapshot 138 | snapshot: true 139 | - description: List the contents of the Windows hosts file 140 | interval: 3600 141 | name: etc_hosts 142 | platform: windows 143 | query: etc_hosts 144 | - description: Lists all of the tasks in the Windows task scheduler 145 | interval: 3600 146 | name: scheduled_tasks 147 | platform: windows 148 | query: scheduled_tasks 149 | - description: Extracted information from Windows crash logs (Minidumps). 150 | interval: 3600 151 | name: windows_crashes 152 | platform: windows 153 | query: windows_crashes 154 | removed: false 155 | - description: System uptime 156 | interval: 3600 157 | name: uptime 158 | platform: windows 159 | query: uptime 160 | snapshot: true 161 | - description: Snapshot query for WMI script event consumers. 
162 | interval: 3600 163 | name: wmi_script_event_consumers 164 | platform: windows 165 | query: wmi_script_event_consumers 166 | snapshot: true 167 | - description: List installed Chocolatey packages 168 | interval: 3600 169 | name: chocolatey_packages 170 | platform: windows 171 | query: chocolatey_packages 172 | - description: Shared resources snapshot query 173 | interval: 28800 174 | name: shared_resources_snapshot 175 | platform: windows 176 | query: shared_resources_snapshot 177 | snapshot: true 178 | - description: Lists all installed services with start type AUTO_START or 179 | DEMAND_START 180 | interval: 3600 181 | name: services 182 | platform: windows 183 | query: services 184 | - description: Users snapshot query 185 | interval: 28800 186 | name: users_snapshot 187 | platform: windows 188 | query: users_snapshot 189 | snapshot: true 190 | - description: List installed Chrome Extensions for all users 191 | interval: 3600 192 | name: chrome_extensions 193 | platform: windows 194 | query: chrome_extensions 195 | - description: Operating system version snapshot query 196 | interval: 28800 197 | name: os_version_snapshot 198 | platform: windows 199 | query: os_version_snapshot 200 | snapshot: true 201 | - description: System information for identification. 202 | interval: 3600 203 | name: system_info 204 | platform: windows 205 | query: system_info 206 | - description: Snapshot query for WMI event filters. 207 | interval: 28800 208 | name: wmi_event_filters_snapshot 209 | platform: windows 210 | query: wmi_event_filters_snapshot 211 | snapshot: true 212 | - description: Snapshot query for WMI filter consumer bindings. 
213 | interval: 28800 214 | name: wmi_filter_consumer_binding_snapshot 215 | platform: windows 216 | query: wmi_filter_consumer_binding_snapshot 217 | snapshot: true 218 | - description: Information about the resident osquery process 219 | interval: 28800 220 | name: osquery_info 221 | platform: windows 222 | query: osquery_info 223 | snapshot: true 224 | - description: Scheduled Tasks snapshot query 225 | interval: 28800 226 | name: scheduled_tasks_snapshot 227 | platform: windows 228 | query: scheduled_tasks_snapshot 229 | snapshot: true 230 | - description: Appcompat shims (.sdb files) installed on Windows hosts. 231 | interval: 3600 232 | name: appcompat_shims 233 | platform: windows 234 | query: appcompat_shims 235 | - description: Disk encryption status and information snapshot query. 236 | interval: 28800 237 | name: bitlocker_info_snapshot 238 | platform: windows 239 | query: bitlocker_info_snapshot 240 | snapshot: true 241 | targets: 242 | labels: 243 | - MS Windows 244 | --- 245 | apiVersion: v1 246 | kind: query 247 | spec: 248 | description: Appcompat shims (.sdb files) installed on Windows hosts. 249 | name: appcompat_shims 250 | query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND 251 | executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe'); 252 | --- 253 | apiVersion: v1 254 | kind: query 255 | spec: 256 | description: Disk encryption status and information snapshot query. 
257 | name: bitlocker_info_snapshot 258 | query: SELECT * FROM bitlocker_info; 259 | --- 260 | apiVersion: v1 261 | kind: query 262 | spec: 263 | description: System info snapshot query 264 | name: system_info_snapshot 265 | query: SELECT * FROM system_info; 266 | --- 267 | apiVersion: v1 268 | kind: query 269 | spec: 270 | description: List in-use Windows drivers 271 | name: drivers 272 | query: SELECT * FROM drivers; 273 | --- 274 | apiVersion: v1 275 | kind: query 276 | spec: 277 | description: Displays shared resources on a computer system running Windows. This 278 | may be a disk drive, printer, interprocess communication, or other sharable device. 279 | name: shared_resources 280 | query: SELECT * FROM shared_resources; 281 | --- 282 | apiVersion: v1 283 | kind: query 284 | spec: 285 | description: Lists all the patches applied 286 | name: patches 287 | query: SELECT * FROM patches; 288 | --- 289 | apiVersion: v1 290 | kind: query 291 | spec: 292 | description: Pipes snapshot query 293 | name: pipes_snapshot 294 | query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, 295 | pipes.name, pid FROM pipes JOIN processes USING (pid); 296 | --- 297 | apiVersion: v1 298 | kind: query 299 | spec: 300 | description: Programs snapshot query 301 | name: programs_snapshot 302 | query: SELECT * FROM programs; 303 | --- 304 | apiVersion: v1 305 | kind: query 306 | spec: 307 | description: Services snapshot query 308 | name: services_snapshot 309 | query: SELECT * FROM services; 310 | --- 311 | apiVersion: v1 312 | kind: query 313 | spec: 314 | description: WMI CommandLineEventConsumer, which can be used for persistence on 315 | Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf 316 | for more details. 
317 | name: wmi_cli_event_consumers 318 | query: SELECT * FROM wmi_cli_event_consumers; 319 | --- 320 | apiVersion: v1 321 | kind: query 322 | spec: 323 | description: Lists the relationship between event consumers and filters. 324 | name: wmi_filter_consumer_binding 325 | query: SELECT * FROM wmi_filter_consumer_binding; 326 | --- 327 | apiVersion: v1 328 | kind: query 329 | spec: 330 | description: Snapshot query for Chrome extensions 331 | name: chrome_extensions_snapshot 332 | query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); 333 | --- 334 | apiVersion: v1 335 | kind: query 336 | spec: 337 | description: Retrieve the interface name, IP address, and MAC address for all interfaces 338 | on the host. 339 | name: network_interfaces_snapshot 340 | query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details 341 | d USING (interface); 342 | --- 343 | apiVersion: v1 344 | kind: query 345 | spec: 346 | description: Local system users. 347 | name: users 348 | query: SELECT * FROM users; 349 | --- 350 | apiVersion: v1 351 | kind: query 352 | spec: 353 | description: Snapshot query for WMI event consumers. 354 | name: wmi_cli_event_consumers_snapshot 355 | query: SELECT * FROM wmi_cli_event_consumers; 356 | --- 357 | apiVersion: v1 358 | kind: query 359 | spec: 360 | description: List all certificates in the trust store 361 | name: certificates 362 | query: SELECT * FROM certificates WHERE path != 'Other People'; 363 | --- 364 | apiVersion: v1 365 | kind: query 366 | spec: 367 | description: Drivers snapshot query 368 | name: drivers_snapshot 369 | query: SELECT * FROM drivers; 370 | --- 371 | apiVersion: v1 372 | kind: query 373 | spec: 374 | description: Lists WMI event filters. 
375 | name: wmi_event_filters 376 | query: SELECT * FROM wmi_event_filters; 377 | --- 378 | apiVersion: v1 379 | kind: query 380 | spec: 381 | description: List installed Internet Explorer extensions 382 | name: ie_extensions 383 | query: SELECT * FROM ie_extensions; 384 | --- 385 | apiVersion: v1 386 | kind: query 387 | spec: 388 | description: List the kernel path, version, etc. 389 | name: kernel_info 390 | query: SELECT * FROM kernel_info; 391 | --- 392 | apiVersion: v1 393 | kind: query 394 | spec: 395 | description: List the version of the resident operating system 396 | name: os_version 397 | query: SELECT * FROM os_version; 398 | --- 399 | apiVersion: v1 400 | kind: query 401 | spec: 402 | description: Patches snapshot query 403 | name: patches_snapshot 404 | query: SELECT * FROM patches; 405 | --- 406 | apiVersion: v1 407 | kind: query 408 | spec: 409 | description: Named and Anonymous pipes. 410 | name: pipes 411 | query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, 412 | pipes.name, pid FROM pipes JOIN processes USING (pid); 413 | --- 414 | apiVersion: v1 415 | kind: query 416 | spec: 417 | description: Lists installed programs 418 | name: programs 419 | query: SELECT * FROM programs; 420 | --- 421 | apiVersion: v1 422 | kind: query 423 | spec: 424 | description: List all certificates in the trust store (snapshot query) 425 | name: certificates_snapshot 426 | query: SELECT * FROM certificates WHERE path != 'Other People'; 427 | --- 428 | apiVersion: v1 429 | kind: query 430 | spec: 431 | description: List the contents of the Windows hosts file 432 | name: etc_hosts 433 | query: SELECT * FROM etc_hosts; 434 | --- 435 | apiVersion: v1 436 | kind: query 437 | spec: 438 | description: Lists all of the tasks in the Windows task scheduler 439 | name: scheduled_tasks 440 | query: SELECT * FROM scheduled_tasks; 441 | --- 442 | apiVersion: v1 443 | kind: query 444 | spec: 445 | description: Extracted information from Windows crash 
logs (Minidumps). 446 | name: windows_crashes 447 | query: SELECT * FROM windows_crashes; 448 | --- 449 | apiVersion: v1 450 | kind: query 451 | spec: 452 | description: System uptime 453 | name: uptime 454 | query: SELECT * FROM uptime; 455 | --- 456 | apiVersion: v1 457 | kind: query 458 | spec: 459 | description: Snapshot query for WMI script event consumers. 460 | name: wmi_script_event_consumers 461 | query: SELECT * FROM wmi_script_event_consumers; 462 | --- 463 | apiVersion: v1 464 | kind: query 465 | spec: 466 | description: List installed Chocolatey packages 467 | name: chocolatey_packages 468 | query: SELECT * FROM chocolatey_packages; 469 | --- 470 | apiVersion: v1 471 | kind: query 472 | spec: 473 | description: Shared resources snapshot query 474 | name: shared_resources_snapshot 475 | query: SELECT * FROM shared_resources; 476 | --- 477 | apiVersion: v1 478 | kind: query 479 | spec: 480 | description: Lists all installed services configured to start automatically at boot 481 | name: services 482 | query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START'; 483 | --- 484 | apiVersion: v1 485 | kind: query 486 | spec: 487 | description: Users snapshot query 488 | name: users_snapshot 489 | query: SELECT * FROM users; 490 | --- 491 | apiVersion: v1 492 | kind: query 493 | spec: 494 | description: List installed Chrome Extensions for all users 495 | name: chrome_extensions 496 | query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); 497 | --- 498 | apiVersion: v1 499 | kind: query 500 | spec: 501 | description: Operating system version snapshot query 502 | name: os_version_snapshot 503 | query: SELECT * FROM os_version; 504 | --- 505 | apiVersion: v1 506 | kind: query 507 | spec: 508 | description: System information for identification. 
509 | name: system_info 510 | query: SELECT * FROM system_info; 511 | --- 512 | apiVersion: v1 513 | kind: query 514 | spec: 515 | description: Snapshot query for WMI event filters. 516 | name: wmi_event_filters_snapshot 517 | query: SELECT * FROM wmi_event_filters; 518 | --- 519 | apiVersion: v1 520 | kind: query 521 | spec: 522 | description: Snapshot query for WMI filter consumer bindings. 523 | name: wmi_filter_consumer_binding_snapshot 524 | query: SELECT * FROM wmi_filter_consumer_binding; 525 | --- 526 | apiVersion: v1 527 | kind: query 528 | spec: 529 | description: Information about the resident osquery process 530 | name: osquery_info 531 | query: SELECT * FROM osquery_info; 532 | --- 533 | apiVersion: v1 534 | kind: query 535 | spec: 536 | description: Scheduled Tasks snapshot query 537 | name: scheduled_tasks_snapshot 538 | query: SELECT * FROM scheduled_tasks; 539 | -------------------------------------------------------------------------------- /Fleet/Endpoints/options.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: options 3 | spec: 4 | config: 5 | decorators: 6 | load: 7 | - SELECT uuid AS host_uuid FROM system_info; 8 | - SELECT hostname AS hostname FROM system_info; 9 | file_paths: 10 | binaries: 11 | - /usr/bin/%% 12 | - /usr/sbin/%% 13 | - /bin/%% 14 | - /sbin/%% 15 | - /usr/local/bin/%% 16 | - /usr/local/sbin/%% 17 | - /opt/bin/%% 18 | - /opt/sbin/%% 19 | configuration: 20 | - /etc/%% 21 | efi: 22 | - /System/Library/CoreServices/boot.efi 23 | options: 24 | disable_distributed: false 25 | disable_tables: windows_events 26 | distributed_interval: 10 27 | distributed_plugin: tls 28 | distributed_tls_max_attempts: 3 29 | distributed_tls_read_endpoint: /api/v1/osquery/distributed/read 30 | distributed_tls_write_endpoint: /api/v1/osquery/distributed/write 31 | logger_plugin: tls 32 | logger_snapshot_event_type: true 33 | logger_tls_endpoint: /api/v1/osquery/log 34 | 
logger_tls_period: 10 35 | pack_delimiter: / 36 | schedule_splay_percent: 10 37 | overrides: {} 38 | -------------------------------------------------------------------------------- /Fleet/Endpoints/packs/performance-metrics.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: performance-metrics 6 | queries: 7 | - description: Records the CPU time and memory usage for each individual query. 8 | Helpful for identifying queries that may impact performance. 9 | interval: 1800 10 | name: per_query_perf 11 | query: per_query_perf 12 | snapshot: true 13 | - description: Track the amount of CPU time used by osquery. 14 | interval: 1800 15 | name: runtime_perf 16 | query: runtime_perf 17 | snapshot: true 18 | - description: Track the percentage of total CPU time utilized by $endpoint_security_tool 19 | interval: 1800 20 | name: endpoint_security_tool_perf 21 | query: endpoint_security_tool_perf 22 | snapshot: true 23 | - description: Track the percentage of total CPU time utilized by $backup_tool 24 | interval: 1800 25 | name: backup_tool_perf 26 | query: backup_tool_perf 27 | snapshot: true 28 | targets: 29 | labels: 30 | - MS Windows 31 | - macOS 32 | --- 33 | apiVersion: v1 34 | kind: query 35 | spec: 36 | description: Records the CPU time and memory usage for each individual query. Helpful 37 | for identifying queries that may impact performance. 38 | name: per_query_perf 39 | query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions) 40 | AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory 41 | FROM osquery_schedule; 42 | --- 43 | apiVersion: v1 44 | kind: query 45 | spec: 46 | description: Track the amount of CPU time used by osquery. 
47 | name: runtime_perf 48 | query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename 49 | AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes 50 | AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov, 51 | processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT 52 | value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE 53 | path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid; 54 | --- 55 | apiVersion: v1 56 | kind: query 57 | spec: 58 | description: Track the percentage of total CPU time utilized by $endpoint_security_tool 59 | name: endpoint_security_tool_perf 60 | query: SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM 61 | processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time 62 | FROM processes WHERE name='endpoint_security_tool'); 63 | --- 64 | apiVersion: v1 65 | kind: query 66 | spec: 67 | description: Track the percentage of total CPU time utilized by $backup_tool 68 | name: backup_tool_perf 69 | query: SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct 70 | FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) 71 | AS backuptool_time FROM processes WHERE name='backup_tool'); 72 | -------------------------------------------------------------------------------- /Fleet/Endpoints/packs/security-tooling-checks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: security-tooling-checks 6 | queries: 7 | - description: Returns an event if an EndpointSecurityTool process is not found running 8 | from '/Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe' 9 | (Windows) 10 | interval: 28800 11 | name: endpoint_security_tool_not_running 12 | platform: windows,darwin 13 | query: 
endpoint_security_tool_not_running 14 | snapshot: true 15 | - description: "Returns an event if a BackupTool process is not found running from 16 | '/Applications/BackupTool' (OSX) or 'c:\\backuptool.exe' (Windows)" 17 | interval: 28800 18 | name: backup_tool_not_running 19 | platform: windows,darwin 20 | query: backup_tool_not_running 21 | snapshot: true 22 | - description: Returns the content of the key if the backend server does not match 23 | the expected value 24 | interval: 3600 25 | name: endpoint_security_tool_backend_server_registry_misconfigured 26 | platform: windows 27 | query: endpoint_security_tool_backend_server_registry_misconfigured 28 | targets: 29 | labels: 30 | - MS Windows 31 | - macOS 32 | --- 33 | apiVersion: v1 34 | kind: query 35 | spec: 36 | description: Returns an event if an EndpointSecurityTool process is not found running 37 | from '/Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe' 38 | (Windows) 39 | name: endpoint_security_tool_not_running 40 | query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as 41 | process_count from processes where path='/Applications/EndpointSecurityTool' OR 42 | lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1; 43 | --- 44 | apiVersion: v1 45 | kind: query 46 | spec: 47 | description: "Returns an event if a BackupTool process is not found running from 48 | '/Applications/BackupTool' (OSX) or 'c:\\backuptool.exe' (Windows)" 49 | name: backup_tool_not_running 50 | query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as 51 | process_count from processes where path='/Applications/BackupTool' OR lower(path) 52 | LIKE 'c:\backuptool.exe') where process_exists!=1; 53 | --- 54 | apiVersion: v1 55 | kind: query 56 | spec: 57 | description: Returns the content of the key if the backend server does not match 58 | the expected value 59 | name: endpoint_security_tool_backend_server_registry_misconfigured 60 | query: SELECT * FROM 
registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation' 61 | AND data!='https://expected_endpoint.local'; 62 | -------------------------------------------------------------------------------- /Fleet/Endpoints/packs/windows-application-security.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: windows-application-security 6 | queries: 7 | - description: Controls Bitlocker full-disk encryption settings. 8 | interval: 3600 9 | name: bitlocker_autoencrypt_settings_registry 10 | platform: windows 11 | query: bitlocker_autoencrypt_settings_registry 12 | - description: Controls Bitlocker full-disk encryption settings. 13 | interval: 3600 14 | name: bitlocker_fde_settings_registry 15 | platform: windows 16 | query: bitlocker_fde_settings_registry 17 | - description: Controls Google Chrome plugins that are forcibly installed. 18 | interval: 3600 19 | name: chrome_extension_force_list_registry 20 | platform: windows 21 | query: chrome_extension_force_list_registry 22 | - description: Controls EMET-protected applications and system settings. 23 | interval: 3600 24 | name: emet_settings_registry 25 | platform: windows 26 | query: emet_settings_registry 27 | - description: Controls Local Administrative Password Solution (LAPS) settings. 28 | interval: 3600 29 | name: microsoft_laps_settings_registry 30 | platform: windows 31 | query: microsoft_laps_settings_registry 32 | - description: Controls Windows Passport for Work (Hello) settings. 33 | interval: 3600 34 | name: passport_for_work_settings_registry 35 | platform: windows 36 | query: passport_for_work_settings_registry 37 | - description: Controls UAC. A setting of 0 indicates that UAC is disabled. 
38 | interval: 3600 39 | name: uac_settings_registry 40 | platform: windows 41 | query: uac_settings_registry 42 | targets: 43 | labels: 44 | - MS Windows 45 | --- 46 | apiVersion: v1 47 | kind: query 48 | spec: 49 | description: Controls Bitlocker full-disk encryption settings. 50 | name: bitlocker_autoencrypt_settings_registry 51 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Bitlocker\%%'; 52 | --- 53 | apiVersion: v1 54 | kind: query 55 | spec: 56 | description: Controls Bitlocker full-disk encryption settings. 57 | name: bitlocker_fde_settings_registry 58 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\%%'; 59 | --- 60 | apiVersion: v1 61 | kind: query 62 | spec: 63 | description: Controls Google Chrome plugins that are forcibly installed. 64 | name: chrome_extension_force_list_registry 65 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist'; 66 | --- 67 | apiVersion: v1 68 | kind: query 69 | spec: 70 | description: Controls EMET-protected applications and system settings. 71 | name: emet_settings_registry 72 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\%%'; 73 | --- 74 | apiVersion: v1 75 | kind: query 76 | spec: 77 | description: Controls Local Administrative Password Solution (LAPS) settings. 78 | name: microsoft_laps_settings_registry 79 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft 80 | Services\AdmPwd'; 81 | --- 82 | apiVersion: v1 83 | kind: query 84 | spec: 85 | description: Controls Windows Passport for Work (Hello) settings. 86 | name: passport_for_work_settings_registry 87 | query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\%%'; 88 | --- 89 | apiVersion: v1 90 | kind: query 91 | spec: 92 | description: Controls UAC. 
A setting of 0 indicates that UAC is disabled. 93 | name: uac_settings_registry 94 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'; 95 | -------------------------------------------------------------------------------- /Fleet/Endpoints/packs/windows-compliance.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: windows-compliance 6 | queries: 7 | - description: 'This key does not exist by default and controls enabling/disabling 8 | error reporting display. Some malware creates this key and sets the value to 9 | 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 10 | interval: 3600 11 | name: error_display_ui_registry 12 | platform: windows 13 | query: error_display_ui_registry 14 | - description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename 15 | and delayed-delete capabilities. Sometimes used as a self-deletion technique 16 | for malware. 17 | interval: 3600 18 | name: filerenameoperations_registry 19 | platform: windows 20 | query: filerenameoperations_registry 21 | - description: Controls which security packages store credentials in LSA memory, 22 | secure boot, etc. 23 | interval: 3600 24 | name: local_security_authority_registry 25 | platform: windows 26 | query: local_security_authority_registry 27 | - description: 'This key exists by default and has a default value of 1. Setting 28 | this key to 0 disables logging errors/crashes to the System event channel. Some 29 | malware sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 30 | interval: 3600 31 | name: log_errors_registry 32 | platform: windows 33 | query: log_errors_registry 34 | - description: Controls Windows security provider configurations 35 | interval: 3600 36 | name: security_providers_registry 37 | platform: windows 38 | query: security_providers_registry 39 | - description: Controls Windows Update server location and installation behavior. 40 | interval: 3600 41 | name: windows_update_settings_registry 42 | platform: windows 43 | query: windows_update_settings_registry 44 | - description: 'Controls enabling/disabling crash dumps. This key has a default 45 | value of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 46 | interval: 3600 47 | name: crash_dump_registry 48 | platform: windows 49 | query: crash_dump_registry 50 | - description: 'This registry key specifies the path to a DLL to be loaded by a 51 | Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83' 52 | interval: 3600 53 | name: dns_plugin_dll_registry 54 | platform: windows 55 | query: dns_plugin_dll_registry 56 | - description: The KnownDlls key defines the set of DLLs that are first searched 57 | during system startup. 58 | interval: 3600 59 | name: knowndlls_registry 60 | platform: windows 61 | query: knowndlls_registry 62 | - description: This key exists by default and has a default value of 1. 
Terminal 63 | service connections are allowed to the host when the key value is set to 0. 64 | interval: 3600 65 | name: terminal_service_deny_registry 66 | platform: windows 67 | query: terminal_service_deny_registry 68 | - description: Controls Windows command-line auditing 69 | interval: 3600 70 | name: command_line_auditing_registry 71 | platform: windows 72 | query: command_line_auditing_registry 73 | - description: 'This key (and subkeys) exist by default and are required to allow 74 | post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 75 | interval: 3600 76 | name: dr_watson_registry 77 | platform: windows 78 | query: dr_watson_registry 79 | - description: Controls how many simultaneous terminal services sessions can use 80 | the same account 81 | interval: 3600 82 | name: per_user_ts_session_registry 83 | platform: windows 84 | query: per_user_ts_session_registry 85 | - description: Controls Powershell execution policy, script execution, logging, 86 | and more. 87 | interval: 3600 88 | name: powershell_settings_registry 89 | platform: windows 90 | query: powershell_settings_registry 91 | - description: Controls enabling/disabling SMBv1. Setting this key to 0 disables 92 | the SMBv1 protocol on the host. 93 | interval: 3600 94 | name: smbv1_registry 95 | platform: windows 96 | query: smbv1_registry 97 | - description: Lists information about SecureBoot status. 98 | interval: 3600 99 | name: secure_boot_registry 100 | platform: windows 101 | query: secure_boot_registry 102 | - description: This key does not exist by default and controls enabling/disabling 103 | error reporting. Some malware creates this key and sets the value to 0 (disables 104 | error reports). 
See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx 105 | and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html 106 | interval: 3600 107 | name: error_report_registry 108 | platform: windows 109 | query: error_report_registry 110 | - description: Controls behavior, size, and rotation strategy for primary windows 111 | event log files. 112 | interval: 3600 113 | name: event_log_settings_registry 114 | platform: windows 115 | query: event_log_settings_registry 116 | - description: Controls system TPM settings 117 | interval: 3600 118 | name: tpm_registry 119 | platform: windows 120 | query: tpm_registry 121 | - description: Controls local WinRM client configuration and security. 122 | interval: 3600 123 | name: winrm_settings_registry 124 | platform: windows 125 | query: winrm_settings_registry 126 | - description: 'Controls the suppression of error dialog boxes. The default value 127 | is 0 (all messages are visible), but some malware sets this value to 2 (all 128 | messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 129 | interval: 3600 130 | name: error_mode_registry 131 | platform: windows 132 | query: error_mode_registry 133 | - description: Controls sending administrative notifications after a crash. Some 134 | malware sets this value to 0 135 | interval: 3600 136 | name: send_error_alert_registry 137 | platform: windows 138 | query: send_error_alert_registry 139 | targets: 140 | labels: 141 | - MS Windows 142 | --- 143 | apiVersion: v1 144 | kind: query 145 | spec: 146 | description: 'This key does not exist by default and controls enabling/disabling 147 | error reporting display. Some malware creates this key and sets the value to 0. 
148 | See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 149 | name: error_display_ui_registry 150 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI'; 151 | --- 152 | apiVersion: v1 153 | kind: query 154 | spec: 155 | description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename 156 | and delayed-delete capabilities. Sometimes used as a self-deletion technique for 157 | malware. 158 | name: filerenameoperations_registry 159 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 160 | Manager\FileRenameOperations'; 161 | --- 162 | apiVersion: v1 163 | kind: query 164 | spec: 165 | description: Controls which security packages store credentials in LSA memory, secure 166 | boot, etc. 167 | name: local_security_authority_registry 168 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\%%'; 169 | --- 170 | apiVersion: v1 171 | kind: query 172 | spec: 173 | description: 'This key exists by default and has a default value of 1. Setting this 174 | key to 0 disables logging errors/crashes to the System event channel. Some malware 175 | sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 176 | name: log_errors_registry 177 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent'; 178 | --- 179 | apiVersion: v1 180 | kind: query 181 | spec: 182 | description: Controls Windows security provider configurations 183 | name: security_providers_registry 184 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\%%'; 185 | --- 186 | apiVersion: v1 187 | kind: query 188 | spec: 189 | description: Controls Windows Update server location and installation behavior. 190 | name: windows_update_settings_registry 191 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\%%'; 192 | --- 193 | apiVersion: v1 194 | kind: query 195 | spec: 196 | description: 'Controls enabling/disabling crash dumps. This key has a default value 197 | of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 198 | name: crash_dump_registry 199 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled'; 200 | --- 201 | apiVersion: v1 202 | kind: query 203 | spec: 204 | description: 'This registry key specifies the path to a DLL to be loaded by a Windows 205 | DNS server. This key does not exist by default. 
Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83' 206 | name: dns_plugin_dll_registry 207 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll'; 208 | --- 209 | apiVersion: v1 210 | kind: query 211 | spec: 212 | description: The KnownDlls key defines the set of DLLs that are first searched during 213 | system startup. 214 | name: knowndlls_registry 215 | query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 216 | Manager\KnownDLLs\%%'; 217 | --- 218 | apiVersion: v1 219 | kind: query 220 | spec: 221 | description: This key exists by default and has a default value of 1. Terminal service 222 | connections are allowed to the host when the key value is set to 0 223 | name: terminal_service_deny_registry 224 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal 225 | Server\fDenyTSConnections'; 226 | --- 227 | apiVersion: v1 228 | kind: query 229 | spec: 230 | description: Controls Windows command-line auditing 231 | name: command_line_auditing_registry 232 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; 233 | --- 234 | apiVersion: v1 235 | kind: query 236 | spec: 237 | description: 'This key (and subkeys) exist by default and are required to allow 238 | post-mortem debuggers like Dr. Watson. Some malware deletes this key. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 239 | name: dr_watson_registry 240 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 241 | NT\CurrentVersion\AeDebug'; 242 | --- 243 | apiVersion: v1 244 | kind: query 245 | spec: 246 | description: Controls how many simultaneous terminal services sessions can use the 247 | same account 248 | name: per_user_ts_session_registry 249 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal 250 | Server\fSingleSessionPerUser'; 251 | --- 252 | apiVersion: v1 253 | kind: query 254 | spec: 255 | description: Controls Powershell execution policy, script execution, logging, and 256 | more. 257 | name: powershell_settings_registry 258 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\%%'; 259 | --- 260 | apiVersion: v1 261 | kind: query 262 | spec: 263 | description: Controls enabling/disabling SMBv1. Setting this key to 0 disables the 264 | SMBv1 protocol on the host. 265 | name: smbv1_registry 266 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'; 267 | --- 268 | apiVersion: v1 269 | kind: query 270 | spec: 271 | description: Lists information about SecureBoot status. 272 | name: secure_boot_registry 273 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot'; 274 | --- 275 | apiVersion: v1 276 | kind: query 277 | spec: 278 | description: This key does not exist by default and controls enabling/disabling 279 | error reporting. Some malware creates this key and sets the value to 0 (disables error 280 | reports). 
See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx 281 | and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html 282 | name: error_report_registry 283 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DoReport'; 284 | --- 285 | apiVersion: v1 286 | kind: query 287 | spec: 288 | description: Controls behavior, size, and rotation strategy for primary windows 289 | event log files. 290 | name: event_log_settings_registry 291 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\%%'; 292 | --- 293 | apiVersion: v1 294 | kind: query 295 | spec: 296 | description: Controls system TPM settings 297 | name: tpm_registry 298 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM'; 299 | --- 300 | apiVersion: v1 301 | kind: query 302 | spec: 303 | description: Controls local WinRM client configuration and security. 304 | name: winrm_settings_registry 305 | query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\%%'; 306 | --- 307 | apiVersion: v1 308 | kind: query 309 | spec: 310 | description: 'Controls the suppression of error dialog boxes. The default value 311 | is 0 (all messages are visible), but some malware sets this value to 2 (all messages 312 | are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' 313 | name: error_mode_registry 314 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode'; 315 | --- 316 | apiVersion: v1 317 | kind: query 318 | spec: 319 | description: Controls sending administrative notifications after a crash. 
Some malware 320 | sets this value to 0 321 | name: send_error_alert_registry 322 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert'; 323 | -------------------------------------------------------------------------------- /Fleet/Endpoints/packs/windows-registry-monitoring.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: windows-registry-monitoring 6 | queries: 7 | - description: Technique used by attackers to prevent computer accounts from changing 8 | their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011) 9 | interval: 3600 10 | name: computer_password_change_disabled_registry 11 | platform: windows 12 | query: computer_password_change_disabled_registry 13 | - description: Returns 0 as a result if the registry key does not exist 14 | interval: 3600 15 | name: error_mode_registry_missing 16 | platform: windows 17 | query: error_mode_registry_missing 18 | - description: Returns 0 as a result if the registry key does not exist 19 | interval: 3600 20 | name: per_user_ts_session_registry_missing 21 | platform: windows 22 | query: per_user_ts_session_registry_missing 23 | - description: Returns 0 as a result if the registry key does not exist 24 | interval: 3600 25 | name: powershell_invocationheader_registry_missing 26 | platform: windows 27 | query: powershell_invocationheader_registry_missing 28 | - description: Returns the content of the key if it does not match the expected 29 | value 30 | interval: 3600 31 | name: bitlocker_encryption_settings_registry_misconfigured 32 | platform: windows 33 | query: bitlocker_encryption_settings_registry_misconfigured 34 | - description: Returns the content of the key if it does not match the expected 35 | value 36 | interval: 3600 37 | name: bitlocker_mbam_registry_misconfigured 38 | platform: windows 39 | query: 
bitlocker_mbam_registry_misconfigured 40 | - description: Returns the content of this key if it exists, which it shouldn't 41 | by default 42 | interval: 3600 43 | name: dns_plugin_dll_registry_exists 44 | platform: windows 45 | query: dns_plugin_dll_registry_exists 46 | - description: Returns the content of this key if it exists, which it shouldn't 47 | by default 48 | interval: 3600 49 | name: error_display_ui_registry_exists 50 | platform: windows 51 | query: error_display_ui_registry_exists 52 | - description: Returns the content of the key if it does not match the expected 53 | value 54 | interval: 3600 55 | name: log_errors_registry_misconfigured 56 | platform: windows 57 | query: log_errors_registry_misconfigured 58 | - description: Returns the content of the key if it does not match the expected 59 | value 60 | interval: 3600 61 | name: subscription_manager_registry_misconfigured 62 | platform: windows 63 | query: subscription_manager_registry_misconfigured 64 | - description: Returns 0 as a result if the registry key does not exist 65 | interval: 3600 66 | name: subscription_manager_registry_missing 67 | platform: windows 68 | query: subscription_manager_registry_missing 69 | - description: Returns the content of the key if it does not match the expected 70 | value 71 | interval: 3600 72 | name: command_line_auditing_registry_misconfigured 73 | platform: windows 74 | query: command_line_auditing_registry_misconfigured 75 | - description: Returns 0 as a result if the registry key does not exist 76 | interval: 3600 77 | name: crash_dump_registry_missing 78 | platform: windows 79 | query: crash_dump_registry_missing 80 | - description: Returns the content of the key if it does not match the expected 81 | value 82 | interval: 3600 83 | name: error_mode_registry_misconfigured 84 | platform: windows 85 | query: error_mode_registry_misconfigured 86 | - description: Returns 0 as a result if the registry key does not exist 87 | interval: 3600 88 | name: 
log_errors_registry_missing 89 | platform: windows 90 | query: log_errors_registry_missing 91 | - description: Returns the content of the key if it does not match the expected 92 | value 93 | interval: 3600 94 | name: winrm_settings_registry_misconfigured 95 | platform: windows 96 | query: winrm_settings_registry_misconfigured 97 | - description: Returns the content of the key if it does not match the expected 98 | value 99 | interval: 3600 100 | name: crash_dump_registry_misconfigured 101 | platform: windows 102 | query: crash_dump_registry_misconfigured 103 | - description: Detect a registry based persistence mechanism that allows an attacker 104 | to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105) 105 | interval: 3600 106 | name: physicalstore_dll_registry_persistence 107 | platform: windows 108 | query: physicalstore_dll_registry_persistence 109 | - description: Returns the content of the key if it does not match the expected 110 | value 111 | interval: 3600 112 | name: powershell_logging_registry_misconfigured 113 | platform: windows 114 | query: powershell_logging_registry_misconfigured 115 | - description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)' 116 | interval: 3600 117 | name: amsi_disabled_registry 118 | platform: windows 119 | query: amsi_disabled_registry 120 | - description: Controls how often to rotate the local computer password (defaults 121 | to 30 days). A modification of this value may be an indicator of attacker activity. 
122 | interval: 3600 123 | name: computer_maximum_password_age_changed_registry 124 | platform: windows 125 | query: computer_maximum_password_age_changed_registry 126 | - description: Returns 0 as a result if the registry key does not exist 127 | interval: 3600 128 | name: dr_watson_registry_missing 129 | platform: windows 130 | query: dr_watson_registry_missing 131 | - description: Returns the content of the key if it does not match the expected 132 | value 133 | interval: 3600 134 | name: per_user_ts_session_registry_misconfigured 135 | platform: windows 136 | query: per_user_ts_session_registry_misconfigured 137 | - description: Registry based persistence mechanism to load DLLs at reboot time 138 | and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). 139 | Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will 140 | remain. 141 | interval: 3600 142 | name: runonceex_persistence_registry 143 | platform: windows 144 | query: runonceex_persistence_registry 145 | - description: Returns 0 as a result if the registry key does not exist 146 | interval: 3600 147 | name: smbv1_registry_missing 148 | platform: windows 149 | query: smbv1_registry_missing 150 | - description: Returns 0 as a result if the registry key does not exist 151 | interval: 3600 152 | name: powershell_transcription_logging_registry_missing 153 | platform: windows 154 | query: powershell_transcription_logging_registry_missing 155 | - description: Returns 0 as a result if the registry key does not exist 156 | interval: 3600 157 | name: powershell_module_logging_registry_missing 158 | platform: windows 159 | query: powershell_module_logging_registry_missing 160 | - description: Returns 0 as a result if the registry key does not exist 161 | interval: 3600 162 | name: powershell_scriptblock_logging_registry_missing 163 | platform: windows 164 | query: powershell_scriptblock_logging_registry_missing 165 | - 
description: Returns the content of the key if it does not match the expected 166 | value 167 | interval: 3600 168 | name: bitlocker_mbam_endpoint_registry_misconfigured 169 | platform: windows 170 | query: bitlocker_mbam_endpoint_registry_misconfigured 171 | - description: Returns 0 as a result if the registry key does not exist 172 | interval: 3600 173 | name: command_line_auditing_registry_missing 174 | platform: windows 175 | query: command_line_auditing_registry_missing 176 | - description: "" 177 | interval: 3600 178 | name: smbv1_registry_misconfigured 179 | platform: windows 180 | query: smbv1_registry_misconfigured 181 | - description: Returns the content of this key if it exists, which it shouldn't 182 | by default 183 | interval: 3600 184 | name: send_error_alert_registry_exists 185 | platform: windows 186 | query: send_error_alert_registry_exists 187 | targets: 188 | labels: 189 | - MS Windows 190 | --- 191 | apiVersion: v1 192 | kind: query 193 | spec: 194 | description: Technique used by attackers to prevent computer accounts from changing 195 | their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011) 196 | name: computer_password_change_disabled_registry 197 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange' 198 | AND data!=0; 199 | --- 200 | apiVersion: v1 201 | kind: query 202 | spec: 203 | description: Returns 0 as a result if the registry key does not exist 204 | name: error_mode_registry_missing 205 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 206 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode') 207 | WHERE key_exists!=1; 208 | --- 209 | apiVersion: v1 210 | kind: query 211 | spec: 212 | description: Returns 0 as a result if the registry key does not exist 213 | name: per_user_ts_session_registry_missing 214 | query: SELECT 
IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 215 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal 216 | Server\fSingleSessionPerUser') WHERE key_exists!=1; 217 | --- 218 | apiVersion: v1 219 | kind: query 220 | spec: 221 | description: Returns 0 as a result if the registry key does not exist 222 | name: powershell_invocationheader_registry_missing 223 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 224 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader') 225 | WHERE key_exists!=1; 226 | --- 227 | apiVersion: v1 228 | kind: query 229 | spec: 230 | description: Returns the content of the key if it does not match the expected value 231 | name: bitlocker_encryption_settings_registry_misconfigured 232 | query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ShouldEncryptOSDrive' 233 | OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\OSDriveProtector') 234 | AND data!=1; 235 | --- 236 | apiVersion: v1 237 | kind: query 238 | spec: 239 | description: Returns the content of the key if it does not match the expected value 240 | name: bitlocker_mbam_registry_misconfigured 241 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\UseMBAMServices' 242 | AND data!=1; 243 | --- 244 | apiVersion: v1 245 | kind: query 246 | spec: 247 | description: Returns the content of this key if it exists, which it shouldn't by 248 | default 249 | name: dns_plugin_dll_registry_exists 250 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll'; 251 | --- 252 | apiVersion: v1 253 | kind: query 254 | spec: 255 | description: Returns the content of this key if it exists, which it 
shouldn't by 256 | default 257 | name: error_display_ui_registry_exists 258 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI'; 259 | --- 260 | apiVersion: v1 261 | kind: query 262 | spec: 263 | description: Returns the content of the key if it does not match the expected value 264 | name: log_errors_registry_misconfigured 265 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent' 266 | AND data!=1; 267 | --- 268 | apiVersion: v1 269 | kind: query 270 | spec: 271 | description: 'Returns the content of the key if it does not match the expected value. The expected value in the query (Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC) is a placeholder and must be replaced with the URL of your own event collector before deployment, otherwise every host is reported as misconfigured; the two data!= predicates compare against the same string, so the second one is redundant. The placeholder uses plain HTTP on 5985 - make the expected value match the scheme and port your collector actually uses.' 272 | name: subscription_manager_registry_misconfigured 273 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1' 274 | AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC' 275 | AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC'); 276 | --- 277 | apiVersion: v1 278 | kind: query 279 | spec: 280 | description: Returns 0 as a result if the registry key does not exist 281 | name: subscription_manager_registry_missing 282 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 283 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1') 284 | WHERE key_exists!=1; 285 | --- 286 | apiVersion: v1 287 | kind: query 288 | spec: 289 | description: Returns the content of the key if it does not match the expected value 290 | name: command_line_auditing_registry_misconfigured 291 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled' 292 | AND data!=1; 293 | --- 294 | apiVersion: v1 295 | kind: query 296 | spec: 297 | description: Returns 0 as a 
result if the registry key does not exist 298 | name: crash_dump_registry_missing 299 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 300 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled') 301 | WHERE key_exists!=1; 302 | --- 303 | apiVersion: v1 304 | kind: query 305 | spec: 306 | description: Returns the content of the key if it does not match the expected value 307 | name: error_mode_registry_misconfigured 308 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode' 309 | AND data=2; 310 | --- 311 | apiVersion: v1 312 | kind: query 313 | spec: 314 | description: Returns 0 as a result if the registry key does not exist 315 | name: log_errors_registry_missing 316 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 317 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent') 318 | WHERE key_exists!=1; 319 | --- 320 | apiVersion: v1 321 | kind: query 322 | spec: 323 | description: Returns the content of the key if it does not match the expected value 324 | name: winrm_settings_registry_misconfigured 325 | query: 'SELECT * FROM registry WHERE (path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic'' 326 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowCredSSP'' 327 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic'' 328 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest'' 329 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic'' 330 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP'' 331 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic'' 
332 | OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess'') 333 | AND data!=0; ' 334 | --- 335 | apiVersion: v1 336 | kind: query 337 | spec: 338 | description: Returns the content of the key if it does not match the expected value 339 | name: crash_dump_registry_misconfigured 340 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled' 341 | AND data=0; 342 | --- 343 | apiVersion: v1 344 | kind: query 345 | spec: 346 | description: Detect a registry based persistence mechanism that allows an attacker 347 | to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105). Note that SQL evaluates AND before OR, so the two name!= exclusions in the query (#16 and Ldap) apply only to the HKEY_LOCAL_MACHINE CertDllOpenStoreProv path and not to the per-user PhysicalStores path; parenthesize the WHERE clause if the exclusions are meant to cover both. 348 | name: physicalstore_dll_registry_persistence 349 | query: SELECT key, path, name, mtime, username FROM registry r, users WHERE path 350 | LIKE 'HKEY_USERS\'||uuid||'\Software\Microsoft\SystemCertificates\CA\PhysicalStores\%%' 351 | OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 352 | 0\CertDllOpenStoreProv\%%' AND name!='#16' AND name!='Ldap'; 353 | --- 354 | apiVersion: v1 355 | kind: query 356 | spec: 357 | description: Returns the content of the key if it does not match the expected value 358 | name: powershell_logging_registry_misconfigured 359 | query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging' 360 | OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging' 361 | OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting' 362 | OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader') 363 | AND data!=1; 364 | --- 365 | apiVersion: v1 366 | kind: query 367 | spec: 368 | description: 'A registry key can be 
created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)' 369 | name: amsi_disabled_registry 370 | query: SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users 371 | WHERE path = 'HKEY_USERS\'||uuid||'\Software\Microsoft\Windows Script\Settings\AmsiEnable' 372 | AND data=0; 373 | --- 374 | apiVersion: v1 375 | kind: query 376 | spec: 377 | description: Controls how often to rotate the local computer password (defaults 378 | to 30 days). A modification of this value may be an indicator of attacker activity. 379 | name: computer_maximum_password_age_changed_registry 380 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge' 381 | and data!=30; 382 | --- 383 | apiVersion: v1 384 | kind: query 385 | spec: 386 | description: Returns 0 as a result if the registry key does not exist 387 | name: dr_watson_registry_missing 388 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 389 | FROM registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug') 390 | WHERE key_exists!=2; 391 | --- 392 | apiVersion: v1 393 | kind: query 394 | spec: 395 | description: Returns the content of the key if it does not match the expected value 396 | name: per_user_ts_session_registry_misconfigured 397 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal 398 | Server\fSingleSessionPerUser' AND data!=1; 399 | --- 400 | apiVersion: v1 401 | kind: query 402 | spec: 403 | description: Registry based persistence mechanism to load DLLs at reboot time and 404 | avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). 405 | Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will 406 | remain. 
407 | name: runonceex_persistence_registry 408 | query: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'; 409 | --- 410 | apiVersion: v1 411 | kind: query 412 | spec: 413 | description: Returns 0 as a result if the registry key does not exist 414 | name: smbv1_registry_missing 415 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 416 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1') 417 | WHERE key_exists!=1; 418 | --- 419 | apiVersion: v1 420 | kind: query 421 | spec: 422 | description: Returns 0 as a result if the registry key does not exist 423 | name: powershell_transcription_logging_registry_missing 424 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 425 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting') 426 | WHERE key_exists!=1; 427 | --- 428 | apiVersion: v1 429 | kind: query 430 | spec: 431 | description: Returns 0 as a result if the registry key does not exist 432 | name: powershell_module_logging_registry_missing 433 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 434 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging') 435 | WHERE key_exists!=1; 436 | --- 437 | apiVersion: v1 438 | kind: query 439 | spec: 440 | description: Returns 0 as a result if the registry key does not exist 441 | name: powershell_scriptblock_logging_registry_missing 442 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 443 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging') 444 | WHERE key_exists!=1; 445 | --- 446 | apiVersion: v1 447 | kind: query 448 | spec: 449 | description: 
Returns the content of the key if it does not match the expected value. The expected value in the query (https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc) is a placeholder and must be replaced with your own MBAM recovery service endpoint, otherwise every host that has this policy set is reported as misconfigured. 450 | name: bitlocker_mbam_endpoint_registry_misconfigured 451 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\KeyRecoveryServiceEndPoint' 452 | AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc'; 453 | --- 454 | apiVersion: v1 455 | kind: query 456 | spec: 457 | description: Returns 0 as a result if the registry key does not exist 458 | name: command_line_auditing_registry_missing 459 | query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count 460 | FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled') 461 | WHERE key_exists!=1; 462 | --- 463 | apiVersion: v1 464 | kind: query 465 | spec: description: Returns the SMB1 value under LanmanServer\Parameters whenever it is not 0, the value this pack expects (SMBv1 explicitly disabled); the companion smbv1_registry_missing query covers the case where the value is absent altogether. 466 | name: smbv1_registry_misconfigured 467 | query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' 468 | AND data!=0; 469 | --- 470 | apiVersion: v1 471 | kind: query 472 | spec: 473 | description: Returns the content of this key if it exists, which it shouldn't by 474 | default 475 | name: send_error_alert_registry_exists 476 | query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert'; 477 | -------------------------------------------------------------------------------- /Fleet/Servers/Linux/osquery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: pack 4 | spec: 5 | name: LinuxPack 6 | queries: 7 | - description: Retrieves all the jobs scheduled in crontab in the target system. 8 | interval: 86400 9 | name: crontab_snapshot 10 | platform: linux 11 | query: crontab_snapshot 12 | snapshot: true 13 | - description: Various Linux kernel integrity checked attributes. 
14 | interval: 86400 15 | name: kernel_integrity 16 | platform: linux 17 | query: kernel_integrity 18 | - description: Linux kernel modules both loaded and within the load search path. 19 | interval: 3600 20 | name: kernel_modules 21 | platform: linux 22 | query: kernel_modules 23 | - description: Retrieves the current list of mounted drives in the target system. 24 | interval: 86400 25 | name: mounts 26 | platform: linux 27 | query: mounts 28 | - description: Socket events collected from the audit framework 29 | interval: 10 30 | name: socket_events 31 | platform: linux 32 | query: socket_events 33 | - description: Record the network interfaces and their associated IP and MAC addresses 34 | interval: 600 35 | name: network_interfaces_snapshot 36 | platform: linux 37 | query: network_interfaces_snapshot 38 | snapshot: true 39 | - description: Information about the running osquery configuration 40 | interval: 86400 41 | name: osquery_info 42 | platform: linux 43 | query: osquery_info 44 | snapshot: true 45 | - description: Display all installed RPM packages 46 | interval: 86400 47 | name: rpm_packages 48 | platform: centos 49 | query: rpm_packages 50 | snapshot: true 51 | - description: Record shell history for all users on system (instead of just root) 52 | interval: 3600 53 | name: shell_history 54 | platform: linux 55 | query: shell_history 56 | - description: File events collected from file integrity monitoring 57 | interval: 10 58 | name: file_events 59 | platform: linux 60 | query: file_events 61 | removed: false 62 | - description: Retrieve the EC2 metadata for this endpoint 63 | interval: 3600 64 | name: ec2_instance_metadata 65 | platform: linux 66 | query: ec2_instance_metadata 67 | - description: Retrieve the EC2 tags for this endpoint 68 | interval: 3600 69 | name: ec2_instance_tags 70 | platform: linux 71 | query: ec2_instance_tags 72 | - description: Snapshot query to retrieve the EC2 tags for this instance 73 | interval: 86400 74 | name: 
ec2_instance_tags_snapshot 75 | platform: linux 76 | query: ec2_instance_tags_snapshot 77 | snapshot: true 78 | - description: Retrieves the current filters and chains per filter in the target 79 | system. 80 | interval: 86400 81 | name: iptables 82 | platform: linux 83 | query: iptables 84 | - description: Display any SUID binaries that are owned by root 85 | interval: 86400 86 | name: suid_bin 87 | platform: linux 88 | query: suid_bin 89 | - description: Display all installed DEB packages 90 | interval: 86400 91 | name: deb_packages 92 | platform: ubuntu 93 | query: deb_packages 94 | snapshot: true 95 | - description: Find shell processes that have open sockets 96 | interval: 600 97 | name: behavioral_reverse_shell 98 | platform: linux 99 | query: behavioral_reverse_shell 100 | - description: Retrieves all the jobs scheduled in crontab in the target system. 101 | interval: 3600 102 | name: crontab 103 | platform: linux 104 | query: crontab 105 | - description: Local system users. 106 | interval: 86400 107 | name: users 108 | platform: linux 109 | query: users 110 | - description: Process events collected from the audit framework 111 | interval: 10 112 | name: process_events 113 | platform: linux 114 | query: process_events 115 | - description: Retrieves the list of the latest logins with PID, username and timestamp. 
116 | interval: 3600 117 | name: last 118 | platform: linux 119 | query: last 120 | - description: Any processes that run with an LD_PRELOAD environment variable 121 | interval: 60 122 | name: ld_preload 123 | platform: linux 124 | query: ld_preload 125 | snapshot: true 126 | - description: Information about the system hardware and name 127 | interval: 86400 128 | name: system_info 129 | platform: linux 130 | query: system_info 131 | snapshot: true 132 | - description: Returns the private keys in the users ~/.ssh directory and whether 133 | or not they are encrypted 134 | interval: 86400 135 | name: user_ssh_keys 136 | platform: linux 137 | query: user_ssh_keys 138 | - description: Local system users. 139 | interval: 86400 140 | name: users_snapshot 141 | platform: linux 142 | query: users_snapshot 143 | snapshot: true 144 | - description: DNS resolvers used by the host 145 | interval: 3600 146 | name: dns_resolvers 147 | platform: linux 148 | query: dns_resolvers 149 | - description: Retrieves information from the current kernel in the target system. 150 | interval: 86400 151 | name: kernel_info 152 | platform: linux 153 | query: kernel_info 154 | snapshot: true 155 | - description: Linux kernel modules both loaded and within the load search path. 156 | interval: 86400 157 | name: kernel_modules_snapshot 158 | platform: linux 159 | query: kernel_modules_snapshot 160 | snapshot: true 161 | - description: Generates an event if ld.so.preload is present - used by rootkits 162 | such as Jynx 163 | interval: 3600 164 | name: ld_so_preload_exists 165 | platform: linux 166 | query: ld_so_preload_exists 167 | snapshot: true 168 | - description: Records system/user time, db size, and many other system metrics 169 | interval: 1800 170 | name: runtime_perf 171 | platform: linux 172 | query: runtime_perf 173 | - description: Retrieves all the entries in the target system /etc/hosts file. 
174 | interval: 86400 175 | name: etc_hosts_snapshot 176 | platform: linux 177 | query: etc_hosts_snapshot 178 | snapshot: true 179 | - description: Snapshot query to retrieve the EC2 metadata for this endpoint 180 | interval: 86400 181 | name: ec2_instance_metadata_snapshot 182 | platform: linux 183 | query: ec2_instance_metadata_snapshot 184 | snapshot: true 185 | - description: "" 186 | interval: 10 187 | name: hardware_events 188 | platform: linux 189 | query: hardware_events 190 | removed: false 191 | - description: Information about memory usage on the system 192 | interval: 3600 193 | name: memory_info 194 | platform: linux 195 | query: memory_info 196 | - description: Displays information from /proc/stat file about the time the CPU 197 | cores spent in different parts of the system 198 | interval: 3600 199 | name: cpu_time 200 | platform: linux 201 | query: cpu_time 202 | - description: Retrieves all the entries in the target system /etc/hosts file. 203 | interval: 3600 204 | name: etc_hosts 205 | platform: linux 206 | query: etc_hosts 207 | - description: Retrieves information from the Operating System where osquery is 208 | currently running. 209 | interval: 86400 210 | name: os_version 211 | platform: linux 212 | query: os_version 213 | snapshot: true 214 | - description: A snapshot of all processes running on the host. Useful for outlier 215 | analysis. 216 | interval: 86400 217 | name: processes_snapshot 218 | platform: linux 219 | query: processes_snapshot 220 | snapshot: true 221 | - description: Retrieves the current list of USB devices in the target system. 222 | interval: 120 223 | name: usb_devices 224 | platform: linux 225 | query: usb_devices 226 | - description: A line-delimited authorized_keys table. 227 | interval: 86400 228 | name: authorized_keys 229 | platform: linux 230 | query: authorized_keys 231 | - description: Display apt package manager sources. 
232 | interval: 86400 233 | name: apt_sources 234 | platform: ubuntu 235 | query: apt_sources 236 | snapshot: true 237 | - description: Gather information about processes that are listening on a socket. 238 | interval: 86400 239 | name: listening_ports 240 | platform: linux 241 | query: listening_ports 242 | snapshot: true 243 | - description: Display yum package manager sources. 244 | interval: 86400 245 | name: yum_sources 246 | platform: centos 247 | query: yum_sources 248 | snapshot: true 249 | targets: 250 | labels: 251 | - Ubuntu Linux 252 | - CentOS Linux 253 | --- 254 | apiVersion: v1 255 | kind: query 256 | spec: 257 | description: Retrieves all the jobs scheduled in crontab in the target system. 258 | name: crontab_snapshot 259 | query: SELECT * FROM crontab; 260 | --- 261 | apiVersion: v1 262 | kind: query 263 | spec: 264 | description: Various Linux kernel integrity checked attributes. 265 | name: kernel_integrity 266 | query: SELECT * FROM kernel_integrity; 267 | --- 268 | apiVersion: v1 269 | kind: query 270 | spec: 271 | description: Linux kernel modules both loaded and within the load search path. 272 | name: kernel_modules 273 | query: SELECT * FROM kernel_modules; 274 | --- 275 | apiVersion: v1 276 | kind: query 277 | spec: 278 | description: Retrieves the current list of mounted drives in the target system. 
279 | name: mounts 280 | query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts; 281 | --- 282 | apiVersion: v1 283 | kind: query 284 | spec: 285 | description: Socket events collected from the audit framework. Only successful connections are kept, and loopback, unspecified and empty remote addresses are dropped as noise. 169.254.169.254 (the EC2 instance metadata service) is dropped as well, presumably because the ec2_instance_* queries in this pack poll it themselves; be aware that this also hides any other process reaching the metadata service, which is a common target for credential theft, so remove it from the list if that visibility matters more than the noise. 286 | name: socket_events 287 | query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address, 288 | remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN 289 | ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', 290 | '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 291 | 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000'); 292 | --- 293 | apiVersion: v1 294 | kind: query 295 | spec: 296 | description: Record the network interfaces and their associated IP and MAC addresses 297 | name: network_interfaces_snapshot 298 | query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details 299 | d USING (interface); 300 | --- 301 | apiVersion: v1 302 | kind: query 303 | spec: 304 | description: Information about the running osquery configuration 305 | name: osquery_info 306 | query: SELECT * FROM osquery_info; 307 | --- 308 | apiVersion: v1 309 | kind: query 310 | spec: 311 | description: Display all installed RPM packages 312 | name: rpm_packages 313 | query: SELECT name, version, release, arch FROM rpm_packages; 314 | --- 315 | apiVersion: v1 316 | kind: query 317 | spec: 318 | description: Record shell history for all users on system (instead of just root) 319 | name: shell_history 320 | query: SELECT * FROM users CROSS JOIN shell_history USING (uid); 321 | --- 322 | apiVersion: v1 323 | kind: query 324 | spec: 325 | description: File events collected from file integrity monitoring 326 | name: file_events 327 | query: SELECT * FROM file_events; 328 | --- 329 | apiVersion: v1 330 | kind: query 331 | spec: 332 | description: Retrieve the EC2 metadata for this endpoint 333 | 
name: ec2_instance_metadata 334 | query: SELECT * FROM ec2_instance_metadata; 335 | --- 336 | apiVersion: v1 337 | kind: query 338 | spec: 339 | description: Retrieve the EC2 tags for this endpoint 340 | name: ec2_instance_tags 341 | query: SELECT * FROM ec2_instance_tags; 342 | --- 343 | apiVersion: v1 344 | kind: query 345 | spec: 346 | description: Snapshot query to retrieve the EC2 tags for this instance 347 | name: ec2_instance_tags_snapshot 348 | query: SELECT * FROM ec2_instance_tags; 349 | --- 350 | apiVersion: v1 351 | kind: query 352 | spec: 353 | description: Retrieves the current filters and chains per filter in the target system. 354 | name: iptables 355 | query: SELECT * FROM iptables; 356 | --- 357 | apiVersion: v1 358 | kind: query 359 | spec: 360 | description: Display any SUID binaries that are owned by root 361 | name: suid_bin 362 | query: SELECT * FROM suid_bin; 363 | --- 364 | apiVersion: v1 365 | kind: query 366 | spec: 367 | description: Display all installed DEB packages 368 | name: deb_packages 369 | query: SELECT * FROM deb_packages; 370 | --- 371 | apiVersion: v1 372 | kind: query 373 | spec: 374 | description: Find shell processes that have open sockets, a heuristic for reverse shells. Only processes named sh or bash are considered, so other shell binaries (zsh, dash, ...) are not covered, and only 10.x and 192.168.x remote addresses are treated as internal - the 172.16.0.0/12 private range and IPv6 addresses are not excluded. Tune both lists to your environment before relying on this query. 375 | name: behavioral_reverse_shell 376 | query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, 377 | processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, 378 | processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, 379 | (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS 380 | parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER 381 | JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' 382 | OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address 383 | NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%'; 384 | --- 385 | apiVersion: v1 386 | kind: query 387 | spec: 388 | 
description: Retrieves all the jobs scheduled in crontab in the target system. 389 | name: crontab 390 | query: SELECT * FROM crontab; 391 | --- 392 | apiVersion: v1 393 | kind: query 394 | spec: 395 | description: Local system users. 396 | name: users 397 | query: SELECT * FROM users; 398 | --- 399 | apiVersion: v1 400 | kind: query 401 | spec: 402 | description: Process events collected from the audit framework 403 | name: process_events 404 | query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, 405 | uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', 406 | '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', 407 | '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline 408 | NOT LIKE '%secret%'; 409 | --- 410 | apiVersion: v1 411 | kind: query 412 | spec: 413 | description: Retrieves the list of the latest logins with PID, username and timestamp. 414 | name: last 415 | query: SELECT * FROM last; 416 | --- 417 | apiVersion: v1 418 | kind: query 419 | spec: 420 | description: Any processes that run with an LD_PRELOAD environment variable 421 | name: ld_preload 422 | query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, 423 | processes.path, processes.cmdline, processes.cwd FROM process_envs join processes 424 | USING (pid) WHERE key = 'LD_PRELOAD'; 425 | --- 426 | apiVersion: v1 427 | kind: query 428 | spec: 429 | description: Information about the system hardware and name 430 | name: system_info 431 | query: SELECT * FROM system_info; 432 | --- 433 | apiVersion: v1 434 | kind: query 435 | spec: 436 | description: Returns the paths of private keys in each user's ~/.ssh directory and whether 437 | or not they are encrypted 438 | name: user_ssh_keys 439 | query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); 440 | --- 441 | apiVersion: v1 442 | kind: query 443 | spec: 444 | description: Local system users. 
445 | name: users_snapshot 446 | query: SELECT * FROM users; 447 | --- 448 | apiVersion: v1 449 | kind: query 450 | spec: 451 | description: DNS resolvers used by the host 452 | name: dns_resolvers 453 | query: SELECT * FROM dns_resolvers; 454 | --- 455 | apiVersion: v1 456 | kind: query 457 | spec: 458 | description: Retrieves information from the current kernel in the target system. 459 | name: kernel_info 460 | query: SELECT * FROM kernel_info; 461 | --- 462 | apiVersion: v1 463 | kind: query 464 | spec: 465 | description: Linux kernel modules both loaded and within the load search path. 466 | name: kernel_modules_snapshot 467 | query: SELECT * FROM kernel_modules; 468 | --- 469 | apiVersion: v1 470 | kind: query 471 | spec: 472 | description: Generates an event if ld.so.preload is present - used by rootkits such 473 | as Jynx 474 | name: ld_so_preload_exists 475 | query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!=''; 476 | --- 477 | apiVersion: v1 478 | kind: query 479 | spec: 480 | description: Records system/user time, db size, and many other system metrics 481 | name: runtime_perf 482 | query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename 483 | AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes 484 | AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, 485 | processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT 486 | value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE 487 | path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid; 488 | --- 489 | apiVersion: v1 490 | kind: query 491 | spec: 492 | description: Retrieves all the entries in the target system /etc/hosts file. 
493 | name: etc_hosts_snapshot 494 | query: SELECT * FROM etc_hosts; 495 | --- 496 | apiVersion: v1 497 | kind: query 498 | spec: 499 | description: Snapshot query to retrieve the EC2 metadata for this endpoint 500 | name: ec2_instance_metadata_snapshot 501 | query: SELECT * FROM ec2_instance_metadata; 502 | --- 503 | apiVersion: v1 504 | kind: query 505 | spec: 506 | name: hardware_events 507 | query: SELECT * FROM hardware_events; 508 | --- 509 | apiVersion: v1 510 | kind: query 511 | spec: 512 | description: Information about memory usage on the system 513 | name: memory_info 514 | query: SELECT * FROM memory_info; 515 | --- 516 | apiVersion: v1 517 | kind: query 518 | spec: 519 | description: Displays information from /proc/stat file about the time the CPU cores 520 | spent in different parts of the system 521 | name: cpu_time 522 | query: SELECT * FROM cpu_time; 523 | --- 524 | apiVersion: v1 525 | kind: query 526 | spec: 527 | description: Retrieves all the entries in the target system /etc/hosts file. 528 | name: etc_hosts 529 | query: SELECT * FROM etc_hosts; 530 | --- 531 | apiVersion: v1 532 | kind: query 533 | spec: 534 | description: Retrieves information from the Operating System where osquery is currently 535 | running. 536 | name: os_version 537 | query: SELECT * FROM os_version; 538 | --- 539 | apiVersion: v1 540 | kind: query 541 | spec: 542 | description: A snapshot of all processes running on the host. Useful for outlier 543 | analysis. 544 | name: processes_snapshot 545 | query: select name, path, cmdline, cwd, on_disk from processes; 546 | --- 547 | apiVersion: v1 548 | kind: query 549 | spec: 550 | description: Retrieves the current list of USB devices in the target system. 551 | name: usb_devices 552 | query: SELECT * FROM usb_devices; 553 | --- 554 | apiVersion: v1 555 | kind: query 556 | spec: 557 | description: A line-delimited authorized_keys table. 
558 | name: authorized_keys 559 | query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); 560 | --- 561 | apiVersion: v1 562 | kind: query 563 | spec: 564 | description: Display apt package manager sources. 565 | name: apt_sources 566 | query: SELECT * FROM apt_sources; 567 | --- 568 | apiVersion: v1 569 | kind: query 570 | spec: 571 | description: Gather information about processes that are listening on a socket. 572 | name: listening_ports 573 | query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0; 574 | --- 575 | apiVersion: v1 576 | kind: query 577 | spec: 578 | description: Display yum package manager sources. 579 | name: yum_sources 580 | query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources; 581 | -------------------------------------------------------------------------------- /Fleet/Servers/options.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: options 3 | spec: 4 | config: 5 | decorators: 6 | load: 7 | - SELECT uuid AS host_uuid FROM system_info; 8 | - SELECT hostname AS hostname FROM system_info; 9 | file_paths: 10 | binaries: 11 | - /usr/bin/%% 12 | - /usr/sbin/%% 13 | - /bin/%% 14 | - /sbin/%% 15 | - /usr/local/bin/%% 16 | - /usr/local/sbin/%% 17 | configuration: 18 | - /etc/passwd 19 | - /etc/shadow 20 | - /etc/ld.so.preload 21 | - /etc/ld.so.conf 22 | - /etc/ld.so.conf.d/%% 23 | - /etc/pam.d/%% 24 | - /etc/resolv.conf 25 | - /etc/rc%/%% 26 | - /etc/my.cnf 27 | - /etc/modules 28 | - /etc/hosts 29 | - /etc/hostname 30 | - /etc/fstab 31 | - /etc/crontab 32 | - /etc/cron%/%% 33 | - /etc/init/%% 34 | - /etc/rsyslog.conf 35 | options: 36 | audit_allow_config: true 37 | audit_allow_sockets: true 38 | audit_persist: true 39 | disable_audit: false 40 | events_expiry: 1 41 | events_max: 500000 42 | disable_distributed: false 43 | disable_subscribers: user_events 44 | distributed_interval: 10 45 | 
distributed_plugin: tls 46 | distributed_tls_max_attempts: 3 47 | distributed_tls_read_endpoint: /api/v1/osquery/distributed/read 48 | distributed_tls_write_endpoint: /api/v1/osquery/distributed/write 49 | logger_min_status: 1 50 | logger_plugin: tls 51 | logger_snapshot_event_type: true 52 | logger_tls_endpoint: /api/v1/osquery/log 53 | logger_tls_period: 10 54 | pack_delimiter: / 55 | schedule_splay_percent: 10 56 | watchdog_memory_limit: 350 57 | watchdog_utilization_limit: 130 58 | overrides: {} 59 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # License 2 | MIT License 3 | 4 | Copyright (c) 2017 Palantir Technologies Inc. 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | SOFTWARE. 
23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Palantir osquery Configuration 2 | 3 | ## About This Repository 4 | This repository is the companion to the [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) blog post. 5 | 6 | The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is 7 | our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is 8 | exactly what we have done with our [unwanted-chrome-extensions](https://github.com/facebook/osquery/pull/3889) query pack and [additions](https://github.com/facebook/osquery/pull/3922) to the windows-attacks pack. 9 | 10 | However, we have included additional query packs 11 | that are more tailored to our specific environment; these may be useful to some organizations, or at least serve as a reference for others. osquery operates best when 12 | operators have carefully considered the datasets to be collected and the potential use-cases for that data. 
13 | * [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf) 14 | * [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf) 15 | * [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf) 16 | * [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf) 17 | * [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf) 18 | 19 | 20 | **Note**: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below: 21 | * [ossec-rootkit.conf](https://github.com/facebook/osquery/blob/master/packs/ossec-rootkit.conf) 22 | * [osx-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf) 23 | * [unwanted-chrome-extensions.conf](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf) 24 | * [windows-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/windows-attacks.conf) 25 | 26 | ## Repository Layout 27 | This repository is organized as follows: 28 | * At the top level, there are two directories titled "Classic" and "Fleet" 29 | * The [Classic](./Classic/) directory contains configuration files for a standard osquery deployment 30 | * The [Fleet](./Fleet/) directory contains YAML files to be imported into Kolide's [Fleet](https://github.com/kolide/fleet) osquery management tool 31 | 32 | Within each of those folders, you will find the following subdirectories: 33 | * **Endpoints**: The contents of this folder are tailored towards monitoring 
MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder is set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day. 34 | * **Servers**: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect a substantially higher volume of logs to be returned from the agent. 35 | 36 | 37 | ## Using This Repository 38 | **Note**: We recommend that you spin up a lab environment before deploying any of these configurations to a production 39 | environment. 40 | 41 | **Endpoints Configuration Overview** 42 | * The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day 43 | * The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing. 44 | * File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf) 45 | * Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs. 46 | * These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them 47 | 48 | **Servers Configuration Overview** 49 | * This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times 50 | * Auditing mode is enabled for processes and network events. 
Ensure auditd is disabled or removed from the system where this will run, as it may conflict with osqueryd. 51 | * File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf) 52 | * Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack to be located at `/etc/osquery/packs/ossec-rootkit.conf` 53 | * The subscriber for `user_events` is disabled 54 | 55 | ## Quickstart - Classic 56 | 1. [Install osquery](https://osquery.io/downloads/) 57 | 2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below 58 | 3. Start osquery via `sudo osqueryctl start` on Linux/MacOS or `Start-Process osqueryd` on Windows 59 | 4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows) 60 | 61 | ## Quickstart - Fleet 62 | 1. Install Fleet version 2.0.0 or higher 63 | 2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate flags 64 | 3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server 65 | 4. 
Assuming you'd like to use the endpoint configs, you can use the commands below to apply them: 66 | 67 | ``` 68 | git clone https://github.com/palantir/osquery-configuration.git 69 | fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml 70 | fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml 71 | fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml 72 | for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; 73 | do fleetctl apply -f "$pack" 74 | done 75 | ``` 76 | 77 | The desired osquery directory structure for Linux, MacOS, and Windows is outlined below: 78 | 79 | **Linux** 80 | ``` 81 | $ git clone https://github.com/palantir/osquery-configuration.git 82 | $ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery 83 | $ sudo osqueryctl start 84 | 85 | /etc/osquery 86 | ├── osquery.conf 87 | ├── osquery.db 88 | ├── osquery.flags 89 | └── packs 90 | └── ossec-rootkit.conf 91 | 92 | ``` 93 | **MacOS** 94 | ``` 95 | $ git clone https://github.com/palantir/osquery-configuration.git 96 | $ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery 97 | $ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs 98 | $ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing 99 | $ sudo osqueryctl start 100 | 101 | /var/osquery 102 | ├── certfile.crt [if using TLS endpoint] 103 | ├── osquery.conf 104 | ├── osquery.db 105 | ├── osquery.flags 106 | └── packs 107 | ├── performance-metrics.conf 108 | ├── security-tooling-checks.conf 109 | ├── unwanted-chrome-extensions.conf 110 | └── osx-attacks.conf 111 | ``` 112 | 113 | **Windows** 114 | ``` 115 | PS> git clone https://github.com/palantir/osquery-configuration.git 116 | PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery 117 | PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs 118 | PS> copy-item 
c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing 119 | PS> start-service osqueryd 120 | 121 | c:\ProgramData\osquery 122 | ├── certfile.crt [if using TLS endpoint] 123 | ├── log 124 | ├── osquery.conf 125 | ├── osquery.db 126 | ├── osquery.flags 127 | ├── osqueryi.exe 128 | ├─── osqueryd 129 | | └── osqueryd.exe 130 | └── packs 131 | ├── performance-metrics.conf 132 | ├── security-tooling-checks.conf 133 | ├── unwanted-chrome-extensions.conf 134 | ├── windows-application-security.conf 135 | ├── windows-compliance.conf 136 | ├── windows-registry-monitoring.conf 137 | └── windows-attacks.conf 138 | ``` 139 | 140 | ## Contributing 141 | Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. 142 | 143 | ## License 144 | MIT License 145 | 146 | Copyright (c) 2017 Palantir Technologies Inc. 147 | 148 | Permission is hereby granted, free of charge, to any person obtaining a copy 149 | of this software and associated documentation files (the "Software"), to deal 150 | in the Software without restriction, including without limitation the rights 151 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 152 | copies of the Software, and to permit persons to whom the Software is 153 | furnished to do so, subject to the following conditions: 154 | 155 | The above copyright notice and this permission notice shall be included in all 156 | copies or substantial portions of the Software. 157 | 158 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 159 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 160 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 161 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 162 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 163 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 164 | SOFTWARE. 165 | --------------------------------------------------------------------------------