diff --git a/packages/osquery_manager/artifacts_matrix.md b/packages/osquery_manager/artifacts_matrix.md index fb90f03f8b0..32d9bb87220 100644 --- a/packages/osquery_manager/artifacts_matrix.md +++ b/packages/osquery_manager/artifacts_matrix.md @@ -2,10 +2,10 @@ This document tracks the coverage of forensic artifacts in Osquery. -**Last Updated**: 2025-11-07 -**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants -**Total Queries**: 30 (3 core forensic variants + 27 additional) -**Completion Rate**: 2.2% (1/46 core artifacts fully supported) +**Last Updated**: 2025-12-02 +**Total Core Artifacts**: 4 available + 36 in progress + 6 not available = 46 total variants +**Total Queries**: 32 (26 original + 6 new process queries) +**Completion Rate**: 8.7% (4/46 core artifacts fully supported) --- @@ -13,8 +13,8 @@ This document tracks the coverage of forensic artifacts in Osquery. | Status | Count | Percentage | |--------|-------|------------| -| ✅ Available (Fully Supported) | 0 | 0% | -| ⚠️ In Progress (Needs Validation) | 39 | 87.0% | +| ✅ Available (Fully Supported) | 4 | 8.7% | +| ⚠️ In Progress (Needs Validation) | 36 | 78.3% | | ❌ Not Available (Requires Extensions) | 6 | 13.0% | --- 
@@ -55,9 +55,9 @@ This document tracks the coverage of forensic artifacts in Osquery. | 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | | 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table | | 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table | -| 17 | Process Listing | ⚠️ | Win | - | - | processes table | -| 17a | Process Listing | ⚠️ | Linux | - | - | processes table | -| 17b | Process Listing | ⚠️ | Mac | - | - | processes table | +| 17 | Process Listing | ✅ | Win | process_listing_windows_elastic | [8be8](kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json) | Full forensic listing + suspicious detection query | +| 17a | Process Listing | ✅ | Linux | process_listing_linux_elastic | [a0c7](kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json) | Full forensic listing + suspicious detection query | +| 17b | Process Listing | ✅ | Mac | process_listing_macos_elastic | [888a](kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json) | Full forensic listing + suspicious detection query | | 18 | Registry | ⚠️ | Win | - | - | registry table | | 19 | Shell History | ⚠️ | Linux | - | - | shell_history table | | 19a | Shell History | ⚠️ | Mac | - | - | shell_history table | 
@@ -105,6 +105,12 @@ These queries existed in the original repository and provide additional coverage | 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration | | 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration | | 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration | +| 27 | process_listing_windows | ✅ | Win | [8be8](kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json) | Full forensic process listing with parent chain, hashes, code signatures | +| 27a | process_listing_linux | ✅ | Linux | [a0c7](kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json) | Full forensic process listing with parent chain, hashes, username | +| 27b | process_listing_macos | ✅ | Mac | [888a](kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json) | Full forensic process listing with parent chain, hashes, code signatures | +| 27c | suspicious_processes_windows | ✅ | Win | [4537](kibana/osquery_saved_query/osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d.json) | Suspicious process detection: LOLBins, unsigned, unusual paths (MITRE T1059, T1218) | +| 27d | suspicious_processes_linux | ✅ | Linux | [4da8](kibana/osquery_saved_query/osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab.json) | Suspicious process detection: reverse shells, crypto-miners, container escapes (MITRE T1059, T1496, T1611) | +| 27e | suspicious_processes_macos | ✅ | Mac | [2b1b](kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json) | Suspicious process 
detection: unsigned, osascript abuse, quarantine bypass (MITRE T1059, T1553.001) | **Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery. @@ -185,7 +191,7 @@ While some artifacts are not directly available, the existing queries provide st ### System Information - ⚠️ Disks & Volumes (All platforms: disk_info table) -- ⚠️ Process Listing (All platforms: processes table) +- ✅ Process Listing (All platforms: processes table) - Full forensic listing + suspicious detection queries available - ❌ Open Handles (Not Available - PR #7835 open, EclecticIQ extension available) --- diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json new file mode 100644 index 00000000000..7def9645bc2 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json 
@@ -0,0 +1,148 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Identifies macOS processes with suspicious characteristics: unsigned executables, execution from /tmp or hidden directories, osascript abuse, quarantine bypass, crypto-miners, and suspicious interpreters. Enriched with code signatures and file hashes for threat intelligence correlation. MITRE ATT&CK: T1059 (Command and Scripting Interpreter), T1553.001 (Gatekeeper Bypass), T1059.002 (AppleScript), T1496 (Resource Hijacking).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.kind", + "value": { + "value": "signal" + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "user.group.id", + "value": { + "field": "gid" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "process.code_signature.status", + "value": { + "field": "signing_status" + } + }, + { + "key": 
"process.code_signature.subject_name", + "value": { + "field": "authority" + } + }, + { + "key": "process.code_signature.team_id", + "value": { + "field": "team_identifier" + } + }, + { + "key": "tags", + "value": { + "value": ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1553_001", "mitre_t1059_002", "mitre_t1496"] + } + } + ], + "id": "suspicious_processes_macos_elastic", + "interval": "3600", + "platform": "darwin", + "query": "-- macOS Suspicious Process Detection\n-- Identifies processes with potentially malicious characteristics\n-- MITRE ATT&CK: T1059, T1553.001, T1059.002, T1496\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n p.gid,\n p.euid,\n p.egid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.on_disk,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n s.signed AS signing_status,\n s.authority,\n s.identifier AS bundle_identifier,\n s.team_identifier,\n CASE\n WHEN s.signed = 0 OR s.signed IS NULL THEN 'unsigned_binary'\n WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'\n WHEN p.path LIKE '/private/tmp/%' THEN 'suspicious_path_private_tmp'\n WHEN p.path LIKE '/Users/Shared/%' THEN 'suspicious_path_shared'\n WHEN p.path LIKE '%/.%' THEN 'hidden_path'\n WHEN p.path LIKE '/Users/%/Library/%' AND s.signed = 0 THEN 'unsigned_in_library'\n WHEN p.name = 'osascript' AND (p.cmdline LIKE '%JavaScript%' OR p.cmdline LIKE '%do shell script%') THEN 'osascript_abuse'\n WHEN p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%') THEN 'curl_pipe_shell'\n WHEN p.cmdline LIKE '%xattr -d com.apple.quarantine%' OR p.cmdline LIKE '%xattr -c%' THEN 'quarantine_removal'\n WHEN p.name IN ('python', 'python3', 'perl', 'ruby') AND p.cmdline LIKE '%socket%' THEN 'script_socket'\n WHEN p.cmdline LIKE '%base64%' AND 
p.cmdline LIKE '%-D%' THEN 'base64_decode'\n WHEN p.name LIKE '.%' THEN 'hidden_process_name'\n WHEN p.cmdline LIKE '%stratum%' OR p.cmdline LIKE '%xmr%' OR p.cmdline LIKE '%monero%' OR p.cmdline LIKE '%nicehash%' OR p.cmdline LIKE '%pool.%' THEN 'crypto_miner'\n WHEN p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' THEN 'root_unusual_path'\n WHEN p.on_disk = 0 THEN 'process_not_on_disk'\n ELSE 'other_suspicious'\n END AS detection_reason\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN hash h ON p.path = h.path\nLEFT JOIN signature s ON p.path = s.path\nWHERE p.path != ''\nAND (\n -- Unsigned or ad-hoc signed binaries\n s.signed = 0 OR s.signed IS NULL\n -- Suspicious execution paths\n OR p.path LIKE '/tmp/%'\n OR p.path LIKE '/var/tmp/%'\n OR p.path LIKE '/private/tmp/%'\n OR p.path LIKE '/Users/Shared/%'\n OR p.path LIKE '%/.%'\n -- osascript abuse (AppleScript for command execution)\n OR (p.name = 'osascript' AND (\n p.cmdline LIKE '%JavaScript%'\n OR p.cmdline LIKE '%do shell script%'\n OR p.cmdline LIKE '%NSAppleScript%'\n ))\n -- Download and execute patterns\n OR (p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))\n OR (p.name = 'wget' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))\n -- Quarantine attribute removal (Gatekeeper bypass)\n OR p.cmdline LIKE '%xattr -d com.apple.quarantine%'\n OR p.cmdline LIKE '%xattr -c%'\n OR p.cmdline LIKE '%xattr -r -d%'\n -- Script interpreters with network activity\n OR (p.name IN ('python', 'python3', 'python2', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%')\n -- Base64 decode (obfuscation)\n OR (p.cmdline LIKE '%base64%' AND p.cmdline LIKE '%-D%')\n -- Hidden process names\n OR p.name LIKE '.%'\n -- Running from memory\n OR p.on_disk = 0\n -- Crypto-miner indicators (T1496 Resource Hijacking)\n OR p.cmdline LIKE '%stratum%'\n OR 
p.cmdline LIKE '%xmr%'\n OR p.cmdline LIKE '%monero%'\n OR p.cmdline LIKE '%nicehash%'\n OR p.cmdline LIKE '%pool.%mining%'\n OR p.cmdline LIKE '%cryptonight%'\n OR p.cmdline LIKE '%randomx%'\n -- Root processes from unusual locations\n OR (p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' AND p.path NOT LIKE '/Library/%')\n);", + "timeout": 180, + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d.json new file mode 100644 index 00000000000..f732c02154f --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d.json 
@@ -0,0 +1,135 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Identifies Windows processes with suspicious characteristics: unsigned executables, unusual paths (temp, public, downloads), LOLBin abuse, UAC bypass tools, and suspicious parent-child relationships. Enriched with code signatures and file hashes for threat intelligence correlation. MITRE ATT&CK: T1059 (Command and Scripting Interpreter), T1036 (Masquerading), T1055 (Process Injection), T1218 (System Binary Proxy Execution), T1548.002 (UAC Bypass).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.kind", + "value": { + "value": "signal" + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "process.code_signature.status", + "value": { + "field": "signature_status" + } + }, + { + "key": "process.code_signature.subject_name", + "value": { + "field": "signer" 
+ } + }, + { + "key": "tags", + "value": { + "value": ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1036", "mitre_t1055", "mitre_t1218", "mitre_t1548_002"] + } + } + ], + "id": "suspicious_processes_windows_elastic", + "interval": "3600", + "platform": "windows", + "query": "-- Windows Suspicious Process Detection\n-- Identifies processes with potentially malicious characteristics\n-- MITRE ATT&CK: T1059, T1036, T1055, T1218, T1548.002\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.on_disk,\n p.elevated_token,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n a.result AS signature_status,\n a.subject_name AS signer,\n CASE\n WHEN a.result IS NOT NULL AND a.result != 'trusted' THEN 'untrusted_signature'\n WHEN a.result IS NULL AND p.path NOT LIKE 'C:\\\\Windows\\\\%' THEN 'unsigned_non_system'\n WHEN p.path LIKE '%\\\\Temp\\\\%' OR p.path LIKE '%\\\\tmp\\\\%' THEN 'suspicious_path_temp'\n WHEN p.path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' THEN 'suspicious_path_appdata_temp'\n WHEN p.path LIKE '%\\\\Users\\\\Public\\\\%' THEN 'suspicious_path_public'\n WHEN p.path LIKE '%\\\\Downloads\\\\%' THEN 'suspicious_path_downloads'\n WHEN p.name IN ('powershell.exe', 'pwsh.exe') AND (p.cmdline LIKE '%encodedcommand%' OR p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-enc %' OR p.cmdline LIKE '%bypass%' OR p.cmdline LIKE '%hidden%') THEN 'powershell_suspicious_args'\n WHEN p.name = 'cmd.exe' AND (p.cmdline LIKE '%/c %' OR p.cmdline LIKE '%/k %') AND pp.name NOT IN ('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe') THEN 'cmd_unusual_parent'\n WHEN p.name IN ('mshta.exe', 'wscript.exe', 'cscript.exe') THEN 'script_host_execution'\n WHEN p.name IN ('certutil.exe', 'bitsadmin.exe') AND (p.cmdline LIKE '%http%' OR p.cmdline 
LIKE '%ftp%' OR p.cmdline LIKE '%decode%' OR p.cmdline LIKE '%urlcache%') THEN 'lolbin_download'\n WHEN p.name = 'rundll32.exe' AND (p.cmdline LIKE '%javascript%' OR p.cmdline LIKE '%vbscript%') THEN 'rundll32_script'\n WHEN p.name IN ('regsvr32.exe', 'msiexec.exe') AND p.cmdline LIKE '%http%' THEN 'lolbin_remote_payload'\n WHEN p.name IN ('msbuild.exe', 'installutil.exe', 'regasm.exe', 'regsvcs.exe') THEN 'dotnet_lolbin'\n WHEN p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe') AND pp.name NOT IN ('explorer.exe', 'svchost.exe') THEN 'uac_bypass_tool'\n WHEN p.name = 'wmic.exe' AND (p.cmdline LIKE '%process%call%create%' OR p.cmdline LIKE '%/node:%') THEN 'wmic_execution'\n WHEN pp.name = 'wmiprvse.exe' OR pp.name = 'wsmprovhost.exe' THEN 'remote_execution_parent'\n WHEN p.on_disk = 0 THEN 'process_not_on_disk'\n ELSE 'other_suspicious'\n END AS detection_reason\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN hash h ON p.path = h.path\nLEFT JOIN authenticode a ON p.path = a.path\nWHERE p.path != ''\nAND (\n -- Untrusted signatures (explicit non-trusted result)\n (a.result IS NOT NULL AND a.result != 'trusted')\n -- Unsigned non-system binaries\n OR (a.result IS NULL AND p.path NOT LIKE 'C:\\\\Windows\\\\%' AND p.path NOT LIKE 'C:\\\\Program Files\\\\%' AND p.path NOT LIKE 'C:\\\\Program Files (x86)\\\\%')\n -- Suspicious execution paths (narrowed to reduce noise)\n OR p.path LIKE '%\\\\Temp\\\\%'\n OR p.path LIKE '%\\\\tmp\\\\%'\n OR p.path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%'\n OR p.path LIKE '%\\\\Users\\\\Public\\\\%'\n OR p.path LIKE '%\\\\Downloads\\\\%'\n -- PowerShell abuse patterns\n OR (p.name IN ('powershell.exe', 'pwsh.exe') AND (\n p.cmdline LIKE '%encodedcommand%'\n OR p.cmdline LIKE '%-e %'\n OR p.cmdline LIKE '%-enc %'\n OR p.cmdline LIKE '%bypass%'\n OR p.cmdline LIKE '%hidden%'\n OR p.cmdline LIKE '%downloadstring%'\n OR p.cmdline LIKE '%iex%'\n OR p.cmdline LIKE '%invoke-expression%'\n 
OR p.cmdline LIKE '%webclient%'\n ))\n -- Script host execution\n OR p.name IN ('mshta.exe', 'wscript.exe', 'cscript.exe')\n -- LOLBin download/decode\n OR (p.name IN ('certutil.exe', 'bitsadmin.exe') AND (p.cmdline LIKE '%http%' OR p.cmdline LIKE '%decode%' OR p.cmdline LIKE '%urlcache%'))\n -- Rundll32 script execution\n OR (p.name = 'rundll32.exe' AND (p.cmdline LIKE '%javascript%' OR p.cmdline LIKE '%vbscript%'))\n -- Remote payload LOLBins\n OR (p.name IN ('regsvr32.exe', 'msiexec.exe') AND p.cmdline LIKE '%http%')\n -- .NET LOLBins (AppLocker bypass)\n OR p.name IN ('msbuild.exe', 'installutil.exe', 'regasm.exe', 'regsvcs.exe')\n -- UAC bypass tools with unusual parents\n OR (p.name IN ('eventvwr.exe', 'fodhelper.exe', 'computerdefaults.exe', 'sdclt.exe') AND pp.name NOT IN ('explorer.exe', 'svchost.exe'))\n -- WMIC lateral movement / execution\n OR (p.name = 'wmic.exe' AND (p.cmdline LIKE '%process%call%create%' OR p.cmdline LIKE '%/node:%'))\n -- Remote execution indicators\n OR pp.name IN ('wmiprvse.exe', 'wsmprovhost.exe')\n -- Process running from memory (not on disk)\n OR p.on_disk = 0\n);", + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab.json new file mode 100644 index 00000000000..1eba49969d8 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Identifies Linux processes with suspicious characteristics: execution from /tmp, /dev/shm, or /var/tmp, reverse shell patterns, suspicious interpreters, crypto-miners, container escapes, and unusual binary locations. Enriched with file hashes for threat intelligence correlation. MITRE ATT&CK: T1059 (Command and Scripting Interpreter), T1036 (Masquerading), T1105 (Ingress Tool Transfer), T1496 (Resource Hijacking), T1611 (Container Escape).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.kind", + "value": { + "value": "signal" + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "user.group.id", + "value": { + "field": "gid" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "tags", + "value": { + "value": ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1036", 
"mitre_t1105", "mitre_t1496", "mitre_t1611"] + } + } + ], + "id": "suspicious_processes_linux_elastic", + "interval": "3600", + "platform": "linux", + "query": "-- Linux Suspicious Process Detection\n-- Identifies processes with potentially malicious characteristics\n-- MITRE ATT&CK: T1059, T1036, T1105, T1496, T1611\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n p.gid,\n p.euid,\n p.egid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.on_disk,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n CASE\n WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'\n WHEN p.path LIKE '/dev/shm/%' THEN 'suspicious_path_devshm'\n WHEN p.path LIKE '/home/%/.%' THEN 'hidden_in_home'\n WHEN p.cmdline LIKE '%/dev/tcp/%' OR p.cmdline LIKE '%/dev/udp/%' THEN 'reverse_shell_devtcp'\n WHEN p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %') THEN 'netcat_shell'\n WHEN p.cmdline LIKE '%ncat %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %') THEN 'ncat_shell'\n WHEN p.cmdline LIKE '%bash -i%' OR p.cmdline LIKE '%sh -i%' THEN 'interactive_shell'\n WHEN p.name IN ('python', 'python3', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%' THEN 'script_socket'\n WHEN p.cmdline LIKE '%curl%|%sh%' OR p.cmdline LIKE '%wget%|%sh%' OR p.cmdline LIKE '%curl%|%bash%' OR p.cmdline LIKE '%wget%|%bash%' THEN 'download_and_execute'\n WHEN p.cmdline LIKE '%base64 -d%' OR p.cmdline LIKE '%base64 --decode%' THEN 'base64_decode'\n WHEN p.name LIKE '.%' THEN 'hidden_process_name'\n WHEN p.cmdline LIKE '%stratum%' OR p.cmdline LIKE '%xmr%' OR p.cmdline LIKE '%monero%' OR p.cmdline LIKE '%nicehash%' OR p.cmdline LIKE '%pool.%' THEN 'crypto_miner'\n WHEN p.cmdline LIKE '%nsenter%' OR p.cmdline LIKE '%--target 1%' THEN 'container_escape'\n WHEN p.uid = 0 AND p.path 
NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' THEN 'root_unusual_path'\n WHEN p.on_disk = 0 THEN 'process_not_on_disk'\n ELSE 'other_suspicious'\n END AS detection_reason\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN hash h ON p.path = h.path\nWHERE p.path != ''\nAND (\n -- Suspicious execution paths\n p.path LIKE '/tmp/%'\n OR p.path LIKE '/var/tmp/%'\n OR p.path LIKE '/dev/shm/%'\n OR p.path LIKE '/home/%/.%'\n -- Reverse shell patterns\n OR p.cmdline LIKE '%/dev/tcp/%'\n OR p.cmdline LIKE '%/dev/udp/%'\n -- Netcat reverse shells\n OR (p.cmdline LIKE '%nc %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %'))\n OR (p.cmdline LIKE '%ncat %' AND (p.cmdline LIKE '%-e %' OR p.cmdline LIKE '%-c %'))\n OR (p.cmdline LIKE '%socat %' AND p.cmdline LIKE '%exec%')\n -- Interactive shell spawning\n OR p.cmdline LIKE '%bash -i%'\n OR p.cmdline LIKE '%sh -i%'\n -- Script interpreters with network activity\n OR (p.name IN ('python', 'python3', 'python2', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%')\n -- Download and execute patterns\n OR p.cmdline LIKE '%curl%|%sh%'\n OR p.cmdline LIKE '%wget%|%sh%'\n OR p.cmdline LIKE '%curl%|%bash%'\n OR p.cmdline LIKE '%wget%|%bash%'\n -- Base64 decode (often used in obfuscation)\n OR (p.cmdline LIKE '%base64%' AND (p.cmdline LIKE '%-d%' OR p.cmdline LIKE '%--decode%'))\n -- Hidden process names\n OR p.name LIKE '.%'\n -- Running from memory\n OR p.on_disk = 0\n -- Crypto-miner indicators (T1496 Resource Hijacking)\n OR p.cmdline LIKE '%stratum%'\n OR p.cmdline LIKE '%xmr%'\n OR p.cmdline LIKE '%monero%'\n OR p.cmdline LIKE '%nicehash%'\n OR p.cmdline LIKE '%pool.%mining%'\n OR p.cmdline LIKE '%cryptonight%'\n OR p.cmdline LIKE '%randomx%'\n -- Container escape indicators (T1611)\n OR p.cmdline LIKE '%nsenter%'\n OR (p.cmdline LIKE '%--target%' AND p.cmdline LIKE '%--mount%')\n OR (p.cmdline LIKE '%--target 1%')\n -- Root processes from unusual locations\n OR (p.uid = 0 
AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/opt/%' AND p.path NOT LIKE '/lib/%')\n);", + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json new file mode 100644 index 00000000000..7feac12e765 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json 
@@ -0,0 +1,148 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Comprehensive macOS process listing with parent process context, code signatures, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "process.thread.count", + "value": { + "field": "threads" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "user.name", + "value": { + "field": "username" + } + }, + { + "key": "user.group.id", + "value": { + "field": "gid" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "process.code_signature.status", + "value": { + "field": "signing_status" + } + }, + { + "key": "process.code_signature.subject_name", + "value": { + "field": "authority" + } + }, + { + 
"key": "process.code_signature.team_id", + "value": { + "field": "team_identifier" + } + } + ], + "id": "process_listing_macos_elastic", + "interval": "3600", + "platform": "darwin", + "query": "-- macOS Process Listing with Full Forensic Context\n-- Provides comprehensive process information including parent chain, hashes, code signatures, and username\n-- Use for: Threat hunting, incident response, baseline analysis\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n u.username,\n p.gid,\n p.euid,\n p.egid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.resident_size,\n p.total_size,\n p.threads,\n p.nice,\n p.on_disk,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n s.signed AS signing_status,\n s.authority,\n s.identifier AS bundle_identifier,\n s.team_identifier\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN users u ON p.uid = u.uid\nLEFT JOIN hash h ON p.path = h.path\nLEFT JOIN signature s ON p.path = s.path\nWHERE p.path != '';", + "timeout": 180, + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-888ac365-4095-4de8-9990-41d96a792356", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json new file mode 100644 index 00000000000..57c7f51173c --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json 
@@ -0,0 +1,135 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Comprehensive Windows process listing with parent process context, code signatures, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "process.thread.count", + "value": { + "field": "threads" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "user.name", + "value": { + "field": "username" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "process.code_signature.status", + "value": { + "field": "signature_status" + } + }, + { + "key": "process.code_signature.subject_name", + "value": { + "field": "signer" + } + } + ], + "id": "process_listing_windows_elastic", + "interval": "3600", + 
"platform": "windows", + "query": "-- Windows Process Listing with Full Forensic Context\n-- Provides comprehensive process information including parent chain, hashes, code signatures, and username\n-- Use for: Threat hunting, incident response, baseline analysis\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n u.username,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.resident_size,\n p.total_size,\n p.threads,\n p.handle_count,\n p.on_disk,\n p.elevated_token,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n a.result AS signature_status,\n a.subject_name AS signer\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN users u ON p.uid = u.uid\nLEFT JOIN hash h ON p.path = h.path\nLEFT JOIN authenticode a ON p.path = a.path\nWHERE p.path != '';", + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json new file mode 100644 index 00000000000..8e76fe1c49a --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "created_at": "2025-01-06T10:00:00.000Z", + "created_by": "elastic", + "description": "Comprehensive Linux process listing with parent process context, file hashes, and username resolution. Provides full forensic visibility for threat hunting, incident response, and baseline analysis. Returns all running processes for complete system state assessment.", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["process"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "process.pid", + "value": { + "field": "pid" + } + }, + { + "key": "process.name", + "value": { + "field": "name" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "cmdline" + } + }, + { + "key": "process.working_directory", + "value": { + "field": "cwd" + } + }, + { + "key": "process.parent.pid", + "value": { + "field": "ppid" + } + }, + { + "key": "process.parent.name", + "value": { + "field": "parent_name" + } + }, + { + "key": "process.parent.executable", + "value": { + "field": "parent_path" + } + }, + { + "key": "process.parent.command_line", + "value": { + "field": "parent_cmdline" + } + }, + { + "key": "process.start", + "value": { + "field": "start_time" + } + }, + { + "key": "process.thread.count", + "value": { + "field": "threads" + } + }, + { + "key": "user.id", + "value": { + "field": "uid" + } + }, + { + "key": "user.name", + "value": { + "field": "username" + } + }, + { + "key": "user.group.id", + "value": { + "field": "gid" + } + }, + { + "key": "process.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "process.hash.sha256", + "value": { + "field": "sha256" + } + } + ], + "id": "process_listing_linux_elastic", + "interval": "3600", + "platform": "linux", + "query": "-- Linux Process Listing with Full Forensic Context\n-- Provides comprehensive process information including parent 
chain, hashes, and username\n-- Use for: Threat hunting, incident response, baseline analysis\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n u.username,\n p.gid,\n p.euid,\n p.egid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.resident_size,\n p.total_size,\n p.threads,\n p.nice,\n p.on_disk,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN users u ON p.uid = u.uid\nLEFT JOIN hash h ON p.path = h.path\nWHERE p.path != '';", + "updated_at": "2025-01-06T10:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "8.8.0", + "id": "osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-01-06T10:00:00.000Z", + "version": "WzEsMV0=" +}
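Review bot: In the macOS saved query (osquery_manager-888ac365-...), the ECS mapping sends `start_time` to `process.start`, but the query produces it with `datetime(p.start_time, 'unixepoch')`, which yields a space-separated local-looking string such as `2025-01-06 10:00:00` with no `T` separator and no timezone; `process.start` is an ECS date field, so either emit an ISO-8601 UTC value, e.g. `strftime('%Y-%m-%dT%H:%M:%SZ', p.start_time, 'unixepoch') AS start_time`, or map the raw epoch seconds and let the ingest side convert. The same `datetime(...)` form is used in the Windows and Linux queries below, so the fix applies to all three. Separately, `team_identifier` and `signing_status` from the `signature` table are only meaningful where `s.signed` is non-NULL; a short comment in the query header noting that unsigned or unreadable binaries produce NULLs in these columns (the `LEFT JOIN` keeps the row) would help analysts reading the results.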
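Review bot: In the Windows saved query (osquery_manager-8be8f7d8-...), the description states the query "Returns all running processes for complete system state assessment", but the `WHERE p.path != ''` clause drops every process without a resolvable image path (the Idle and System pseudo-processes, and anything whose path cannot be read), so the description should say "all processes with a resolvable executable path" or the filter should be documented as intentional. Also, this file has no `"timeout"` attribute while the macOS saved query in the same PR sets `"timeout": 180`; since this query joins `hash` and `authenticode` per executable on every run, it is the one most likely to run long on a busy host, so the timeout should be set consistently across the three platform variants. Finally, consider mapping `process.code_signature.trusted` alongside `process.code_signature.status`, since `a.result` from `authenticode` is a trust verdict rather than a certificate status string.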
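Review bot: In the Linux saved query (osquery_manager-a0c7b358-...), the header comment says the listing provides "hashes", but `LEFT JOIN hash h ON p.path = h.path` hashes whatever is currently on disk at `p.path`, not the image that is executing: if the binary was deleted after launch (`p.on_disk` is 0) the join returns NULL and `vt_link` becomes NULL, and if it was replaced in place the hash and the VirusTotal link describe a different file than the running process. The query already selects `p.on_disk`, so the header comment should state that `md5`/`sha256` are on-disk values and that `on_disk != 1` rows need separate handling; mapping `on_disk` to an ECS field would also let analysts filter on it in Kibana. Minor: `euid` and `egid` are selected but not present in `ecs_mapping`, while `gid` is mapped to `user.group.id`; either map them or drop them from the SELECT to keep the result set aligned with the mapping.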