CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

[fix] Remove files that are no longer in dev

Browse Source
This commit is contained in:
William Wernert
2020-05-04 10:57:46 -04:00
parent 5805d68b58
commit 80aee06a67
200 changed files with 0 additions and 21066 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
salt/fleet/osquery-packages.html
View File

@@ -1,113 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Onion - Hybrid Hunter</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
* {
box-sizing: border-box;
font-family: Arial, Helvetica, sans-serif;
padding-left: 30px;
padding right: 30px;
}
body {
font-family: Arial, Helvetica, sans-serif;
background-color: #2a2a2a;
}
a {
color: #f2f2f2;
text-align: left;
padding: 0px;
}
/* Style the top navigation bar */
.topnav {
overflow: hidden;
background-color: #333;
width: 1080px;
}
/* Style the topnav links */
.topnav a {
float: left;
display: block;
color: #f2f2f2;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
/* Change color on hover */
.topnav a:hover {
background-color: #ddd;
color: black;
}
/* Style the content */
.content {
background-color: #2a2a2a;
padding: 10px;
padding-top: 20px;
padding-left: 60px;
color: #E3DBCC;
width: 1080px;
}
/* Style the footer */
.footer {
background-color: #2a2a2a;
padding: 60px;
color: #E3DBCC;
width: 1080px;
}
</style>
</head>
<body>
<div class="topnav">
<a href="/kibana/" target="_blank">Kibana</a>
<a href="/grafana/" target="_blank">Grafana</a>
<a href="/fleet/" target="_blank">Fleet</a>
<a href="/thehive/" target="_blank">TheHive</a>
<a href="/packages/" target="_blank">Osquery Binaries</a>
<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
<a href="https://blog.securityonion.net" target="_blank">Blog</a>
</div>
<div class="content">
<p><center><h1>Osquery Packages</h1></center><br>
<h2>Notes</h2>
<ul>
<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
<li>Packages are not signed.</li>
</ul>
<BR> <h2>Downloads</h2>
<ul>
Generated: N/A
<BR><BR>Packages:
<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
<li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
<li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
<BR><BR>Config Files:
<li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
<li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
</ul>
<BR><h2>Known Issues</h2>
<ul>
<li>None</li>
</ul>
</p>
</div>
</body>
</html>

0
salt/fleet/packs/PUT.PACKS.IN.HERE
View File

13
salt/fleet/packs/hh/hh-post-login.sh
View File

@@ -1,13 +0,0 @@
#!/bin/sh
echo "Applying Post Configuration for Osquery"
#fleetctl apply -f /packs/hh/osquery.conf
fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
fleetctl apply -f /packs/hh/hhdefault.yml
for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
do fleetctl apply -f "$pack"
done
echo ""
echo "You can now exit the container by typing exit"

28
salt/fleet/packs/hh/hhdefault.yml
View File

@@ -1,28 +0,0 @@
apiVersion: v1
kind: query
spec:
name: users
description: Users on the system
query: select * from users;
---
apiVersion: v1
kind: query
spec:
name: chrome-extensions
description: Chrome extensions for all users on the system
query: select users.username,chrome_extensions.*,chrome_extensions.path from users cross join chrome_extensions using (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda');
---
apiVersion: v1
kind: pack
spec:
name: examples
targets:
labels:
- All Hosts
queries:
- query: users
interval: 180
removed: false
- query: chrome-extensions
interval: 180
removed: false

29
salt/fleet/packs/hh/osquery.conf
View File

@@ -1,29 +0,0 @@
apiVersion: v1
kind: options
spec:
config:
decorators:
always:
- SELECT codename FROM os_version;
- SELECT uuid AS LiveQuery FROM system_info;
- SELECT address AS EndpointIP1 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface desc limit 1;
- SELECT address AS EndpointIP2 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface asc limit 1;
- SELECT hardware_serial FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
decorations_top_level: true
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: _
overrides: {}

694
salt/fleet/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
View File

@@ -1,694 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: mac-pack
queries:
- description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
interval: 3600
name: emond
platform: darwin
query: emond
- description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
interval: 28800
name: emond_snapshot
platform: darwin
query: emond_snapshot
snapshot: true
- description: Track time/action changes to files specified in configuration data.
interval: 300
name: file_events
platform: darwin
query: file_events
removed: false
- description: The installed homebrew package database.
interval: 28800
name: homebrew_packages_snapshot
platform: darwin
query: homebrew_packages_snapshot
snapshot: true
- description: List kernel extensions, their signing status, and their hashes (excluding
extensions signed by Apple)
interval: 3600
name: macosx_kextstat
platform: darwin
query: macosx_kextstat
- description: Checks the MD5 hash of /etc/rc.common and records the results if
the hash differs from the default value. /etc/rc.common can be used for persistence.
interval: 3600
name: rc.common
platform: darwin
query: rc.common
- description: Returns information about installed event taps. Can be used to detect
keyloggers
interval: 300
name: event_taps
platform: darwin
query: event_taps
- description: LaunchAgents and LaunchDaemons from default search paths.
interval: 3600
name: launchd
platform: darwin
query: launchd
- description: Snapshot query for launchd
interval: 28800
name: launchd_snapshot
platform: darwin
query: launchd_snapshot
snapshot: true
- description: Detect the presence of the LD_PRELOAD environment variable
interval: 60
name: ld_preload
platform: darwin
query: ld_preload
removed: false
- description: USB devices that are actively plugged into the host system.
interval: 300
name: usb_devices
platform: darwin
query: usb_devices
- description: System mounted devices and filesystems (not process specific).
interval: 3600
name: mounts
platform: darwin
query: mounts
removed: false
- description: Apple NVRAM variable listing.
interval: 3600
name: nvram
platform: darwin
query: nvram
removed: false
- description: Line parsed values from system and user cron/tab.
interval: 3600
name: crontab
platform: darwin
query: crontab
- description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
interval: 300
name: hardware_events
platform: darwin
query: hardware_events
removed: false
- description: The installed homebrew package database.
interval: 3600
name: homebrew_packages
platform: darwin
query: homebrew_packages
- description: OS X applications installed in known search paths (e.g., /Applications).
interval: 3600
name: installed_applications
platform: darwin
query: installed_applications
- description: System logins and logouts.
interval: 3600
name: last
platform: darwin
query: last
removed: false
- description: Snapshot query for macosx_kextstat
interval: 28800
name: macosx_kextstat_snapshot
platform: darwin
query: macosx_kextstat_snapshot
snapshot: true
- description: Checks the MD5 hash of /etc/rc.common and records the results if
the hash differs from the default value. /etc/rc.common can be used for persistence.
interval: 28800
name: rc.common_snapshot
platform: darwin
query: rc.common_snapshot
snapshot: true
- description: Safari browser extension details for all users.
interval: 3600
name: safari_extensions
platform: darwin
query: safari_extensions
- description: suid binaries in common locations.
interval: 28800
name: suid_bin
platform: darwin
query: suid_bin
removed: false
- description: Local system users.
interval: 28800
name: users
platform: darwin
query: users
- description: List authorized_keys for each user on the system
interval: 28800
name: authorized_keys
platform: darwin
query: authorized_keys
- description: Application, System, and Mobile App crash logs.
interval: 3600
name: crashes
platform: darwin
query: crashes
removed: false
- description: Displays the percentage of free space available on the primary disk
partition
interval: 3600
name: disk_free_space_pct
platform: darwin
query: disk_free_space_pct
snapshot: true
- description: Retrieve the interface name, IP address, and MAC address for all
interfaces on the host.
interval: 600
name: network_interfaces_snapshot
platform: darwin
query: network_interfaces_snapshot
snapshot: true
- description: Information about EFI/UEFI/ROM and platform/boot.
interval: 28800
name: platform_info
platform: darwin
query: platform_info
removed: false
- description: System uptime
interval: 1800
name: uptime
platform: darwin
query: uptime
snapshot: true
- description: MD5 hash of boot.efi
interval: 28800
name: boot_efi_hash
platform: darwin
query: boot_efi_hash
- description: Snapshot query for Chrome extensions
interval: 28800
name: chrome_extensions_snapshot
platform: darwin
query: chrome_extensions_snapshot
- description: Snapshot query for installed_applications
interval: 28800
name: installed_applications_snapshot
platform: darwin
query: installed_applications_snapshot
snapshot: true
- description: NFS shares exported by the host.
interval: 3600
name: nfs_shares
platform: darwin
query: nfs_shares
removed: false
- description: List the version of the resident operating system
interval: 28800
name: os_version
platform: darwin
query: os_version
- description: Applications and binaries set as user/login startup items.
interval: 3600
name: startup_items
platform: darwin
query: startup_items
- description: All C/NPAPI browser plugin details for all users.
interval: 3600
name: browser_plugins
platform: darwin
query: browser_plugins
- description: List installed Firefox addons for all users
interval: 3600
name: firefox_addons
platform: darwin
query: firefox_addons
- description: Discover hosts that have IP forwarding enabled
interval: 28800
name: ip_forwarding_enabled
platform: darwin
query: ip_forwarding_enabled
removed: false
- description: Platform info snapshot query
interval: 28800
name: platform_info_snapshot
platform: darwin
query: platform_info_snapshot
- description: Python packages installed in a system.
interval: 3600
name: python_packages
platform: darwin
query: python_packages
- description: List installed Chrome Extensions for all users
interval: 3600
name: chrome_extensions
platform: darwin
query: chrome_extensions
- description: Disk encryption status and information.
interval: 3600
name: disk_encryption
platform: darwin
query: disk_encryption
- description: Local system users.
interval: 28800
name: users_snapshot
platform: darwin
query: users_snapshot
- description: OS X known/remembered Wi-Fi networks list.
interval: 28800
name: wireless_networks
platform: darwin
query: wireless_networks
removed: false
- description: Determine if the host is running the expected EFI firmware version
given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
interval: 28800
name: efigy
platform: darwin
query: efigy
snapshot: true
- description: List the contents of /etc/hosts
interval: 28800
name: etc_hosts
platform: darwin
query: etc_hosts
- description: Operating system version snapshot query
interval: 28800
name: os_version_snapshot
platform: darwin
query: os_version_snapshot
snapshot: true
- description: Information about the resident osquery process
interval: 28800
name: osquery_info
platform: darwin
query: osquery_info
snapshot: true
- description: Apple's System Integrity Protection (rootless) status.
interval: 3600
name: sip_config
platform: darwin
query: sip_config
- description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
interval: 3600
name: user_ssh_keys
platform: darwin
query: user_ssh_keys
removed: false
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
name: emond
query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
---
apiVersion: v1
kind: query
spec:
description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
name: emond_snapshot
query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
---
apiVersion: v1
kind: query
spec:
description: Track time/action changes to files specified in configuration data.
name: file_events
query: SELECT * FROM file_events;
---
apiVersion: v1
kind: query
spec:
description: The installed homebrew package database.
name: homebrew_packages_snapshot
query: SELECT name, version FROM homebrew_packages;
---
apiVersion: v1
kind: query
spec:
description: List kernel extensions, their signing status, and their hashes (excluding
extensions signed by Apple)
name: macosx_kextstat
query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size,
kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against,
kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash,
signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions
ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature
ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE
signature.authority!='Software Signing';
---
apiVersion: v1
kind: query
spec:
description: Checks the MD5 hash of /etc/rc.common and records the results if the
hash differs from the default value. /etc/rc.common can be used for persistence.
name: rc.common
query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
and md5!='';
---
apiVersion: v1
kind: query
spec:
description: Returns information about installed event taps. Can be used to detect
keyloggers
name: event_taps
query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process
= processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE
'%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber'
AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd'
AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%'
AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%'
AND event_taps.enabled=1;
---
apiVersion: v1
kind: query
spec:
description: LaunchAgents and LaunchDaemons from default search paths.
name: launchd
query: SELECT * FROM launchd;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for launchd
name: launchd_snapshot
query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd
WHERE run_at_load=1;
---
apiVersion: v1
kind: query
spec:
description: Detect the presence of the LD_PRELOAD environment variable
name: ld_preload
query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
USING (pid) WHERE key = 'LD_PRELOAD';
---
apiVersion: v1
kind: query
spec:
description: USB devices that are actively plugged into the host system.
name: usb_devices
query: SELECT * FROM usb_devices;
---
apiVersion: v1
kind: query
spec:
description: System mounted devices and filesystems (not process specific).
name: mounts
query: SELECT device, device_alias, path, type, blocks_size FROM mounts;
---
apiVersion: v1
kind: query
spec:
description: Apple NVRAM variable listing.
name: nvram
query: SELECT * FROM nvram;
---
apiVersion: v1
kind: query
spec:
description: Line parsed values from system and user cron/tab.
name: crontab
query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
name: hardware_events
query: SELECT * FROM hardware_events;
---
apiVersion: v1
kind: query
spec:
description: The installed homebrew package database.
name: homebrew_packages
query: SELECT * FROM homebrew_packages;
---
apiVersion: v1
kind: query
spec:
description: OS X applications installed in known search paths (e.g., /Applications).
name: installed_applications
query: SELECT * FROM apps;
---
apiVersion: v1
kind: query
spec:
description: System logins and logouts.
name: last
query: SELECT * FROM last;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for macosx_kextstat
name: macosx_kextstat_snapshot
query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path,
signature.signed, signature.identifier, signature.cdhash, signature.team_identifier,
signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE
printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path
LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software
Signing';
---
apiVersion: v1
kind: query
spec:
description: Checks the MD5 hash of /etc/rc.common and records the results if the
hash differs from the default value. /etc/rc.common can be used for persistence.
name: rc.common_snapshot
query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
and md5!='';
---
apiVersion: v1
kind: query
spec:
description: Safari browser extension details for all users.
name: safari_extensions
query: SELECT * FROM users JOIN safari_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: suid binaries in common locations.
name: suid_bin
query: SELECT * FROM suid_bin;
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: List authorized_keys for each user on the system
name: authorized_keys
query: SELECT * FROM users JOIN authorized_keys USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Application, System, and Mobile App crash logs.
name: crashes
query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path
FROM users JOIN crashes USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Displays the percentage of free space available on the primary disk
partition
name: disk_free_space_pct
query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1';
---
apiVersion: v1
kind: query
spec:
description: Retrieve the interface name, IP address, and MAC address for all interfaces
on the host.
name: network_interfaces_snapshot
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
d USING (interface);
---
apiVersion: v1
kind: query
spec:
description: Information about EFI/UEFI/ROM and platform/boot.
name: platform_info
query: SELECT * FROM platform_info;
---
apiVersion: v1
kind: query
spec:
description: System uptime
name: uptime
query: SELECT * FROM uptime;
---
apiVersion: v1
kind: query
spec:
description: MD5 hash of boot.efi
name: boot_efi_hash
query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for Chrome extensions
name: chrome_extensions_snapshot
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for installed_applications
name: installed_applications_snapshot
query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM
apps;
---
apiVersion: v1
kind: query
spec:
description: NFS shares exported by the host.
name: nfs_shares
query: SELECT * FROM nfs_shares;
---
apiVersion: v1
kind: query
spec:
description: List the version of the resident operating system
name: os_version
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: Applications and binaries set as user/login startup items.
name: startup_items
query: SELECT * FROM startup_items;
---
apiVersion: v1
kind: query
spec:
description: All C/NPAPI browser plugin details for all users.
name: browser_plugins
query: SELECT * FROM users JOIN browser_plugins USING (uid);
---
apiVersion: v1
kind: query
spec:
description: List installed Firefox addons for all users
name: firefox_addons
query: SELECT * FROM users JOIN firefox_addons USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Discover hosts that have IP forwarding enabled
name: ip_forwarding_enabled
query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE
'%ip%' AND current_value=1;
---
apiVersion: v1
kind: query
spec:
description: Platform info snapshot query
name: platform_info_snapshot
query: SELECT vendor, version, date, revision from platform_info;
---
apiVersion: v1
kind: query
spec:
description: Python packages installed in a system.
name: python_packages
query: SELECT * FROM python_packages;
---
apiVersion: v1
kind: query
spec:
description: List installed Chrome Extensions for all users
name: chrome_extensions
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Disk encryption status and information.
name: disk_encryption
query: SELECT * FROM disk_encryption;
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users_snapshot
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: OS X known/remembered Wi-Fi networks list.
name: wireless_networks
query: SELECT ssid, network_name, security_type, last_connected, captive_portal,
possibly_hidden, roaming, roaming_profile FROM wifi_networks;
---
apiVersion: v1
kind: query
spec:
description: Determine if the host is running the expected EFI firmware version
given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
name: efigy
query: SELECT * FROM efigy;
---
apiVersion: v1
kind: query
spec:
description: List the contents of /etc/hosts
name: etc_hosts
query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
description: Operating system version snapshot query
name: os_version_snapshot
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: Information about the resident osquery process
name: osquery_info
query: SELECT * FROM osquery_info;
---
apiVersion: v1
kind: query
spec:
description: Apple's System Integrity Protection (rootless) status.
name: sip_config
query: SELECT * FROM sip_config;
---
apiVersion: v1
kind: query
spec:
description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
name: user_ssh_keys
query: SELECT * FROM users JOIN user_ssh_keys USING (uid);

511
salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
View File

@@ -1,511 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: windows-pack
queries:
- description: System info snapshot query
interval: 28800
name: system_info_snapshot
platform: windows
query: system_info_snapshot
snapshot: true
- description: List in-use Windows drivers
interval: 3600
name: drivers
platform: windows
query: drivers
- description: Displays shared resources on a computer system running Windows. This
may be a disk drive, printer, interprocess communication, or other sharable
device.
interval: 3600
name: shared_resources
platform: windows
query: shared_resources
- description: Lists all the patches applied
interval: 3600
name: patches
platform: windows
query: patches
removed: false
- description: Pipes snapshot query
interval: 28800
name: pipes_snapshot
platform: windows
query: pipes_snapshot
snapshot: true
- description: Programs snapshot query
interval: 28800
name: programs_snapshot
platform: windows
query: programs_snapshot
snapshot: true
- description: Services snapshot query
interval: 28800
name: services_snapshot
platform: windows
query: services_snapshot
snapshot: true
- description: WMI CommandLineEventConsumer, which can be used for persistence on
Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
for more details.
interval: 3600
name: wmi_cli_event_consumers
platform: windows
query: wmi_cli_event_consumers
- description: Lists the relationship between event consumers and filters.
interval: 3600
name: wmi_filter_consumer_binding
platform: windows
query: wmi_filter_consumer_binding
- description: Snapshot query for Chrome extensions
interval: 3600
name: chrome_extensions_snapshot
platform: windows
query: chrome_extensions_snapshot
- description: Retrieve the interface name, IP address, and MAC address for all
interfaces on the host.
interval: 600
name: network_interfaces_snapshot
platform: windows
query: network_interfaces_snapshot
snapshot: true
- description: Local system users.
interval: 3600
name: users
platform: windows
query: users
- description: Snapshot query for WMI event consumers.
interval: 28800
name: wmi_cli_event_consumers_snapshot
platform: windows
query: wmi_cli_event_consumers_snapshot
snapshot: true
- description: List all certificates in the trust store
interval: 3600
name: certificates
platform: windows
query: certificates
removed: false
- description: Drivers snapshot query
interval: 28800
name: drivers_snapshot
platform: windows
query: drivers_snapshot
snapshot: true
- description: Lists WMI event filters.
interval: 3600
name: wmi_event_filters
platform: windows
query: wmi_event_filters
- description: List installed Internet Explorer extensions
interval: 3600
name: ie_extensions
platform: windows
query: ie_extensions
- description: List the kernel path, version, etc.
interval: 3600
name: kernel_info
platform: windows
query: kernel_info
- description: List the version of the resident operating system
interval: 3600
name: os_version
platform: windows
query: os_version
- description: Patches snapshot query
interval: 28800
name: patches_snapshot
platform: windows
query: patches_snapshot
snapshot: true
- description: Named and Anonymous pipes.
interval: 3600
name: pipes
platform: windows
query: pipes
removed: false
- description: Lists installed programs
interval: 0
name: programs
platform: windows
query: programs
- description: List all certificates in the trust store (snapshot query)
interval: 0
name: certificates_snapshot
platform: windows
query: certificates_snapshot
snapshot: true
- description: List the contents of the Windows hosts file
interval: 3600
name: etc_hosts
platform: windows
query: etc_hosts
- description: Lists all of the tasks in the Windows task scheduler
interval: 3600
name: scheduled_tasks
platform: windows
query: scheduled_tasks
- description: Extracted information from Windows crash logs (Minidumps).
interval: 3600
name: windows_crashes
platform: windows
query: windows_crashes
removed: false
- description: System uptime
interval: 3600
name: uptime
platform: windows
query: uptime
snapshot: true
- description: Snapshot query for WMI script event consumers.
interval: 3600
name: wmi_script_event_consumers
platform: windows
query: wmi_script_event_consumers
snapshot: true
- description: List installed Chocolatey packages
interval: 3600
name: chocolatey_packages
platform: windows
query: chocolatey_packages
- description: Shared resources snapshot query
interval: 28800
name: shared_resources_snapshot
platform: windows
query: shared_resources_snapshot
snapshot: true
- description: Lists all installed services configured to start automatically at
boot
interval: 3600
name: services
platform: windows
query: services
- description: Users snapshot query
interval: 28800
name: users_snapshot
platform: windows
query: users_snapshot
snapshot: true
- description: List installed Chrome Extensions for all users
interval: 3600
name: chrome_extensions
platform: windows
query: chrome_extensions
- description: Operating system version snapshot query
interval: 28800
name: os_version_snapshot
platform: windows
query: os_version_snapshot
snapshot: true
- description: System information for identification.
interval: 3600
name: system_info
platform: windows
query: system_info
- description: Snapshot query for WMI event filters.
interval: 28800
name: wmi_event_filters_snapshot
platform: windows
query: wmi_event_filters_snapshot
snapshot: true
- description: Snapshot query for WMI filter consumer bindings.
interval: 28800
name: wmi_filter_consumer_binding_snapshot
platform: windows
query: wmi_filter_consumer_binding_snapshot
snapshot: true
- description: Information about the resident osquery process
interval: 28800
name: osquery_info
platform: windows
query: osquery_info
snapshot: true
- description: Scheduled Tasks snapshot query
interval: 28800
name: scheduled_tasks_snapshot
platform: windows
query: scheduled_tasks_snapshot
snapshot: true
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: System info snapshot query
name: system_info_snapshot
query: SELECT * FROM system_info;
---
apiVersion: v1
kind: query
spec:
description: List in-use Windows drivers
name: drivers
query: SELECT * FROM drivers;
---
apiVersion: v1
kind: query
spec:
description: Displays shared resources on a computer system running Windows. This
may be a disk drive, printer, interprocess communication, or other sharable device.
name: shared_resources
query: SELECT * FROM shared_resources;
---
apiVersion: v1
kind: query
spec:
description: Lists all the patches applied
name: patches
query: SELECT * FROM patches;
---
apiVersion: v1
kind: query
spec:
description: Pipes snapshot query
name: pipes_snapshot
query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
pipes.name, pid FROM pipes JOIN processes USING (pid);
---
apiVersion: v1
kind: query
spec:
description: Programs snapshot query
name: programs_snapshot
query: SELECT * FROM programs;
---
apiVersion: v1
kind: query
spec:
description: Services snapshot query
name: services_snapshot
query: SELECT * FROM services;
---
apiVersion: v1
kind: query
spec:
description: WMI CommandLineEventConsumer, which can be used for persistence on
Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
for more details.
name: wmi_cli_event_consumers
query: SELECT * FROM wmi_cli_event_consumers;
---
apiVersion: v1
kind: query
spec:
description: Lists the relationship between event consumers and filters.
name: wmi_filter_consumer_binding
query: SELECT * FROM wmi_filter_consumer_binding;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for Chrome extensions
name: chrome_extensions_snapshot
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Retrieve the interface name, IP address, and MAC address for all interfaces
on the host.
name: network_interfaces_snapshot
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
d USING (interface);
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for WMI event consumers.
name: wmi_cli_event_consumers_snapshot
query: SELECT * FROM wmi_cli_event_consumers;
---
apiVersion: v1
kind: query
spec:
description: List all certificates in the trust store
name: certificates
query: SELECT * FROM certificates WHERE path != 'Other People';
---
apiVersion: v1
kind: query
spec:
description: Drivers snapshot query
name: drivers_snapshot
query: SELECT * FROM drivers;
---
apiVersion: v1
kind: query
spec:
description: Lists WMI event filters.
name: wmi_event_filters
query: SELECT * FROM wmi_event_filters;
---
apiVersion: v1
kind: query
spec:
description: List installed Internet Explorer extensions
name: ie_extensions
query: SELECT * FROM ie_extensions;
---
apiVersion: v1
kind: query
spec:
description: List the kernel path, version, etc.
name: kernel_info
query: SELECT * FROM kernel_info;
---
apiVersion: v1
kind: query
spec:
description: List the version of the resident operating system
name: os_version
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: Patches snapshot query
name: patches_snapshot
query: SELECT * FROM patches;
---
apiVersion: v1
kind: query
spec:
description: Named and Anonymous pipes.
name: pipes
query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
pipes.name, pid FROM pipes JOIN processes USING (pid);
---
apiVersion: v1
kind: query
spec:
description: Lists installed programs
name: programs
query: SELECT * FROM programs;
---
apiVersion: v1
kind: query
spec:
description: List all certificates in the trust store (snapshot query)
name: certificates_snapshot
query: SELECT * FROM certificates WHERE path != 'Other People';
---
apiVersion: v1
kind: query
spec:
description: List the contents of the Windows hosts file
name: etc_hosts
query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
description: Lists all of the tasks in the Windows task scheduler
name: scheduled_tasks
query: SELECT * FROM scheduled_tasks;
---
apiVersion: v1
kind: query
spec:
description: Extracted information from Windows crash logs (Minidumps).
name: windows_crashes
query: SELECT * FROM windows_crashes;
---
apiVersion: v1
kind: query
spec:
description: System uptime
name: uptime
query: SELECT * FROM uptime;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for WMI script event consumers.
name: wmi_script_event_consumers
query: SELECT * FROM wmi_script_event_consumers;
---
apiVersion: v1
kind: query
spec:
description: List installed Chocolatey packages
name: chocolatey_packages
query: SELECT * FROM chocolatey_packages;
---
apiVersion: v1
kind: query
spec:
description: Shared resources snapshot query
name: shared_resources_snapshot
query: SELECT * FROM shared_resources;
---
apiVersion: v1
kind: query
spec:
description: Lists all installed services configured to start automatically at boot
name: services
query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';
---
apiVersion: v1
kind: query
spec:
description: Users snapshot query
name: users_snapshot
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: List installed Chrome Extensions for all users
name: chrome_extensions
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Operating system version snapshot query
name: os_version_snapshot
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: System information for identification.
name: system_info
query: SELECT * FROM system_info;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for WMI event filters.
name: wmi_event_filters_snapshot
query: SELECT * FROM wmi_event_filters;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for WMI filter consumer bindings.
name: wmi_filter_consumer_binding_snapshot
query: SELECT * FROM wmi_filter_consumer_binding;
---
apiVersion: v1
kind: query
spec:
description: Information about the resident osquery process
name: osquery_info
query: SELECT * FROM osquery_info;
---
apiVersion: v1
kind: query
spec:
description: Scheduled Tasks snapshot query
name: scheduled_tasks_snapshot
query: SELECT * FROM scheduled_tasks;

46
salt/fleet/packs/palantir/Fleet/Endpoints/options.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: options
spec:
config:
decorators:
always:
- SELECT hostname AS hostname FROM system_info;
- SELECT codename FROM os_version;
- SELECT uuid AS LiveQuery FROM system_info;
- SELECT address AS EndpointIP1 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface desc limit 1;
- SELECT address AS EndpointIP2 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface asc limit 1;
- SELECT hardware_serial FROM system_info;
file_paths:
binaries:
- /usr/bin/%%
- /usr/sbin/%%
- /bin/%%
- /sbin/%%
- /usr/local/bin/%%
- /usr/local/sbin/%%
- /opt/bin/%%
- /opt/sbin/%%
configuration:
- /etc/%%
efi:
- /System/Library/CoreServices/boot.efi
options:
decorations_top_level: true
disable_distributed: false
disable_tables: windows_events
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
logger_plugin: tls
logger_snapshot_event_type: true
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: /
schedule_splay_percent: 10
overrides: {}

69
salt/fleet/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
View File

@@ -1,69 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: performance-metrics
queries:
- description: Records the CPU time and memory usage for each individual query.
Helpful for identifying queries that may impact performance.
interval: 1800
name: per_query_perf
query: per_query_perf
snapshot: true
- description: Track the amount of CPU time used by osquery.
interval: 1800
name: runtime_perf
query: runtime_perf
snapshot: true
- description: Track the percentage of total CPU time utilized by $endpoint_security_tool
interval: 1800
name: endpoint_security_tool_perf
query: endpoint_security_tool_perf
snapshot: true
- description: Track the percentage of total CPU time utilized by $backup_tool
interval: 1800
name: backup_tool_perf
query: backup_tool_perf
snapshot: true
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Records the CPU time and memory usage for each individual query. Helpful
for identifying queries that may impact performance.
name: per_query_perf
query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
FROM osquery_schedule;
---
apiVersion: v1
kind: query
spec:
description: Track the amount of CPU time used by osquery.
name: runtime_perf
query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov,
processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
---
apiVersion: v1
kind: query
spec:
description: Track the percentage of total CPU time utilized by $endpoint_security_tool
name: endpoint_security_tool_perf
query: SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time
FROM processes WHERE name='endpoint_security_tool');
---
apiVersion: v1
kind: query
spec:
description: Track the percentage of total CPU time utilized by $backup_tool
name: backup_tool_perf
query: SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct
FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time))
AS backuptool_time FROM processes WHERE name='backup_tool');

59
salt/fleet/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
View File

@@ -1,59 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: security-tooling-checks
queries:
- description: Returns an event if a EndpointSecurityTool process is not found running
from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
(Windows)
interval: 28800
name: endpoint_security_tool_not_running
platform: windows,darwin
query: endpoint_security_tool_not_running
snapshot: true
- description: "Returns an event if a BackupTool process is not found running from
'/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
interval: 28800
name: backup_tool_not_running
platform: windows,darwin
query: backup_tool_not_running
snapshot: true
- description: Returns the content of the key if the backend server does not match
the expected value
interval: 3600
name: endpoint_security_tool_backend_server_registry_misconfigured
platform: windows
query: endpoint_security_tool_backend_server_registry_misconfigured
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Returns an event if a EndpointSecurityTool process is not found running
from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
(Windows)
name: endpoint_security_tool_not_running
query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
process_count from processes where path='/Applications/EndpointSecurityTool' OR
lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: "Returns an event if a BackupTool process is not found running from
'/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
name: backup_tool_not_running
query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
process_count from processes where path='/Applications/BackupTool' OR lower(path)
LIKE 'c:\backuptool.exe') where process_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if the backend server does not match
the expected value
name: endpoint_security_tool_backend_server_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation'
AND data!='https://expected_endpoint.local';

93
salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
View File

@@ -1,93 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: windows-application-security
queries:
- description: Controls Bitlocker full-disk encryption settings.
interval: 3600
name: bitlocker_autoencrypt_settings_registry
platform: windows
query: bitlocker_autoencrypt_settings_registry
- description: Controls Bitlocker full-disk encryption settings.
interval: 3600
name: bitlocker_fde_settings_registry
platform: windows
query: bitlocker_fde_settings_registry
- description: Controls Google Chrome plugins that are forcibly installed.
interval: 3600
name: chrome_extension_force_list_registry
platform: windows
query: chrome_extension_force_list_registry
- description: Controls EMET-protected applications and system settings.
interval: 3600
name: emet_settings_registry
platform: windows
query: emet_settings_registry
- description: Controls Local Administrative Password Solution (LAPS) settings.
interval: 3600
name: microsoft_laps_settings_registry
platform: windows
query: microsoft_laps_settings_registry
- description: Controls Windows Passport for Work (Hello) settings.
interval: 3600
name: passport_for_work_settings_registry
platform: windows
query: passport_for_work_settings_registry
- description: Controls UAC. A setting of 0 indicates that UAC is disabled.
interval: 3600
name: uac_settings_registry
platform: windows
query: uac_settings_registry
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Controls Bitlocker full-disk encryption settings.
name: bitlocker_autoencrypt_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Bitlocker\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls Bitlocker full-disk encryption settings.
name: bitlocker_fde_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls Google Chrome plugins that are forcibly installed.
name: chrome_extension_force_list_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist';
---
apiVersion: v1
kind: query
spec:
description: Controls EMET-protected applications and system settings.
name: emet_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls Local Administrative Password Solution (LAPS) settings.
name: microsoft_laps_settings_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
Services\AdmPwd';
---
apiVersion: v1
kind: query
spec:
description: Controls Windows Passport for Work (Hello) settings.
name: passport_for_work_settings_registry
query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls UAC. A setting of 0 indicates that UAC is disabled.
name: uac_settings_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA';

321
salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
View File

@@ -1,321 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: windows-compliance
queries:
- description: 'This key does not exist by default and controls enabling/disabling
error reporting display. Some malware creates this key and sets the value to
0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
interval: 3600
name: error_display_ui_registry
platform: windows
query: error_display_ui_registry
- description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
and delayed-delete capabilities. Sometimes used as a self-deletion technique
for malware.
interval: 3600
name: filerenameoperations_registry
platform: windows
query: filerenameoperations_registry
- description: Controls which security packages store credentials in LSA memory,
secure boot, etc.
interval: 3600
name: local_security_authority_registry
platform: windows
query: local_security_authority_registry
- description: 'This key exists by default and has a default value of 1. Setting
this key to 0 disables logging errors/crashes to the System event channel. Some
malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
interval: 3600
name: log_errors_registry
platform: windows
query: log_errors_registry
- description: Controls Windows security provider configurations
interval: 3600
name: security_providers_registry
platform: windows
query: security_providers_registry
- description: Controls Windows Update server location and installation behavior.
interval: 3600
name: windows_update_settings_registry
platform: windows
query: windows_update_settings_registry
- description: 'Controls enabling/disabling crash dumps. This key has a default
value of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
interval: 3600
name: crash_dump_registry
platform: windows
query: crash_dump_registry
- description: 'This registry key specifies the path to a DLL to be loaded by a
Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
interval: 3600
name: dns_plugin_dll_registry
platform: windows
query: dns_plugin_dll_registry
- description: The KnownDlls key defines the set of DLLs that are first searched
during system startup.
interval: 3600
name: knowndlls_registry
platform: windows
query: knowndlls_registry
- description: This key exists by default and has a default value of 1. Terminal
service connections are allowed to the host when the key value is set to 0
interval: 3600
name: terminal_service_deny_registry
platform: windows
query: terminal_service_deny_registry
- description: Controls Windows command-line auditing
interval: 3600
name: command_line_auditing_registry
platform: windows
query: command_line_auditing_registry
- description: 'This key (and subkeys) exist by default and are required to allow
post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
interval: 3600
name: dr_watson_registry
platform: windows
query: dr_watson_registry
- description: Controls how many simultaneous terminal services sessions can use
the same account
interval: 3600
name: per_user_ts_session_registry
platform: windows
query: per_user_ts_session_registry
- description: Controls Powershell execution policy, script execution, logging,
and more.
interval: 3600
name: powershell_settings_registry
platform: windows
query: powershell_settings_registry
- description: Controls enabling/disabling SMBv1. Setting this key to 0 disables
the SMBv1 protocol on the host.
interval: 3600
name: smbv1_registry
platform: windows
query: smbv1_registry
- description: Lists information about SecureBoot status.
interval: 3600
name: secure_boot_registry
platform: windows
query: secure_boot_registry
- description: This key does not exist by default and controls enabling/disabling
error reporting. Some malware creates this key sets the value to 0 (disables
error reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
interval: 3600
name: error_report_registry
platform: windows
query: error_report_registry
- description: Controls behavior, size, and rotation strategy for primary windows
event log files.
interval: 3600
name: event_log_settings_registry
platform: windows
query: event_log_settings_registry
- description: Controls system TPM settings
interval: 3600
name: tpm_registry
platform: windows
query: tpm_registry
- description: Controls local WinRM client configuration and security.
interval: 3600
name: winrm_settings_registry
platform: windows
query: winrm_settings_registry
- description: 'Controls the suppression of error dialog boxes. The default value
is 0 (all messages are visible), but some malware sets this value to 2 (all
messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
interval: 3600
name: error_mode_registry
platform: windows
query: error_mode_registry
- description: Controls sending administrative notifications after a crash. Some
malware sets this value to 0
interval: 3600
name: send_error_alert_registry
platform: windows
query: send_error_alert_registry
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: 'This key does not exist by default and controls enabling/disabling
error reporting display. Some malware creates this key and sets the value to 0.
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
name: error_display_ui_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
---
apiVersion: v1
kind: query
spec:
description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
and delayed-delete capabilities. Sometimes used as a self-deletion technique for
malware.
name: filerenameoperations_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\FileRenameOperations';
---
apiVersion: v1
kind: query
spec:
description: Controls which security packages store credentials in LSA memory, secure
boot, etc.
name: local_security_authority_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\%%';
---
apiVersion: v1
kind: query
spec:
description: 'This key exists by default and has a default value of 1. Setting this
key to 0 disables logging errors/crashes to the System event channel. Some malware
sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
name: log_errors_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent';
---
apiVersion: v1
kind: query
spec:
description: Controls Windows security provider configurations
name: security_providers_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls Windows Update server location and installation behavior.
name: windows_update_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\%%';
---
apiVersion: v1
kind: query
spec:
description: 'Controls enabling/disabling crash dumps. This key has a default value
of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
name: crash_dump_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled';
---
apiVersion: v1
kind: query
spec:
description: 'This registry key specifies the path to a DLL to be loaded by a Windows
DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
name: dns_plugin_dll_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
---
apiVersion: v1
kind: query
spec:
description: The KnownDlls key defines the set of DLLs that are first searched during
system startup.
name: knowndlls_registry
query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\KnownDLLs\%%';
---
apiVersion: v1
kind: query
spec:
description: This key exists by default and has a default value of 1. Terminal service
connections are allowed to the host when the key value is set to 0
name: terminal_service_deny_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\fDenyTSConnections';
---
apiVersion: v1
kind: query
spec:
description: Controls Windows command-line auditing
name: command_line_auditing_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit';
---
apiVersion: v1
kind: query
spec:
description: 'This key (and subkeys) exist by default and are required to allow
post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
name: dr_watson_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AeDebug';
---
apiVersion: v1
kind: query
spec:
description: Controls how many simultaneous terminal services sessions can use the
same account
name: per_user_ts_session_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\fSingleSessionPerUser';
---
apiVersion: v1
kind: query
spec:
description: Controls Powershell execution policy, script execution, logging, and
more.
name: powershell_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls enabling/disabling SMBv1. Setting this key to 0 disables the
SMBv1 protocol on the host.
name: smbv1_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1';
---
apiVersion: v1
kind: query
spec:
description: Lists information about SecureBoot status.
name: secure_boot_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot';
---
apiVersion: v1
kind: query
spec:
description: This key does not exist by default and controls enabling/disabling
error reporting. Some malware creates this key sets the value to 0 (disables error
reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
name: error_report_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DoReport';
---
apiVersion: v1
kind: query
spec:
description: Controls behavior, size, and rotation strategy for primary windows
event log files.
name: event_log_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\%%';
---
apiVersion: v1
kind: query
spec:
description: Controls system TPM settings
name: tpm_registry
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM';
---
apiVersion: v1
kind: query
spec:
description: Controls local WinRM client configuration and security.
name: winrm_settings_registry
query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\%%';
---
apiVersion: v1
kind: query
spec:
description: 'Controls the suppression of error dialog boxes. The default value
is 0 (all messages are visible), but some malware sets this value to 2 (all messages
are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
name: error_mode_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode';
---
apiVersion: v1
kind: query
spec:
description: Controls sending administrative notifications after a crash. Some malware
sets this value to 0
name: send_error_alert_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';

475
salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
View File

@@ -1,475 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: windows-registry-monitoring
queries:
- description: Technique used by attackers to prevent computer accounts from changing
their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)
interval: 3600
name: computer_password_change_disabled_registry
platform: windows
query: computer_password_change_disabled_registry
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: error_mode_registry_missing
platform: windows
query: error_mode_registry_missing
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: per_user_ts_session_registry_missing
platform: windows
query: per_user_ts_session_registry_missing
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: powershell_invocationheader_registry_missing
platform: windows
query: powershell_invocationheader_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: bitlocker_encryption_settings_registry_misconfigured
platform: windows
query: bitlocker_encryption_settings_registry_misconfigured
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: bitlocker_mbam_registry_misconfigured
platform: windows
query: bitlocker_mbam_registry_misconfigured
- description: Returns the content of this key if it exists, which it shouldn't
by default
interval: 3600
name: dns_plugin_dll_registry_exists
platform: windows
query: dns_plugin_dll_registry_exists
- description: Returns the content of this key if it exists, which it shouldn't
by default
interval: 3600
name: error_display_ui_registry_exists
platform: windows
query: error_display_ui_registry_exists
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: log_errors_registry_misconfigured
platform: windows
query: log_errors_registry_misconfigured
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: subscription_manager_registry_misconfigured
platform: windows
query: subscription_manager_registry_misconfigured
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: subscription_manager_registry_missing
platform: windows
query: subscription_manager_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: command_line_auditing_registry_misconfigured
platform: windows
query: command_line_auditing_registry_misconfigured
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: crash_dump_registry_missing
platform: windows
query: crash_dump_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: error_mode_registry_misconfigured
platform: windows
query: error_mode_registry_misconfigured
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: log_errors_registry_missing
platform: windows
query: log_errors_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: winrm_settings_registry_misconfigured
platform: windows
query: winrm_settings_registry_misconfigured
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: crash_dump_registry_misconfigured
platform: windows
query: crash_dump_registry_misconfigured
- description: Detect a registry based persistence mechanism that allows an attacker
to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)
interval: 3600
name: physicalstore_dll_registry_persistence
platform: windows
query: physicalstore_dll_registry_persistence
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: powershell_logging_registry_misconfigured
platform: windows
query: powershell_logging_registry_misconfigured
- description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
interval: 3600
name: amsi_disabled_registry
platform: windows
query: amsi_disabled_registry
- description: Controls how often to rotate the local computer password (defaults
to 30 days). A modification of this value may be an indicator of attacker activity.
interval: 3600
name: computer_maximum_password_age_changed_registry
platform: windows
query: computer_maximum_password_age_changed_registry
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: dr_watson_registry_missing
platform: windows
query: dr_watson_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: per_user_ts_session_registry_misconfigured
platform: windows
query: per_user_ts_session_registry_misconfigured
- description: Registry based persistence mechanism to load DLLs at reboot time
and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
remain.
interval: 3600
name: runonceex_persistence_registry
platform: windows
query: runonceex_persistence_registry
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: smbv1_registry_missing
platform: windows
query: smbv1_registry_missing
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: powershell_transcription_logging_registry_missing
platform: windows
query: powershell_transcription_logging_registry_missing
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: powershell_module_logging_registry_missing
platform: windows
query: powershell_module_logging_registry_missing
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: powershell_scriptblock_logging_registry_missing
platform: windows
query: powershell_scriptblock_logging_registry_missing
- description: Returns the content of the key if it does not match the expected
value
interval: 3600
name: bitlocker_mbam_endpoint_registry_misconfigured
platform: windows
query: bitlocker_mbam_endpoint_registry_misconfigured
- description: Returns 0 as a result if the registry key does not exist
interval: 3600
name: command_line_auditing_registry_missing
platform: windows
query: command_line_auditing_registry_missing
- description: ""
interval: 3600
name: smbv1_registry_misconfigured
platform: windows
query: smbv1_registry_misconfigured
- description: Returns the content of this key if it exists, which it shouldn't
by default
interval: 3600
name: send_error_alert_registry_exists
platform: windows
query: send_error_alert_registry_exists
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Technique used by attackers to prevent computer accounts from changing
their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)
name: computer_password_change_disabled_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange'
AND data!=0;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: error_mode_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: per_user_ts_session_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\fSingleSessionPerUser') WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: powershell_invocationheader_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: bitlocker_encryption_settings_registry_misconfigured
query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ShouldEncryptOSDrive'
OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\OSDriveProtector')
AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: bitlocker_mbam_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\UseMBAMServices'
AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of this key if it exists, which it shouldn't by
default
name: dns_plugin_dll_registry_exists
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
---
apiVersion: v1
kind: query
spec:
description: Returns the content of this key if it exists, which it shouldn't by
default
name: error_display_ui_registry_exists
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: log_errors_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent'
AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: subscription_manager_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1'
AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC'
AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: subscription_manager_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: command_line_auditing_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled'
AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: crash_dump_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: error_mode_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode'
AND data=2;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: log_errors_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: winrm_settings_registry_misconfigured
query: 'SELECT * FROM registry WHERE (path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowCredSSP''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic''
OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess'')
AND data!=0; '
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: crash_dump_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled'
AND data=0;
---
apiVersion: v1
kind: query
spec:
description: Detect a registry based persistence mechanism that allows an attacker
to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)
name: physicalstore_dll_registry_persistence
query: SELECT key, path, name, mtime, username FROM registry r, users WHERE path
LIKE 'HKEY_USERS\'||uuid||'\Software\Microsoft\SystemCertificates\CA\PhysicalStores\%%'
OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType
0\CertDllOpenStoreProv\%%' AND name!='#16' AND name!='Ldap';
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: powershell_logging_registry_misconfigured
query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging'
OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging'
OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting'
OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
name: amsi_disabled_registry
query: SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users
WHERE path = 'HKEY_USERS\'||uuid||'\Software\Microsoft\Windows Script\Settings\AmsiEnable'
AND data=0;
---
apiVersion: v1
kind: query
spec:
description: Controls how often to rotate the local computer password (defaults
to 30 days). A modification of this value may be an indicator of attacker activity.
name: computer_maximum_password_age_changed_registry
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge'
and data!=30;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: dr_watson_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug')
WHERE key_exists!=2;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: per_user_ts_session_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\fSingleSessionPerUser' AND data!=1;
---
apiVersion: v1
kind: query
spec:
description: Registry based persistence mechanism to load DLLs at reboot time and
avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
remain.
name: runonceex_persistence_registry
query: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx';
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: smbv1_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: powershell_transcription_logging_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: powershell_module_logging_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: powershell_scriptblock_logging_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if it does not match the expected value
name: bitlocker_mbam_endpoint_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\KeyRecoveryServiceEndPoint'
AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';
---
apiVersion: v1
kind: query
spec:
description: Returns 0 as a result if the registry key does not exist
name: command_line_auditing_registry_missing
query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled')
WHERE key_exists!=1;
---
apiVersion: v1
kind: query
spec:
name: smbv1_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
AND data!=0;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of this key if it exists, which it shouldn't by
default
name: send_error_alert_registry_exists
query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';

596
salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml
View File

@@ -1,596 +0,0 @@
---
apiVersion: v1
kind: pack
spec:
name: LinuxPack
queries:
- description: Retrieves all the jobs scheduled in crontab in the target system.
interval: 0
name: crontab_snapshot
platform: linux
query: crontab_snapshot
snapshot: true
- description: Various Linux kernel integrity checked attributes.
interval: 0
name: kernel_integrity
platform: linux
query: kernel_integrity
- description: Linux kernel modules both loaded and within the load search path.
interval: 0
name: kernel_modules
platform: linux
query: kernel_modules
- description: Retrieves the current list of mounted drives in the target system.
interval: 0
name: mounts
platform: linux
query: mounts
- description: The percentage of total CPU time (system+user) consumed by osqueryd
interval: 0
name: osquery_cpu_pct
platform: linux
query: osquery_cpu_pct
snapshot: true
- description: Socket events collected from the audit framework
interval: 0
name: socket_events
platform: linux
query: socket_events
- description: Record the network interfaces and their associated IP and MAC addresses
interval: 0
name: network_interfaces_snapshot
platform: linux
query: network_interfaces_snapshot
snapshot: true
version: 1.4.5
- description: Information about the running osquery configuration
interval: 0
name: osquery_info
platform: linux
query: osquery_info
snapshot: true
- description: Display all installed RPM packages
interval: 0
name: rpm_packages
platform: centos
query: rpm_packages
snapshot: true
- description: Record shell history for all users on system (instead of just root)
interval: 0
name: shell_history
platform: linux
query: shell_history
- description: File events collected from file integrity monitoring
interval: 0
name: file_events
platform: linux
query: file_events
removed: false
- description: Retrieve the EC2 metadata for this endpoint
interval: 0
name: ec2_instance_metadata
platform: linux
query: ec2_instance_metadata
- description: Retrieve the EC2 tags for this endpoint
interval: 0
name: ec2_instance_tags
platform: linux
query: ec2_instance_tags
- description: Snapshot query to retrieve the EC2 tags for this instance
interval: 0
name: ec2_instance_tags_snapshot
platform: linux
query: ec2_instance_tags_snapshot
snapshot: true
- description: Retrieves the current filters and chains per filter in the target
system.
interval: 0
name: iptables
platform: linux
query: iptables
- description: Display any SUID binaries that are owned by root
interval: 0
name: suid_bin
platform: linux
query: suid_bin
- description: Display all installed DEB packages
interval: 0
name: deb_packages
platform: ubuntu
query: deb_packages
snapshot: true
- description: Find shell processes that have open sockets
interval: 0
name: behavioral_reverse_shell
platform: linux
query: behavioral_reverse_shell
- description: Retrieves all the jobs scheduled in crontab in the target system.
interval: 0
name: crontab
platform: linux
query: crontab
- description: Records the system resources used by each query
interval: 0
name: per_query_perf
platform: linux
query: per_query_perf
- description: Records avg rate of socket events since daemon started
interval: 0
name: socket_rates
platform: linux
query: socket_rates
snapshot: true
- description: Local system users.
interval: 0
name: users
platform: linux
query: users
- description: Process events collected from the audit framework
interval: 0
name: process_events
platform: linux
query: process_events
- description: Retrieves the list of the latest logins with PID, username and timestamp.
interval: 0
name: last
platform: linux
query: last
- description: Any processes that run with an LD_PRELOAD environment variable
interval: 0
name: ld_preload
platform: linux
query: ld_preload
- description: Records avg rate of process events since daemon started
interval: 0
name: process_rates
platform: linux
query: process_rates
snapshot: true
- description: Information about the system hardware and name
interval: 0
name: system_info
platform: linux
query: system_info
snapshot: true
- description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted
interval: 0
name: user_ssh_keys
platform: linux
query: user_ssh_keys
- description: Local system users.
interval: 0
name: users_snapshot
platform: linux
query: users_snapshot
snapshot: true
- description: DNS resolvers used by the host
interval: 0
name: dns_resolvers
platform: linux
query: dns_resolvers
- description: Retrieves information from the current kernel in the target system.
interval: 0
name: kernel_info
platform: linux
query: kernel_info
snapshot: true
- description: Linux kernel modules both loaded and within the load search path.
interval: 0
name: kernel_modules_snapshot
platform: linux
query: kernel_modules_snapshot
snapshot: true
- description: Generates an event if ld.so.preload is present - used by rootkits
such as Jynx
interval: 0
name: ld_so_preload_exists
platform: linux
query: ld_so_preload_exists
snapshot: true
- description: Records system/user time, db size, and many other system metrics
interval: 0
name: runtime_perf
platform: linux
query: runtime_perf
- description: Retrieves all the entries in the target system /etc/hosts file.
interval: 0
name: etc_hosts_snapshot
platform: linux
query: etc_hosts_snapshot
snapshot: true
- description: Snapshot query to retrieve the EC2 metadata for this endpoint
interval: 0
name: ec2_instance_metadata_snapshot
platform: linux
query: ec2_instance_metadata_snapshot
snapshot: true
- description: ""
interval: 0
name: hardware_events
platform: linux
query: hardware_events
removed: false
- description: Information about memory usage on the system
interval: 0
name: memory_info
platform: linux
query: memory_info
- description: Displays information from /proc/stat file about the time the CPU
cores spent in different parts of the system
interval: 0
name: cpu_time
platform: linux
query: cpu_time
- description: Retrieves all the entries in the target system /etc/hosts file.
interval: 0
name: etc_hosts
platform: linux
query: etc_hosts
- description: Retrieves information from the Operating System where osquery is
currently running.
interval: 0
name: os_version
platform: linux
query: os_version
snapshot: true
- description: A snapshot of all processes running on the host. Useful for outlier
analysis.
interval: 0
name: processes_snapshot
platform: linux
query: processes_snapshot
snapshot: true
- description: Retrieves the current list of USB devices in the target system.
interval: 0
name: usb_devices
platform: linux
query: usb_devices
- description: A line-delimited authorized_keys table.
interval: 0
name: authorized_keys
platform: linux
query: authorized_keys
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Retrieves all the jobs scheduled in crontab in the target system.
name: crontab_snapshot
query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
description: Various Linux kernel integrity checked attributes.
name: kernel_integrity
query: SELECT * FROM kernel_integrity;
---
apiVersion: v1
kind: query
spec:
description: Linux kernel modules both loaded and within the load search path.
name: kernel_modules
query: SELECT * FROM kernel_modules;
---
apiVersion: v1
kind: query
spec:
description: Retrieves the current list of mounted drives in the target system.
name: mounts
query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;
---
apiVersion: v1
kind: query
spec:
description: The percentage of total CPU time (system+user) consumed by osqueryd
name: osquery_cpu_pct
query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
FROM processes WHERE name='osqueryd');
---
apiVersion: v1
kind: query
spec:
description: Socket events collected from the audit framework
name: socket_events
query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address,
remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN
('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254',
'', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001',
'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');
---
apiVersion: v1
kind: query
spec:
description: Record the network interfaces and their associated IP and MAC addresses
name: network_interfaces_snapshot
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
d USING (interface);
---
apiVersion: v1
kind: query
spec:
description: Information about the running osquery configuration
name: osquery_info
query: SELECT * FROM osquery_info;
---
apiVersion: v1
kind: query
spec:
description: Display all installed RPM packages
name: rpm_packages
query: SELECT name, version, release, arch FROM rpm_packages;
---
apiVersion: v1
kind: query
spec:
description: Record shell history for all users on system (instead of just root)
name: shell_history
query: SELECT * FROM users JOIN shell_history USING (uid);
---
apiVersion: v1
kind: query
spec:
description: File events collected from file integrity monitoring
name: file_events
query: SELECT * FROM file_events;
---
apiVersion: v1
kind: query
spec:
description: Retrieve the EC2 metadata for this endpoint
name: ec2_instance_metadata
query: SELECT * FROM ec2_instance_metadata;
---
apiVersion: v1
kind: query
spec:
description: Retrieve the EC2 tags for this endpoint
name: ec2_instance_tags
query: SELECT * FROM ec2_instance_tags;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query to retrieve the EC2 tags for this instance
name: ec2_instance_tags_snapshot
query: SELECT * FROM ec2_instance_tags;
---
apiVersion: v1
kind: query
spec:
description: Retrieves the current filters and chains per filter in the target system.
name: iptables
query: SELECT * FROM iptables;
---
apiVersion: v1
kind: query
spec:
description: Display any SUID binaries that are owned by root
name: suid_bin
query: SELECT * FROM suid_bin;
---
apiVersion: v1
kind: query
spec:
description: Display all installed DEB packages
name: deb_packages
query: SELECT * FROM deb_packages;
---
apiVersion: v1
kind: query
spec:
description: Find shell processes that have open sockets
name: behavioral_reverse_shell
query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path,
processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid,
processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port,
(SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS
parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER
JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh'
OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address
NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';
---
apiVersion: v1
kind: query
spec:
description: Retrieves all the jobs scheduled in crontab in the target system.
name: crontab
query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
description: Records the system resources used by each query
name: per_query_perf
query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
FROM osquery_schedule;
---
apiVersion: v1
kind: query
spec:
description: Records avg rate of socket events since daemon started
name: socket_rates
query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
- 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: Process events collected from the audit framework
name: process_events
query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time,
uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk',
'/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq',
'/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline
NOT LIKE '%secret%';
---
apiVersion: v1
kind: query
spec:
description: Retrieves the list of the latest logins with PID, username and timestamp.
name: last
query: SELECT * FROM last;
---
apiVersion: v1
kind: query
spec:
description: Any processes that run with an LD_PRELOAD environment variable
name: ld_preload
query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
USING (pid) WHERE key = 'LD_PRELOAD';
---
apiVersion: v1
kind: query
spec:
description: Records avg rate of process events since daemon started
name: process_rates
query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
- 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
description: Information about the system hardware and name
name: system_info
query: SELECT * FROM system_info;
---
apiVersion: v1
kind: query
spec:
description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted
name: user_ssh_keys
query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users_snapshot
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: DNS resolvers used by the host
name: dns_resolvers
query: SELECT * FROM dns_resolvers;
---
apiVersion: v1
kind: query
spec:
description: Retrieves information from the current kernel in the target system.
name: kernel_info
query: SELECT * FROM kernel_info;
---
apiVersion: v1
kind: query
spec:
description: Linux kernel modules both loaded and within the load search path.
name: kernel_modules_snapshot
query: SELECT * FROM kernel_modules;
---
apiVersion: v1
kind: query
spec:
description: Generates an event if ld.so.preload is present - used by rootkits such
as Jynx
name: ld_so_preload_exists
query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';
---
apiVersion: v1
kind: query
spec:
description: Records system/user time, db size, and many other system metrics
name: runtime_perf
query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov,
processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
---
apiVersion: v1
kind: query
spec:
description: Retrieves all the entries in the target system /etc/hosts file.
name: etc_hosts_snapshot
query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query to retrieve the EC2 metadata for this endpoint
name: ec2_instance_metadata_snapshot
query: SELECT * FROM ec2_instance_metadata;
---
apiVersion: v1
kind: query
spec:
name: hardware_events
query: SELECT * FROM hardware_events;
---
apiVersion: v1
kind: query
spec:
description: Information about memory usage on the system
name: memory_info
query: SELECT * FROM memory_info;
---
apiVersion: v1
kind: query
spec:
description: Displays information from /proc/stat file about the time the CPU cores
spent in different parts of the system
name: cpu_time
query: SELECT * FROM cpu_time;
---
apiVersion: v1
kind: query
spec:
description: Retrieves all the entries in the target system /etc/hosts file.
name: etc_hosts
query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
description: Retrieves information from the Operating System where osquery is currently
running.
name: os_version
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: A snapshot of all processes running on the host. Useful for outlier
analysis.
name: processes_snapshot
query: select name, path, cmdline, cwd, on_disk from processes;
---
apiVersion: v1
kind: query
spec:
description: Retrieves the current list of USB devices in the target system.
name: usb_devices
query: SELECT * FROM usb_devices;
---
apiVersion: v1
kind: query
spec:
description: A line-delimited authorized_keys table.
name: authorized_keys
query: SELECT * FROM users JOIN authorized_keys USING (uid);

57
salt/fleet/packs/palantir/Fleet/Servers/options.yaml
View File

@@ -1,57 +0,0 @@
apiVersion: v1
kind: options
spec:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
file_paths:
binaries:
- /usr/bin/%%
- /usr/sbin/%%
- /bin/%%
- /sbin/%%
- /usr/local/bin/%%
- /usr/local/sbin/%%
configuration:
- /etc/passwd
- /etc/shadow
- /etc/ld.so.conf
- /etc/ld.so.conf.d/%%
- /etc/pam.d/%%
- /etc/resolv.conf
- /etc/rc%/%%
- /etc/my.cnf
- /etc/modules
- /etc/hosts
- /etc/hostname
- /etc/fstab
- /etc/crontab
- /etc/cron%/%%
- /etc/init/%%
- /etc/rsyslog.conf
options:
audit_allow_config: true
audit_allow_sockets: true
audit_persist: true
disable_audit: false
events_expiry: 1
events_max: 500000
disable_distributed: false
disable_subscribers: user_events
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
logger_min_status: 1
logger_plugin: tls
logger_snapshot_event_type: true
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: /
schedule_splay_percent: 10
watchdog_memory_limit: 350
watchdog_utilization_limit: 130
overrides: {}

22
salt/fleet/packs/palantir/LICENSE.md
View File

@@ -1,22 +0,0 @@
# License
MIT License
Copyright (c) 2017 Palantir Technologies Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

164
salt/fleet/packs/palantir/README.md
View File

@@ -1,164 +0,0 @@
# Palantir osquery Configuration
## About This Repository
This repository is the companion to the [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) blog post.
The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is
our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is
exactly what we have done with our [unwanted-chrome-extensions](https://github.com/facebook/osquery/pull/3889) query pack and [additions](https://github.com/facebook/osquery/pull/3922) to the windows-attacks pack.
However, we have included additional query packs
that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when
operators have carefully considered the datasets to be collected and the potential use-cases for that data.
* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/performance-metrics.conf)
* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/security-tooling-checks.conf)
* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-application-security.conf)
* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-compliance.conf)
* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-registry-monitoring.conf)
**Note**: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below:
* [ossec-rootkit.conf](https://github.com/facebook/osquery/blob/master/packs/ossec-rootkit.conf)
* [osx-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf)
* [unwanted-chrome-extensions.conf](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf)
* [windows-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/windows-attacks.conf)
## Repository Layout
This repository is organized as follows:
* At the top level, there are two directories titled "Classic" and "Fleet"
* The [Classic](./Classic/) directory contains configuration files for a standard osquery deployment
* The [Fleet](./Fleet/) directory contains YAML files to be imported into Kolide's [Fleet](https://github.com/kolide/fleet) osquery management tool
Within each of those folders, you will find the following subdirectories:
* **Endpoints**: The contents of this folder are tailored towards monitoring MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day.
* **Servers**: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect an exponentially higher volume of logs to be returned from the agent.
## Using This Repository
**Note**: We recommend that you spin up a lab environment before deploying any of these configurations to a production
environment.
**Endpoints Configuration Overview**
* The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day
* The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing.
* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Endpoints/MacOS/osquery.conf)
* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
* These configuration files utilize packs within the [packs](./Endpoints/packs) folder and may generate errors if started without them
**Servers Configuration Overview**
* This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times
* Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd.
* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Servers/Linux/osquery.conf)
* Requires the [ossec-rootkit.conf](./Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
* The subscriber for `user_events` is disabled
## Quickstart - Classic
1. [Install osquery](https://osquery.io/downloads/)
2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below
3. Start osquery via `sudo osqueryctl start` on Linux/MacOS or `Start-Process osqueryd` on Windows
4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows)
## Quickstart - Fleet
1. Install Fleet version 2.0.0 or higher
2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags](https://github.com/kolide/fleet/blob/master/tools/osquery/example_osquery.flags)
2. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
3. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
```
git clone https://github.com/palantir/osquery-configuration.git
fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml;
do fleetctl apply -f "$pack"
done
```
The desired osquery directory structure for Linux, MacOS, and Windows is outlined below:
**Linux**
```
$ git clone https://github.com/palantir/osquery-configuration.git
$ cp -R osquery-configuration/Servers/Linux/* /etc/osquery
$ sudo osqueryctl start
/etc/osquery
├── osquery.conf
├── osquery.db
├── osquery.flags
└── packs
└── ossec-rootkit.conf
```
**MacOS**
```
$ git clone https://github.com/palantir/osquery-configuration.git
$ cp osquery-configuration/Endpoints/MacOS/* /var/osquery
$ cp osquery-configuration/Endpoints/packs/* /var/osquery/packs
$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing
$ sudo osqueryctl start
/var/osquery
├── certfile.crt [if using TLS endpoint]
├── osquery.conf
├── osquery.db
├── osquery.flags
└── packs
├── performance-metrics.conf
├── security-tooling-checks.conf
├── unwanted-chrome-extensions.conf
└── osx-attacks.conf
```
**Windows**
```
PS> git clone https://github.com/palantir/osquery-configuration.git
PS> copy-item osquery-configuration/Endpoints/Windows/* c:\ProgramData\osquery
PS> copy-item osquery-configuration/Endpoints/packs/* c:\ProgramData\osquery\packs
PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing
PS> start-service osqueryd
c:\ProgramData\osquery
├── certfile.crt [if using TLS endpoint]
├── log
├── osquery.conf
├── osquery.db
├── osquery.flags
├── osqueryi.exe
├─── osqueryd
| └── osqueryd.exe
└── packs
├── performance-metrics.conf
├── security-tooling-checks.conf
├── unwanted-chrome-extensions.conf
├── windows-application-security.conf
├── windows-compliance.conf
├── windows-registry-monitoring.conf
└── windows-attacks.conf
```
## Contributing
Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request.
## License
MIT License
Copyright (c) 2017 Palantir Technologies Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

53
salt/fleet/so-fleet-setup.sh
View File

@@ -1,53 +0,0 @@
#!/bin/bash
#so-fleet-setup.sh $MasterIP $FleetEmail
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "so-fleet container not running... Exiting..."
exit 1
fi
initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify --url-prefix /fleet
docker exec so-fleet fleetctl setup --email $2 --password $initpw
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
esecret=$(docker exec so-fleet fleetctl get enroll-secret)
#Concat fleet.crt & ca.crt - this is required for launcher connectivity
cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
#Create the output directory
mkdir /opt/so/conf/fleet/packages
#At some point we should version launcher `latest` to avoid hard pinning here
docker run \
--rm \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080
cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
#Update timestamp on packages webpage
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
# Enable Fleet on all the other parts of the infrastructure
sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls
# Install osquery locally
#if cat /etc/os-release | grep -q 'debian'; then
# dpkg -i /opt/so/conf/fleet/packages/launcher.deb
#else
# rpm -i /opt/so/conf/fleet/packages/launcher.rpm
#fi
echo "Installing launcher via salt"
salt-call state.apply launcher queue=True > /root/launcher.log
echo "Fleet Setup Complete - Login here: https://$1"
echo "Your username is $2 and your password is $initpw"