Fleet Module - Adding some Rule Packs
511
salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
Normal file
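--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
@@ -0,0 +1,511 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+name: windows-pack
+queries:
+- description: System info snapshot query
+interval: 28800
+name: system_info_snapshot
+platform: windows
+query: system_info_snapshot
+snapshot: true
+- description: List in-use Windows drivers
+interval: 3600
+name: drivers
+platform: windows
+query: drivers
+- description: Displays shared resources on a computer system running Windows. This
+may be a disk drive, printer, interprocess communication, or other sharable
+device.
+interval: 3600
+name: shared_resources
+platform: windows
+query: shared_resources
+- description: Lists all the patches applied
+interval: 3600
+name: patches
+platform: windows
+query: patches
+removed: false
+- description: Pipes snapshot query
+interval: 28800
+name: pipes_snapshot
+platform: windows
+query: pipes_snapshot
+snapshot: true
+- description: Programs snapshot query
+interval: 28800
+name: programs_snapshot
+platform: windows
+query: programs_snapshot
+snapshot: true
+- description: Services snapshot query
+interval: 28800
+name: services_snapshot
+platform: windows
+query: services_snapshot
+snapshot: true
+- description: WMI CommandLineEventConsumer, which can be used for persistence on
+Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+for more details.
+interval: 3600
+name: wmi_cli_event_consumers
+platform: windows
+query: wmi_cli_event_consumers
+- description: Lists the relationship between event consumers and filters.
+interval: 3600
+name: wmi_filter_consumer_binding
+platform: windows
+query: wmi_filter_consumer_binding
+- description: Snapshot query for Chrome extensions
+interval: 3600
+name: chrome_extensions_snapshot
+platform: windows
+query: chrome_extensions_snapshot
+- description: Retrieve the interface name, IP address, and MAC address for all
+interfaces on the host.
+interval: 600
+name: network_interfaces_snapshot
+platform: windows
+query: network_interfaces_snapshot
+snapshot: true
+- description: Local system users.
+interval: 3600
+name: users
+platform: windows
+query: users
+- description: Snapshot query for WMI event consumers.
+interval: 28800
+name: wmi_cli_event_consumers_snapshot
+platform: windows
+query: wmi_cli_event_consumers_snapshot
+snapshot: true
+- description: List all certificates in the trust store
+interval: 3600
+name: certificates
+platform: windows
+query: certificates
+removed: false
+- description: Drivers snapshot query
+interval: 28800
+name: drivers_snapshot
+platform: windows
+query: drivers_snapshot
+snapshot: true
+- description: Lists WMI event filters.
+interval: 3600
+name: wmi_event_filters
+platform: windows
+query: wmi_event_filters
+- description: List installed Internet Explorer extensions
+interval: 3600
+name: ie_extensions
+platform: windows
+query: ie_extensions
+- description: List the kernel path, version, etc.
+interval: 3600
+name: kernel_info
+platform: windows
+query: kernel_info
+- description: List the version of the resident operating system
+interval: 3600
+name: os_version
+platform: windows
+query: os_version
+- description: Patches snapshot query
+interval: 28800
+name: patches_snapshot
+platform: windows
+query: patches_snapshot
+snapshot: true
+- description: Named and Anonymous pipes.
+interval: 3600
+name: pipes
+platform: windows
+query: pipes
+removed: false
+- description: Lists installed programs
+interval: 0
+name: programs
+platform: windows
+query: programs
+- description: List all certificates in the trust store (snapshot query)
+interval: 0
+name: certificates_snapshot
+platform: windows
+query: certificates_snapshot
+snapshot: true
+- description: List the contents of the Windows hosts file
+interval: 3600
+name: etc_hosts
+platform: windows
+query: etc_hosts
+- description: Lists all of the tasks in the Windows task scheduler
+interval: 3600
+name: scheduled_tasks
+platform: windows
+query: scheduled_tasks
+- description: Extracted information from Windows crash logs (Minidumps).
+interval: 3600
+name: windows_crashes
+platform: windows
+query: windows_crashes
+removed: false
+- description: System uptime
+interval: 3600
+name: uptime
+platform: windows
+query: uptime
+snapshot: true
+- description: Snapshot query for WMI script event consumers.
+interval: 3600
+name: wmi_script_event_consumers
+platform: windows
+query: wmi_script_event_consumers
+snapshot: true
+- description: List installed Chocolatey packages
+interval: 3600
+name: chocolatey_packages
+platform: windows
+query: chocolatey_packages
+- description: Shared resources snapshot query
+interval: 28800
+name: shared_resources_snapshot
+platform: windows
+query: shared_resources_snapshot
+snapshot: true
+- description: Lists all installed services configured to start automatically at
+boot
+interval: 3600
+name: services
+platform: windows
+query: services
+- description: Users snapshot query
+interval: 28800
+name: users_snapshot
+platform: windows
+query: users_snapshot
+snapshot: true
+- description: List installed Chrome Extensions for all users
+interval: 3600
+name: chrome_extensions
+platform: windows
+query: chrome_extensions
+- description: Operating system version snapshot query
+interval: 28800
+name: os_version_snapshot
+platform: windows
+query: os_version_snapshot
+snapshot: true
+- description: System information for identification.
+interval: 3600
+name: system_info
+platform: windows
+query: system_info
+- description: Snapshot query for WMI event filters.
+interval: 28800
+name: wmi_event_filters_snapshot
+platform: windows
+query: wmi_event_filters_snapshot
+snapshot: true
+- description: Snapshot query for WMI filter consumer bindings.
+interval: 28800
+name: wmi_filter_consumer_binding_snapshot
+platform: windows
+query: wmi_filter_consumer_binding_snapshot
+snapshot: true
+- description: Information about the resident osquery process
+interval: 28800
+name: osquery_info
+platform: windows
+query: osquery_info
+snapshot: true
+- description: Scheduled Tasks snapshot query
+interval: 28800
+name: scheduled_tasks_snapshot
+platform: windows
+query: scheduled_tasks_snapshot
+snapshot: true
+targets:
+labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+description: System info snapshot query
+name: system_info_snapshot
+query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List in-use Windows drivers
+name: drivers
+query: SELECT * FROM drivers;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Displays shared resources on a computer system running Windows. This
+may be a disk drive, printer, interprocess communication, or other sharable device.
+name: shared_resources
+query: SELECT * FROM shared_resources;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists all the patches applied
+name: patches
+query: SELECT * FROM patches;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Pipes snapshot query
+name: pipes_snapshot
+query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
+pipes.name, pid FROM pipes JOIN processes USING (pid);
+---
+apiVersion: v1
+kind: query
+spec:
+description: Programs snapshot query
+name: programs_snapshot
+query: SELECT * FROM programs;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Services snapshot query
+name: services_snapshot
+query: SELECT * FROM services;
+---
+apiVersion: v1
+kind: query
+spec:
+description: WMI CommandLineEventConsumer, which can be used for persistence on
+Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+for more details.
+name: wmi_cli_event_consumers
+query: SELECT * FROM wmi_cli_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists the relationship between event consumers and filters.
+name: wmi_filter_consumer_binding
+query: SELECT * FROM wmi_filter_consumer_binding;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Snapshot query for Chrome extensions
+name: chrome_extensions_snapshot
+query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+description: Retrieve the interface name, IP address, and MAC address for all interfaces
+on the host.
+name: network_interfaces_snapshot
+query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
+d USING (interface);
+---
+apiVersion: v1
+kind: query
+spec:
+description: Local system users.
+name: users
+query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Snapshot query for WMI event consumers.
+name: wmi_cli_event_consumers_snapshot
+query: SELECT * FROM wmi_cli_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List all certificates in the trust store
+name: certificates
+query: SELECT * FROM certificates WHERE path != 'Other People';
+---
+apiVersion: v1
+kind: query
+spec:
+description: Drivers snapshot query
+name: drivers_snapshot
+query: SELECT * FROM drivers;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists WMI event filters.
+name: wmi_event_filters
+query: SELECT * FROM wmi_event_filters;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List installed Internet Explorer extensions
+name: ie_extensions
+query: SELECT * FROM ie_extensions;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List the kernel path, version, etc.
+name: kernel_info
+query: SELECT * FROM kernel_info;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List the version of the resident operating system
+name: os_version
+query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Patches snapshot query
+name: patches_snapshot
+query: SELECT * FROM patches;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Named and Anonymous pipes.
+name: pipes
+query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
+pipes.name, pid FROM pipes JOIN processes USING (pid);
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists installed programs
+name: programs
+query: SELECT * FROM programs;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List all certificates in the trust store (snapshot query)
+name: certificates_snapshot
+query: SELECT * FROM certificates WHERE path != 'Other People';
+---
+apiVersion: v1
+kind: query
+spec:
+description: List the contents of the Windows hosts file
+name: etc_hosts
+query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists all of the tasks in the Windows task scheduler
+name: scheduled_tasks
+query: SELECT * FROM scheduled_tasks;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Extracted information from Windows crash logs (Minidumps).
+name: windows_crashes
+query: SELECT * FROM windows_crashes;
+---
+apiVersion: v1
+kind: query
+spec:
+description: System uptime
+name: uptime
+query: SELECT * FROM uptime;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Snapshot query for WMI script event consumers.
+name: wmi_script_event_consumers
+query: SELECT * FROM wmi_script_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List installed Chocolatey packages
+name: chocolatey_packages
+query: SELECT * FROM chocolatey_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Shared resources snapshot query
+name: shared_resources_snapshot
+query: SELECT * FROM shared_resources;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Lists all installed services configured to start automatically at boot
+name: services
+query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';
+---
+apiVersion: v1
+kind: query
+spec:
+description: Users snapshot query
+name: users_snapshot
+query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+description: List installed Chrome Extensions for all users
+name: chrome_extensions
+query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+description: Operating system version snapshot query
+name: os_version_snapshot
+query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+description: System information for identification.
+name: system_info
+query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Snapshot query for WMI event filters.
+name: wmi_event_filters_snapshot
+query: SELECT * FROM wmi_event_filters;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Snapshot query for WMI filter consumer bindings.
+name: wmi_filter_consumer_binding_snapshot
+query: SELECT * FROM wmi_filter_consumer_binding;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Information about the resident osquery process
+name: osquery_info
+query: SELECT * FROM osquery_info;
+---
+apiVersion: v1
+kind: query
+spec:
+description: Scheduled Tasks snapshot query
+name: scheduled_tasks_snapshot
+query: SELECT * FROM scheduled_tasks;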
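Review bot: The `services` query spec's description says it lists services configured to start automatically at boot, but its predicate `WHERE start_type='DEMAND_START' OR start_type='AUTO_START'` also returns on-demand services, so the description and the filter disagree; either narrow the query to `start_type = 'AUTO_START'` or reword the description to `Lists installed services with AUTO_START or DEMAND_START start types` so analysts reading the results know what they are looking at. Two scheduled entries in the pack, `programs` and `certificates_snapshot`, carry `interval: 0`, which presumably means Fleet never schedules them (or rejects the pack) — confirm against the Fleet version in use and give them a real interval such as the `3600` / `28800` used by the sibling entries. Nearly every spec is `SELECT *`; naming the columns the downstream detections consume (as the `pipes` and `network_interfaces_snapshot` specs already do) would keep the pack stable when osquery adds columns and reduce the result volume shipped to the manager. The pack's `targets.labels` is `null`, so unless labels are assigned elsewhere it likely applies to no hosts; a comment stating where targeting is expected to be set would help.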