From ac5decde20ff0e39bc625c0a32171b0fee927779 Mon Sep 17 00:00:00 2001 From: AndrewB Date: Mon, 13 Sep 2021 19:27:41 -0400 Subject: [PATCH] Update standard-query-library.yml (#2036) * Update standard-query-library.yml Added new queries to library * sentence-case capitalization + standardize first word in name * andrewbare => alphabrevity (so your picture shows up correctly on the website) Co-authored-by: Mike McNeil --- .../standard-query-library.yml | 55 ++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
index 4260aebbb0..6ba2f3ddd8 100644
--- a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -440,9 +440,62 @@ spec:
 apiVersion: v1
 kind: query
 spec:
- name: Find deleted files from disk
+ name: Get processes that no longer exist on disk
 platforms: Linux, macOS, Windows
 description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
 query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
 purpose: Incident response
 contributors: alphabrevity
+ ---
+apiVersion: v1
+kind: query
+spec:
+ name: Get user files matching a specific hash
+ platforms: macOS, Linux
+ Description: Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
+ query: SELECT path,sha256 FROM hash WHERE path in (SELECT path FROM file WHERE size < 50000000 AND path LIKE ""/Users/%/Documents/%%"") AND sha256 = ""16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75"";
+ purpose: Informational
+ contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get local administrator accounts on macOS
+ platforms: macOS
+ description: The query allows you to check macOS systems for local administrator accounts.
+ query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
+ purpose: Informational
+ contributors: alphabrevity
+—--
+apiVersion: v1
+kind: query
+spec:
+ name: Get all listening ports, by process
+ platforms: Linux, macOS, Windows
+ Description: List ports that are listening on all interfaces, along with the process to which they are attached.
+ query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0";
+ purpose: Informational
+ contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Detect if TeamViewer is installed/running
+ platforms: Windows
+ description: Description: Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
+ query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
+ purpose: Detection
+ contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get malicious Python backdoors
+ platforms: macOS, Linux, Windows
+ description: Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
+ query: select case cnt when 0 then "NONE_INSTALLED" else "INSTALLED" end as "Malicious Python Packages",package_name,package_version from (select count(name) as cnt,nameas package_name,version as package_version,path as package_pathfrom python_packages where package_name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));
+ purpose: Informational
+ contributors: alphabrevity
+---
+
+
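Review bot: The "Get local administrator accounts on macOS" query does not select administrators: it joins `users` to `groups` on the account's primary `gid`, which on macOS is normally `staff` (20), so it lists every account with its primary group and never looks at admin membership, giving a false sense of coverage. Admin rights on macOS come from membership in the `admin` group (gid 80), which osquery exposes through the `user_groups` table, so the query should be along the lines of `SELECT u.uid, u.username, g.groupname FROM users u JOIN user_groups ug ON ug.uid = u.uid JOIN groups g ON g.gid = ug.gid WHERE g.gid = 80;`. The listening-ports entry has a related blind spot: `WHERE lp.address = "0.0.0.0"` matches only the IPv4 wildcard and misses sockets bound to `::`, so `WHERE lp.address IN ('0.0.0.0', '::')` is the safer filter. Two entries also use a capitalized `Description:` key (YAML keys are case-sensitive, so Fleet will not see those descriptions) and the hash query's `""/Users/%/Documents/%%""` and `""16d2…""` literals are double-doubled, which, unless it is a rendering artifact, is not a valid SQLite string and makes the LIKE/sha256 filters match nothing; single quotes are the portable delimiter. Likewise the separator before the listening-ports entry reads `—--` (em dash) and the first added separator is indented (` ---`), and if either is in the committed file rather than the page rendering the YAML document stream will not split there and the affected queries will not load.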