diff --git a/packages/osquery_manager/changelog.yml b/packages/osquery_manager/changelog.yml
index d8f4ec86977..434ab0ae71e 100644
--- a/packages/osquery_manager/changelog.yml
+++ b/packages/osquery_manager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Add packs and dashboards
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2851
 - version: "1.1.0"
   changes:
     - description: Upgrade schema and readme to match osquery 5.2.2.
diff --git a/packages/osquery_manager/kibana/dashboard/osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/dashboard/osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05.json
new file mode 100644
index 00000000000..cda8feccf9d
--- /dev/null
+++ b/packages/osquery_manager/kibana/dashboard/osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05.json
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Dashboard for visualizing the data collected by the Osquery compliance pack.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.module:osquery_manager\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":28,\"x\":20,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"4\",\"w\":11,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":9,\"x\":11,\"y\":4},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":20,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Osquery Manager] Compliance pack", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": 
"osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05", + "name": "panel_0", + "type": "search" + }, + { + "id": "osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05", + "name": "panel_2", + "type": "search" + }, + { + "id": "osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxOSw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/dashboard/osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/dashboard/osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..8a55ba06852 --- /dev/null +++ b/packages/osquery_manager/kibana/dashboard/osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "description": "This dashboard shows data collected by the OSSEC rootkit pack from osquery", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.module:osquery_manager\"},\"version\":true,\"filter\":[]}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":7,\"y\":0,\"w\":24,\"h\":5,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_1\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":0,\"w\":6,\"h\":5,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_2\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":0,\"w\":6,\"h\":5,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_3\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":5,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"8.2.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":5,\"w\":43,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]", + "timeRestore": false, + "title": "[Osquery Manager] OSSEC rootkit pack", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040", + 
"name": "2:panel_2", + "type": "visualization" + }, + { + "id": "osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040", + "name": "5:panel_5", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2022-03-18T16:52:59.542Z", + "version": "WzE2Nzk2MSw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..6668e6131f0 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54.json 
@@ -0,0 +1,249 @@ +{ + "attributes": { + "name": "windows-hardening", + "version": 1, + "queries": [ + { + "id": "OpenType_Font_Driver_Vulnerability", + "interval": 3600, + "platform": "windows", + "query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';", + "version": "2.2.1" + }, + { + "id": "Protecting_Against_Weak_Crypto_Algo", + "interval": 3600, + "platform": "windows", + "query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';", + "version": "2.2.1" + }, + { + "id": "UAC_Disabled", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;", + "version": "2.2.1" + }, + { + "id": "SecureBoot", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled'" + }, + { + "id": "FontBlocking", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions\\MitigationOptions_FontBlocking'" + }, + { + "id": "DepPolicy", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemStartOptions'" + }, + { + "id": "MitigationOptions", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions'" + }, + { + "id": "MoveImages", + 
"interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\moveImages'" + }, + { + "id": "KernelSehopEnabled", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\KernelSEHOPEnabled'" + }, + { + "id": "EnableCertPaddingCheck", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'" + }, + { + "id": "EnableCertPaddingCheck_wow64", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'" + }, + { + "id": "CwdIllegalInDllSearch", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\CWDIllegalInDllSearch'" + }, + { + "id": "DisabledExceptionChainValidation", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\DisableExceptionChainValidation'" + }, + { + "id": "EnableLowVaAccess", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableLowVaAccess'" + }, + { + "id": "ControlFlowGuard", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableCfg'" + }, + { + "id": "App_ExecuteOptions", + "interval": 86400, + "platform": "windows", + "query": "select * from registry 
where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\executeOptions'" + }, + { + "id": "App_MitigationOptions", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\MitigationOptions'" + }, + { + "id": "AppCompat", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'" + }, + { + "id": "App_disabledExceptionChainValidation", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\DisableExceptionChainValidation'" + }, + { + "id": "DefaultLevelMachine", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'" + }, + { + "id": "DefaultLevelUser", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'" + }, + { + "id": "PolicyScopeMachine", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'" + }, + { + "id": "PolicyScopeUser", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'" + }, + { + "id": "ExecutableTryMachine", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where 
key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'" + }, + { + "id": "ExecutableTryUser", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'" + }, + { + "id": "TransparentEnabledMachine", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'" + }, + { + "id": "TransparentEnabledUser", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'" + }, + { + "id": "Unrestricted", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144'" + }, + { + "id": "Unrestricted_Paths", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths'" + }, + { + "id": "Unrestricted_Paths_ItemData", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths\\%\\ItemData'" + }, + { + "id": "Disallowed", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0'" + }, + { + "id": "Disallowed_Paths", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths'" + }, + { + "id": 
"Disallowed_Paths_ItemData", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\%\\ItemData'" + }, + { + "id": "SaferFlags", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\%\\%\\%\\SaferFlags'" + }, + { + "id": "RuleSetEnforcementMode", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\EnforcementMode'" + }, + { + "id": "Rule", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\%\\Value'" + }, + { + "id": "AuditSpecialGroups", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit'" + }, + { + "id": "SysmonConfig", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters'" + }, + { + "id": "DeveloperMode", + "interval": 86400, + "platform": "windows", + "query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-07fe8000-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-07fe8000-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..2a5bcafba0f --- /dev/null 
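Review bot: The `SysmonConfig` query targets `HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters`, but `CCS` is only a documentation shorthand for the real key name; every other `SYSTEM\\...` query in this pack spells it `CurrentControlSet`, so as written the check returns no rows and a missing Sysmon configuration is never reported. The `AppCompat` query has the same silent-miss shape: it uses `key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\...\\AppCompatFlags\\Layers'` with `=`, so the `%` is matched literally rather than as a wildcard, whereas the sibling `App_*` queries use `key like` for that pattern. Proposed lines: `"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters'"` and `"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'"`. Less certain but worth verifying on a host: most queries here filter with `key=` on what look like value names (e.g. `...\\SecureBoot\\State\\UEFISecureBootEnabled`) while `UAC_Disabled` filters its leaf with `path=`; if the registry table's `key` column only matches key paths, those checks also return nothing, and a hardening pack that returns no rows is indistinguishable from a hardened host. Only the first three queries carry a `version`; the rest would benefit from the same field plus a `description` so an analyst knows what a returned row means.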
+++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-07fe8000-a6df-11ec-b2f9-c732a3845c54.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "name": "windows-attacks", + "version": 1, + "queries": [ + { + "id": "CCleaner_Trojan.Floxif", + "interval": 3600, + "platform": "windows", + "query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';", + "version": "2.2.1" + }, + { + "id": "CCleaner_Trojan_stage2.Floxif", + "interval": 3600, + "platform": "windows", + "query": "select h.md5, h.sha1, h.sha256, s.name, s.service_type, s.display_name, s.module_path, s.user_account from services s, hash h where h.path = s.module_path and ((s.module_path like '%GeeSetup_x86%' and h.sha256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83') or (s.module_path like '%EFACli64%' and h.sha256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f') or (s.module_path like '%TSMSISrv%' and h.sha256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'));", + "version": "2.1.0" + }, + { + "id": "Winsecurity_info_1", + "interval": 3600, + "platform": "windows", + "query": "select * from programs where name = 'Winsecurity.info';", + "version": "2.2.1" + }, + { + "id": "Winsecurity_info_2", + "interval": 3600, + "platform": "windows", + "query": "select * from chrome_extensions join users using (uid) where name = 'Winsecurity.info';", + "version": "2.2.1" + }, + { + "id": "unTabs_1", + "interval": 3600, + "platform": "windows", + "query": "select * from programs where name like 'unTabs%';", + "version": "2.2.1" + }, + { + "id": "unTabs_2", + "interval": 3600, + "platform": "windows", + "query": "select * from chrome_extensions join users using (uid) where name like 'unTabs%';", + "version": "2.2.1" + }, + { + "id": "StickyKeys_File_Replace_Backdoor", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR 
path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';", + "version": "2.2.1" + }, + { + "id": "StickyKeys_Registry_Backdoor", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';", + "version": "2.2.1" + }, + { + "id": "conhost.exe_incorrect_path", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';", + "version": "2.2.1" + }, + { + "id": "dllhost.exe_incorrect_path", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';", + "version": "2.2.1" + }, + { + "id": "lsass.exe_incorrect_path", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';", + "version": "2.2.1" + }, + { + "id": "services.exe_incorrect_parent_process", + "interval": 3600, + "platform": "windows", + "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';", + "version": "2.2.1" + }, + { + "id": "svchost.exe_incorrect_path", + "interval": 3600, + "platform": "windows", + "query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND 
path!='';", + "version": "2.2.1" + }, + { + "id": "svchost.exe_incorrect_parent_process", + "interval": 3600, + "platform": "windows", + "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe') AND LOWER(name)!='services.exe';", + "version": "2.2.1" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-07fe8000-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0c09a800-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0c09a800-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..d3b67a2d3a2 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0c09a800-a6df-11ec-b2f9-c732a3845c54.json 
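Review bot: `services.exe_incorrect_parent_process` and `svchost.exe_incorrect_parent_process` use `pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe')`, and a scalar subquery in SQLite yields only its first row, so on a host with many `svchost.exe` instances only one parent is ever checked and any other instance with an unexpected parent is missed. Changing the comparison to `pid IN (SELECT parent FROM processes WHERE LOWER(name)='svchost.exe')` (and likewise for `services.exe`) checks every instance's parent; projecting `pid` and `path` alongside `name` would also let the alert identify the offending parent. In `StickyKeys_Registry_Backdoor` the pattern `...Image File Execution Options\\%%'` has a doubled `%`, which is harmless but reads like a typo for `%`. None of the queries carries a `description`, so the intent behind checks such as `StickyKeys_File_Replace_Backdoor` (the excluded sha256 there is the digest of empty input) is only recoverable from the id; a one-line description per query would help analysts triaging results.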
@@ -0,0 +1,135 @@ +{ + "attributes": { + "name": "vuln-management", + "version": 1, + "queries": [ + { + "id": "kernel_info", + "interval": 86400, + "query": "select * from kernel_info;", + "version": "1.4.5" + }, + { + "id": "os_version", + "interval": 86400, + "query": "select * from os_version;", + "version": "1.4.5" + }, + { + "id": "kextstat", + "interval": 86400, + "platform": "darwin", + "query": "select * from kernel_extensions;", + "version": "1.4.5" + }, + { + "id": "kernel_modules", + "interval": 86400, + "platform": "linux", + "query": "select * from kernel_modules;", + "version": "1.4.5" + }, + { + "id": "installed_applications", + "interval": 86400, + "platform": "darwin", + "query": "select * from apps;", + "version": "1.4.5" + }, + { + "id": "browser_plugins", + "interval": 86400, + "platform": "darwin", + "query": "select browser_plugins.* from users join browser_plugins using (uid);", + "version": "1.6.1" + }, + { + "id": "safari_extensions", + "interval": 86400, + "platform": "darwin", + "query": "select safari_extensions.* from users join safari_extensions using (uid);", + "version": "1.6.1" + }, + { + "id": "opera_extensions", + "interval": 86400, + "platform": "darwin,linux", + "query": "select opera_extensions.* from users join opera_extensions using (uid);", + "version": "1.6.1" + }, + { + "id": "chrome_extensions", + "interval": 86400, + "query": "select chrome_extensions.* from users join chrome_extensions using (uid);", + "version": "1.6.1" + }, + { + "id": "firefox_addons", + "interval": 86400, + "platform": "darwin,linux", + "query": "select firefox_addons.* from users join firefox_addons using (uid);", + "version": "1.6.1" + }, + { + "id": "homebrew_packages", + "interval": 86400, + "platform": "darwin", + "query": "select * from homebrew_packages;", + "version": "1.4.5" + }, + { + "id": "package_receipts", + "interval": 86400, + "platform": "darwin", + "query": "select * from package_receipts;", + "version": "1.4.5" + }, + { + "id": 
"deb_packages", + "interval": 86400, + "platform": "linux", + "query": "select * from deb_packages;", + "version": "1.4.5" + }, + { + "id": "apt_sources", + "interval": 86400, + "platform": "linux", + "query": "select * from apt_sources;", + "version": "1.4.5" + }, + { + "id": "portage_packages", + "interval": 86400, + "platform": "linux", + "query": "select * from portage_packages;", + "version": "2.0.0" + }, + { + "id": "rpm_packages", + "interval": 86400, + "platform": "linux", + "query": "select * from rpm_packages;", + "version": "1.4.5" + }, + { + "id": "unauthenticated_sparkle_feeds", + "interval": 86400, + "platform": "darwin", + "query": "select feeds.*, p2.value as sparkle_version from (select a.name as app_name, a.path as app_path, a.bundle_identifier as bundle_id, p.value as feed_url from (select name, path, bundle_identifier from apps) a, plist p where p.path = a.path || '/Contents/Info.plist' and p.key = 'SUFeedURL' and feed_url like 'http://%') feeds left outer join plist p2 on p2.path = app_path || '/Contents/Frameworks/Sparkle.framework/Resources/Info.plist' where (p2.key = 'CFBundleShortVersionString' OR coalesce(p2.key, '') = '');", + "version": "1.4.5" + }, + { + "id": "backdoored_python_packages", + "interval": 86400, + "platform": "darwin,linux", + "query": "select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';", + "version": "1.4.5" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-0c09a800-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file 
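Review bot: `kernel_info`, `os_version` and `chrome_extensions` omit `platform` while every other query in this pack sets it; if omission means "all platforms" that is presumably intended, but stating it explicitly (`"platform": "darwin,linux,windows"`) makes the schedule readable without knowing the default. The `backdoored_python_packages` query filters on the output alias `package_name` in its `WHERE` clause, which SQLite accepts as an extension but which is easy to misread as a table column; filtering on `name` directly removes that dependence. None of the queries carries a `description`, and the typosquat list in `backdoored_python_packages` in particular is a fixed IoC set that needs a source reference and periodic review, which a description field is the natural place to record.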
diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0f652f10-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0f652f10-a6df-11ec-b2f9-c732a3845c54.json
new file mode 100644
index 00000000000..c6fba4a1dc6
--- /dev/null
+++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-0f652f10-a6df-11ec-b2f9-c732a3845c54.json
@@ -0,0 +1,96 @@ +{ + "attributes": { + "name": "unwanted-chrome-extensions", + "version": 1, + "queries": [ + { + "id": "BetternetVPN", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gjknjjomckknofjidppipffbpoekiipm';" + }, + { + "id": "Chrometana", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='kaicbfmipfpfpjmlbpejaoaflfdnabnc';" + }, + { + "id": "CopyFish", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='eenjdnjldapjajjofmldgmkjaienebbj';" + }, + { + "id": "HolaVPN", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gkojfkhlekighikafcpjkiklfbnlmeio';" + }, + { + "id": "InfinityNewTab", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='dbfmnekepjoapopniengjbcpnbljalfg';" + }, + { + "id": "SocialFixer", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='ifmhoabcaeehkljcfclfiieohkohdgbb';" + }, + { + "id": "TouchVPN", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bihmplhobchoageeokmgbdihknkjbknd';" + }, + { + "id": "WebDeveloper", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bfbameneiokkgbdmiekhjnmfkcnldhhm';" + }, + { + "id": "WebPaint", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='emeokgokialpjadjaoeiplmnkjoaegng';" + }, 
+ { + "id": "MacOSInstallCore", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='hinehnlkkmckjblijjpbpamhljokoohh';" + }, + { + "id": "User-Agent Switcher", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='clddifkhlkcojbojppdojfeeikdkgiae';" + }, + { + "id": "Nano Adblocker", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gabbbocakeomblphkmmnoamkioajlkfo';" + }, + { + "id": "Nano Defender ", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='ggolfgbegefeeoocgjbmkembbncoadlb';" + }, + { + "id": "Forcepoint Endpoint Chrome Extension", + "interval": 3600, + "platform": "windows,darwin", + "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='fmfjhicbjecfchfmpelfnifijeigelme';" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-0f652f10-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-135ccf10-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-135ccf10-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..29141628c3b --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-135ccf10-a6df-11ec-b2f9-c732a3845c54.json 
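Review bot: The query id `"Nano Defender "` carries a trailing space, which will surface as a mismatched name wherever ids are used as keys (scheduled-query names, result `name` fields, dashboard filters); it should be `"id": "Nano Defender"`. The ids also mix styles — `BetternetVPN`, `HolaVPN` versus `User-Agent Switcher`, `Forcepoint Endpoint Chrome Extension` — and the earlier pack hunks use underscores rather than spaces, so one convention across packs would keep filtering on the id predictable. Every query restricts itself to `windows,darwin` although the `chrome_extensions` join through `users` is written platform-neutrally; if excluding Linux is deliberate, a pack-level `description` saying so, and noting why each extension identifier is listed, would stop a later maintainer from "fixing" it.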
@@ -0,0 +1,530 @@ +{ + "attributes": { + "name": "osx-attacks", + "version": 1, + "queries": [ + { + "id": "WireLurker", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.machook_damon.plist' OR name = 'com.apple.globalupdate.plist' OR name = 'com.apple.appstore.plughelper.plist' OR name = 'com.apple.MailServiceAgentHelper.plist' OR name = 'com.apple.systemkeychain-helper.plist' OR name = 'com.apple.periodic-dd-mm-yy.plist';", + "version": "1.4.5" + }, + { + "id": "Leverage-A_1", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where path like '%UserEvent.System.plist';", + "version": "1.4.5" + }, + { + "id": "Leverage-A_2", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path = '/Users/Shared/UserEvent.app';", + "version": "1.4.5" + }, + { + "id": "Leverage-A_3", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.GetFlashPlayer.plist';", + "version": "1.4.5" + }, + { + "id": "Tibet.D", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where path like '%com.apple.AudioService.plist';", + "version": "1.4.5" + }, + { + "id": "DevilRobber", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';", + "version": "1.4.5" + }, + { + "id": "XSLCmd", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.service.clipboardd.plist';", + "version": "1.4.5" + }, + { + "id": "Olyx", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. 
google.com.tstart.plist%';", + "version": "1.4.5" + }, + { + "id": "Imuler", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'checkflr.plist';", + "version": "1.4.5" + }, + { + "id": "iWorkServ", + "interval": 3600, + "platform": "darwin", + "query": "select * from startup_items where path like '%iWorkServices%';", + "version": "1.4.5" + }, + { + "id": "Morcut", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.mdworker.plist';", + "version": "1.4.5" + }, + { + "id": "BlazingKeylogger", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.BT.BPK.plist';", + "version": "1.4.5" + }, + { + "id": "Icefog", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';", + "version": "1.4.5" + }, + { + "id": "Careto", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where path like '%com.apple.launchport.plist';", + "version": "1.4.5" + }, + { + "id": "Inqtana", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';", + "version": "1.4.5" + }, + { + "id": "MacKontrol", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.FolderActionsxl.plist';", + "version": "1.4.5" + }, + { + "id": "PubSab", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.PubSabAgent.plist';", + "version": "1.4.5" + }, + { + "id": "Dockster", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'mac.Dockset.deman.plist';", + "version": "1.4.5" + }, + { + "id": "CallMe", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'realPlayerUpdate.plist';", + 
"version": "1.4.5" + }, + { + "id": "Whitesmoke", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.whitesmoke.uploader.plist';", + "version": "1.4.5" + }, + { + "id": "Codecm", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.codecm.uploader.plist';", + "version": "1.4.5" + }, + { + "id": "iWorm", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.JavaW.plist';", + "version": "1.4.5" + }, + { + "id": "iWorm_1", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path like '/Library/Application Support/JavaW%';", + "version": "1.4.5" + }, + { + "id": "SniperSpy", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.rxs.syslogagent.plist';", + "version": "1.4.5" + }, + { + "id": "Vsearch", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.vsearch.agent.plist' OR name = 'com.vsearch.daemon.plist' OR name = 'com.vsearch.helper.plist' OR name = 'Jack.plist' OR program_arguments = '/etc/run_upd.sh' OR program_arguments LIKE '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';", + "version": "1.4.5" + }, + { + "id": "Buca", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';", + "version": "1.4.5" + }, + { + "id": "Conduit", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';", + "version": "1.4.5" + }, + { + "id": "Genieo", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 
'com.genieo.completer.download.plist' OR name = 'com.genieo.completer.update.plist' OR name = 'com.genieo.completer.ltvbit.plist' OR name = 'com.installer.completer.download.plist' OR name = 'com.installer.completer.update.plist' OR name = 'com.installer.completer.ltvbit.plist' OR name = 'com.genieoinnovation.macextension.plist' OR name = 'com.genieoinnovation.macextension.client.plist' OR name = 'com.genieo.engine.plist';", + "version": "1.4.5" + }, + { + "id": "GenieoPart2", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';", + "version": "1.4.5" + }, + { + "id": "HackingTeam_Mac_RAT1", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path = '/dev/ptmx0';", + "version": "1.4.5" + }, + { + "id": "HackingTeam_Mac_RAT2", + "interval": 3600, + "platform": "darwin", + "query": "select * from apps where bundle_identifier = 'com.ht.RCSMac';", + "version": "1.4.5" + }, + { + "id": "HackingTeam_Mac_RAT3", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where label = 'com.ht.RCSMac' OR name = 'com.apple.loginStoreagent.plist' OR name = 'com.apple.mdworker.plist' OR name = 'com.apple.UIServerLogin.plist';", + "version": "1.4.5" + }, + { + "id": "HackingTeam_Mac_Persistence", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';", + "version": "1.4.5" + }, + { + "id": "xprotect_reports", + "interval": 1200, + "platform": "darwin", + "query": "select * from xprotect_reports;", + "version": "1.4.5" + }, + { + "id": "Keranger_1", + "interval": 3600, + "platform": "darwin", + "query": "select * from processes where name = 'kernel_service';", + "version": "1.4.5" + }, + { + "id": "Keranger_2", + "interval": 3600, + "platform": "darwin", + 
"query": "select * from file where path LIKE '/Users/%/Library/.kernel_%' OR path LIKE '/Users/%/Library/kernel_service';", + "version": "1.4.5" + }, + { + "id": "PremierOpinion", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';", + "version": "1.4.5" + }, + { + "id": "Bundlore", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';", + "version": "1.4.5" + }, + { + "id": "Spigot", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name like 'com.spigot.%.plist';", + "version": "1.4.5" + }, + { + "id": "SearchInstUpdater", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_Pirrit", + "interval": 3600, + "platform": "darwin", + "query": "select * from plist where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';", + "version": "1.4.5" + }, + { + "id": "Backdoor_MAC_Eleanor", + "interval": 3600, + "platform": "darwin", + "query": "SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');", + "version": "1.4.5" + }, + { + "id": "EliteKeylogger", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';", + "version": "1.4.5" + }, + { + "id": "Aobo_Keylogger", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name like 'com.ab.kl%.plist';", + "version": 
"1.4.5" + }, + { + "id": "OSX_Keydnap", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name IN ('com.apple.iCloud.sync.daemon', 'com.geticloud.icloud.photo');", + "version": "1.4.5" + }, + { + "id": "Java_Adwind_Trojan", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';", + "version": "1.4.5" + }, + { + "id": "OSX_Backdoor_Mokes", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path LIKE '/Users/%/Library/App Store/storeuserd' OR path LIKE '/Users/%/Library/com.apple.spotlight/SpotlightHelper' OR path LIKE '/Users/%/Library/Dock/com.apple.dock.cache' OR path LIKE '/Users/%/Library/Dropbox/DropboxCache' OR path LIKE '/Users/%/Library/Skype/SkypeHelper' OR path LIKE '/Users/%/Library/Google/Chrome/nacld' OR path LIKE '/Users/%/Library/Firefox/Profiles/profiled';", + "version": "1.4.5" + }, + { + "id": "OSX_Komplex", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path = '/Users/Shared/.local/kext' or path = '/Users/Shared/com.apple.updates.plist' or path = '/Users/Shared/start.sh';", + "version": "1.4.5" + }, + { + "id": "OceanLotus_launchagent", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.google.plugins.plist';", + "version": "1.4.5" + }, + { + "id": "OceanLotus_dropped_file_1", + "interval": 3600, + "platform": "darwin", + "query": "select * from file, ( select '/Library/Logs/.Logs/corevideosd' ioc union select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union select '/Library/Parallels/.cfg' ioc union select '/Library/Preferences/.fDTYuRs' ioc union select '/Library/Hash/.Hashtag/.hash' ioc union select '/Library/Hash/.hash' ioc ) iocs where file.path LIKE '/Users/%/' || ioc OR file.path = iocs.ioc OR 
file.path LIKE '/tmp/crunzip.temp.%';", + "version": "1.4.5" + }, + { + "id": "XcodeGhost", + "interval": 3600, + "platform": "darwin", + "query": "select * from ( select apps.bundle_short_version as xcode_version, apps.path as xcode_path, file.path, file.type as file_type from apps, file where apps.bundle_name='Xcode' and file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') ) join hash using (path) where file_type = 'regular';", + "version": "1.4.5" + }, + { + "id": "Quimitchin_Backdoor", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.client.client.plist';", + "version": "1.4.5" + }, + { + "id": "Pronto", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'pronto.notification.plist' or name = 'pronto.update.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_DOK_1", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.Safari.proxy.plist' or name = 'com.apple.Safari.proxy.pac';", + "version": "1.4.5" + }, + { + "id": "OSX_DOK_2", + "interval": 3600, + "platform": "darwin", + "query": "select common_name, sha1, subject_key_id from certificates where subject_key_id = 'e637d656f9f088ddca3b3b55c4fe698d8c97a552';", + "version": "1.4.5" + }, + { + "id": "OSX_DOK_3", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path = '/Users/Shared/AppStore.app';", + "version": "1.4.5" + }, + { + "id": "OSX_DOK_4", + "interval": 3600, + "platform": "darwin", + "query": "select * from apps where bundle_name = 'Truesteer.AppStore';", + "version": "1.4.5" + }, + { + "id": "OSX_Snake", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path = '/Library/LaunchDaemons/com.adobe.update.plist' OR path = '/Library/Scripts/installd.sh' OR path = '/Library/Scripts/queue' OR path = '/tmp/.gdm-socket' OR path = '/tmp/.gdm-selinux' OR path LIKE 
'/var/tmp/.ur-%%';", + "version": "1.4.5" + }, + { + "id": "OSX_Proton_Files", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path like '/Users/%/Library/RenderFiles/activity_agent.app/' OR path like '/Users/%/Library/LaunchAgents/fr.handbrake.activity_agent.plist' OR path='/tmp/Updater.app' OR path='/Library/.rand/updateragent.app' OR path='/Library/LaunchAgents/com.apple.xpcd.plist' OR path='/Library/.cachedir' OR path='/Library/.random';", + "version": "1.4.5" + }, + { + "id": "OSX_Proton_Launchd", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name='com.Eltima.UpdaterAgent.plist' OR name='com.apple.xpcd.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_Proton_Process", + "interval": 3600, + "platform": "darwin", + "query": "select * from processes where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent' OR path='/Library/.rand/updateragent.app/Contents/MacOS/updateragent' OR path='/Library/.random/xpcd.app/Contents/MacOS/xpcd';", + "version": "1.4.5" + }, + { + "id": "EmPyre_Agent", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.proxy.initialize.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_FruitFly", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.client.client.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_Mughthesec", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.Mughthesec.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_HiddenLotus", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.hidd.shared.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_MaMi_DNS_Servers", + "interval": 3600, + "platform": "darwin", + "query": "select * from dns_resolvers where type = 'nameserver' and address in ('82.163.143.135', '82.163.142.137');", + 
"version": "2.8.0" + }, + { + "id": "OSX_MaMi_Certificate", + "interval": 3600, + "platform": "darwin", + "query": "select * from certificates where common_name like '%cloudguard.me%' and not_valid_after = '2352216315';", + "version": "2.8.0" + }, + { + "id": "Behavioral_Reverse_Shell", + "interval": 3600, + "platform": "darwin", + "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND process_open_files.pid IS NULL;", + "version": "2.8.0" + }, + { + "id": "OSX_ColdRoot_RAT_Launchd", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd where name = 'com.apple.audio.driver.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_ColdRoot_RAT_Files", + "interval": 3600, + "platform": "darwin", + "query": "select * from file where path in ('/private/var/tmp/com.apple.audio.driver.app/', '/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/conx.wol');", + "version": "1.4.5" + }, + { + "id": "MacSearch_Adware", + "interval": 3600, + "platform": "darwin", + "query": "SELECT * FROM launchd WHERE path='/Library/LaunchAgents/tapufind.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_Dummy_Launchd", + "interval": 3600, + "platform": "darwin", + "query": "SELECT * FROM launchd WHERE name = 'com.startup.plist';", + "version": "1.4.5" + }, + { + "id": "OSX_Dummy_Files", + "interval": 3600, + "platform": "darwin", + "query": "SELECT * FROM file WHERE path = '/Library/LaunchDaemons/com.startup.plist' OR path = '/var/root/script.sh' OR path = '/Users/Shared/dumpdummy' OR path = 
'/tmp/script.sh' OR path = '/tmp/com.startup.plist' OR path = '/tmp/dumpdummy';", + "version": "1.4.5" + }, + { + "id": "OSX_SearchAwesome", + "interval": 3600, + "platform": "darwin", + "query": "SELECT * FROM file WHERE path = '/Applications/spi.app' OR path = '/Users/%/Library/LaunchAgents/spid-uninstall.plist' OR path = '/Users/%/Library/LaunchAgents/spid.plist' OR path = '/Users/%/Library/SPI';", + "version": "1.4.5" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-135ccf10-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-190860a0-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-190860a0-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..a3c6b449694 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-190860a0-a6df-11ec-b2f9-c732a3845c54.json 
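Review bot: `Quimitchin_Backdoor` and `OSX_FruitFly` run the identical statement `select * from launchd where name = 'com.client.client.plist';`, so every hit is reported twice under two names each interval; drop one or merge the ids, e.g. `"id": "OSX_FruitFly_Quimitchin"`. `Morcut` and `HackingTeam_Mac_RAT3` both match `name = 'com.apple.mdworker.plist'`, and `Icefog` and `Careto` both key on `com.apple.launchport.plist`, which may be intended but will likewise double-count the same launchd entry. `OSX_DOK_1` includes `name = 'com.apple.Safari.proxy.pac'` in a `launchd` query; a `.pac` file is a proxy auto-config script rather than a launchd plist, so that disjunct presumably never matches and may belong in a `file` query instead.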
@@ -0,0 +1,438 @@ +{ + "attributes": { + "name": "ossec-rootkit", + "version": 1, + "queries": [ + { + "id": "bash_door", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');", + "version": "1.4.5" + }, + { + "id": "slapper_installed", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');", + "version": "1.4.5" + }, + { + "id": "mithra`s_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/locale/uboot');", + "version": "1.4.5" + }, + { + "id": "omega_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/chr');", + "version": "1.4.5" + }, + { + "id": "kenga3_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/include/. 
.');", + "version": "1.4.5" + }, + { + "id": "sadmind/iis_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/cuc');", + "version": "1.4.5" + }, + { + "id": "rsha", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');", + "version": "1.4.5" + }, + { + "id": "old_rootkits", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');", + "version": "1.4.5" + }, + { + "id": "telekit_trojan", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');", + "version": "1.4.5" + }, + { + "id": "tc2_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');", + "version": "1.4.5" + }, + { + "id": "shitc", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');", + "version": "1.4.5" + }, + { + "id": "rh_sharpe", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');", + "version": "1.4.5" + }, + { + "id": "showtee_/_romanian_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');", + 
"version": "1.4.5" + }, + { + "id": "lrk_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/ida/.inet');", + "version": "1.4.5" + }, + { + "id": "zk_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');", + "version": "1.4.5" + }, + { + "id": "ramen_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');", + "version": "1.4.5" + }, + { + "id": "maniac_rk", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/bin/mailrc');", + "version": "1.4.5" + }, + { + "id": "bmbl_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');", + "version": "1.4.5" + }, + { + "id": "suckit_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/.x', '/lib/sk');", + "version": "1.4.5" + }, + { + "id": "adore_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');", + "version": "1.4.5" + }, + { + "id": "ldp_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');", + "version": "1.4.5" + }, + { + "id": "romanian_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');", + "version": "1.4.5" + }, + { + "id": "illogic_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', 
'/etc/ld.so.hash');", + "version": "1.4.5" + }, + { + "id": "bobkit_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');", + "version": "1.4.5" + }, + { + "id": "monkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/defs');", + "version": "1.4.5" + }, + { + "id": "override_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');", + "version": "1.4.5" + }, + { + "id": "madalin_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');", + "version": "1.4.5" + }, + { + "id": "solaris_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');", + "version": "1.4.5" + }, + { + "id": "phalanx_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');", + "version": "1.4.5" + }, + { + "id": "ark_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/ptyxx');", + "version": "1.4.5" + }, + { + "id": "tribe_bot", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/wd4');", + "version": "1.4.5" + }, + { + "id": "cback_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');", + "version": "1.4.5" + }, + { + "id": "optickit", + "interval": 3600, + "platform": "linux", + "query": "select * 
from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');", + "version": "1.4.5" + }, + { + "id": "anonoiyng_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');", + "version": "1.4.5" + }, + { + "id": "loc_rookit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');", + "version": "1.4.5" + }, + { + "id": "showtee", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');", + "version": "1.4.5" + }, + { + "id": "zarwt_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/bin/imin', '/bin/imout');", + "version": "1.4.5" + }, + { + "id": "lion_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');", + "version": "1.4.5" + }, + { + "id": "suspicious_file", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', '/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', 
'/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');", + "version": "1.4.5" + }, + { + "id": "apa_kit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/share/.aPa');", + "version": "1.4.5" + }, + { + "id": "enye_sec_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');", + "version": "1.4.5" + }, + { + "id": "rk17", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');", + "version": "1.4.5" + }, + { + "id": "trk_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');", + "version": "1.4.5" + }, + { + "id": "scalper_installed", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');", + "version": "1.4.5" + }, + { + "id": "hidr00tkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/var/lib/games/.k');", + "version": "1.4.5" + }, + { + "id": "beastkit_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');", + "version": "1.4.5" + }, + { + "id": "shv5_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');", + "version": "1.4.5" + }, + { + "id": "esrk_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/tcl5.3');", + "version": "1.4.5" + }, + { + "id": "shkit_rootkit", + "interval": 3600, + "platform": "linux", + 
"query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');", + "version": "1.4.5" + }, + { + "id": "knark_installed", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');", + "version": "1.4.5" + }, + { + "id": "volc_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/volc', '/usr/bin/volc');", + "version": "1.4.5" + }, + { + "id": "fu_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');", + "version": "1.4.5" + }, + { + "id": "ajakit_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');", + "version": "1.4.5" + }, + { + "id": "monkit_found", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/lib/libpikapp.a');", + "version": "1.4.5" + }, + { + "id": "t0rn_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');", + "version": "1.4.5" + }, + { + "id": "adore_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');", + "version": "1.4.5" + }, + { + "id": "55808.a_worm", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');", + "version": "1.4.5" + }, + { + "id": "tuxkit_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');", + "version": "1.4.5" + }, + { + "id": "reptile_rootkit", + "interval": 3600, + "platform": "linux", + 
"query": "select * from file where path in ('/reptile/reptile_cmd', '/lib/udev/reptile');", + "version": "1.4.5" + }, + { + "id": "beurk_rootkit", + "interval": 3600, + "platform": "linux", + "query": "select * from file where path in ('/lib/libselinux.so');", + "version": "1.4.5" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-190860a0-a6df-11ec-b2f9-c732a3845c54", + "references": [ + { + "id": "osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05", + "name": "pack_dashboard", + "type": "dashboard" + } + ], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-1fc03210-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-1fc03210-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..f8cd9592f94 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-1fc03210-a6df-11ec-b2f9-c732a3845c54.json @@ -0,0 +1,30 @@ +{ + "attributes": { + "name": "osquery-monitoring", + "version": 1, + "queries": [ + { + "id": "schedule", + "interval": 7200, + "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed, denylisted from osquery_schedule;", + "version": "2.11.0" + }, + { + "id": "events", + "interval": 86400, + "query": "select name, publisher, type, subscriptions, events, active from osquery_events;", + "version": "1.5.3" + }, + { + "id": "osquery_info", + "interval": 600, + "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;", + "version": "1.2.2" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-1fc03210-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file 
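Review bot: `'/tmp./update'` in the `slapper_installed` path list looks like a typo for `'/tmp/.update'`; as written it names a file `update` under a directory `/tmp.`, so that indicator never fires. The `phalanx_rootkit` entries `'/usr/share/.home*'` and `'/usr/share/.home*/tty'` use a shell-style `*` inside `path in (...)`, but the `file` table only expands wildcards through `LIKE` with `%`, so these compare against a literal asterisk; `path LIKE '/usr/share/.home%' OR path LIKE '/usr/share/.home%/tty'` would express the intent. Duplicated list members (`'/usr/bin/xsf'` and `'/usr/bin/xchk'` twice in `optickit`, `'/dev/.pula'` twice in `knark_installed`) are harmless but worth trimming. This is also the only pack in the diff whose `references` carries a `pack_dashboard` link (`osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05`) while the other three packs have `"references": []`, so confirm the rootkit pack is the intended owner of that dashboard link.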
diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-35f10af0-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-35f10af0-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..f4b0e9b4e73 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-35f10af0-a6df-11ec-b2f9-c732a3845c54.json 
@@ -0,0 +1,236 @@ +{ + "attributes": { + "name": "it-compliance", + "version": 2, + "queries": [ + { + "id": "osquery_info", + "interval": 86400, + "query": "select * from time, osquery_info;", + "version": "1.4.5" + }, + { + "id": "ad_config", + "interval": 86400, + "platform": "darwin", + "query": "select * from ad_config;", + "version": "1.4.5" + }, + { + "id": "kernel_info", + "interval": 86400, + "query": "select * from kernel_info;", + "version": "1.4.5" + }, + { + "id": "os_version", + "interval": 86400, + "query": "select * from os_version;", + "version": "1.4.5" + }, + { + "id": "alf", + "interval": 86400, + "platform": "darwin", + "query": "select * from alf;", + "version": "1.4.5" + }, + { + "id": "alf_exceptions", + "interval": 86400, + "platform": "darwin", + "query": "select * from alf_exceptions;", + "version": "1.4.5" + }, + { + "id": "alf_services", + "interval": 86400, + "platform": "darwin", + "query": "select * from alf_services;", + "version": "1.4.5" + }, + { + "id": "alf_explicit_auths", + "interval": 86400, + "platform": "darwin", + "query": "select * from alf_explicit_auths;", + "version": "1.4.5" + }, + { + "id": "mounts", + "interval": 86400, + "query": "select * from mounts;", + "version": "1.4.5" + }, + { + "id": "nfs_shares", + "interval": 86400, + "platform": "darwin", + "query": "select * from nfs_shares;", + "version": "1.4.5" + }, + { + "id": "windows_shared_resources", + "interval": 86400, + "platform": "windows", + "query": "select * from shared_resources;", + "version": "2.0.0" + }, + { + "id": "browser_plugins", + "interval": 86400, + "platform": "darwin", + "query": "select * from users join browser_plugins using (uid);", + "version": "1.4.5" + }, + { + "id": "safari_extensions", + "interval": 86400, + "platform": "darwin", + "query": "select * from users join safari_extensions using (uid);", + "version": "1.4.5" + }, + { + "id": "chrome_extensions", + "interval": 86400, + "query": "select * from users join chrome_extensions 
using (uid);", + "version": "1.4.5" + }, + { + "id": "firefox_addons", + "interval": 86400, + "platform": "darwin", + "query": "select * from users join firefox_addons using (uid);", + "version": "1.4.5" + }, + { + "id": "homebrew_packages", + "interval": 86400, + "platform": "darwin", + "query": "select * from homebrew_packages;", + "version": "1.4.5" + }, + { + "id": "windows_programs", + "interval": 86400, + "platform": "windows", + "query": "select * from programs;", + "version": "2.0.0" + }, + { + "id": "windows_patches", + "interval": 86400, + "platform": "windows", + "query": "select * from patches;", + "version": "2.2.0" + }, + { + "id": "package_receipts", + "interval": 86400, + "platform": "darwin", + "query": "select * from package_receipts;", + "version": "1.4.5" + }, + { + "id": "usb_devices", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from usb_devices;", + "version": "1.4.5" + }, + { + "id": "keychain_items", + "interval": 86400, + "platform": "darwin", + "query": "select * from keychain_items;", + "version": "1.4.5" + }, + { + "id": "deb_packages", + "interval": 86400, + "platform": "linux", + "query": "select * from deb_packages;", + "version": "1.4.5" + }, + { + "id": "apt_sources", + "interval": 86400, + "platform": "linux", + "query": "select * from apt_sources;", + "version": "1.4.5" + }, + { + "id": "portage_packages", + "interval": 86400, + "query": "select * from portage_use;", + "version": "2.0.0" + }, + { + "id": "kernel_modules", + "interval": 86400, + "platform": "linux", + "query": "select * from kernel_modules;", + "version": "1.4.5" + }, + { + "id": "windows_drivers", + "interval": 86400, + "platform": "windows", + "query": "select * from drivers;", + "version": "2.2.0" + }, + { + "id": "rpm_packages", + "interval": 86400, + "platform": "linux", + "query": "select * from rpm_packages;", + "version": "1.4.5" + }, + { + "id": "installed_applications", + "interval": 86400, + "platform": "darwin", + "query": 
"select * from apps;", + "version": "1.4.5" + }, + { + "id": "disk_encryption", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from disk_encryption;", + "version": "1.4.5" + }, + { + "id": "launchd", + "interval": 86400, + "platform": "darwin", + "query": "select * from launchd;", + "version": "1.4.5" + }, + { + "id": "iptables", + "interval": 86400, + "platform": "linux", + "query": "select * from iptables;", + "version": "1.4.5" + }, + { + "id": "sip_config", + "interval": 86400, + "platform": "darwin", + "query": "select * from sip_config;", + "version": "1.7.0" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-35f10af0-a6df-11ec-b2f9-c732a3845c54", + "references": [ + { + "id": "osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05", + "name": "pack_dashboard", + "type": "dashboard" + } + ], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3b28cc10-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3b28cc10-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..479041fcfa5 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3b28cc10-a6df-11ec-b2f9-c732a3845c54.json 
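Review bot: The `portage_packages` entry in the it-compliance pack has no `"platform"` key, while every other distro-package query in the same pack (`deb_packages`, `apt_sources`, `rpm_packages`) is pinned to `linux`; as written the scheduler will also run `select * from portage_use;` on darwin and windows agents, where the table does not exist, producing a failed query every 24h. Its `id` also names a different table (`portage_packages`) than the one it queries (`portage_use`), which makes the resulting `action_id` misleading for anyone building searches on it. Suggest adding `"platform": "linux",` to that entry, and either aligning the id with the table or documenting why `portage_use` was chosen. `mounts` is likewise unrestricted; if that table is darwin/linux-only in the targeted osquery build (I have not verified this), the same applies there.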
@@ -0,0 +1,256 @@ +{ + "attributes": { + "name": "incident-response", + "version": 1, + "queries": [ + { + "id": "launchd", + "interval": 3600, + "platform": "darwin", + "query": "select * from launchd;", + "version": "1.4.5" + }, + { + "id": "startup_items", + "interval": 86400, + "platform": "darwin", + "query": "select * from startup_items;", + "version": "1.4.5" + }, + { + "id": "crontab", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from crontab;", + "version": "1.4.5" + }, + { + "id": "loginwindow1", + "interval": 86400, + "platform": "darwin", + "query": "select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';", + "version": "1.4.5" + }, + { + "id": "loginwindow2", + "interval": 86400, + "platform": "darwin", + "query": "select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';", + "version": "1.4.5" + }, + { + "id": "loginwindow3", + "interval": 86400, + "platform": "darwin", + "query": "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';", + "version": "1.4.5" + }, + { + "id": "loginwindow4", + "interval": 86400, + "platform": "darwin", + "query": "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';", + "version": "1.4.5" + }, + { + "id": "alf", + "interval": 3600, + "platform": "darwin", + "query": "select * from alf;", + "version": "1.4.5" + }, + { + "id": "alf_exceptions", + "interval": 3600, + "platform": "darwin", + "query": "select * from alf_exceptions;", + "version": "1.4.5" + }, + { + "id": "alf_services", + "interval": 3600, + "platform": "darwin", + "query": "select * from alf_services;", + "version": "1.4.5" + }, + { + "id": "alf_explicit_auths", + "interval": 3600, + "platform": 
"darwin", + "query": "select * from alf_explicit_auths;", + "version": "1.4.5" + }, + { + "id": "etc_hosts", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from etc_hosts;", + "version": "1.4.5" + }, + { + "id": "kextstat", + "interval": 3600, + "platform": "darwin", + "query": "select * from kernel_extensions;", + "version": "1.4.5" + }, + { + "id": "kernel_modules", + "interval": 3600, + "platform": "linux", + "query": "select * from kernel_modules;", + "version": "1.4.5" + }, + { + "id": "last", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from last;", + "version": "1.4.5" + }, + { + "id": "installed_applications", + "interval": 3600, + "platform": "darwin", + "query": "select * from apps;", + "version": "1.4.5" + }, + { + "id": "open_sockets", + "interval": 86400, + "platform": "darwin,linux", + "query": "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path \u003c\u003e '' or remote_address \u003c\u003e '';", + "version": "1.4.5" + }, + { + "id": "open_files", + "interval": 86400, + "platform": "darwin,linux", + "query": "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');", + "version": "1.4.5" + }, + { + "id": "logged_in_users", + "interval": 3600, + "platform": "darwin,linux", + "query": "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;", + "version": "1.4.5" + }, + { + "id": "ip_forwarding", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';", + "version": "1.4.5" + }, + { + "id": "process_env", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from process_envs;", + "version": 
"1.4.5" + }, + { + "id": "mounts", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from mounts;", + "version": "1.4.5" + }, + { + "id": "nfs_shares", + "interval": 3600, + "platform": "darwin", + "query": "select * from nfs_shares;", + "version": "1.4.5" + }, + { + "id": "shell_history", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from users join shell_history using (uid);", + "version": "1.4.5" + }, + { + "id": "recent_items", + "interval": 86400, + "platform": "darwin", + "query": "select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';", + "version": "1.4.5" + }, + { + "id": "ramdisk", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from block_devices where type = 'Virtual Interface';", + "version": "1.4.5" + }, + { + "id": "listening_ports", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from listening_ports;", + "version": "1.4.5" + }, + { + "id": "suid_bin", + "interval": 3600, + "platform": "darwin,linux", + "query": "select * from suid_bin;", + "version": "1.4.5" + }, + { + "id": "process_memory", + "interval": 86400, + "platform": "linux", + "query": "select * from process_memory_map;", + "version": "1.4.5" + }, + { + "id": "arp_cache", + "interval": 3600, + "query": "select * from arp_cache;", + "version": "1.4.5" + }, + { + "id": "wireless_networks", + "interval": 3600, + "platform": "darwin", + "query": "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;", + "version": "1.6.0" + }, + { + "id": "disk_encryption", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from disk_encryption;", + "version": "1.4.5" + }, + { + "id": "iptables", + "interval": 3600, + "platform": "linux", + "query": "select * from iptables;", + "version": 
"1.4.5" + }, + { + "id": "app_schemes", + "interval": 86400, + "platform": "darwin", + "query": "select * from app_schemes;", + "version": "1.4.7" + }, + { + "id": "sandboxes", + "interval": 86400, + "platform": "darwin", + "query": "select * from sandboxes;", + "version": "1.4.7" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-3b28cc10-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3f96fba0-a6df-11ec-b2f9-c732a3845c54.json b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3f96fba0-a6df-11ec-b2f9-c732a3845c54.json new file mode 100644 index 00000000000..b33e059714e --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_pack_asset/osquery_manager-3f96fba0-a6df-11ec-b2f9-c732a3845c54.json 
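Review bot: The `process_env` (`select * from process_envs;`) and `shell_history` (`select * from users join shell_history using (uid);`) queries in the incident-response pack ship the full environment of every process and every user's shell history to the cluster once a day; both routinely contain credentials (API tokens, `AWS_*` variables, passwords passed on command lines), so enabling this pack silently turns the `logs-*` indices into a secrets store with whatever retention and access those indices happen to have. The pack's own `wireless_networks` query already shows the safer pattern by projecting named columns instead of `*`. At minimum the pack or README should carry a caveat that these two queries collect sensitive data and should only be enabled with matching index-level access controls; a narrower projection (for example dropping the `value` column of `process_envs`, or filtering `key` against a denylist of known secret names) would cut the exposure without losing the forensic signal of which variables are set.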
@@ -0,0 +1,129 @@ +{ + "attributes": { + "name": "hardware-monitoring", + "version": 1, + "queries": [ + { + "id": "acpi_tables", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from acpi_tables;", + "version": "1.3.0" + }, + { + "id": "cpuid", + "interval": 86400, + "query": "select feature, value, output_register, output_bit, input_eax from cpuid;", + "version": "1.0.4" + }, + { + "id": "smbios_tables", + "interval": 86400, + "platform": "darwin,linux", + "query": "select * from smbios_tables;", + "version": "1.3.0" + }, + { + "id": "nvram", + "interval": 7200, + "platform": "darwin", + "query": "select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');", + "version": "1.0.2" + }, + { + "id": "kernel_info", + "interval": 7200, + "query": "select * from kernel_info join hash using (path);", + "version": "1.4.0" + }, + { + "id": "pci_devices", + "interval": 7200, + "platform": "darwin,linux", + "query": "select * from pci_devices;", + "version": "1.0.4" + }, + { + "id": "fan_speeds", + "interval": 7200, + "platform": "darwin", + "query": "select * from fan_speed_sensors;", + "version": "1.7.1" + }, + { + "id": "temperatures", + "interval": 7200, + "platform": "darwin", + "query": "select * from temperature_sensors;", + "version": "1.7.1" + }, + { + "id": "usb_devices", + "interval": 7200, + "platform": "darwin,linux", + "query": "select * from usb_devices;", + "version": "1.2.0" + }, + { + "id": "hardware_events", + "interval": 7200, + "platform": "darwin,linux", + "query": "select * from hardware_events where path \u003c\u003e '' or model \u003c\u003e '';", + "version": "1.4.5" + }, + { + "id": "darwin_kernel_system_controls", + "interval": 7200, + "platform": "darwin", + "query": "select * from system_controls where subsystem = 'kern' and (name like '%boot%' or name like '%secure%' or name like '%single%');", + "version": "1.4.3" + }, + { + "id": "iokit_devicetree", + "interval": 86400, + 
"platform": "darwin", + "query": "select * from iokit_devicetree;", + "version": "1.3.0" + }, + { + "id": "efi_file_hashes", + "interval": 7200, + "platform": "darwin", + "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, md5, sha1, sha256 from (select * from file where path like '/System/Library/CoreServices/%.efi' union select * from file where path like '/System/Library/LaunchDaemons/com.apple%efi%') file join hash using (path);", + "version": "1.6.1" + }, + { + "id": "kernel_extensions", + "interval": 7200, + "platform": "darwin", + "query": "select * from kernel_extensions;", + "version": "1.4.5" + }, + { + "id": "kernel_modules", + "interval": 7200, + "platform": "linux", + "query": "select * from kernel_modules;", + "version": "1.4.5" + }, + { + "id": "windows_drivers", + "interval": 7200, + "platform": "windows", + "query": "select * from drivers;", + "version": "2.2.0" + }, + { + "id": "device_nodes", + "interval": 7200, + "platform": "darwin,linux", + "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, block_size, type from file where directory = '/dev/';", + "version": "1.6.0" + } + ] + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-3f96fba0-a6df-11ec-b2f9-c732a3845c54", + "references": [], + "type": "osquery-pack-asset" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/search/osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/search/osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..4950978ff21 --- /dev/null +++ b/packages/osquery_manager/kibana/search/osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040.json 
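Review bot: `hardware_events` (`select * from hardware_events where path <> '' or model <> '';`) is, as far as I recall, an evented osquery table that only yields rows when the events subsystem is enabled (`--disable_events=false`) and its publisher is active; if the osquery configuration Elastic Agent ships does not enable events, this query returns nothing on every run and the gap is invisible in the pack output. Worth confirming against the agent's osquery flags and, if events are off by default, documenting that dependency next to the query or in the README. Separately, `kernel_info join hash using (path)` and `efi_file_hashes` compute md5, sha1 and sha256 of the kernel and every EFI binary every 7200s; that matches the upstream pack's cadence, but it is a noticeable I/O cost on laptops and `sha256` alone would suffice for an integrity check.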
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "action_id", + "osquery.path", + "agent.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"action_id:pack_ossec-rootkit\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "OSSEC Rootkits [Osquery Manager]", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkyMSw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/search/osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/search/osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..5570f08ede0 --- /dev/null +++ b/packages/osquery_manager/kibana/search/osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05.json 
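Review bot: The saved search's KQL is `action_id:pack_ossec-rootkit`, whereas the other saved searches in this commit use the full per-query id (`action_id:pack_it-compliance_deb_packages`); if `action_id` is mapped as a keyword field, as ids usually are, this term matches only the literal value `pack_ossec-rootkit` and none of the `pack_ossec-rootkit_<query>` documents the pack actually emits (`beurk_rootkit` is the one id visible in this chunk), so the `Number of hosts infected` and `Number of rootkits found` metrics built on this search would stay at 0. If a prefix match is intended, `action_id:pack_ossec-rootkit_*` expresses it explicitly; if the field is analyzed text and this works today, a line in `description` saying so would save the next maintainer the same check. The ossec-rootkit pack hunk begins before this chunk, so I could not confirm its full list of query ids.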
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "osquery.name", + "osquery.version", + "osquery.revision" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"action_id:pack_it-compliance_deb_packages\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "DEB packages installed [Osquery Manager]", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxMyw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/search/osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/search/osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..a1a3952c55e --- /dev/null +++ b/packages/osquery_manager/kibana/search/osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "osquery.path", + "osquery.type", + "osquery.flags" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"action_id:pack_it-compliance_mounts\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Mounts [Osquery Manager]", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxMSw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/search/osquery_manager-b5d6baa0-eb02-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/search/osquery_manager-b5d6baa0-eb02-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..931ef14b4ba --- /dev/null +++ b/packages/osquery_manager/kibana/search/osquery_manager-b5d6baa0-eb02-11e7-8f04-51231daa5b05.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "action_id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"action_id:pack_it-compliance_os_version\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "OS versions [Osquery Manager]", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-b5d6baa0-eb02-11e7-8f04-51231daa5b05", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxNCw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/search/osquery_manager-f59e21e0-eb03-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/search/osquery_manager-f59e21e0-eb03-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..c23bb0dec5e --- /dev/null +++ b/packages/osquery_manager/kibana/search/osquery_manager-f59e21e0-eb03-11e7-8f04-51231daa5b05.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "action_id", + "osquery.name", + "osquery.status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"action_id:pack_it-compliance_kernel_integrations\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Kernel integrations [Osquery Manager]", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-f59e21e0-eb03-11e7-8f04-51231daa5b05", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxNiw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/visualization/osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..83aa058b7e0 --- /dev/null +++ b/packages/osquery_manager/kibana/visualization/osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05.json 
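Review bot: The saved search filters on `action_id:pack_it-compliance_kernel_integrations`, but the it-compliance pack added in this same commit defines no query with id `kernel_integrations` — the closest are `kernel_modules` (linux) and `kernel_info` — so this search, and the "Number of Kernel integrations" gauge that references it as `search_0`, will never return a document. The `osquery.name` / `osquery.status` columns here and the gauge's `osquery.status: Live` filter line up with the columns of the `kernel_modules` table, so the intended query is presumably `action_id:pack_it-compliance_kernel_modules`. Either change the KQL to that id or add a `kernel_integrations` query to the pack; renaming the title to "Kernel modules [Osquery Manager]" would keep the saved object and the pack in step.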
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "OS versions [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"host.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"osquery.platform_like\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"osquery.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"osquery.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\"},\"title\":\"OS versions [Osquery Manager]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [ + { + "id": "osquery_manager-b5d6baa0-eb02-11e7-8f04-51231daa5b05", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxNSw2XQ==" +} \ No newline at end of file 
diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/visualization/osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05.json
new file mode 100644
index 00000000000..9f50f051ba8
--- /dev/null
+++ b/packages/osquery_manager/kibana/visualization/osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05.json
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"osquery.status\",\"negate\":false,\"params\":{\"query\":\"Live\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"Live\"},\"query\":{\"match\":{\"osquery.status\":{\"query\":\"Live\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Number of Kernel integrations [Osquery Manager]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Live Kernel integrations\",\"field\":\"osquery.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"horizontal\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"Number of Kernel integrations [Osquery Manager]\",\"type\":\"gauge\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "osquery_manager-f59e21e0-eb03-11e7-8f04-51231daa5b05", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxNyw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/visualization/osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..b05af44b654 --- /dev/null +++ b/packages/osquery_manager/kibana/visualization/osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "title": "Navigation [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Navigation [Osquery Manager]\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"[Compilance](#/dashboard/osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05) | [OSSEC Rootkit](#/dashboard/osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040)\",\"openLinksInNewTab\":false}}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2022-03-18T16:53:19.189Z", + "version": "WzE2Nzk2OSw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/visualization/osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..12c4baf64ba --- /dev/null 
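Review bot: The navigation markdown in `Navigation [Osquery Manager]` renders the user-visible link text `Compilance`, which should read `Compliance` (`[Compliance](#/dashboard/osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05)`). The second link targets dashboard id `osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040`, which is not declared in this object's `references` (markdown links are not tracked references, so this is not a validation error) and is not among the files visible in this chunk; worth confirming that dashboard ships in the same package so the link does not dangle after install.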
+++ b/packages/osquery_manager/kibana/visualization/osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Info OSSEC rootkit [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"This dashboard shows data collected by the ossec-rootkit pack from osquery.\"},\"title\":\"Info OSSEC rootkit [Osquery Manager]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkyMCw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05.json b/packages/osquery_manager/kibana/visualization/osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05.json new file mode 100644 index 00000000000..dce215b2b03 --- /dev/null +++ b/packages/osquery_manager/kibana/visualization/osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Mounts by type [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"osquery.path\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"osquery.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\"},\"title\":\"Mounts by type [Osquery Manager]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [ + { + "id": "osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkxMiw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/visualization/osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..73e47dac248 --- /dev/null +++ b/packages/osquery_manager/kibana/visualization/osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Number of hosts infected [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"agent.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Number of hosts infected [Osquery Manager]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [ + { + "id": "osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkyMyw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/kibana/visualization/osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040.json b/packages/osquery_manager/kibana/visualization/osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040.json new file mode 100644 index 00000000000..be0596b2705 --- /dev/null +++ b/packages/osquery_manager/kibana/visualization/osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040.json 
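Review bot: `Number of hosts infected` counts distinct `agent.name`, while the `OS versions` visualization in the same commit counts `host.hostname`; neither is guaranteed unique across a fleet (re-imaged or re-enrolled machines can share a name), so the metric can undercount and the two panels can disagree for the same data. `agent.id` is the per-enrollment identifier; `{"customLabel":"Hosts","field":"agent.id"}` in `visState` would be the more robust choice, or at least both visualizations should settle on one key.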
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Number of rootkits found [Osquery Manager]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Rootkits\",\"field\":\"action_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Number of rootkits found [Osquery Manager]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.2.0", + "id": "osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040", + "migrationVersion": { + "visualization": "8.1.0" + }, + "references": [ + { + "id": "osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2022-03-18T16:51:37.575Z", + "version": "WzE2NzkyMiw2XQ==" +} \ No newline at end of file diff --git a/packages/osquery_manager/manifest.yml b/packages/osquery_manager/manifest.yml index 3194ef87184..5f81adf456a 100755 --- a/packages/osquery_manager/manifest.yml +++ b/packages/osquery_manager/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: osquery_manager title: Osquery Manager -version: 1.1.0 +version: 1.2.0 license: basic description: Deploy osquery with Elastic Agent, then run and schedule queries in Kibana type: integration