Add events and extra tags to relevant event-based queries

chainguard-dev · Sep 24, 2024 · 6aab8fd · 6aab8fd
1 parent d6b17a0
commit 6aab8fd
Show file tree

Hide file tree

Showing 26 changed files with 28 additions and 99 deletions.
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
--- tags: transient state net extra
+-- tags: transient state net extra events
 -- interval: 601
 -- platform: posix
 SELECT

diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql
@@ -3,7 +3,7 @@
 -- refs:
 --   * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: linux
 -- interval: 300
 SELECT

diff --git a/detection/discovery/unexpected-netutil-calls-macos.sql b/detection/discovery/unexpected-netutil-calls-macos.sql
@@ -3,7 +3,7 @@
 -- refs:
 --   * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: darwin
 -- interval: 600
 SELECT

diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
@@ -9,7 +9,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
 --
--- tags: transient extra
+-- tags: transient extra events
 -- platform: linux
 -- interval: 600
 SELECT

diff --git a/detection/execution/exec-failed-launch-constraint-violation.sql b/detection/execution/exec-failed-launch-constraint-violation.sql
@@ -5,7 +5,7 @@
 --
 -- interval: 900
 -- platform: darwin
--- tags: filesystem events
+-- tags: filesystem events extra
 SELECT
   s.identifier AS s_id,
   s.authority AS s_auth,

diff --git a/detection/execution/unexpected-chmod-exec-event-linux.sql b/detection/execution/unexpected-chmod-exec-event-linux.sql
@@ -103,6 +103,9 @@ WHERE
       AND syscall = "execve"
       AND (
         cmdline LIKE '%chmod% 7%'
+        OR cmdline LIKE '%chmod 5%'
+        OR cmdline LIKE '%chmod 1%'
+        OR cmdline LIKE '%chmod +%x'
         OR cmdline LIKE '%chmod% +rwx%'
         OR cmdline LIKE '%chmod% +x%'
         OR cmdline LIKE '%chmod% u+x%'

diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql
@@ -8,7 +8,7 @@
 --
 -- interval: 300
 -- platform: linux
--- tags: process events
+-- tags: process events extra
 SELECT -- Child
   pe.path AS p0_path,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,

diff --git a/detection/execution/unexpected-fetcher-parent-events.sql b/detection/execution/unexpected-fetcher-parent-events.sql
@@ -3,7 +3,7 @@
 -- refs:
 --   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --
--- tags: transient process state often
+-- tags: transient process state often extra events
 -- platform: posix
 -- interval: 450
 SELECT

diff --git a/detection/execution/unexpected-file-made-executable.sql b/detection/execution/unexpected-file-made-executable.sql
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
@@ -11,7 +11,7 @@
 --
 -- interval: 300
 -- platform: darwin
--- tags: process events
+-- tags: process events extra
 SELECT
   -- Child
   pe.path AS p0_path,

diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql
@@ -2,7 +2,7 @@
 --
 -- platform: darwin
 -- interval: 900
--- tags: transient seldom process state
+-- tags: transient seldom events extra
 -- Canonical example of including process parents from process_events
 SELECT
   f.directory AS dir,

diff --git a/detection/execution/unexpected-sysutils-linux.sql b/detection/execution/unexpected-sysutils-linux.sql
@@ -1,10 +1,11 @@
--- Unexpected calls to sysctl (event-based)
+-- Unexpected calls to system utilities (event-based)
 --
 -- refs:
 --   * https://attack.mitre.org/techniques/T1497/001/ (Virtualization/Sandbox Evasion: System Checks)
 --
 -- platform: linux
 -- interval: 600
+-- tags: events extra
 SELECT -- Child
   pe.path AS p0_path,
   pe.time AS p0_time,

diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
@@ -6,6 +6,7 @@
 --
 -- platform: darwin
 -- interval: 900
+-- tags: events extra
 SELECT
   REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH (
     COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),

diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
@@ -5,7 +5,7 @@
 --
 -- interval: 300
 -- platform: darwin
--- tags: process events
+-- tags: process events extra
 SELECT
   -- Child
   pe.path AS p0_path,

diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -7,7 +7,7 @@
 --   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 --   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: process events
+-- tags: process events extra
 -- interval: 300
 -- platform: posix
 SELECT

diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@@ -2,6 +2,7 @@
 --
 -- platform: posix
 -- interval: 300
+-- tags: events
 SELECT
   file.mode AS p0_binary_mode,
   pe.cmdline_size AS p0_cmd_size,

diff --git a/incident_response/disk_events_macos.sql b/incident_response/disk_events_macos.sql
@@ -1,6 +1,6 @@
 -- Retrieves disk image (DMG) events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: darwin
 SELECT
   *

diff --git a/incident_response/es_process_events.sql b/incident_response/es_process_events.sql
@@ -1,6 +1,7 @@
 -- Dump a list of process execution events from EndpointSecurity
 --
 -- platform: darwin
+-- tags: events extra
 SELECT
   *
 FROM

diff --git a/incident_response/file_events.sql b/incident_response/file_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of watched file events (must be configured)
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: posix
 -- interval: 900
 SELECT

diff --git a/incident_response/hardware_events.sql b/incident_response/hardware_events.sql
@@ -1,6 +1,6 @@
 -- Return hardware events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: posix
 SELECT
   *

diff --git a/incident_response/process_events.sql b/incident_response/process_events.sql
@@ -2,6 +2,7 @@
 --
 -- interval: 600
 -- platform: posix
+-- tags: events extra
 SELECT
   pe.*,
   -- pe.cwd is often blank

diff --git a/incident_response/seccomp_events.sql b/incident_response/seccomp_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of seccomp events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
   *

diff --git a/incident_response/selinux_events.sql b/incident_response/selinux_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of SELinux events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
   *

diff --git a/incident_response/socket_events.sql b/incident_response/socket_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of socket events
 --
--- tags: postmortem
+-- tags: postmortem events extra
 -- platform: posix
 -- interval: 600
 SELECT

diff --git a/incident_response/syslog_events.sql b/incident_response/syslog_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of syslog events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
   *

diff --git a/incident_response/user_events.sql b/incident_response/user_events.sql
@@ -1,6 +1,6 @@
 -- Return the list of audit user events
 --
--- tags: postmortem
+-- tags: postmortem events
 -- platform: linux
 SELECT
   *