
Commit c53bdda

committed
add skill ir/forensics-osquery
1 parent 1f5fdae commit c53bdda

11 files changed

Lines changed: 2869 additions & 0 deletions


skills/incident-response/forensics-osquery/SKILL.md

Lines changed: 492 additions & 0 deletions
Large diffs are not rendered by default.
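--- /dev/null
+++ b/[path not shown on page: assets README]
@@ -0,0 +1,9 @@
+# Assets Directory
+
+Place files that will be used in the output Claude produces:
+- Templates
+- Configuration files
+- Images/logos
+- Boilerplate code
+
+These files are NOT loaded into context but copied/modified in output.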
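--- /dev/null
+++ b/[path not shown on page: credential-access query pack]
@@ -0,0 +1,104 @@
+{
+"platform": "all",
+"version": "1.0.0",
+"description": "Detect credential dumping and credential access techniques",
+"queries": {
+"mimikatz_execution": {
+"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';",
+"interval": 300,
+"description": "Mimikatz execution detection",
+"platform": "windows"
+},
+"lsass_process_access": {
+"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';",
+"interval": 300,
+"description": "LSASS memory dumping tools",
+"platform": "windows"
+},
+"credential_file_access": {
+"query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');",
+"interval": 300,
+"description": "Access to credential storage files"
+},
+"shadow_file_reads": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');",
+"interval": 300,
+"description": "Unauthorized /etc/shadow access",
+"platform": "posix"
+},
+"sam_registry_access": {
+"query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';",
+"interval": 600,
+"description": "SAM registry key access",
+"platform": "windows"
+},
+"password_search": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');",
+"interval": 300,
+"description": "Searching for password files"
+},
+"credential_files": {
+"query": "SELECT path, filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');",
+"interval": 3600,
+"description": "Credential-related files"
+},
+"browser_credential_theft": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';",
+"interval": 300,
+"description": "Browser credential database access"
+},
+"keychain_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';",
+"interval": 300,
+"description": "macOS Keychain access",
+"platform": "darwin"
+},
+"dpapi_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';",
+"interval": 300,
+"description": "Windows DPAPI credential access",
+"platform": "windows"
+},
+"ntds_dit_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';",
+"interval": 300,
+"description": "Active Directory database access",
+"platform": "windows"
+},
+"kerberos_ticket_theft": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';",
+"interval": 300,
+"description": "Kerberos ticket manipulation"
+},
+"sudo_without_password": {
+"query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;",
+"interval": 300,
+"description": "Sudo usage potentially leveraging cached credentials",
+"platform": "posix"
+},
+"sudoers_file_access": {
+"query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE '/etc/sudoers.d/%';",
+"interval": 3600,
+"description": "Sudoers file modification monitoring",
+"platform": "posix"
+},
+"ssh_private_keys": {
+"query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';",
+"interval": 3600,
+"description": "SSH private key files",
+"platform": "posix"
+},
+"powershell_credential_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';",
+"interval": 300,
+"description": "PowerShell credential access commands",
+"platform": "windows"
+},
+"registry_credential_storage": {
+"query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';",
+"interval": 3600,
+"description": "Credentials stored in registry",
+"platform": "windows"
+}
+}
+}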
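Review bot: `credential_file_access` joins `process_memory_map`, which lists memory-mapped files (the binary and its libraries), so a process that simply opens and reads `/etc/shadow` or the SAM hive will not appear there and this query is unlikely to ever fire; on POSIX `process_open_files` (`pof.path`) is the table that reflects open descriptors, and the Windows hive paths need a different signal altogether. `registry_credential_storage` selects the `data` column, which copies whatever value sits under keys matching `%Credentials%`/`%Password%` into the osquery result and therefore into the log pipeline; selecting `key, name, mtime` keeps the inventory without shipping secret material, and both it and `sam_registry_access` enumerate keys rather than observe reads, so "access" in their descriptions overstates what they detect. In osquery's `file` table a single `%` matches one path component and recursion needs `%%`, so `credential_files` with `path LIKE '/home/%'` and `ssh_private_keys` with the leading-wildcard `path LIKE '%/.ssh/%'` probably do not walk user home directories as intended; `path LIKE '/home/%%'` and `path LIKE '/home/%/.ssh/%'` are the forms that resolve. The same one-level caveat applies to `recent_file_modifications` (`path LIKE '/etc/%'`) in the triage pack further down, if subdirectories were meant to be covered.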
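--- /dev/null
+++ b/[path not shown on page: incident-response triage query pack]
@@ -0,0 +1,80 @@
+{
+"platform": "all",
+"version": "1.0.0",
+"description": "Incident response triage queries for rapid forensic collection",
+"queries": {
+"system_info_snapshot": {
+"query": "SELECT * FROM system_info;",
+"interval": 0,
+"snapshot": true,
+"description": "Complete system information snapshot"
+},
+"users_snapshot": {
+"query": "SELECT uid, gid, username, description, directory, shell FROM users;",
+"interval": 0,
+"snapshot": true,
+"description": "All user accounts"
+},
+"logged_in_users": {
+"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
+"interval": 300,
+"description": "Currently logged-in users"
+},
+"last_logins": {
+"query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
+"interval": 600,
+"description": "Recent login history"
+},
+"running_processes": {
+"query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
+"interval": 300,
+"description": "All running processes with metadata"
+},
+"processes_deleted_binary": {
+"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
+"interval": 300,
+"description": "Processes with deleted executables (malware indicator)"
+},
+"network_connections": {
+"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
+"interval": 300,
+"description": "Active external network connections"
+},
+"listening_ports": {
+"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
+"interval": 600,
+"description": "Network services listening on external interfaces"
+},
+"interface_addresses": {
+"query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
+"interval": 3600,
+"description": "Network interface configuration"
+},
+"arp_cache": {
+"query": "SELECT address, mac, interface, permanent FROM arp_cache;",
+"interval": 600,
+"description": "ARP cache entries"
+},
+"dns_resolvers": {
+"query": "SELECT * FROM dns_resolvers;",
+"interval": 3600,
+"description": "Configured DNS resolvers"
+},
+"tmp_directory_files": {
+"query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
+"interval": 900,
+"description": "Files in temporary directories",
+"snapshot": true
+},
+"recent_file_modifications": {
+"query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
+"interval": 3600,
+"description": "Recently modified system files (last 24 hours)"
+},
+"user_groups": {
+"query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
+"interval": 3600,
+"description": "Users in privileged groups"
+}
+}
+}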
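Review bot: `network_connections` excludes only `127.0.0.1`, `::1` and `0.0.0.0` from `remote_address` and applies no `state` filter, so listening sockets bound on IPv6 (whose remote side is typically `::`) and half-closed TIME_WAIT/CLOSE_WAIT sockets are reported under "Active external network connections"; adding `'::'` to the exclusion list and `AND ps.state = 'ESTABLISHED'` makes the result match the description. If `remote_address` can ever be NULL for a socket, the `NOT IN` also silently drops that row, so `COALESCE(ps.remote_address, '') NOT IN (...)` is the safer spelling. `listening_ports` deliberately keeps the `0.0.0.0`/`::` wildcard binds, which is correct for "external interfaces", but a one-line comment saying so would stop a later reader from "fixing" it to match the other query.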
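--- /dev/null
+++ b/[path not shown on page: lateral-movement query pack]
@@ -0,0 +1,105 @@
+{
+"platform": "all",
+"version": "1.0.0",
+"description": "Detect lateral movement and remote access indicators",
+"queries": {
+"ssh_outbound_connections": {
+"query": "SELECT p.pid, p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 22 AND p.name = 'ssh';",
+"interval": 300,
+"description": "Outbound SSH connections",
+"platform": "posix"
+},
+"rdp_connections": {
+"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port = 3389 OR p.name LIKE '%mstsc%' OR p.name LIKE '%rdp%';",
+"interval": 300,
+"description": "RDP connection attempts",
+"platform": "windows"
+},
+"smb_connections": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%\\\\\\\\%\\\\admin$%' OR cmdline LIKE '%\\\\\\\\%\\\\c$%' OR cmdline LIKE '%net use%';",
+"interval": 300,
+"description": "SMB/Windows Admin Share connections",
+"platform": "windows"
+},
+"psexec_indicators": {
+"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name LIKE '%psexec%' OR cmdline LIKE '%psexec%' OR path LIKE '%ADMIN$%';",
+"interval": 300,
+"description": "PsExec execution indicators",
+"platform": "windows"
+},
+"remote_wmi_execution": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%wmic%' AND cmdline LIKE '%/node:%';",
+"interval": 300,
+"description": "Remote WMI execution",
+"platform": "windows"
+},
+"winrm_activity": {
+"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port IN (5985, 5986);",
+"interval": 300,
+"description": "WinRM connections",
+"platform": "windows"
+},
+"unusual_login_locations": {
+"query": "SELECT username, tty, host, time FROM logged_in_users WHERE host NOT IN ('localhost', '127.0.0.1', '') ORDER BY time DESC;",
+"interval": 600,
+"description": "Remote login sessions"
+},
+"multiple_ssh_sessions": {
+"query": "SELECT user, COUNT(*) AS session_count, GROUP_CONCAT(host) AS hosts FROM logged_in_users WHERE tty LIKE 'pts/%' GROUP BY user HAVING session_count > 2;",
+"interval": 600,
+"description": "Users with multiple SSH sessions",
+"platform": "posix"
+},
+"ssh_authorized_keys": {
+"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/authorized_keys' OR path LIKE '/root/.ssh/authorized_keys' OR path LIKE '/Users/%/.ssh/authorized_keys';",
+"interval": 3600,
+"description": "SSH authorized_keys file monitoring",
+"platform": "posix"
+},
+"ssh_known_hosts": {
+"query": "SELECT path, filename, mtime, size FROM file WHERE path LIKE '/home/%/.ssh/known_hosts' OR path LIKE '/root/.ssh/known_hosts' OR path LIKE '/Users/%/.ssh/known_hosts';",
+"interval": 3600,
+"description": "SSH known_hosts file monitoring",
+"platform": "posix"
+},
+"smb_sessions": {
+"query": "SELECT pid, name, cmdline, remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid WHERE ps.remote_port IN (445, 139);",
+"interval": 300,
+"description": "Active SMB connections"
+},
+"admin_shares_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ADMIN$%' OR cmdline LIKE '%IPC$%' OR cmdline LIKE '%C$%';",
+"interval": 300,
+"description": "Access to Windows admin shares",
+"platform": "windows"
+},
+"remote_registry_access": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%reg%' AND cmdline LIKE '%\\\\\\\\%';",
+"interval": 300,
+"description": "Remote registry access attempts",
+"platform": "windows"
+},
+"remote_scheduled_tasks": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%schtasks%' AND cmdline LIKE '%/s%';",
+"interval": 300,
+"description": "Remote scheduled task creation",
+"platform": "windows"
+},
+"remote_service_creation": {
+"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%sc%' AND cmdline LIKE '%\\\\\\\\%' AND cmdline LIKE '%create%';",
+"interval": 300,
+"description": "Remote service creation",
+"platform": "windows"
+},
+"vnc_connections": {
+"query": "SELECT p.pid, p.name, ps.remote_address, ps.remote_port FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_port >= 5900 AND ps.remote_port <= 5999;",
+"interval": 300,
+"description": "VNC connection attempts"
+},
+"suspicious_network_tools": {
+"query": "SELECT pid, name, path, cmdline FROM processes WHERE name IN ('nmap', 'masscan', 'nc', 'netcat', 'socat', 'proxychains') OR cmdline LIKE '%nmap%' OR cmdline LIKE '%nc %-%';",
+"interval": 300,
+"description": "Network reconnaissance tools"
+}
+}
+}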
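Review bot: `smb_sessions` selects a bare `pid` (and `name`, `cmdline`, `remote_address`) from the join of `process_open_sockets ps` and `processes p`, and since both tables carry a `pid` column SQLite rejects the statement as ambiguous, so this entry will error on every run instead of returning rows; qualify the columns as `SELECT p.pid, p.name, p.cmdline, ps.remote_address FROM process_open_sockets ps JOIN processes p ON ps.pid = p.pid ...`. `unusual_login_locations` reads `username` from `logged_in_users`, whereas the other two queries in this commit against that table (`logged_in_users` in the triage pack and `multiple_ssh_sessions` here) select `user`, so `username` very likely fails with a no-such-column error and should be aligned to `user`. The substring patterns `'%reg%'`, `'%/s%'` and `'%sc%'` in `remote_registry_access`, `remote_scheduled_tasks` and `remote_service_creation` match a large share of ordinary command lines (regsvr32, `/sc`, "script", ...), so anchoring on the `name` column that these queries already select, e.g. `name IN ('reg.exe', 'sc.exe', 'schtasks.exe')`, would cut the noise without losing the intent.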
