
Mapping the MITRE ATT&CK Matrix with Osquery

License: Apache License 2.0

Osquery-ATT&CK


The goal of this repository is to map MITRE ATT&CK techniques to osquery query packs for enterprise threat hunting.

Each .conf file is an osquery query pack that can be loaded into osquery for enterprise threat hunting.

I try to create osquery packs that cover some techniques of the ATT&CK matrix.

Windows Query Pack Description

  • windows-registry-monitoring.conf : Tracks changes to the registry keys used for malware persistence. The registry paths are the ones listed under https://attack.mitre.org/wiki/Persistence; a second article explaining some persistence methods (application shim databases) is https://www.countercept.com/our-thinking/hunting-for-application-shim-databases
  • windows-incorrect_parent_process.conf : Checks whether an attacker or malware is running a legitimate system process under a parent process that should never spawn it.
  • windows-incorrect_path_process.conf : Checks whether a legitimate process name is running from the wrong path, which is suspicious (a binary masquerading as a system process).
  • windows-process_no_disk_binary.conf : Retrieves processes whose executable is no longer present on disk (on_disk = 0 in the processes table).
  • windows_powershell_events.conf : Retrieves events generated by PowerShell from the powershell_events table. Osquery reads the Microsoft-Windows-PowerShell/Operational event log channel, so you need to enable Script Block Logging first (http://bit.ly/2LvjSXn); without it the table stays empty.
  • windows_system_running_processes.conf : Retrieves the processes running on the system.
  • windows_persistence-startup_items.conf : Retrieves the programs that start when the OS boots (startup items).
  • windows_service-persistence.conf : Retrieves the services that start automatically.
  • windows_critical_service_status.conf : Retrieves status changes of critical services, so it is possible to catch an attacker who stops a critical service such as the Windows Firewall service.
  • windows_scheduled_tasks.conf : Retrieves the scheduled tasks on the system.
  • network_connection_listening.conf : Retrieves the network connections of the system and its listening ports.
  • windows_anomaly_process-execution.conf : Tries to catch anomalous process execution in the enterprise environment.
  • windows_generic_detection.conf : A generic detection query pack.
  • windows_browsere-extensions.conf : Retrieves the Internet Explorer and Chrome browser extensions.
  • windows_new_dir_relevant_infection_path.conf : Retrieves new directories created under paths commonly used by malware to install itself and store files.
  • windows_new_file_relevant_infection_path.conf : Retrieves new files created under paths commonly used by malware to install itself and store files. It also returns the MD5 so you can cross-check the file against your threat intelligence, VirusTotal or other tools (osquery's hash table also provides sha1 and sha256, which are worth logging alongside the MD5).
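As an added example (not one of this repository's conf files), here is a pack in the same JSON layout covering the incorrect-parent, incorrect-path and no-binary-on-disk process checks described above, exercised offline. osquery runs its SQL on SQLite, so the pack's queries run unchanged with Python's sqlite3 against a table that mimics the columns of the processes table they use. The expected parent/path pairs and the sample process rows are assumptions of the example, not a complete allow-list.

```python
"""Added example, not a conf file from this repository: an osquery pack in the
repo's JSON layout for three process checks, run against constructed rows.
osquery's SQL engine is SQLite, so Python's sqlite3 executes the same queries.
The parent/path expectations and the sample rows are assumptions."""
import json
import sqlite3

PACK = {
    "platform": "windows",
    "queries": {
        "incorrect_parent_process": {
            # A core system binary whose parent is not the process that
            # legitimately starts it. Expected parents are an assumption.
            "query": r"""
                SELECT p.pid, p.name, p.path, pp.name AS parent_name
                FROM processes AS p
                JOIN processes AS pp ON pp.pid = p.parent
                WHERE (p.name = 'svchost.exe'  AND pp.name <> 'services.exe')
                   OR (p.name = 'lsass.exe'    AND pp.name <> 'wininit.exe')
                   OR (p.name = 'services.exe' AND pp.name <> 'wininit.exe')
            """,
            "interval": 60,
            "description": "Core system binary started by an unexpected parent",
        },
        "incorrect_path_process": {
            # Same names running from anywhere but System32 (LIKE is
            # case-insensitive in SQLite, LOWER() guards the IN list).
            "query": r"""
                SELECT pid, name, path, parent FROM processes
                WHERE LOWER(name) IN ('svchost.exe', 'lsass.exe', 'services.exe', 'wininit.exe')
                  AND LOWER(path) NOT LIKE 'c:\windows\system32\%'
            """,
            "interval": 60,
            "description": "Core system binary name running from outside System32",
        },
        "process_no_disk_binary": {
            # on_disk is 1 when the executable exists, 0 when it was deleted.
            "query": "SELECT pid, name, path, parent FROM processes WHERE on_disk = 0",
            "interval": 120,
            "description": "Running process whose executable is no longer on disk",
        },
    },
}

# Constructed rows: pid, name, path, parent, on_disk. pid 1337 is a fake
# svchost.exe spawned by Word from a user-writable path; pid 4100 is a
# process whose binary was deleted after launch.
SAMPLE_PROCESSES = [
    (600, "wininit.exe", r"C:\Windows\System32\wininit.exe", 4, 1),
    (700, "services.exe", r"C:\Windows\System32\services.exe", 600, 1),
    (720, "lsass.exe", r"C:\Windows\System32\lsass.exe", 600, 1),
    (900, "svchost.exe", r"C:\Windows\System32\svchost.exe", 700, 1),
    (3000, "explorer.exe", r"C:\Windows\explorer.exe", 2900, 1),  # parent exited
    (2200, "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 3000, 1),
    (1337, "svchost.exe", r"C:\Users\Public\svchost.exe", 2200, 1),
    (4100, "updater.exe", r"C:\Users\bob\AppData\Local\Temp\updater.exe", 2200, 0),
]


def build_sample_db():
    """In-memory table with the processes columns the pack queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent INTEGER, on_disk INTEGER)"
    )
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", SAMPLE_PROCESSES)
    return conn


def run_pack(pack, conn):
    """Execute every query in the pack and return {query_name: [row dicts]}."""
    conn.row_factory = sqlite3.Row
    return {
        name: [dict(row) for row in conn.execute(spec["query"]).fetchall()]
        for name, spec in pack["queries"].items()
    }


def pack_conf_text(pack=PACK):
    """Serialise the pack the way it would be written to a .conf file."""
    return json.dumps(pack, indent=2)


def demo():
    return run_pack(PACK, build_sample_db())


if __name__ == "__main__":
    print(pack_conf_text())
    for query_name, hits in demo().items():
        print(query_name, hits)
```

Running it prints the pack as osquery would load it and then the hits per query: the fake svchost.exe (pid 1337) is caught by both the parent and the path check, and updater.exe (pid 4100) by the no-binary-on-disk check; the legitimate svchost.exe under services.exe produces nothing.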

Windows ATT&CK MAPPING

  • windows-registry-monitoring.conf
    • ATT&CK: T1015,T1138,T1131,T1037,T1128,T1060,T1180,T1004,T1058,T1103,T1112
  • windows-incorrect_parent_process.conf
    • ATT&CK: T1173,T1086,T1204,T1183
  • windows_powershell_events.conf
    • ATT&CK: T1086,T1064
  • windows_system_running_processes.conf
    • ATT&CK: T1034,T1121,T1117,T1085
  • windows_persistence-startup_items.conf
    • ATT&CK: T1060
  • windows_service-persistence.conf
    • ATT&CK: T1050
  • windows_critical_service_status.conf
    • ATT&CK: T1089
  • windows_scheduled_tasks.conf
    • ATT&CK: T1053
  • network_connection_listening.conf
    • ATT&CK: T1086,T1093,T1020,T1041,T1011,T1029,T1043,T1090,T1094,T1024,T1008,T1219,T1105,T1065
  • windows_anomaly_process-execution.conf
    • ATT&CK: T1191,T1118,T1059,T1170,T1086,T1117,T1053,T1035,T1197,T1128,T1134,T1126,T1087,T1201,T1069,T1057,T1012,T1018,T1063,T1082,T1049,T1007,T1124,T1076
  • windows_generic_detection.conf
    • ATT&CK: T1136,T1078,T1116,T1075,T1097
  • windows_browsere-extensions.conf
    • ATT&CK: T1176
  • windows_new_dir_relevant_infection_path.conf
    • ATT&CK: T1034,T1074,T1044,T1060,T1023
  • windows_new_file_relevant_infection_path.conf
    • ATT&CK: T1034,T1074,T1044,T1060,T1023

Notes

  • The query interval of each conf file is not tuned, so please test it in a lab environment before rolling it out (suggestions are welcome).
  • Suggestions and improvements are welcome for every query pack conf file.
  • All query output must be sent to a system such as ELK or Splunk that correlates and alerts on it; osquery itself only collects and logs the rows.
  • The technique IDs in the mapping are those of the ATT&CK matrix before sub-techniques were introduced (July 2020); several have since been revoked or merged (for example T1060 is now T1547.001 and T1086 is now T1059.001), so check each ID against the current matrix before relying on it in alerts.
  • The project has just started, so stick around ;)
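The notes above say the query output has to reach a system such as ELK or Splunk for correlation and alerting. As an added example that is not part of this repository, the Python below consumes constructed lines in osquery's results-log format (one JSON object per line, with name, hostIdentifier, unixTime, columns and action), keeps only rows whose action is added (a removed row means the condition has cleared, a snapshot carries all rows at once) and attaches the ATT&CK IDs from the mapping section by pack name. It assumes the packs are registered under the osquery config's "packs" key with the conf file base names, so osquery prefixes each result name with pack_<pack>_.

```python
"""Added example, not part of this repository: tag osquery results-log lines
with the ATT&CK IDs of the pack that produced them. The log lines below are
constructed; pack names are assumed to equal the conf file base names."""
import json

# ATT&CK IDs per pack, copied from this README's mapping section.
ATTACK_MAP = {
    "windows-incorrect_parent_process": ["T1173", "T1086", "T1204", "T1183"],
    "windows_powershell_events": ["T1086", "T1064"],
    "windows_critical_service_status": ["T1089"],
}

# Constructed results-log lines in osquery's differential format. Line 2 is the
# 'removed' counterpart of line 1 (the fake svchost.exe exited); line 4 comes
# from an inventory pack that has no ATT&CK mapping.
SAMPLE_LOG = r"""
{"name":"pack_windows-incorrect_parent_process_incorrect_parent_process","hostIdentifier":"WS01","unixTime":1547546400,"columns":{"pid":"1337","name":"svchost.exe","path":"C:\\Users\\Public\\svchost.exe","parent_name":"WINWORD.EXE"},"action":"added"}
{"name":"pack_windows-incorrect_parent_process_incorrect_parent_process","hostIdentifier":"WS01","unixTime":1547546460,"columns":{"pid":"1337","name":"svchost.exe","path":"C:\\Users\\Public\\svchost.exe","parent_name":"WINWORD.EXE"},"action":"removed"}
{"name":"pack_windows_critical_service_status_firewall","hostIdentifier":"WS02","unixTime":1547546500,"columns":{"name":"mpssvc","status":"STOPPED"},"action":"added"}
{"name":"pack_windows_inventory_running_processes","hostIdentifier":"WS02","unixTime":1547546600,"columns":{"pid":"4","name":"System"},"action":"added"}
"""


def pack_of(result_name):
    """Split an osquery result name 'pack_<pack>_<query>' into (pack, query).
    Pack names contain underscores themselves, so match known packs by
    longest prefix instead of splitting on '_'. Unknown packs yield (None, rest)."""
    if not result_name.startswith("pack_"):
        return None, result_name
    rest = result_name[len("pack_"):]
    for pack in sorted(ATTACK_MAP, key=len, reverse=True):
        if rest.startswith(pack + "_"):
            return pack, rest[len(pack) + 1:]
    return None, rest


def tag_results(log_text):
    """Turn raw results-log lines into alert dicts carrying ATT&CK IDs."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        pack, query = pack_of(event["name"])
        if pack is None:
            continue  # unmapped pack: leave it to the SIEM as plain inventory
        action = event.get("action")
        if action == "snapshot":
            rows = event.get("snapshot", [])
        elif action == "added":
            rows = [event["columns"]]
        else:
            continue  # 'removed' rows close a finding rather than open one
        for row in rows:
            alerts.append({
                "host": event["hostIdentifier"],
                "time": event["unixTime"],
                "pack": pack,
                "query": query,
                "attack": ATTACK_MAP[pack],
                "columns": row,
            })
    return alerts


if __name__ == "__main__":
    for alert in tag_results(SAMPLE_LOG):
        print(json.dumps(alert))
```

The output is one enriched JSON alert per added row, ready to index next to the raw osquery events so that a SIEM search on a technique ID (for example T1089) returns the host, time and the offending columns without having to remember which pack covers it.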