16 | 16 | "windows-service-displayname", |
17 | 17 | "windows-scheduled-task", |
18 | 18 | "yara", |
| 19 | + "ip-dst", |
| 20 | + "ip-src", |
| 21 | + "filename", |
| 22 | + "sha256", |
| 23 | + "windows-service-name", |
| 24 | + "named pipe", |
| 25 | + "domain" |
19 | 26 | ] |
20 | 27 |
|
21 | 28 | userConfig = {} |
|
28 | 35 |
|
29 | 36 |
|
30 | 37 | moduleinfo = { |
31 | | - "version": "1.0", |
| 38 | + "version": "1.1", |
32 | 39 | "author": "Julien Bachmann, Hacknowledge", |
33 | 40 | "description": "OSQuery export of a MISP event.", |
34 | 41 | "module-type": ["export"], |
@@ -77,20 +84,58 @@ def handle_service(value): |
77 | 84 |
|
78 | 85 |
|
79 | 86 | def handle_yara(value): |
80 | | - return "not implemented yet, not sure it's easily feasible w/o dropping the sig on the hosts first" |
| 87 | + return "// WARNING make sure you examine and modify the path parameter below otherwise this is a very expensive search" |
| 88 | + return "SELECT * FROM file JOIN yara USING (path) WHERE (path LIKE '/%%' AND type = 'regular' AND size < 8000000 AND sigrule='%s' AND count > 0);" % value |
81 | 89 |
|
82 | 90 |
|
83 | 91 | def handle_scheduledtask(value): |
84 | 92 | return "SELECT * FROM scheduled_tasks WHERE name LIKE '%s';" % value |
85 | 93 |
|
86 | 94 |
|
| 95 | +def handle_ip_dst(value): |
| 96 | + return "SELECT * FROM process_open_sockets where remote_address LIKE '%s';" % value |
| 97 | + |
| 98 | + |
| 99 | +def handle_ip_src(value): |
| 100 | + return "SELECT * FROM process_open_sockets where local_address LIKE '%s';" % value |
| 101 | + |
| 102 | + |
| 103 | +def handle_filename(value): |
| 104 | + return "// WARNING make sure you examine and modify the path parameter below otherwise this is a very expensive search" |
| 105 | + return "select * from file where path LIKE '%s';" % value |
| 106 | + |
| 107 | + |
| 108 | +def handle_sha256(value): |
| 109 | + return "// WARNING make sure you examine and modify the file.directory parameter below otherwise this is a very expensive search" |
| 110 | + return "SELECT *, sha256 FROM file JOIN hash USING (path) WHERE file.directory LIKE '/%%' AND sha256 like '%s' ORDER BY mtime DESC LIMIT 1;" % value |
| 111 | + |
| 112 | + |
| 113 | +def handle_windows_service_name(value): |
| 114 | + return "SELECT * FROM services WHERE service_name LIKE '%s';" % value |
| 115 | + |
| 116 | + |
| 117 | +def handle_named_pipe(value): |
| 118 | + return "SELECT * FROM pipes WHERE name LIKE '%s';" % value |
| 119 | + |
| 120 | + |
| 121 | +def handle_domain(value): |
| 122 | + return "SELECT * FROM dns_cache WHERE name LIKE '%s';" % value |
| 123 | + |
| 124 | + |
87 | 125 | handlers = { |
88 | 126 | "regkey": handle_regkey, |
89 | 127 | "regkey|value": handle_regkeyvalue, |
90 | 128 | "mutex": handle_mutex, |
91 | 129 | "windows-service-displayname": handle_service, |
92 | 130 | "windows-scheduled-task": handle_scheduledtask, |
93 | 131 | "yara": handle_yara, |
| 132 | + "ip-dst": handle_ip_dst, |
| 133 | + "ip-src": handle_ip_src, |
| 134 | + "filename": handle_filename, |
| 135 | + "sha256": handle_sha256, |
| 136 | + "windows-service-name": handle_windows_service_name, |
| 137 | + "named pipe": handle_named_pipe, |
| 138 | + "domain": handle_domain, |
94 | 139 | } |
95 | 140 |
|
96 | 141 |
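Review bot: handle_yara, handle_filename and handle_sha256 each contain two consecutive `return` statements (new lines 87-88, 104-105 and 109-110), so the second return is unreachable and the caller only ever receives the `// WARNING …` comment string, never the query. Join the two into one returned string, e.g. for handle_filename `return "// WARNING make sure you examine and modify the path parameter below otherwise this is a very expensive search\n" + "select * from file where path LIKE '%s';" % value`, and do the same in the other two handlers. The new handlers also interpolate the MISP attribute value straight into the SQL text with `%`; since these values come from the event being exported, a value containing a single quote yields a malformed or altered osquery statement, so doubling quotes with `value.replace("'", "''")` before formatting would keep the export well-formed (the pre-existing handlers such as handle_scheduledtask share the pattern, but this hunk adds seven more instances). A one-line comment above the handlers dict stating that each handler returns osquery SQL text for the given MISP attribute type would help the next reader.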
|