def find_suspicious_chrome_extensions():
"""Detecting Chrome extensions which are at high risk"""
instance = osquery.SpawnInstance()
instance.open()
process_list = []
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
result_process = instance.client.query(
"SELECT uid,name,identifier,permissions,optional_permissions from chrome_extensions WHERE \
chrome_extensions.uid IN (SELECT uid FROM users) AND (permissions LIKE('%clipboardWrite%') \
OR permissions LIKE ('%<all_urls>%') OR permissions LIKE ('%tabs%') \
OR permissions LIKE ('%cookies%') OR permissions like ('%://*/%'))")
response = result_process.response
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['identifier'] = entry['identifier']
url = "https://chrome.google.com/webstore/detail/{}".format(entry['identifier'])
request = requests.get(url)
if request.status_code == 200:
process['is_website_exist'] = 'yes'
else:
process['is_website_exist'] = 'no'
process['permissions'] = entry['permissions']
process['optional_permissions'] = entry['optional_permissions']
process_list.append(process)
return process_list
def processes_running_binary_deleted(hw_type):
"""Find processes running with binary deleted"""
instance = osquery.SpawnInstance()
instance.open()
process_list = []
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
# Find Processes whose binary has been deleted from the disk
result_process = instance.client.query("SELECT name, path, pid FROM processes WHERE on_disk = 0")
response = result_process.response
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['pid'] = entry['pid']
process['path'] = entry['path']
process['memory'], process['disk_bytes_read'], process['disk_bytes_written'] = \
check_processes_disksize(entry['pid'])
process['cpu_usage'] = check_processes_cpu(entry['pid'])
process_list.append(process)
if "Apple" in hw_type:
final_process_list = check_network_traffic(process_list)
return final_process_list
else:
return process_list
def Crontab():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query("select * from crontab;")
if not ret.response:
return
HeaderMess('Crontab', ret.response)
def check_processes_large_resident_memory(hw_type):
"""Find Processes that has the largest resident memory"""
instance = osquery.SpawnInstance()
instance.open()
process_list = []
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
# Find Processes which has the largest resident memory
result_process = instance.client.query("select pid, name, uid, resident_size from processes \
order by resident_size desc limit 10")
response = result_process.response
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['pid'] = entry['pid']
process['resident_size'] = entry['resident_size']
process_list.append(process)
if "Apple" in hw_type:
final_process_list = check_network_traffic(process_list)
return final_process_list
else:
return process_list
def check_hardware_vendor():
"""Find the hardware vendor of the system"""
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("SELECT hardware_vendor from system_info")
response = result.response
return response[0]['hardware_vendor']
def Processes():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query("select pid,name,path,cmdline from processes;")
if not ret.response:
return
HeaderMess('Processes', ret.response)
def insert(self):
self.token = ""
instance = osquery.SpawnInstance()
instance.open()
while True:
try:
time.sleep(60)
ret = instance.client.query(
"select command as cmd from crontab")
res_s = ret.response
joinstr = ""
for item in res_s:
joinstr = joinstr + item['cmd']
joinstr = joinstr + '192.168.1.5'
import hashlib
m1 = hashlib.md5()
m1.update(joinstr)
token = m1.hexdigest()
import DataCenter
log = DataCenter.Syslog("192.168.1.5")
message_info = '{"source":"192.168.1.5","cnt":5,' + '"token":"' + token + '"}'
log.send(message_info, syslog_client.Level.INFO)
print(token)
except KeyboardInterrupt:
break
def Log_user():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query(
"select uid,gid,username,description,directory,shell from users;")
if not ret.response:
return
HeaderMess('Log_user', ret.response)
def check_processes_disksize(pid):
"""Find the disk read and write by a process"""
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("select resident_size,disk_bytes_read,disk_bytes_written from processes \
where pid='%s'" % pid)
response = result.response
for entry in response:
return [entry['resident_size'], entry['disk_bytes_read'], entry['disk_bytes_written']]
def Bean_shell():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query(
"SELECT DISTINCT(processes.pid), processes.name,processes.path, processes.cmdline, processes.root,process_open_sockets.remote_address,process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE remote_address NOT IN ('0.0.0.0','::','') and name in ('sh','bash','nc') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';"
)
if not ret.response:
return
HeaderMess('Bean_shell', ret.response)
def Open_Port():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query(
"select p.name, p.path, lp.port, lp.address,lp.pid from listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0 AND p.name != '';"
)
if not ret.response:
return
HeaderMess('Open_Port', ret.response)
def Shell_TTY():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query(
"select DISTINCT p.name, p.path, pos.remote_address, pos.remote_port from process_open_sockets pos LEFT JOIN processes p ON pos.pid = p.pid WHERE pos.remote_port != 0 AND p.name != '';"
)
if not ret.response:
return
HeaderMess('Shell_TTY', ret.response)
def Hidden():
instance = osquery.SpawnInstance()
instance.open()
ret = instance.client.query(
"SELECT hash.sha1, fi.path, fi.filename, datetime(fi.btime, 'unixepoch', 'UTC') as btime, datetime(fi.atime, 'unixepoch', 'UTC') as atime, datetime(fi.ctime, 'unixepoch', 'UTC') as ctime, datetime(fi.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file fi USING (path) where ((fi.path like '/home/%%/.%') OR (fi.path like '/root/.%')) AND type='regular';"
)
if not ret.response:
return
HeaderMess('Hidden', ret.response)
def dev():
q = request.values.get('q')
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query(q)
output = str(result.status)+"<br>\r\n"
for row in result.response:
output += str(row)+"<br>\r\n"
return str(output)
def check_processes_cpu(pid):
"""Find the CPU utilized by the process"""
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("SELECT pid, uid, name, \
ROUND(((user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)) * 100, 2)\
AS percentage FROM processes, (SELECT (SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) \
AS tsb,SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb FROM cpu_time) AS cpu_time where\
pid='%s'" % pid)
response = result.response
for entry in response:
return entry['percentage'] + '%'
def process_by_username():
instance = osquery.SpawnInstance()
instance.open()
a = str(
instance.client.query(
"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY start_time"
))
aSplited = a.rsplit("response=")
#print(aSplited[0][:-2]) #This is the statusContext
data = aSplited[1][:-1] #This is the conetent
data = data.replace("'", '"')
return data
def process_by_memory():
#SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS used FROM processes ORDER BY total_size DESC LIMIT 5;
instance = osquery.SpawnInstance()
instance.open()
a = str(
instance.client.query(
"SELECT pid, name, ROUND((total_size * '10e-7'), 2)\
AS used FROM processes ORDER BY total_size DESC;"))
aSplited = a.rsplit("response=")
#print(aSplited[0][:-2]) #This is the statusContext
data = aSplited[1][:-1] #This is the conetent
data = data.replace("'", '"')
# print(data)
return data
def __init__(self):
self.instance = osquery.SpawnInstance()
try:
self.instance.open()
except Exception as e:
logging.error(e)
self.uuid = self.__identifier()
self.hostname = self.__hostname()
self.operating_system = self.__fetch_os_info()
self.private_ip, self.public_ip = self.__fetch_network_info()
self.kernel_version = self.__fetch_kernel_info()
self.installed_packages = self.__fetch_installed_packages()
self.API_URL = 'https://api.lookout.network'
def prod():
name = request.values.get('username')
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("select username, description from users where username='******'")
status = result.status
results = result.response
output = str(status)+"<br>"
output += "<table border='1'>"
output += "<tr><td>username</td><td>description</td></tr>"
for user in results:
output += "<tr><td>"+user['username']+"</td><td>"+user['description']+"</td></tr>"
output += "</table>"
return str(output)
def suspicious_process_to_unknown_ports(hw_type, api_key, api_key_type):
""" Lists processes with IP traffic to remote ports not in (80, 443) and this can potentially \
identify suspicious outbound network activity. We can cross verify this external IP address \
with API VOID if its connected to known malicious IP address and list only those process.\
If no API key is available all processes that meets the above criteria will be listed"""
instance = osquery.SpawnInstance()
instance.open()
# Query local host for processes established to port other than 80 and 443
result_ip = instance.client.query(
"select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port \
from process_open_sockets s join processes p on s.pid = p.pid where remote_port not in (80, 443) \
and remote_address != '127.0.0.1' and s.state = 'ESTABLISHED'")
process_list = []
response = result_ip.response
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['local_address'] = entry['local_address']
process['local_port'] = entry['local_port']
process['remote_address'] = entry['remote_address']
process['remote_port'] = entry['remote_port']
process['pid'] = entry['pid']
# Check memory and CPU usage of each process
process['memory'], process['disk_bytes_read'], process['disk_bytes_written'] = \
check_processes_disksize(entry['pid'])
process['cpu_usage'] = check_processes_cpu(entry['pid'])
process_list.append(process)
# Check whether the remote_address is a known malicious IP address if API Key is provided
if 'none' not in api_key:
if 'apivoid' in api_key_type:
process_list = check_apivoid(api_key, process_list)
else:
process_list = check_vt(api_key, process_list)
if "Apple" in hw_type:
final_process_list = check_network_traffic(process_list)
return final_process_list
else:
return process_list
def query(q):
#https://github.com/osquery/osquery-python/blob/master/examples/spawn.py
INSTANCE = osquery.SpawnInstance(
os.getenv('osquery_socket',
'C:/Program Files/osquery/osqueryd/osqueryd.exe'))
INSTANCE.open()
RESULTS = INSTANCE.client.query(q)
INSTANCE.connection = None
if RESULTS.status.code != 0:
print("Error running the query: %s" % RESULTS.status.message)
host_queries.queryresults = pd.DataFrame()
host_queries.query_error = str("Error running the query: %s" %
RESULTS.status.message)
return
else:
data = RESULTS.response
host_queries.queryresults = pd.DataFrame(data)
def process_by_cpu_from_bootup():
instance = osquery.SpawnInstance()
instance.open()
a = str(
instance.client.query("SELECT pid, uid, name, ROUND((\
(user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)\
) * 100, 2) AS percentage\
FROM processes, (\
SELECT (\
SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,\
SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb\
FROM cpu_time\
) AS cpu_time\
ORDER BY user_time+system_time DESC;"))
aSplited = a.rsplit("response=")
#print(aSplited[0][:-2]) #This is the statusContext
data = aSplited[1][:-1] #This is the conetent
data = data.replace("'", '"')
print(data)
return data
def processes_exposed_network_attack(hw_type):
"""Very often Malware listens on port to provide command and control (C&C) \
or direct shell access for an attacker.Running this query periodically and diffing \
with the last known good results will help the security team to identify malicious \
running in any endpoints"""
instance = osquery.SpawnInstance()
instance.open() # This may raise an exception
process_list = []
# Find processes that is listening on 0.0.0.0 and exposing ur network for attack
result = instance.client.query("SELECT DISTINCT process.name, listening.port, process.pid FROM processes AS \
process JOIN listening_ports AS listening ON process.pid = listening.pid WHERE \
listening.address = '0.0.0.0'")
response = result.response
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
# List all that process
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['port'] = entry['port']
# Get the bytes read , written and memory used
process['pid'] = entry['pid']
process['memory'], process['disk_bytes_read'], process['disk_bytes_written'] = \
check_processes_disksize(entry['pid'])
process['cpu_usage'] = check_processes_cpu(entry['pid'])
process_list.append(process)
if "Apple" in hw_type:
final_process_list = check_network_traffic(process_list)
return final_process_list
else:
return process_list
def check_application_version():
instance = osquery.SpawnInstance()
instance.open()
process_list = []
# Parse today's date and time
today = date.today()
d1 = today.strftime("%d/%m/%Y")
t = time.localtime()
current_time = time.strftime("%H:%M:%S", t)
# Find Processes which has the largest resident memory
result_process = instance.client.query("select name,bundle_version,\
category from apps")
response = result_process.response
for entry in response:
for entry in response:
process = {}
process['date'] = d1
process['current_time'] = current_time
process['name'] = entry['name']
process['bundle_version'] = entry['bundle_version']
process['category'] = entry['category']
process_list.append(process)
return process_list
import osquery
if __name__ == "__main__":
# Spawn an osquery process using an ephemeral extension socket.
instance = osquery.SpawnInstance()
instance.open() # This may raise an exception
# Issues queries and call osquery Thrift APIs.
instance.client.query("select timestamp from time")
def makeQuery(self, query):
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query(query)
return result.response
def makeQuery():
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("SELECT version FROM os_version")
return jsonify(result.response[0])
#!/usr/bin/env python
"""
simple script which runs a query from the command-line by spawning osqueryd
"""
import sys
import osquery
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: %s \"query\"" % sys.argv[0])
sys.exit(1)
INSTANCE = osquery.SpawnInstance()
INSTANCE.open()
RESULTS = INSTANCE.client.query(sys.argv[1])
if RESULTS.status.code != 0:
print("Error running the query: %s" % RESULTS.status.message)
sys.exit(1)
for row in RESULTS.response:
print("=" * 80)
for key, val in row.iteritems():
print("%s => %s" % (key, val))
if len(RESULTS.response) > 0:
print("=" * 80)
def Query3():
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("SELECT memory_total FROM memory_info")
return jsonify(result.response[0])
def QueryU():
instance = osquery.SpawnInstance()
instance.open()
result = instance.client.query("SELECT * FROM users")
return jsonify(result.response[0])
