mig/doc/cheatsheet.rst.html

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <link href="docstyle.css" rel="stylesheet" />
    <title>Mozilla InvestiGator Cheat Sheet</title>
    <meta content="Guillaume Destuynder &lt;kang@mozilla.com&gt;" name="author" />
</head>
<body>
    <h1>Mozilla InvestiGator Cheat Sheet</h1>
    <aside class="topic contents" id="table-of-contents">
        <h1>Table of Contents</h1>
        <ul class="auto-toc">
            <li>
                <p><a href="#file-module">1   File module</a></p>
                <ul class="auto-toc">
                    <li><a href="#find-files-in-etc-cron-d-that-contain-mysql-on-hosts-buildbot">1.1   Find files in /etc/cron.d that contain "mysql://" on hosts "<em>buildbot</em>"</a></li>
                    <li><a href="#find-files-etc-passwd-that-have-been-modified-in-the-past-2-days">1.2   Find files /etc/passwd that have been modified in the past 2 days</a></li>
                    <li><a href="#find-endpoints-with-high-uptime">1.3   Find endpoints with high uptime</a></li>
                    <li><a href="#find-endpoints-running-process-sbin-auditd">1.4   Find endpoints running process "/sbin/auditd"</a></li>
                    <li><a href="#find-which-machines-have-a-specific-usb-device-connected">1.5   Find which machines have a specific USB device connected</a></li>
                </ul>
            </li>
            <li>
                <p><a href="#netstat-module">2   Netstat module</a></p>
                <ul class="auto-toc">
                    <li><a href="#searching-for-a-fraudulent-ip">2.1   Searching for a fraudulent IP</a></li>
                    <li><a href="#locating-a-device-by-its-mac-address">2.2   Locating a device by its mac address</a></li>
                    <li><a href="#listing-endpoints-that-have-active-connections-to-the-internet">2.3   Listing endpoints that have active connections to the Internet</a></li>
                </ul>
            </li>
            <li>
                <p><a href="#advanced-targetting">3   Advanced targetting</a></p>
                <ul class="auto-toc">
                    <li><a href="#target-agents-that-found-results-in-a-previous-action">3.1   Target agents that found results in a previous action</a></li>
                </ul>
            </li>
        </ul>
    </aside>
    <p>This is a list of common operations you may want to run with MIG.</p>
    <section id="file-module">
        <h2>1   File module</h2>
        <p>You can find detailled documentation by running <cite>mig file help</cite> or in the online doc at <cite>doc/module_file.html</cite>.</p>
        <section id="find-files-in-etc-cron-d-that-contain-mysql-on-hosts-buildbot">
            <h3>1.1   Find files in /etc/cron.d that contain "mysql://" on hosts "<em>buildbot</em>"</h3>
            <p>This is a simple file content check that looks into all the files contained in <cite>/etc/cron.d</cite> for a string that matched <cite>mysql://</cite>.</p>
            <pre><code class="bash">mig file -t <span class="s2">"queueloc LIKE 'linux.%' AND name LIKE '%buildbot%'"</span> -path /etc/cron.d/ -content <span class="s2">"mysql://"</span></code></pre>
        </section>
        <section id="find-files-etc-passwd-that-have-been-modified-in-the-past-2-days">
            <h3>1.2   Find files /etc/passwd that have been modified in the past 2 days</h3>
            <p>The <cite>mtime</cite> check of the file module matches against the last modified timestamp of a file.</p>
            <pre><code class="bash">mig file -t <span class="s2">"queueloc LIKE 'linux.%'"</span> -path /etc/passwd -mtime &lt;2d</code></pre>
        </section>
        <section id="find-endpoints-with-high-uptime">
            <h3>1.3   Find endpoints with high uptime</h3>
            <p>On Linux and MacOS, the uptime of a host is kept in <cite>/proc/uptime</cite>. We can apply a regex on that file to list hosts with an uptime larger or lower than any amount.</p>
            <p>Note the search target that uses postgres's regex format <cite>~*</cite>.</p>
            <pre><code class="bash">mig file -t <span class="s2">"queueloc ~* '^(linux|darwin).%'"</span> -path /proc/uptime -content <span class="s2">"^[5-9]{1}[0-9]{7,}\\."</span></code></pre>
        </section>
        <section id="find-endpoints-running-process-sbin-auditd">
            <h3>1.4   Find endpoints running process "/sbin/auditd"</h3>
            <p>Here, the '^' in the content regex is important to prevent mig from listing itself while searching for the command line.</p>
            <pre><code class="bash">mig file -t <span class="s2">"queueloc LIKE 'linux.%'"</span> -path /proc/ -name cmdline -content <span class="s2">"^/sbin/auditd"</span></code></pre>
            <p>Another option, if using '^' is not possible, is to enclose one of the letter of the process name into brackets:</p>
            <pre><code class="bash"><span class="nv">$ </span>mig file -t <span class="s2">"tags-&gt;&gt;'operator'='IT'"</span> -path /proc -name <span class="s2">"^cmdline$"</span> -maxdepth 2 -content <span class="s2">"[a]rcsight"</span></code></pre>
        </section>
        <section id="find-which-machines-have-a-specific-usb-device-connected">
            <h3>1.5   Find which machines have a specific USB device connected</h3>
            <p>In this example, we'll look for the CryptoStick USB device (vendor:product 20a0:4107). You can find more device id's with the command <cite>lsusb</cite>.</p>
            <pre><code class="bash">mig file -matchany -path /sys/devices/ -name <span class="s2">"^uevent$"</span> -content <span class="s2">"PRODUCT=20a0/4107"</span></code></pre>
        </section>
    </section>
    <section id="netstat-module">
        <h2>2   Netstat module</h2>
        <p>You can find detailled documentation by running <cite>mig netstat help</cite>.</p>
        <section id="searching-for-a-fraudulent-ip">
            <h3>2.1   Searching for a fraudulent IP</h3>
            <p>Given an ip 1.2.3.4 associated with fraudulent traffic, we can use the netstat module to verify that the IP isn't currently connected to any endpoint.</p>
            <pre><code class="bash">mig netstat -ci 1.2.3.4</code></pre>
            <p><cite>-ci</cite> stands for connected IP, and accepts an IP or a CIDR, in v4 or v6.</p>
        </section>
        <section id="locating-a-device-by-its-mac-address">
            <h3>2.2   Locating a device by its mac address</h3>
            <p>MIG <cite>netstat</cite> can be used to find endpoints that have a given mac address in their arp tables, which helps geographically locating an endpoint.</p>
            <pre><code class="bash">mig netstat -nm 8c:70:5a:c8:be:50</code></pre>
            <p><cite>-nm</cite> stands for neighbor mac and takes a regex (ex: <cite>^8c:70:[0-9a-f]</cite>).</p>
        </section>
        <section id="listing-endpoints-that-have-active-connections-to-the-internet">
            <h3>2.3   Listing endpoints that have active connections to the Internet</h3>
            <p>The search below tells the <cite>netstat</cite> module to capture all connections with one IP in a public CIDR. The list of CIDR is rather long, because it avoid private CIDR (the netstat module doesn't have an <cite>exclude</cite> option).</p>
            <pre><code class="bash">mig netstat -e 60s  -ci 1.0.0.0/8       -ci 2.0.0.0/7       -ci 4.0.0.0/6   -ci 8.0.0.0/7 <span class="se">\
</span>-ci 11.0.0.0/8      -ci 12.0.0.0/6      -ci 16.0.0.0/4      -ci 32.0.0.0/3  -ci 64.0.0.0/3 <span class="se">\
</span>-ci 96.0.0.0/4      -ci 112.0.0.0/5     -ci 120.0.0.0/6     -ci 124.0.0.0/7 -ci 126.0.0.0/8 <span class="se">\
</span>-ci 128.0.0.0/3     -ci 160.0.0.0/5     -ci 168.0.0.0/6     -ci 172.0.0.0/12 <span class="se">\
</span>-ci 172.32.0.0/11   -ci 172.64.0.0/10   -ci 172.128.0.0/9   -ci 173.0.0.0/8 <span class="se">\
</span>-ci 174.0.0.0/7     -ci 176.0.0.0/4     -ci 192.0.0.0/9     -ci 192.128.0.0/11 <span class="se">\
</span>-ci 192.160.0.0/13  -ci 192.169.0.0/16  -ci 192.170.0.0/15  -ci 192.172.0.0/14 <span class="se">\
</span>-ci 192.176.0.0/12  -ci 192.192.0.0/10  -ci 193.0.0.0/8     -ci 194.0.0.0/7 <span class="se">\
</span>-ci 196.0.0.0/6     -ci 200.0.0.0/5     -ci 208.0.0.0/4</code></pre>
        </section>
    </section>
    <section id="advanced-targetting">
        <h2>3   Advanced targetting</h2>
        <p>MIG can use complex queries to target specific agents. The following examples outline some of the capabilities. At the core, the <cite>target</cite> parameter is just a WHERE condition executed against the agent table of the MIG database, so if you know the DB schema, you can craft any targetting you want.</p>
        <section id="target-agents-that-found-results-in-a-previous-action">
            <h3>3.1   Target agents that found results in a previous action</h3>
            <p>Useful to run a second action on the agents that returned positive results in a first one. The query is a bit complex because it uses Postgres JSON array processing.</p>
            <p>Given an action with ID 12345 that was run and returned results, we want to run a new action on the agents that matched action 12345. To do so, use the target that follows:</p>
            <pre><code class="bash">mig file -t <span class="s2">"id IN ( \
    SELECT agentid FROM commands, json_array_elements(commands.results) AS r \
    WHERE commands.actionid = 12345 AND r#&gt;&gt;'{foundanything}' = 'true')"</span> <span class="se">\
</span>-path /etc/passwd -content <span class="s2">"^spongebob"</span></code></pre>
            <p>The subquery select command results for action 12345 and return the ID of agents that have at least one <cite>foundanything</cite> set to true. Since command results are an array, and each entry of the array contains a foundanything value, the query iterates through each entry of the array using postgres's <cite>json_array_elements</cite> function.</p>
        </section>
    </section>
</body>
</html>