2022-10-20 11:04:18 +00:00
|
|
|
-- Unexpected programs communicating over non-HTTPS protocols (state-based)
|
|
|
|
--
|
|
|
|
-- This query is a bit awkward and hobbled due to the lack of osquery support
|
|
|
|
-- for looking up binary signatures in Linux.
|
2022-10-13 18:59:32 +00:00
|
|
|
--
|
|
|
|
-- references:
|
2022-10-19 20:56:32 +00:00
|
|
|
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
2022-10-13 18:59:32 +00:00
|
|
|
--
|
2022-10-17 12:43:29 +00:00
|
|
|
-- tags: transient state net rapid
|
2022-10-13 18:59:32 +00:00
|
|
|
-- platform: linux
|
2022-10-20 11:04:18 +00:00
|
|
|
SELECT s.remote_address,
|
2022-09-22 09:18:03 +00:00
|
|
|
p.name,
|
|
|
|
p.path,
|
|
|
|
p.cmdline AS child_cmd,
|
|
|
|
p.cwd,
|
2022-09-22 17:18:16 +00:00
|
|
|
pp.path AS parent_path,
|
2022-09-22 09:18:03 +00:00
|
|
|
p.parent AS parent_pid,
|
|
|
|
pp.cmdline AS parent_cmd,
|
2022-10-20 11:04:18 +00:00
|
|
|
s.state,
|
2022-09-22 09:18:03 +00:00
|
|
|
hash.sha256,
|
2022-10-20 11:04:18 +00:00
|
|
|
-- This intentionally avoids file.path, as it won't join across mount namespaces
|
2022-09-24 15:12:23 +00:00
|
|
|
CONCAT (
|
2022-09-22 09:18:03 +00:00
|
|
|
MIN(s.remote_port, 32768),
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-10-20 11:04:18 +00:00
|
|
|
s.protocol,
|
|
|
|
',',
|
|
|
|
MIN(p.euid, 500),
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-10-20 11:04:18 +00:00
|
|
|
REPLACE(
|
|
|
|
REGEX_MATCH(p.path, '(/.*?)/', 1),
|
|
|
|
'/nix',
|
|
|
|
'/usr'
|
|
|
|
),
|
|
|
|
'/',
|
|
|
|
REGEX_MATCH(p.path, '.*/(.*?)$', 1),
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-10-20 11:04:18 +00:00
|
|
|
MIN(f.uid, 500),
|
|
|
|
'u,',
|
|
|
|
MIN(f.gid, 500),
|
|
|
|
'g,',
|
2022-09-22 09:18:03 +00:00
|
|
|
p.name
|
|
|
|
) AS exception_key
|
2022-10-19 21:07:52 +00:00
|
|
|
FROM process_open_sockets s
|
2022-09-22 09:18:03 +00:00
|
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
2022-10-20 11:04:18 +00:00
|
|
|
LEFT JOIN file f ON p.path = f.path
|
2022-09-22 09:18:03 +00:00
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
2022-10-19 21:07:52 +00:00
|
|
|
WHERE protocol > 0
|
2022-09-22 09:18:03 +00:00
|
|
|
AND s.remote_port > 0
|
2022-10-20 11:04:18 +00:00
|
|
|
-- See unexpected-https-client
|
|
|
|
AND NOT (
|
|
|
|
s.remote_port = 443
|
|
|
|
AND protocol IN (6, 17)
|
|
|
|
)
|
|
|
|
-- See unexpected-dns-traffic
|
|
|
|
AND NOT (
|
|
|
|
s.remote_port = 53
|
|
|
|
AND protocol IN (6, 17)
|
|
|
|
)
|
|
|
|
AND s.remote_address NOT IN (
|
|
|
|
'127.0.0.1',
|
|
|
|
'::ffff:127.0.0.1',
|
|
|
|
'::1',
|
|
|
|
'::',
|
|
|
|
'0.0.0.0'
|
|
|
|
)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND s.remote_address NOT LIKE 'fe80:%'
|
|
|
|
AND s.remote_address NOT LIKE '127.%'
|
|
|
|
AND s.remote_address NOT LIKE '192.168.%'
|
|
|
|
AND s.remote_address NOT LIKE '172.1%'
|
|
|
|
AND s.remote_address NOT LIKE '172.2%'
|
|
|
|
AND s.remote_address NOT LIKE '172.30.%'
|
|
|
|
AND s.remote_address NOT LIKE '172.31.%'
|
|
|
|
AND s.remote_address NOT LIKE '::ffff:172.%'
|
|
|
|
AND s.remote_address NOT LIKE '10.%'
|
|
|
|
AND s.remote_address NOT LIKE '::ffff:10.%'
|
|
|
|
AND s.remote_address NOT LIKE 'fc00:%'
|
2022-10-20 11:04:18 +00:00
|
|
|
AND p.path != ''
|
|
|
|
AND NOT exception_key IN (
|
|
|
|
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
|
|
|
|
'5228,6,500,/opt/chrome,0u,0g,chrome',
|
|
|
|
'4070,6,500,/opt/spotify,0u,0g,spotify',
|
|
|
|
'22000,6,500,/usr/syncthing,0u,0g,syncthing',
|
2022-10-20 11:59:17 +00:00
|
|
|
'123,17,500,/usr/chronyd,0u,0g,chronyd',
|
2022-10-20 11:04:18 +00:00
|
|
|
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra'
|
2022-10-19 21:07:52 +00:00
|
|
|
)
|
|
|
|
AND NOT (
|
|
|
|
p.name = 'syncthing'
|
2022-10-20 11:04:18 +00:00
|
|
|
AND f.filename = 'syncthing'
|
|
|
|
AND s.remote_port > 1024
|
|
|
|
AND s.protocol = 6
|
|
|
|
AND p.euid > 500
|
2022-10-18 00:57:56 +00:00
|
|
|
)
|
2022-10-19 21:07:52 +00:00
|
|
|
GROUP BY p.cmdline
|