osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql

94 lines
2.4 KiB
MySQL
Raw Normal View History

2022-10-20 11:04:18 +00:00
-- Unexpected programs communicating over non-HTTPS protocols (state-based)
--
-- This query is a bit awkward and hobbled due to the lack of osquery support
-- for looking up binary signatures in Linux.
--
-- references:
2022-10-19 20:56:32 +00:00
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net rapid
-- platform: linux
2022-10-20 11:04:18 +00:00
SELECT s.remote_address,
2022-09-22 09:18:03 +00:00
p.name,
p.path,
p.cmdline AS child_cmd,
p.cwd,
2022-09-22 17:18:16 +00:00
pp.path AS parent_path,
2022-09-22 09:18:03 +00:00
p.parent AS parent_pid,
pp.cmdline AS parent_cmd,
2022-10-20 11:04:18 +00:00
s.state,
2022-09-22 09:18:03 +00:00
hash.sha256,
2022-10-20 11:04:18 +00:00
-- This intentionally avoids file.path, as it won't join across mount namespaces
CONCAT (
2022-09-22 09:18:03 +00:00
MIN(s.remote_port, 32768),
',',
2022-10-20 11:04:18 +00:00
s.protocol,
',',
MIN(p.euid, 500),
',',
2022-10-20 11:04:18 +00:00
REPLACE(
REGEX_MATCH(p.path, '(/.*?)/', 1),
'/nix',
'/usr'
),
'/',
REGEX_MATCH(p.path, '.*/(.*?)$', 1),
',',
2022-10-20 11:04:18 +00:00
MIN(f.uid, 500),
'u,',
MIN(f.gid, 500),
'g,',
2022-09-22 09:18:03 +00:00
p.name
) AS exception_key
2022-10-19 21:07:52 +00:00
FROM process_open_sockets s
2022-09-22 09:18:03 +00:00
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
2022-10-20 11:04:18 +00:00
LEFT JOIN file f ON p.path = f.path
2022-09-22 09:18:03 +00:00
LEFT JOIN hash ON p.path = hash.path
2022-10-19 21:07:52 +00:00
WHERE protocol > 0
2022-09-22 09:18:03 +00:00
AND s.remote_port > 0
2022-10-20 11:04:18 +00:00
-- See unexpected-https-client
AND NOT (
s.remote_port = 443
AND protocol IN (6, 17)
)
-- See unexpected-dns-traffic
AND NOT (
s.remote_port = 53
AND protocol IN (6, 17)
)
AND s.remote_address NOT IN (
'127.0.0.1',
'::ffff:127.0.0.1',
'::1',
'::',
'0.0.0.0'
)
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
AND s.remote_address NOT LIKE '172.31.%'
AND s.remote_address NOT LIKE '::ffff:172.%'
AND s.remote_address NOT LIKE '10.%'
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE 'fc00:%'
2022-10-20 11:04:18 +00:00
AND p.path != ''
AND NOT exception_key IN (
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
'5228,6,500,/opt/chrome,0u,0g,chrome',
'4070,6,500,/opt/spotify,0u,0g,spotify',
'22000,6,500,/usr/syncthing,0u,0g,syncthing',
2022-10-20 11:59:17 +00:00
'123,17,500,/usr/chronyd,0u,0g,chronyd',
2022-10-20 11:04:18 +00:00
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra'
2022-10-19 21:07:52 +00:00
)
AND NOT (
p.name = 'syncthing'
2022-10-20 11:04:18 +00:00
AND f.filename = 'syncthing'
AND s.remote_port > 1024
AND s.protocol = 6
AND p.euid > 500
2022-10-18 00:57:56 +00:00
)
2022-10-19 21:07:52 +00:00
GROUP BY p.cmdline