RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql

47 lines
1.2 KiB
MySQL
Raw Normal View History

Add support for interval tags
2022-10-14 18:19:13 +00:00
-- Unexpected /etc/hosts entries
--
-- false positives:
-- * developers adding entries for their own use
--
Add a lot more mitre data
2022-10-19 20:56:32 +00:00
-- references:
-- * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
--
Add support for interval tags
2022-10-14 18:19:13 +00:00
-- tags: persistent seldom filesystem net
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
SELECT
*
FROM
etc_hosts
WHERE
hostnames NOT IN (
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'localhost',
'localhost ip6-localhost ip6-loopback',
Add more localhost entries
2022-10-13 22:08:03 +00:00
'localhost localhost.localdomain localhost4 localhost4.localdomain4',
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'ip6-allnodes',
'ip6-allrouters',
'kubernetes'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
)
AND address NOT IN (
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'::1',
'ff02::1',
'ff02::2',
'255.255.255.255',
'fe00::0',
'ff00::0'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
)
Ignore any /etc/hosts pointing to 127.x.x.x
2022-10-21 21:49:12 +00:00
AND address NOT LIKE '127.%'
fpr: RSA keys, tcpdump, login, crane, souregraph, etc
2023-09-20 13:30:46 +00:00
AND address NOT LIKE '172.%'
Resolve latest reported false positives
2022-12-02 16:20:18 +00:00
AND address NOT LIKE '192.168.%'
AND address NOT LIKE '10.%'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
AND hostnames NOT LIKE 'localhost.%'
fpr: RSA keys, tcpdump, login, crane, souregraph, etc
2023-09-20 13:30:46 +00:00
AND hostnames NOT LIKE '%k8s%'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
AND hostnames NOT LIKE '%.svc'
Filter out vaikas dev hostnames
2022-10-13 21:58:29 +00:00
AND hostnames NOT LIKE '%.%-%.%.dev'
fpr: RSA keys, tcpdump, login, crane, souregraph, etc
2023-09-20 13:30:46 +00:00
AND hostnames NOT LIKE '%local%'
Add *.wtf to allow list
2022-10-13 22:06:07 +00:00
AND hostnames NOT LIKE '%.wtf'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
AND hostnames NOT LIKE '%.test'
AND hostnames NOT LIKE '%.internal'
AND hostnames NOT LIKE '%.local'
fpr: aws, java, arch, cody, google, wireshark, etc
2023-10-31 15:40:10 +00:00
AND hostnames NOT LIKE "%.cloud"
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
AND hostnames NOT LIKE 'ip6-%'
fpr: Brave, Adobe, Signal, Kandji, SteelSeries, etc
2023-06-30 20:38:31 +00:00
AND hostnames NOT LIKE "%.example.com"