osquery-defense-kit/detection/c2/unexpected-https-client-lin...

-- Unexpected programs communicating over HTTPS (state-based)
--
-- This query is a bit awkward and hobbled due to the lack of osquery support
-- for looking up binary signatures in Linux.
--
-- references:
--   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net rapid
-- platform: linux
SELECT s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  s.state,
  hash.sha256,
  -- This intentionally avoids file.path, as it won't join across mount namespaces
  CONCAT (
    MIN(p.euid, 500),
    ',',
    REPLACE(
      REPLACE(
        REGEX_MATCH (p.path, '(/.*?)/', 1),
        '/nix',
        '/usr'
      ),
      '/snap',
      '/opt'
    ) '/',
    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
    'u,',
    MIN(f.gid, 500),
    'g,',
    p.name
  ) AS exception_key
FROM process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
WHERE protocol IN (6, 17)
  AND s.remote_port = 443
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '172.1%'
  AND s.remote_address NOT LIKE '172.2%'
  AND s.remote_address NOT LIKE '172.30.%'
  AND s.remote_address NOT LIKE '172.31.%'
  AND s.remote_address NOT LIKE '::ffff:172.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND p.path != ''
  AND NOT exception_key IN (
    '0,/usr/dockerd,0u,0g,dockerd',
    '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
    '0,/usr/launcher,0u,0g,launcher',
    '0,/usr/packagekitd,0u,0g,packagekitd',
    '0,/usr/tailscaled,0u,0g,tailscaled',
    '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
    '500,/app/slack,u,g,slack',
    '500,/app/zoom.real,u,g,zoom.real',
    '500,/home/chainctl,500u,500g,chainctl',
    '500,/ko-app/chainctl,u,g,chainctl',
    '500,/ko-app/controlplane,u,g,controlplane',
    '500,/opt/chrome,0u,0g,chrome',
    '500,/opt/firefox,0u,0g,firefox',
    '500,/opt/slack,0u,0g,slack',
    '500,/opt/spotify,0u,0g,spotify',
    '500,/usr/chrome,0u,0g,chrome',
    '500,/usr/code,0u,0g,code',
    '500,/usr/curl,0u,0g,curl',
    '500,/usr/electron,0u,0g,electron',
    '500,/usr/firefox,0u,0g,firefox',
    '500,/usr/firefox,0u,0g,.firefox-wrappe',
    '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
    '500,/usr/geoclue,0u,0g,geoclue',
    '500,/usr/gitsign,0u,0g,gitsign',
    '500,/usr/gnome-software,0u,0g,gnome-software',
    '500,/usr/kubectl,500u,500g,kubectl',
    '500,/usr/slack,0u,0g,slack',
    '500,/usr/syncthing,0u,0g,syncthing'
  ) -- stay weird, NixOS (Fastly nix mirror)
  AND NOT child_cmd = '/run/current-system/sw/bin/bash'
GROUP BY p.cmdline
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`-- Unexpected programs communicating over HTTPS (state-based)`
			`--`
			`-- This query is a bit awkward and hobbled due to the lack of osquery support`
			`-- for looking up binary signatures in Linux.`
			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)`
			`--`
			`-- tags: transient state net rapid`
			`-- platform: linux`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`SELECT s.remote_address,`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`p.name,`
			`p.path,`
			`p.cmdline AS child_cmd,`
			`p.cwd,`
			`pp.path AS parent_path,`
			`p.parent AS parent_pid,`
			`pp.cmdline AS parent_cmd,`
			`s.state,`
			`hash.sha256,`
			`-- This intentionally avoids file.path, as it won't join across mount namespaces`
			`CONCAT (`
			`MIN(p.euid, 500),`
			`',',`
			`REPLACE(`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`REPLACE(`
			`REGEX_MATCH (p.path, '(/.*?)/', 1),`
			`'/nix',`
			`'/usr'`
			`),`
			`'/snap',`
			`'/opt'`
			`) '/',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`REGEX_MATCH (p.path, './(.?)$', 1),`
			`',',`
			`MIN(f.uid, 500),`
			`'u,',`
			`MIN(f.gid, 500),`
			`'g,',`
			`p.name`
			`) AS exception_key`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`FROM process_open_sockets s`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`LEFT JOIN processes p ON s.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN file f ON p.path = f.path`
			`LEFT JOIN hash ON p.path = hash.path`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`WHERE protocol IN (6, 17)`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`AND s.remote_port = 443`
			`AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')`
			`AND s.remote_address NOT LIKE 'fe80:%'`
			`AND s.remote_address NOT LIKE '127.%'`
			`AND s.remote_address NOT LIKE '192.168.%'`
			`AND s.remote_address NOT LIKE '172.1%'`
			`AND s.remote_address NOT LIKE '172.2%'`
			`AND s.remote_address NOT LIKE '172.30.%'`
			`AND s.remote_address NOT LIKE '172.31.%'`
			`AND s.remote_address NOT LIKE '::ffff:172.%'`
			`AND s.remote_address NOT LIKE '10.%'`
			`AND s.remote_address NOT LIKE '::ffff:10.%'`
			`AND s.remote_address NOT LIKE 'fc00:%'`
			`AND p.path != ''`
			`AND NOT exception_key IN (`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'0,/usr/dockerd,0u,0g,dockerd',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'0,/usr/launcher,0u,0g,launcher',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'0,/usr/packagekitd,0u,0g,packagekitd',`
			`'0,/usr/tailscaled,0u,0g,tailscaled',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',`
			`'500,/app/slack,u,g,slack',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/app/zoom.real,u,g,zoom.real',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'500,/home/chainctl,500u,500g,chainctl',`
			`'500,/ko-app/chainctl,u,g,chainctl',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/ko-app/controlplane,u,g,controlplane',`
			`'500,/opt/chrome,0u,0g,chrome',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'500,/opt/firefox,0u,0g,firefox',`
			`'500,/opt/slack,0u,0g,slack',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/opt/spotify,0u,0g,spotify',`
			`'500,/usr/chrome,0u,0g,chrome',`
			`'500,/usr/code,0u,0g,code',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/usr/curl,0u,0g,curl',`
Linux: Add electron as an HTTPS client 2022-10-20 17:53:18 +00:00			`'500,/usr/electron,0u,0g,electron',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/firefox,0u,0g,firefox',`
			`'500,/usr/firefox,0u,0g,.firefox-wrappe',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/geoclue,0u,0g,geoclue',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/usr/gitsign,0u,0g,gitsign',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/gnome-software,0u,0g,gnome-software',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'500,/usr/kubectl,500u,500g,kubectl',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/slack,0u,0g,slack',`
			`'500,/usr/syncthing,0u,0g,syncthing'`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`) -- stay weird, NixOS (Fastly nix mirror)`
linux talkers: Add snap Slack and NixOS bash exception 2022-10-20 17:44:09 +00:00			`AND NOT child_cmd = '/run/current-system/sw/bin/bash'`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`GROUP BY p.cmdline`