osquery-defense-kit/net/unexpected-talkers.sql

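-- unexpected-talkers: every process that holds a non-listening socket to a
-- remote address outside loopback, link-local, RFC 1918 and ULA space, minus a
-- per-program allowlist of known-good (program, remote port, protocol) pairs.
--
-- Notes for anyone adding an exclusion:
--   * Keep the whole condition inside its NOT ( ... ). A bare OR, or an AND
--     left outside the closing parenthesis, silently rewrites the entire WHERE
--     clause: one such slip here dropped every TCP row, another excused any
--     connection to a port above 1024 for every program.
--   * protocol is the IP protocol number: 6 = TCP, 17 = UDP.
--   * Exclusions keyed only on p.name are weak: renaming a binary is enough to
--     match them. Prefer p.path (plus p.cwd / parent) when the program has a
--     stable install location.
--   * osquery's SQLite dialect: LIKE is used for prefix matches, GLOB where a
--     character class is needed (GLOB is case-sensitive).
SELECT
  s.family,
  s.protocol,
  s.local_port,
  s.remote_port,
  s.local_address,
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  s.pid,
  s.net_namespace,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  hash.sha256
FROM process_open_sockets s
  JOIN processes p ON s.pid = p.pid
  -- LEFT JOINs on purpose: a process whose parent has already exited, or whose
  -- on-disk binary cannot be hashed (deleted after exec, unreadable, etc.), is
  -- precisely the kind of talker this query exists to surface. An inner join
  -- would silently drop those rows.
  LEFT JOIN processes pp ON pp.pid = p.parent
  LEFT JOIN hash ON p.path = hash.path
WHERE s.protocol > 0
  AND s.remote_port > 0
  -- Loopback and link-local.
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE 'fe80:%'
  -- RFC 1918 space, both native IPv4 and IPv4-mapped IPv6.
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '::ffff:192.168.%'
  -- 172.16.0.0/12 is exactly 172.16.x.x through 172.31.x.x. The previous
  -- '172.1%' / '172.2%' / '::ffff:172.%' patterns also swallowed public space
  -- (172.1.x.x, 172.100-199.x.x, 172.200-255.x.x), hiding real talkers.
  AND NOT (
    s.remote_address GLOB '172.1[6-9].*'
    OR s.remote_address GLOB '172.2[0-9].*'
    OR s.remote_address GLOB '172.3[01].*'
    OR s.remote_address GLOB '::ffff:172.1[6-9].*'
    OR s.remote_address GLOB '::ffff:172.2[0-9].*'
    OR s.remote_address GLOB '::ffff:172.3[01].*'
  )
  -- IPv6 unique local addresses are fc00::/7, i.e. fc00:: through fdff::;
  -- the previously used 'fc00:%' missed the fd00::/8 half that is actually
  -- assigned in practice.
  AND s.remote_address NOT GLOB 'f[cd]??:*'
  AND s.state != 'LISTEN'
  AND NOT (remote_port=53 AND protocol=17) -- DNS
  AND NOT (p.cmdline LIKE '%.com.flexibits.fantastical2.mac.helper' AND remote_port = 443)
  AND NOT (p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' AND remote_port = 443)
  AND NOT (p.name = 'launcher' AND p.cwd='/' AND remote_port=443 AND protocol=6)
  -- See https://relays.syncthing.net/ for the hella-suspicious ports it connects to
  AND NOT (p.name = 'syncthing' AND (remote_port IN (53,80,88,110,443,587,993,3306,7451) OR remote_port > 8000))
  AND NOT (p.name = 'zoom.us' AND remote_port IN (443,8801))
  AND NOT (p.name = 'avconferenced' AND remote_port = 1234)
  -- Redundant while 192.168.% is excluded globally above; harmless.
  AND NOT (p.name IN ('chrome', 'Google Chrome Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (8080,8000,8008,8443,8888) AND remote_address LIKE '192.168.%')
  AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (443,80,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,19307,19308,19309))
  AND NOT (p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') AND remote_port IN (443,587,465,585,993))
  AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (53,443,8009,4070,32211))
  AND NOT (p.name='cloud_sql_proxy' AND remote_port IN (443,3307))
  AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
  AND NOT (p.name='java' AND remote_port IN (30031,25565) AND protocol=6)
  AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6)
  AND NOT (p.name='crc' AND remote_port IN (53,443) AND protocol IN (6,17))
  AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
  AND NOT (p.path = '/usr/bin/dnf' AND remote_port IN (80,443))
  AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
  AND NOT (p.path = '/usr/bin/sample' AND remote_port = 443)
  AND NOT (p.path = '/usr/lib/snapd/snapd' AND remote_port = 443)
  AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
  -- NTP. The protocol test belongs inside the NOT; outside it, it restricted
  -- the whole query to UDP and hid every TCP connection.
  AND NOT (p.path IN ('/usr/libexec/timed', '/Applications/Red Hat OpenShift Local.app/Contents/Resources/crc') AND remote_port = 123 AND protocol=17)
  AND NOT (p.name IN ('chronyd', 'crc') AND remote_port = 123 AND protocol=17)
  AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))
  AND NOT (p.path LIKE '/private/var/folders/%/Reflect 2.app/Contents/Frameworks/Reflect Helper.app/Contents/MacOS/Reflect Helper' AND p.cwd='/' AND remote_port=443 AND s.protocol IN (6,17))
  AND NOT (p.path LIKE '/private/var/folders/%/Reflect 2.app/Contents/MacOS/Reflect' AND p.cwd='/' AND remote_port=443 AND s.protocol IN (6,17))
  AND NOT (p.path LIKE '/Users/%/.cache/trunk/cli/%/trunk' AND remote_port=443 AND s.protocol=6)
  AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=443 AND protocol=6)
  AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=9000 AND protocol=17)
  -- Firefox: 80/443 plus the ephemeral ports WebRTC and QUIC use. The OR must
  -- be parenthesised with the path test; without the inner parentheses the
  -- "> 1024" branch applied to every process and excused any high-port C2.
  AND NOT (p.path LIKE '%/firefox' AND (remote_port IN (443,80) OR remote_port > 1024))
  AND NOT (p.path LIKE '%/NetworkManager' AND remote_port IN (67,80))
  AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
  AND NOT (p.path LIKE '%tailscaled%' AND remote_port > 32000)
  AND NOT (p.path LIKE '%Tailscale%' AND remote_port > 32000)
  AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
  AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
  AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port>5000 AND protocol=6)
  AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND remote_port>1023 AND protocol=17)
  AND NOT (p.path='/System/Library/PrivateFrameworks/ApplePushService.framework/apsd' AND p.cwd='/' AND remote_port=5223 AND protocol=6)
  AND NOT (p.path='/usr/local/libexec/ReceiverHelper.app/Contents/MacOS/ReceiverHelper' AND p.cwd='/' AND remote_port=443 AND protocol=6)
  AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.path = '/usr/bin/yay')
  AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.cmdline = 'npm update')
  AND NOT (remote_port IN (443,53) AND protocol IN (6,17) AND p.path = '/usr/sbin/mDNSResponder')
  -- Broad path-prefix passes for 80/443. Anything dropped under /Applications
  -- or /usr/libexec inherits them, so they trade coverage for quiet; tighten
  -- if you need to see user-installed apps phoning home.
  AND NOT (remote_port = 443 AND protocol=6 AND p.path LIKE '/usr/libexec/%')
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Applications/%.app/Contents/%')
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Library/Apple/System/Library/%')
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.name = 'ksfetch')
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Applications/%')
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Library/%')
  -- COALESCE: with the LEFT JOIN above pp.cmdline can be NULL, and a NULL
  -- inside NOT (...) would make the whole predicate NULL and drop the row.
  AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND COALESCE(pp.cmdline, '') = '/Applications/Minecraft.app/Contents/MacOS/launcher')
  AND NOT (remote_port>49000 AND protocol IN (6,17) AND p.path LIKE '/System/Library/PrivateFrameworks/MobileDevice.framework/%')
  -- The former port list "(80,443,17)" put the UDP protocol number where a
  -- port belongs; 17 is never a legitimate curl destination, and the protocol
  -- test is what every sibling exclusion uses.
  AND NOT (remote_port IN (80,443) AND protocol IN (6,17) AND p.name='curl')
  -- Name-only allowlist for 53/443. Several entries are generic runtimes or
  -- tunnels (node, go, java, electron, curl above, ngrok) that an attacker can
  -- run or rename to; this list is a noise filter, not a trust boundary.
  AND NOT (remote_port IN (53,443) AND protocol IN (6,17) AND p.name IN (
    '1password',
    'Acrobat Update Helper',
    'Adobe Desktop Service',
    'Brackets',
    'chainctl',
    'Arc Helper',
    'Code Helper',
    'code',
    'containerd',
    'controlplane',
    'electron',
    'figma_agent',
    'gh',
    'git-remote-http',
    'gitsign',
    'go',
    'grype',
    'htop',
    'istioctl',
    'jcef_helper',
    'k9s',
    'ko',
    'kolide-pipeline',
    'Evernote Helper',
    'ktail',
    'kubectl',
    'launcher-Helper',
    'Microsoft Update Assistant',
    'ngrok',
    'nix',
    'node',
    'obs-browser-page',
    'obs-ffmpeg-mux',
    'obs',
    'obsidian',
    'pacman',
    'pingsender',
    'signal-desktop',
    'Slack Helper',
    'slack',
    'Slack',
    'snap-store',
    'steam_osx',
    'terraform-provi',
    'terraform',
    'tkn',
    'vcluster',
    'xmobar',
    'zoom'
    )
  )
  AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
  AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'kubectl.%')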