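-- Unexpected programs speaking over ICMP (event-based)
--
-- references:
-- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
--
-- interval: 300
-- tags: transient events net
SELECT
  se.*,
  p.path,
  p.cwd,
  p.euid,
  p.cmdline
FROM
  socket_events se
  -- LEFT JOIN on purpose: the sending process may already have exited by the
  -- time the query runs, in which case the process columns come back NULL
  -- instead of the event being dropped.
  LEFT JOIN processes p ON se.pid = p.pid
WHERE
  -- Only look at the last interval; guards against replaying old buffered
  -- events (the 300 here mirrors "-- interval: 300" above).
  se.time > (strftime('%s', 'now') - 300)
  AND se.family = 2 -- PF_INET
  AND se.protocol = 1 -- ICMP
  -- Allowlist by process name. COALESCE is required: when the process is gone
  -- p.name is NULL, and `NULL NOT IN (...)` is UNKNOWN, which would silently
  -- discard the row and turn the LEFT JOIN into an INNER JOIN - hiding exactly
  -- the short-lived ICMP senders this query is meant to surface.
  -- NOTE(review): name-only exclusion is weak (any binary can be called
  -- "ping"); consider also matching on p.path in this environment.
  AND COALESCE(p.name, '') NOT IN ('ping')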