osquery-defense-kit/detection/execution/unexpected-raw-socket.sql

-- Find unexpected use of raw sockets in executables, sometimes used for C&C communications
--
-- false positives:
--   * operating-system network managers
--
-- tags: transient process state
-- platform: posix
SELECT
  pop.pid,
  p.path,
  p.cmdline,
  p.name,
  hash.sha256
FROM
  process_open_sockets pop
  JOIN processes p ON pop.pid = p.pid
  JOIN hash ON p.path = hash.path
WHERE
  family = 17 -- PF_PACKET
  AND name NOT IN (
    'wpa_supplicant',
    'NetworkManager',
    'dhcpcd',
    'tcpdump'
  )
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Find unexpected use of raw sockets in executables, sometimes used for C&C communications`
			`--`
			`-- false positives:`
			`-- * operating-system network managers`
			`--`
			`-- tags: transient process state`
			`-- platform: posix`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`pop.pid,`
			`p.path,`
			`p.cmdline,`
			`p.name,`
			`hash.sha256`
			`FROM`
			`process_open_sockets pop`
			`JOIN processes p ON pop.pid = p.pid`
			`JOIN hash ON p.path = hash.path`
			`WHERE`
			`family = 17 -- PF_PACKET`
			`AND name NOT IN (`
More tuning, more scripts 2022-09-11 19:07:54 +00:00			`'wpa_supplicant',`
			`'NetworkManager',`
Monday morning tuning 2022-09-12 15:17:51 +00:00			`'dhcpcd',`
			`'tcpdump'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`)`