osquery-defense-kit/detection/c2/unexpected-icmp-socket.sql

-- Unexpected programs speaking over ICMP (state-based)
--
-- references:
--   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
--
-- tags: transient state net often
SELECT
  pop.pid,
  p.path,
  p.cmdline
FROM
  process_open_sockets pop
  JOIN processes p ON pop.pid = p.pid
WHERE
  family = 2 -- PF_INET
  AND protocol = 1 -- ICMP
  AND p.name NOT IN ('ping')
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- Unexpected programs speaking over ICMP (state-based)`
			`--`
			`-- references:`
			`-- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)`
			`--`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- tags: transient state net often`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`pop.pid,`
			`p.path,`
			`p.cmdline`
			`FROM`
			`process_open_sockets pop`
			`JOIN processes p ON pop.pid = p.pid`
			`WHERE`
			`family = 2 -- PF_INET`
			`AND protocol = 1 -- ICMP`
			`AND p.name NOT IN ('ping')`