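-- Catch DNS traffic going to machines other than the host-configured DNS server (event-based)
--
-- references:
--   * https://attack.mitre.org/techniques/T1071/004/ (C2: Application Layer Protocol: DNS)
--
-- interval: 120
-- tags: persistent events net
--
-- NOTE: The interval above must match the WHERE clause to avoid missing events
--
-- This only supports IPv4 traffic due to an osquery bug with 'dns_resolvers'
-- The non-event version is unexpected-dns-traffic.sql
--
-- NOTE: 'processes' is LEFT JOINed because a short-lived DNS client may already have exited
-- by the time this runs, leaving every p.* column NULL for that event. A bare
-- `p.col != x` / `p.col NOT IN (...)` / `p.col NOT LIKE ...` then evaluates to NULL and the
-- WHERE clause silently drops the event, which hides exactly the short-lived lookups this
-- query exists to catch. Every p.* predicate below therefore goes through
-- COALESCE(p.col, '') so those rows stay visible.
SELECT
  s.protocol,
  s.remote_port,
  s.remote_address,
  s.local_port,
  s.local_address,
  s.action,
  s.status,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  s.pid,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  hash.sha256,
  -- "<program>,<destination>,<port>" key used by the per-program exceptions below.
  -- COALESCE keeps the key non-NULL when the process is gone; whether osquery's CONCAT
  -- would otherwise propagate the NULL is not relied upon either way.
  CONCAT (COALESCE(p.name, ''), ',', s.remote_address, ',', s.remote_port) AS exception_key
FROM
  socket_events s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE
  -- 120s look-back: must stay equal to the '-- interval:' header above
  s.time > (strftime('%s', 'now') - 120)
  AND s.remote_port IN (53, 5353)
  -- IPv6 destinations are skipped (see the dns_resolvers note in the header)
  AND s.remote_address NOT LIKE '%:%'
  -- RFC 1918 and loopback destinations. The plain LIKE prefixes are wider than 172.16/12:
  -- '172.1%' and '172.2%' also drop 172.1.x, 172.2.x and 172.10-15.x, which is public space.
  AND s.remote_address NOT LIKE '172.1%'
  AND s.remote_address NOT LIKE '172.2%'
  AND s.remote_address NOT LIKE '172.30.%'
  AND s.remote_address NOT LIKE '172.31.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '127.%'
  -- Resolvers the host is actually configured to use. The `address != ''` filter also keeps
  -- NULL addresses out of the list, which matters: a single NULL would make NOT IN match nothing.
  AND s.remote_address NOT IN (
    SELECT DISTINCT
      address
    FROM
      dns_resolvers
    WHERE
      type = 'nameserver'
      AND address != ''
  )
  -- systemd-resolve sometimes shows up this way
  -- If we could narrow this down using 'sys_resolvers' I would, but it is misuse of GROUP_CONCAT
  -- A pid of -1 presumably never matches 'processes', so p.parent arrives here as NULL (LEFT
  -- JOIN miss) rather than ''; COALESCE makes the exclusion explicit instead of relying on
  -- NULL three-valued logic to drop the row.
  AND NOT (
    s.pid = -1
    AND s.remote_port = 53
    AND COALESCE(p.parent, '') = ''
  )
  -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
  AND s.remote_address NOT IN (
    '100.100.100.100', -- Tailscale Magic DNS
    '1.1.1.1', -- Cloudflare
    '1.1.1.2', -- Cloudflare
    '8.8.8.8', -- Google
    '8.8.4.4', -- Google (backup)
    '4.2.2.1', -- Level 3
    '4.2.2.2', -- Level 3
    '4.2.2.3', -- Level 3
    '4.2.2.4', -- Level 3
    '4.2.2.5', -- Level 3
    '4.2.2.6', -- Level 3
    '208.67.220.220', -- OpenDNS
    '208.67.222.222', -- OpenDNS
    '208.67.222.123', -- OpenDNS
    '208.67.220.123', -- OpenDNS FamilyShield
    '75.75.75.75', -- Comcast
    '75.75.76.76', -- Comcast
    '68.105.28.13', -- Cox
    '80.248.7.1' -- 21st Century (NG)
  )
  -- Exceptions that specifically talk to one server
  AND exception_key NOT IN (
    'coredns,0.0.0.0,53',
    'syncthing,46.162.192.181,53',
    'Code Helper,208.67.222.123,53',
    'Opera Helper,77.111.247.77,53',
    'chrome,74.125.250.47,53',
    'Jabra Direct Helper,208.67.222.123,53'
  )
  AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
  AND COALESCE(p.name, '') != 'nessusd'
  -- Local DNS servers and custom clients go here
  -- Electron apps
  AND COALESCE(p.path, '') NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
  AND COALESCE(p.path, '') NOT IN (
    '/Library/Nessus/run/sbin/nessusd',
    '/opt/google/chrome/chrome',
    '/usr/bin/apko',
    '/usr/lib/systemd/systemd-resolved'
  )
  -- Chromium apps can send stray DNS packets
  AND COALESCE(p.path, '') NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
  AND COALESCE(p.path, '') NOT LIKE '/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/%/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'
  AND COALESCE(p.path, '') NOT LIKE '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/%/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'
-- Workaround for the GROUP_CONCAT subselect adding a blank entry.
-- One row per (destination, port); under SQLite's bare-column rules the non-aggregated
-- columns (process, hash, ...) are taken from an arbitrary event in each group.
GROUP BY
  s.remote_address,
  s.remote_port
HAVING
  s.remote_address != ''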