Merge pull request #12 from chainguard-dev/icmp-events

Add events-based detector for ICMP sockets
Thomas Strömberg 2022-10-20 14:03:03 -04:00 committed by GitHub
commit 0c1bf8043e


@ -0,0 +1,19 @@
-- Unexpected programs speaking over ICMP (event-based)
--
-- references:
-- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
--
-- interval: 30
-- tags: transient events net
SELECT
se.*,
p.path,
p.cmdline
FROM
socket_events se
LEFT JOIN processes p ON se.pid = p.pid
WHERE
se.time > (strftime('%s', 'now') -30)
AND family = 2 -- PF_INET
AND protocol = 1 -- ICMP
AND p.name NOT IN ('ping')
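Review bot: The exclusion `p.name NOT IN ('ping')` on the last line drops every event whose sending process has already exited, because the LEFT JOIN leaves p.name NULL and `NULL NOT IN (...)` evaluates to UNKNOWN, which WHERE treats as false; for a 30-second event-based detector those short-lived senders are exactly the rows worth keeping. Rewrite it as `AND (p.name IS NULL OR p.name NOT IN ('ping'))` (or `COALESCE(p.name, '') NOT IN ('ping')`) so the join stays an outer join. The unqualified `family` and `protocol` predicates should be written `se.family = 2` and `se.protocol = 1` so they remain unambiguous if the processes table ever gains a column of the same name. Excluding by basename alone is a weak allowlist, since a renamed binary passes it, so a check on `p.path` is the sturdier form; and the filter matches only IPv4 (family 2, protocol 1), so if ICMPv6 is in scope it would need PF_INET6 / protocol 58 as well, or a comment stating the IPv4-only choice is intentional.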