diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql index ec72250..206bf38 100644 --- a/detection/execution/sketchy-fetcher-events.sql +++ b/detection/execution/sketchy-fetcher-events.sql @@ -10,10 +10,11 @@ SELECT pe.pid, pe.cmdline, - REGEX_MATCH (pe.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_ip, - REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS remote_port, - REGEX_MATCH (pe.cmdline, '/(\w+[\.-]\w+)[:/]', 1) AS remote_addr, - REGEX_MATCH (pe.cmdline, '\.(\w+)[:/]', 1) AS remote_tld, + REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url, + REGEX_MATCH (pe.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip, + REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port, + REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr, + REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld, pe.cwd, pe.euid, pe.parent, @@ -36,14 +37,14 @@ WHERE pe.time > (strftime('%s', 'now') -60) -- NOTE: Sync remaining portion with sketchy-fetchers AND ( - INSTR(p.cmdline, 'wget ') > 0 - OR INSTR(p.cmdline, 'curl ') > 0 + INSTR(pe.cmdline, 'wget ') > 0 + OR INSTR(pe.cmdline, 'curl ') > 0 ) AND ( -- If it's an IP or port, it's suspicious - remote_ip NOT IN ('', '127.0.0.1', '::1') - OR remote_port != '' - OR remote_tld NOT IN ( + ip NOT IN ('', '127.0.0.1', '::1') + OR port != '' + OR tld NOT IN ( '', 'app', 'ca', @@ -73,6 +74,7 @@ WHERE OR pe.cmdline LIKE '%curl %--user-agent%' OR pe.cmdline LIKE '%curl -k%' OR pe.cmdline LIKE '%curl -sL %' + OR pe.cmdline LIKE '%curl%-o-%' OR pe.cmdline LIKE '%curl%--connect-timeout%' OR pe.cmdline LIKE '%curl%--output /dev/null%' OR pe.cmdline LIKE '%curl%--O /dev/null%' @@ -80,6 +82,7 @@ WHERE OR pe.cmdline LIKE '%wget %--user-agent%' OR pe.cmdline LIKE '%wget %--no-check-certificate%' OR pe.cmdline LIKE '%wget -nc%' + OR pe.cmdline LIKE '%wget -q%' OR pe.cmdline LIKE '%wget -t%' -- Or anything launched by a system user OR ( @@ -124,4 +127,10 @@ WHERE ) ) -- These are typically curl -k calls - AND remote_addr NOT IN ('releases.hashicorp.com', 'github.com') + -- We need the addr "IS NOT NULL" to avoid filtering out + -- NULL entries + AND NOT ( + addr IS NOT NULL + AND addr IN ('releases.hashicorp.com', 'github.com') + ) + diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql index 45eb567..d596fbd 100644 --- a/detection/execution/sketchy-fetcher.sql +++ b/detection/execution/sketchy-fetcher.sql @@ -11,10 +11,11 @@ SELECT p.path, p.name, p.cmdline, - REGEX_MATCH (p.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_ip, - REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS remote_port, - REGEX_MATCH (p.cmdline, '/(\w+[\.-]\w+)[:/]', 1) AS remote_addr, - REGEX_MATCH (p.cmdline, '\.(\w+)[:/]', 1) AS remote_tld, + REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url, + REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip, + REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port, + REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr, + REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld, p.cwd, p.euid, p.parent, @@ -39,9 +40,9 @@ WHERE OR INSTR(p.cmdline, 'curl ') > 0 ) AND ( - remote_ip NOT IN ('', '127.0.0.1', '::1') - OR remote_port != '' - OR remote_tld NOT IN ( + ip NOT IN ('', '127.0.0.1', '::1') + OR port != '' + OR tld NOT IN ( '', 'app', 'ca', @@ -69,12 +70,14 @@ WHERE OR p.cmdline LIKE '%curl %--user-agent%' OR p.cmdline LIKE '%curl -k%' OR p.cmdline LIKE '%curl -sL %' + OR p.cmdline LIKE '%curl%-o-%' OR p.cmdline LIKE '%curl%--insecure%' OR p.cmdline LIKE '%wget %--user-agent%' OR p.cmdline LIKE '%wget %--no-check-certificate%' OR p.cmdline LIKE '%curl%--connect-timeout%' OR p.cmdline LIKE '%wget -nc%' OR p.cmdline LIKE '%wget -t%' + OR p.cmdline LIKE '%wget -q%' OR ( p.cmdline LIKE '%wget %' AND p.euid < 500 @@ -121,4 +124,9 @@ WHERE ) ) -- These are typically curl -k calls - AND remote_addr NOT IN ('releases.hashicorp.com', 'github.com') + -- We need the addr "IS NOT NULL" to avoid filtering out + -- NULL entries + AND NOT ( + addr IS NOT NULL + AND addr IN ('releases.hashicorp.com', 'github.com') + )