Add events-based detector for ICMP sockets

2025-02-15 08:57:20 +00:00 · 2022-10-20 14:02:06 -04:00 · 2022-10-20 14:02:06 -04:00 · ec1a5b6c17
commit ec1a5b6c17
parent 6d535ddc37
1 changed files with 19 additions and 0 deletions
--- a/detection/c2/unexpected-icmp-socket-events.sql
+++ b/detection/c2/unexpected-icmp-socket-events.sql
@ -0,0 +1,19 @@
+-- Unexpected programs speaking over ICMP (event-based)
+--
+-- references:
+--   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
+--
+-- interval: 30
+-- tags: transient events net
+SELECT
+  se.*,
+  p.path,
+  p.cmdline
+FROM
+  socket_events se
+  LEFT JOIN processes p ON se.pid = p.pid
+WHERE
+  se.time > (strftime('%s', 'now') -30)
+  AND family = 2 -- PF_INET
+  AND protocol = 1 -- ICMP
+  AND p.name NOT IN ('ping')