osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql
2023-10-31 11:40:10 -04:00

47 lines
1.2 KiB
SQL

-- Unexpected /etc/hosts entries
--
-- false positives:
-- * developers adding entries for their own use
--
-- references:
-- * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
--
-- tags: persistent seldom filesystem net
SELECT
*
FROM
etc_hosts
WHERE
hostnames NOT IN (
'localhost',
'localhost ip6-localhost ip6-loopback',
'localhost localhost.localdomain localhost4 localhost4.localdomain4',
'ip6-allnodes',
'ip6-allrouters',
'kubernetes'
)
AND address NOT IN (
'::1',
'ff02::1',
'ff02::2',
'255.255.255.255',
'fe00::0',
'ff00::0'
)
AND address NOT LIKE '127.%'
AND address NOT LIKE '172.%'
AND address NOT LIKE '192.168.%'
AND address NOT LIKE '10.%'
AND hostnames NOT LIKE 'localhost.%'
AND hostnames NOT LIKE '%k8s%'
AND hostnames NOT LIKE '%.svc'
AND hostnames NOT LIKE '%.%-%.%.dev'
AND hostnames NOT LIKE '%local%'
AND hostnames NOT LIKE '%.wtf'
AND hostnames NOT LIKE '%.test'
AND hostnames NOT LIKE '%.internal'
AND hostnames NOT LIKE '%.local'
AND hostnames NOT LIKE "%.cloud"
AND hostnames NOT LIKE 'ip6-%'
AND hostnames NOT LIKE "%.example.com"