osquery-defense-kit/detection/c2/unexpected-icmp-socket-even...

22 lines
463 B
SQL

-- Unexpected programs speaking over ICMP (event-based)
--
-- references:
-- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
--
-- interval: 300
-- tags: transient events net
SELECT
se.*,
p.path,
p.cwd,
p.euid,
p.cmdline
FROM
socket_events se
LEFT JOIN processes p ON se.pid = p.pid
WHERE
se.time > (strftime('%s', 'now') -300)
AND family = 2 -- PF_INET
AND protocol = 1 -- ICMP
AND p.name NOT IN ('ping')