osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql

367 lines
8.2 KiB
SQL

-- Programs communicating over the network in unexpected ways (state-based)
--
-- references:
-- * https://attack.mitre.org/techniques/T1071/
--
-- tags: transient state net often
-- platform: linux
SELECT
s.family,
protocol,
s.local_port,
s.remote_port,
s.local_address,
s.remote_address,
p.name,
p.path,
p.cmdline AS child_cmd,
p.cwd,
s.pid,
s.net_namespace,
pp.path AS parent_path,
p.parent AS parent_pid,
pp.cmdline AS parent_cmd,
hash.sha256,
CONCAT (
MIN(s.remote_port, 32768),
',',
protocol,
',',
MIN(p.uid, 500),
',',
p.name
) AS exception_key
FROM
process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
WHERE
protocol > 0
AND s.remote_port > 0
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
AND s.remote_address NOT LIKE '172.31.%'
AND s.remote_address NOT LIKE '::ffff:172.%'
AND s.remote_address NOT LIKE '10.%'
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE 'fc00:%'
AND s.state != 'LISTEN' -- DNS clients
AND NOT (
remote_port = 53
AND protocol IN (6, 17)
AND p.name IN (
'1password',
'apt',
'apt-get',
'Brackets',
'chainctl',
'chrome',
'chronyd',
'cloud_sql_proxy',
'code',
'containerd',
'controlplane',
'crc',
'curl',
'dig',
'dnf',
'electron',
'firefox',
'.firefox-wrappe',
'flameshot',
'gh',
'git-remote-http',
'gitsign',
'gnome-software',
'go',
'grafana-server',
'grype',
'host',
'htop',
'istioctl',
'jcef_helper',
'k6',
'k9s',
'ko',
'kolide-pipeline',
'launcher',
'NetworkManager',
'ngrok',
'nix',
'node',
'nscd',
'obs',
'obs-browser-page',
'obs-ffmpeg-mux',
'obsidian',
'opera',
'pacman',
'ping',
'podman',
'prometheus',
'rootlessport',
'signal-desktop',
'slack',
'slirp4netns',
'snapd',
'snap-store',
'Socket Process',
'spotify',
'ssh',
'steam',
'steamwebhelper',
'syncthing',
'systemd-resolve',
'tailscaled',
'.tailscaled-wra',
'terraform',
'terraform-provi',
'tkn',
'traceroute',
'vcluster',
'wget',
'whois',
'xmobar',
'yay',
'zoom'
)
) -- General exceptions
AND NOT exception_key IN (
'123,17,,',
'123,17,500,chronyd',
'22067,6,500,syncthing',
'22,6,,',
'22,6,500,ssh',
'27024,6,500,steam',
'3100,6,500,firefox',
'3100,6,500,k6',
'32768,6,0,tailscaled',
'3307,6,500,cloud_sql_proxy',
'4070,6,500,spotify',
'443,17,500,chrome',
'443,17,500,electron',
'443,17,500,jcef_helper',
'443,17,500,slack',
'443,17,500,spotify',
'443,6,0,apk',
'443,6,0,containerd',
'443,6,0,depmod',
'443,6,0,dirmngr',
'443,6,0,dnf',
'443,6,0,dockerd',
'443,6,0,influxd',
'443,6,0,launcher',
'443,6,0,nix',
'443,6,0,nix-daemon',
'443,6,0,packagekitd',
'443,6,0,pacman',
'443,6,0,snapd',
'443,6,0,systemctl',
'443,6,0,tailscaled',
'443,6,0,.tailscaled-wra',
'443,6,0,yum',
'443,6,105,https',
'443,6,472,grafana-server',
'443,6,500,1password',
'443,6,500,authentik-proxy',
'443,6,500,aws',
'443,6,500,Brackets',
'443,6,500,celery',
'443,6,500,chainctl',
'443,6,500,chrome',
'443,6,500,cloud_sql_proxy',
'443,6,500,code',
'443,6,500,containerd',
'443,6,500,controlplane',
'443,6,500,cosign',
'443,6,500,crane',
'443,6,500,CrBrowserMain',
'443,6,500,crc',
'443,6,500,CrUtilityMain',
'443,6,500,curl',
'443,6,500,Discord',
'443,6,500,electron',
'443,6,500,emacs',
'443,6,500,firefox',
'443,6,500,.firefox-wrappe',
'443,6,500,flameshot',
'443,6,500,geoclue',
'443,6,500,gh',
'443,6,500,git-remote-http',
'443,6,500,gitsign',
'443,6,500,gnome-shell',
'443,6,500,gnome-software',
'443,6,500,go',
'443,6,500,___go_build_github_com_anchore_grype,a.out,',
'443,6,500,grafana-server',
'443,6,500,grype',
'443,6,500,gunicorn',
'443,6,500,gvfsd-http',
'443,6,500,htop',
'443,6,500,influxd',
'443,6,500,istioctl',
'443,6,500,java',
'443,6,500,jcef_helper',
'443,6,500,jetbrains-toolb',
'443,6,500,k6',
'443,6,500,k9s',
'443,6,500,ko',
'443,6,500,kolide-pipeline',
'443,6,500,kubectl',
'443,6,500,minicli',
'443,6,500,ngrok',
'443,6,500,nix',
'443,6,500,node',
'443,6,500,obs',
'443,6,500,obs-browser-page',
'443,6,500,obs-ffmpeg-mux',
'443,6,500,obsidian',
'443,6,500,pingsender',
'443,6,500,pip',
'443,6,500,podman',
'443,6,500,signal-desktop',
'443,6,500,slack',
'443,6,500,slirp4netns',
'443,6,500,snap-store',
'443,6,500,Socket Process',
'443,6,500,spotify',
'443,6,500,steamwebhelper',
'443,6,500,teams',
'443,6,500,terraform',
'443,6,500,terraform-provi',
'443,6,500,tkn',
'443,6,500,.tox-wrapped',
'443,6,500,trivy',
'443,6,500,vcluster',
'443,6,500,vim',
'443,6,500,WebKitNetworkPr',
'443,6,500,wget',
'443,6,500,wineserver',
'443,6,500,x11-ssh-askpass',
'443,6,500,xmobar',
'443,6,500,yay',
'443,6,500,zoom',
'5228,6,500,chrome',
'6000,6,500,ssh',
'80,6,0,mkinitcpio',
'67,17,0,NetworkManager',
'7903,6,500,syncthing',
'8006,6,500,chrome',
'80,6,0,dnf',
'80,6,0,gdk-pixbuf-quer',
'80,6,0,NetworkManager',
'80,6,0,pacman',
'80,6,0,tailscaled',
'80,6,0,.tailscaled-wra',
'443,6,0,yay',
'80,6,0,yum',
'443,6,500,rustup',
'443,6,500,cargo',
'80,6,500,thunderbird',
'80,6,105,http',
'80,6,500,curl',
'80,6,500,firefox',
'80,6,500,.firefox-wrappe',
'80,6,500,gitsign',
'80,6,500,slack',
'80,6,500,spotify',
'80,6,500,steam',
'80,6,500,steamwebhelper',
'80,6,500,syncthing',
'8801,17,500,zoom',
'9090,6,500,firefox',
'9090,6,500,k6',
'9090,6,500,prometheus',
'9090,6,500,rootlessport'
) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
AND NOT (
(
remote_address LIKE '151.101.%'
OR remote_address LIKE '140.82.%'
)
AND remote_port = 443
AND protocol = 6
AND (
parent_path LIKE '/nix/%/bin/bash'
OR parent_path LIKE '/nix/%/bin/zsh'
OR parent_path LIKE '%/bin/nix'
OR p.path LIKE '/nix/store/%'
)
)
AND NOT p.cmdline LIKE 'bash --rcfile /tmp/nix-shell.%' -- Other more complicated situations
AND NOT (
p.name = 'rootlessport'
AND remote_port > 1024
)
AND NOT (
p.name = 'syncthing'
AND (
remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
OR remote_port > 1024
)
)
AND NOT (
p.name IN (
'chrome',
'Google Chrome Helper',
'Brave Browser Helper',
'Chromium Helper',
'Opera Helper'
)
AND remote_port IN (
53,
3100,
443,
80,
8006,
9000,
5004,
8009,
8080,
8888,
8443,
5228,
32211,
53,
10001,
3478,
19305,
19306,
19307,
19308,
19309
)
)
AND NOT (
p.name IN ('thunderbird')
AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
)
AND NOT (
p.name IN ('spotify', 'Spotify Helper', 'Spotify')
AND remote_port IN (53, 443, 8009, 4070, 32211)
)
AND NOT (
remote_port IN (443, 53)
AND p.name LIKE 'terraform-provider-%'
)
AND NOT (
remote_port IN (443, 53)
AND p.name LIKE 'npm exec %'
)
AND NOT (
remote_port iN (443, 53)
AND p.name LIKE 'kubectl.%'
)
AND NOT (
p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
AND remote_port IN (80, 53, 443)
)
GROUP BY
p.cmdline