osquery-defense-kit/detection/execution/sketchy-fetcher.sql
2022-10-27 10:23:15 -04:00

89 lines
2.7 KiB
SQL

-- Suspicious URL requests by built-in fetching tools (state-based)
--
-- refs:
-- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
-- * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
--
-- tags: transient process state
-- platform: posix
SELECT
p.pid,
p.path,
p.name,
p.cmdline,
REGEX_MATCH (p.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_address,
REGEX_MATCH (p.cmdline, '/(:\d+\/)/', 1) AS remote_port,
p.cwd,
p.euid,
p.parent,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256
FROM
processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
WHERE
-- NOTE: Sync remaining portion with sketchy-fetcher-events
(
INSTR(p.cmdline, 'wget ') > 0
OR INSTR(p.cmdline, 'curl ') > 0
)
AND (
remote_address NOT IN ('', '127.0.0.1', '::1')
OR remote_port != ''
OR p.cmdline LIKE '%.onion%'
OR p.cmdline LIKE '%tor2web%'
OR p.cmdline LIKE '%aliyun%'
OR p.cmdline LIKE '%pastebin%'
OR p.cmdline LIKE '%curl %--user-agent%'
OR p.cmdline LIKE '%curl -k%'
OR p.cmdline LIKE '%curl -sL %'
OR p.cmdline LIKE '%curl%--insecure%'
OR p.cmdline LIKE '%wget %--user-agent%'
OR p.cmdline LIKE '%wget %--no-check-certificate%'
OR p.cmdline LIKE '%curl%--connect-timeout%'
OR p.cmdline LIKE '%wget -nc%'
OR p.cmdline LIKE '%wget -t%'
OR (
p.cmdline LIKE '%wget %'
AND p.euid < 500
)
OR (
p.cmdline LIKE '%curl %'
AND p.euid < 500
AND p.cmdline NOT LIKE "%./configure %--with-curl%"
)
)
-- Exceptions for all calls
AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND NOT (
p.euid > 500
AND (
p.cmdline LIKE '%--dump-header%'
OR p.cmdline LIKE '%/api/v%'
OR p.cmdline LIKE '%curl -X %'
OR p.cmdline LIKE '%go mod %'
OR p.cmdline LIKE '%application/json%'
OR p.cmdline LIKE '%grpcurl%'
OR p.cmdline LIKE '%Homebrew%'
OR p.cmdline LIKE '%Nixpkgs/%'
OR p.cmdline LIKE '%If-None-Match%'
OR p.cmdline LIKE '%ctlog%'
OR p.cmdline LIKE '%.well-known/openid-configuration%'
OR p.cmdline LIKE '%/openid/v1/jwks%'
OR p.cmdline LIKE '%--progress-bar%'
OR parent_cmdline LIKE '%brew.rb%'
OR parent_cmdline LIKE '%brew.sh%'
OR parent_cmdline LIKE '/nix/store/%-builder.sh'
OR p.cmdline LIKE 'git %'
OR p.cmdline LIKE '%LICENSES/vendor/%'
OR p.cmdline LIKE 'curl -sL wttr.in%'
OR p.cmdline LIKE '%localhost:%'
OR p.cmdline LIKE '%127.0.0.1:%'
OR p.name IN ('apko')
)
)