osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql

40 lines
958 B
SQL

-- Unexpected /etc/hosts entries
--
-- false positives:
-- * developers adding entries for their own use
--
-- references:
-- * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
--
-- tags: persistent seldom filesystem net
SELECT
*
FROM
etc_hosts
WHERE
hostnames NOT IN (
'localhost',
'localhost ip6-localhost ip6-loopback',
'localhost localhost.localdomain localhost4 localhost4.localdomain4',
'ip6-allnodes',
'ip6-allrouters',
'kubernetes'
)
AND address NOT IN (
'::1',
'ff02::1',
'ff02::2',
'255.255.255.255',
'fe00::0',
'ff00::0'
)
AND address NOT LIKE '127.%'
AND hostnames NOT LIKE 'localhost.%'
AND hostnames NOT LIKE '%.svc'
AND hostnames NOT LIKE '%.%-%.%.dev'
AND hostnames NOT LIKE '%.wtf'
AND hostnames NOT LIKE '%.test'
AND hostnames NOT LIKE '%.internal'
AND hostnames NOT LIKE '%.local'
AND hostnames NOT LIKE 'ip6-%'