141 lines
4.7 KiB
SQL
141 lines
4.7 KiB
SQL
-- Unexpected programs communicating over HTTPS (state-based)
|
|
--
|
|
-- This query is a bit awkward and hobbled due to the lack of osquery support
|
|
-- for looking up binary signatures in Linux.
|
|
--
|
|
-- references:
|
|
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
|
--
|
|
-- tags: transient state net often
|
|
-- platform: linux
|
|
SELECT
|
|
s.remote_address,
|
|
p.name,
|
|
p.path,
|
|
p.cmdline AS child_cmd,
|
|
p.cwd,
|
|
pp.path AS parent_path,
|
|
p.parent AS parent_pid,
|
|
pp.cmdline AS parent_cmd,
|
|
s.state,
|
|
hash.sha256,
|
|
-- This intentionally avoids file.path, as it won't join across mount namespaces
|
|
CONCAT (
|
|
MIN(p.euid, 500),
|
|
',',
|
|
REPLACE(
|
|
REPLACE(
|
|
REGEX_MATCH (p.path, '(/.*?)/', 1),
|
|
'/nix',
|
|
'/usr'
|
|
),
|
|
'/snap',
|
|
'/opt'
|
|
),
|
|
'/',
|
|
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
|
|
',',
|
|
MIN(f.uid, 500),
|
|
'u,',
|
|
MIN(f.gid, 500),
|
|
'g,',
|
|
p.name
|
|
) AS exception_key
|
|
FROM
|
|
process_open_sockets s
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
LEFT JOIN file f ON p.path = f.path
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
WHERE
|
|
protocol IN (6, 17)
|
|
AND s.remote_port = 443
|
|
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
|
|
AND s.remote_address NOT LIKE 'fe80:%'
|
|
AND s.remote_address NOT LIKE '127.%'
|
|
AND s.remote_address NOT LIKE '192.168.%'
|
|
AND s.remote_address NOT LIKE '172.1%'
|
|
AND s.remote_address NOT LIKE '172.2%'
|
|
AND s.remote_address NOT LIKE '172.30.%'
|
|
AND s.remote_address NOT LIKE '172.31.%'
|
|
AND s.remote_address NOT LIKE '::ffff:172.%'
|
|
AND s.remote_address NOT LIKE '10.%'
|
|
AND s.remote_address NOT LIKE '::ffff:10.%'
|
|
AND s.remote_address NOT LIKE 'fc00:%'
|
|
AND p.path != ''
|
|
AND NOT exception_key IN (
|
|
'0,/opt/snapd,0u,0g,snapd',
|
|
'0,/usr/bash,0u,0g,mkinitcpio',
|
|
'0,/usr/containerd,u,g,containerd',
|
|
'0,/usr/dockerd,0u,0g,dockerd',
|
|
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
|
|
'0,/usr/launcher,0u,0g,launcher',
|
|
'0,/usr/nix,0u,0g,nix',
|
|
'0,/usr/packagekitd,0u,0g,packagekitd',
|
|
'0,/usr/pacman,0u,0g,pacman',
|
|
'0,/usr/python3.10,0u,0g,dnf',
|
|
'0,/usr/tailscaled,0u,0g,tailscaled',
|
|
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
|
'105,/usr/http,0u,0g,https',
|
|
'500,/app/slack,u,g,slack',
|
|
'500,/app/thunderbird,u,g,thunderbird',
|
|
'500,/app/zoom.real,u,g,zoom.real',
|
|
'500,/home/chainctl,500u,100g,chainctl',
|
|
'500,/home/chainctl,500u,500g,chainctl',
|
|
'500,/home/gitsign,500u,500g,gitsign',
|
|
'500,/home/go,500u,500g,go',
|
|
'500,/home/grype,500u,500g,grype',
|
|
'500,/home/jcef_helper,500u,500g,jcef_helper',
|
|
'500,/ko-app/chainctl,u,g,chainctl',
|
|
'500,/ko-app/controlplane,u,g,controlplane',
|
|
'500,/opt/1password,0u,0g,1password',
|
|
'500,/opt/Brackets,0u,0g,Brackets',
|
|
'500,/opt/chrome,0u,0g,chrome',
|
|
'500,/opt/firefox,0u,0g,firefox',
|
|
'500,/opt/firefox,0u,0g,Socket Process',
|
|
'500,/opt/kubectl,0u,0g,kubectl',
|
|
'500,/opt/slack,0u,0g,slack',
|
|
'500,/opt/spotify,0u,0g,spotify',
|
|
'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
|
'500,/usr/cargo,0u,0g,cargo',
|
|
'500,/usr/chainctl,0u,0g,chainctl',
|
|
'500,/usr/chrome,0u,0g,chrome',
|
|
'500,/usr/code,0u,0g,code',
|
|
'500,/usr/curl,0u,0g,curl',
|
|
'500,/usr/electron,0u,0g,electron',
|
|
'500,/usr/firefox,0u,0g,firefox',
|
|
'500,/usr/firefox,0u,0g,.firefox-wrappe',
|
|
'500,/usr/firefox,0u,0g,Socket Process',
|
|
'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
|
|
'500,/usr/geoclue,0u,0g,geoclue',
|
|
'500,/usr/git-remote-http,0u,0g,git-remote-http',
|
|
'500,/usr/gitsign,0u,0g,gitsign',
|
|
'500,/usr/gnome-recipes,0u,0g,gnome-recipes',
|
|
'500,/usr/gnome-software,0u,0g,gnome-software',
|
|
'500,/usr/go,0u,0g,go',
|
|
'500,/usr/go,500u,500g,go',
|
|
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
|
|
'500,/usr/java,0u,0g,java',
|
|
'500,/usr/kubectl,500u,500g,kubectl',
|
|
'500,/usr/signal-desktop,0u,0g,signal-desktop',
|
|
'500,/usr/slack,0u,0g,slack',
|
|
'500,/usr/syncthing,0u,0g,syncthing',
|
|
'500,/usr/terraform,0u,0g,terraform',
|
|
'500,/usr/trivy,0u,0g,trivy',
|
|
'500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
|
'500,/usr/xmobar,0u,0g,xmobar',
|
|
'500,/usr/yay,0u,0g,yay'
|
|
)
|
|
-- Exceptions where we have to be more flexible for the process name
|
|
AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
|
|
AND NOT exception_key LIKE '500,%/terraform-provider-aws_%,500u,500g,terraform-provi'
|
|
-- stay weird, NixOS (Fastly nix mirror)
|
|
AND NOT (
|
|
pp.cmdline = '/run/current-system/sw/bin/bash'
|
|
AND p.path LIKE '/nix/store/%'
|
|
AND s.remote_address LIKE '151.101.%'
|
|
AND s.state = 'ESTABLISHED'
|
|
)
|
|
GROUP BY
|
|
p.cmdline
|