mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-09 15:44:38 +00:00
18 lines
394 B
SQL
18 lines
394 B
SQL
-- Unexpected programs speaking over ICMP (state-based)
|
|
--
|
|
-- references:
|
|
-- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
|
|
--
|
|
-- tags: transient state net often
|
|
SELECT
|
|
pop.pid,
|
|
p.path,
|
|
p.cmdline
|
|
FROM
|
|
process_open_sockets pop
|
|
JOIN processes p ON pop.pid = p.pid
|
|
WHERE
|
|
family = 2 -- PF_INET
|
|
AND protocol = 1 -- ICMP
|
|
AND p.name NOT IN ('ping')
|