osquery-defense-kit/detection/execution/sketchy-fetcher.sql
Thomas Stromberg f72e6424c0 Run reformat
2024-02-16 17:21:00 -05:00

166 lines
4.6 KiB
SQL

-- Suspicious URL requests by built-in fetching tools (state-based)
--
-- refs:
-- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
-- * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
--
-- tags: transient process state
-- platform: posix
SELECT
REGEX_MATCH (p0.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
REGEX_MATCH (p0.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (p0.cmdline, ':(\d+)', 1) AS port,
REGEX_MATCH (p0.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
REGEX_MATCH (p0.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
-- NOTE: Sync remaining portion with sketchy-fetcher-events
(
INSTR(p0.cmdline, 'wget ') > 0
OR INSTR(p0.cmdline, 'curl ') > 0
)
-- Sketchy fetcher events always seem to contain a switch
AND p0.cmdline LIKE '%-%'
AND p0.cmdline LIKE '%/%'
AND (
ip NOT IN ('', '127.0.0.1', '::1')
OR port != ''
OR tld NOT IN (
'',
'app',
'ca',
'cloud',
'com',
'de',
'dev',
'edu',
'fun',
'gov',
'io',
'md',
'mil',
'net',
'org',
'se',
'sh',
'so',
'uk'
)
OR p0.cmdline LIKE '%chmod%'
OR p0.cmdline LIKE '%.onion%'
OR p0.cmdline LIKE '%tor2web%'
OR p0.cmdline LIKE '%aliyun%'
OR p0.cmdline LIKE '%pastebin%'
OR p0.cmdline LIKE '%curl %--user-agent%'
OR p0.cmdline LIKE '%curl -k%'
OR p0.cmdline LIKE '%curl -sL %'
OR p0.cmdline LIKE '%curl%-o-%'
OR p0.cmdline LIKE '%curl%--insecure%'
OR p0.cmdline LIKE '%wget %--user-agent%'
OR p0.cmdline LIKE '%wget %--no-check-certificate%'
OR p0.cmdline LIKE '%curl%--connect-timeout%'
OR p0.cmdline LIKE '%wget -nc%'
OR p0.cmdline LIKE '%wget -t%'
OR p0.cmdline LIKE '%wget -q%'
OR (
p0.cmdline LIKE '%wget %'
AND p0.euid < 500
-- TODO: Update this query to understand containers
AND p1.path NOT IN (
"/usr/bin/bwrap",
"/bin/busybox",
"/usr/bin/melange"
)
)
OR (
p0.cmdline LIKE '%curl %'
AND p0.euid < 500
AND p0.cmdline NOT LIKE "%./configure %--with-curl%"
)
)
-- Exceptions for all calls
AND p1.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND NOT (
p0.euid > 500
AND (
p0.cmdline LIKE '%--dump-header%'
OR p0.cmdline LIKE '%/api/v%'
OR p0.cmdline LIKE '%curl -X %'
OR p0.cmdline LIKE '%go mod %'
OR p0.cmdline LIKE '%application/json%'
OR p0.cmdline LIKE '%grpcurl%'
OR p0.cmdline LIKE '%Homebrew%'
OR p0.cmdline LIKE '%Nixpkgs/%'
OR p0.cmdline LIKE '%If-None-Match%'
OR p0.cmdline LIKE '%ctlog%'
OR p0.cmdline LIKE '%.well-known/openid-configuration%'
OR p0.cmdline LIKE '%/openid/v1/jwks%'
OR p0.cmdline LIKE '%--progress-bar%'
OR p1.cmdline LIKE '%brew.rb%'
OR p1.cmdline LIKE '%brew.sh%'
OR p1.cmdline LIKE '/nix/store/%-builder.sh'
OR p0.cmdline LIKE 'git %'
OR p0.cmdline LIKE '%LICENSES/vendor/%'
OR p0.cmdline LIKE 'curl -sL wttr.in%'
OR p0.cmdline LIKE '%localhost:%'
OR p0.cmdline LIKE '%127.0.0.1:%'
OR p0.name IN ('apko')
)
)
-- These are typically curl -k calls
-- We need the addr "IS NOT NULL" to avoid filtering out
-- NULL entries
AND NOT (
addr IS NOT NULL
AND (
addr IN (
'releases.hashicorp.com',
'github.com',
'dl.enforce.dev'
)
-- Ignore local addresses (Docker development)
OR addr NOT LIKE '%.%'
OR ip LIKE '172.21.%'
OR ip LIKE '192.168.%'
)
)
-- Qualys Cloud Agent
AND NOT (
addr = "169.254.169.254"
AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
)
-- Elastic Agent
AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
AND NOt p0.cmdline LIKE '%/osqueryd %'