osquery-defense-kit/detection/execution/sketchy-fetcher.sql

-- Suspicious URL requests by built-in fetching tools (state-based)
--
-- refs:
--   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
--   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
--
-- tags: transient process state
-- platform: posix
SELECT
  p.pid,
  p.path,
  p.name,
  p.cmdline,
  REGEX_MATCH (p.cmdline, '/(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS remote_ip,
  REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS remote_port,
  REGEX_MATCH (p.cmdline, '/(\w+[\.-]\w+)[:/]', 1) AS remote_addr,
  REGEX_MATCH (p.cmdline, '\.(\w+)[:/]', 1) AS remote_tld,
  p.cwd,
  p.euid,
  p.parent,
  p.cgroup_path,
  pp.path AS parent_path,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmdline,
  pp.euid AS parent_euid,
  gp.name AS gparent_name,
  gp.cmdline AS gparent_cmdline,
  pp.pid AS gparent_pid,
  hash.sha256 AS parent_sha256
FROM
  processes p
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN processes gp ON pp.parent = gp.pid
  LEFT JOIN hash ON pp.path = hash.path
WHERE
  -- NOTE: Sync remaining portion with sketchy-fetcher-events
  (
    INSTR(p.cmdline, 'wget ') > 0
    OR INSTR(p.cmdline, 'curl ') > 0
  )
  AND (
    remote_ip NOT IN ('', '127.0.0.1', '::1')
    OR remote_port != ''
    OR remote_tld NOT IN (
      '',
      'app',
      'ca',
      'cloud',
      'com',
      'de',
      'dev',
      'edu',
      'fun',
      'gov',
      'io',
      'md',
      'mil',
      'net',
      'org',
      'se',
      'sh',
      'so',
      'uk'
    )
    OR p.cmdline LIKE '%.onion%'
    OR p.cmdline LIKE '%tor2web%'
    OR p.cmdline LIKE '%aliyun%'
    OR p.cmdline LIKE '%pastebin%'
    OR p.cmdline LIKE '%curl %--user-agent%'
    OR p.cmdline LIKE '%curl -k%'
    OR p.cmdline LIKE '%curl -sL %'
    OR p.cmdline LIKE '%curl%--insecure%'
    OR p.cmdline LIKE '%wget %--user-agent%'
    OR p.cmdline LIKE '%wget %--no-check-certificate%'
    OR p.cmdline LIKE '%curl%--connect-timeout%'
    OR p.cmdline LIKE '%wget -nc%'
    OR p.cmdline LIKE '%wget -t%'
    OR (
      p.cmdline LIKE '%wget %'
      AND p.euid < 500
      -- TODO: Update this query to understand containers
      AND pp.path NOT IN (
        "/usr/bin/bwrap",
        "/bin/busybox",
        "/usr/bin/melange"
      )
    )
    OR (
      p.cmdline LIKE '%curl %'
      AND p.euid < 500
      AND p.cmdline NOT LIKE "%./configure %--with-curl%"
    )
  )
  -- Exceptions for all calls
  AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
  AND NOT (
    p.euid > 500
    AND (
      p.cmdline LIKE '%--dump-header%'
      OR p.cmdline LIKE '%/api/v%'
      OR p.cmdline LIKE '%curl -X %'
      OR p.cmdline LIKE '%go mod %'
      OR p.cmdline LIKE '%application/json%'
      OR p.cmdline LIKE '%grpcurl%'
      OR p.cmdline LIKE '%Homebrew%'
      OR p.cmdline LIKE '%Nixpkgs/%'
      OR p.cmdline LIKE '%If-None-Match%'
      OR p.cmdline LIKE '%ctlog%'
      OR p.cmdline LIKE '%.well-known/openid-configuration%'
      OR p.cmdline LIKE '%/openid/v1/jwks%'
      OR p.cmdline LIKE '%--progress-bar%'
      OR parent_cmdline LIKE '%brew.rb%'
      OR parent_cmdline LIKE '%brew.sh%'
      OR parent_cmdline LIKE '/nix/store/%-builder.sh'
      OR p.cmdline LIKE 'git %'
      OR p.cmdline LIKE '%LICENSES/vendor/%'
      OR p.cmdline LIKE 'curl -sL wttr.in%'
      OR p.cmdline LIKE '%localhost:%'
      OR p.cmdline LIKE '%127.0.0.1:%'
      OR p.name IN ('apko')
    )
  )
  -- These are typically curl -k calls
  AND remote_addr NOT IN ('releases.hashicorp.com', 'github.com')