osquery-defense-kit/detection/execution/unexpected-raw-socket.sql


-- Find unexpected use of raw sockets by running processes, sometimes used for C&C communications
--
-- false positives:
-- * operating-system network managers
--
-- tags: transient process state
-- platform: posix
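SELECT
  pop.pid,
  p.path,
  p.cmdline,
  p.name,
  hash.sha256
FROM process_open_sockets AS pop
  INNER JOIN processes AS p ON pop.pid = p.pid
  -- LEFT JOIN: a process whose executable cannot be hashed (empty path, or
  -- the file unlinked after exec) must still be reported. An inner join on
  -- hash silently drops exactly those rows, which are the ones most worth
  -- seeing; sha256 is simply NULL for them.
  LEFT JOIN hash ON p.path = hash.path
WHERE
  -- 17 is PF_PACKET on Linux. On macOS the same numeric family is AF_ROUTE,
  -- so despite the posix platform tag this rule only makes sense on Linux.
  pop.family = 17
  -- Allowlist is keyed on process name only, which a renamed binary can
  -- reuse; p.path is returned so a reviewer can confirm any match.
  -- COALESCE keeps a row with a NULL name from vanishing via NULL NOT IN.
  AND COALESCE(p.name, '') NOT IN (
    'wpa_supplicant',
    'NetworkManager',
    'dhcpcd',
    'tcpdump'
  )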