osquery-defense-kit/detection/c2/unexpected-talker-events.sql


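-- Unexpected socket events
--
-- Surfaces recent outbound connect() calls made by binaries that are not on
-- the allow-lists below. Allow-listing is keyed three ways: by the first two
-- path components of the binary's directory (top2_dir), by its directory with
-- the owner's home abbreviated to '~' (homedir), and by an
-- "auid,uid,port,basename" tuple (exception_key). Loopback and private
-- address space is excluded up front so only external talkers remain.
--
-- references:
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net extra
-- interval: 601
-- platform: posix
SELECT
    s.status,
    s.family,
    s.path,
    s.fd,
    -- Strip the IPv4-mapped IPv6 prefix so v4 and v4-in-v6 events read alike.
    REPLACE(s.remote_address, '::ffff:', '') AS remote_address,
    s.remote_port,
    s.local_port,
    COALESCE(REGEX_MATCH (s.path, '.*/(.*)', 1), s.path) AS basename,
    -- NULL when the binary is no longer on disk (no `file` row) or its owner
    -- has no `users` row; the WHERE clause treats NULL as "not allow-listed"
    -- rather than letting three-valued logic drop the row.
    REPLACE(f.directory, u.directory, '~') AS homedir,
    -- "auid,uid,port,basename". uids >= 500 collapse to 500 and remote ports
    -- >= 32768 collapse to 32768 so one exception covers a whole class. A
    -- missing `file` row yields uid -1, which keeps the key non-NULL and
    -- guarantees it never matches a tuned exception. Matching is by basename
    -- only, so the path-based filters below are what stop a look-alike name.
    CONCAT (
        MIN(s.auid, 500),
        ',',
        MIN(COALESCE(f.uid, -1), 500),
        ',',
        MIN(s.remote_port, 32768),
        ',',
        COALESCE(REGEX_MATCH (s.path, '.*/(.*)', 1), s.path)
    ) AS exception_key,
    -- First two components of the binary's directory, e.g. '/usr/local' or
    -- '~/code'; falls back to the raw directory when the regex has no match.
    RTRIM(
        COALESCE(
            REGEX_MATCH (
                REPLACE(f.directory, u.directory, '~'),
                '([/~].*?/.*?)/',
                1
            ),
            f.directory
        ),
        '/'
    ) AS top2_dir,
    -- Child
    s.path AS p0_path,
    s.pid AS p0_pid,
    s.auid AS p0_euid,
    TRIM(COALESCE(p.cmdline, pe.cmdline)) AS p0_cmd,
    TRIM(COALESCE(p.cwd, pe.cwd)) AS p0_cwd,
    hash.sha256 AS p0_sha256,
    -- Parent
    COALESCE(p.parent, pe.parent) AS p1_pid
FROM
    socket_events AS s
    -- process_events is the fallback for short-lived processes that have
    -- already left `processes`; the time bound keeps that lookup small.
    LEFT JOIN process_events pe ON s.pid = pe.pid
        AND pe.time > (strftime('%s', 'now') -7200)
    LEFT JOIN processes p ON s.pid = p.pid
    LEFT JOIN file f ON s.path = f.path
    LEFT JOIN users u ON f.uid = u.uid
    LEFT JOIN hash ON s.path = hash.path
WHERE
    -- Only events since the previous run (interval is 601s).
    s.time > (strftime('%s', 'now') -600)
    AND s.action = 'connect'
    -- NOTE: this also discards the port-9 exception_key entries listed below.
    AND s.remote_port > 10
    AND s.remote_address NOT IN (
        '127.0.0.1',
        '::ffff:127.0.0.1',
        '::1',
        '::',
        '0.0.0.0'
    )
    AND s.remote_address NOT LIKE 'fe80:%'
    AND s.remote_address NOT LIKE '127.%'
    AND s.remote_address NOT LIKE '192.168.%'
    -- NOTE(review): '100.7%' also matches public 100.7.0.0/16 and covers only
    -- 100.70-100.79 of the shared 100.64.0.0/10 range — confirm the intended range.
    AND s.remote_address NOT LIKE '100.7%'
    -- RFC 1918 172.16.0.0/12 exactly. The former 'LIKE 172.1%' / '172.2%'
    -- patterns also excluded public 172.1.x, 172.2.x and 172.10-15.x traffic.
    AND s.remote_address NOT GLOB '172.1[6-9].*'
    AND s.remote_address NOT GLOB '172.2[0-9].*'
    AND s.remote_address NOT GLOB '172.3[01].*'
    AND s.remote_address NOT GLOB '::ffff:172.1[6-9].*'
    AND s.remote_address NOT GLOB '::ffff:172.2[0-9].*'
    AND s.remote_address NOT GLOB '::ffff:172.3[01].*'
    AND s.remote_address NOT LIKE '0000:%'
    AND s.remote_address NOT LIKE '10.%'
    AND s.remote_address NOT LIKE '::ffff:10.%'
    AND s.remote_address NOT LIKE '::ffff:192.168.%'
    -- NOTE(review): only the literal fc00: prefix is excluded; ULA addresses
    -- in practice come from fd00::/8, which still surfaces here.
    AND s.remote_address NOT LIKE 'fc00:%'
    AND NOT s.path LIKE '/Applications/%' -- NOTE: Do not filter out /bin (bash) or /usr/bin (nc)
    AND NOT s.path LIKE '/private/var/folders/%/T/go-build%'
    AND NOT s.path = '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater'
    -- COALESCE keeps rows whose binary is gone from disk: NOT (NULL IN (...))
    -- is NULL and would otherwise silently drop exactly the events most worth
    -- seeing (run-then-delete binaries).
    AND NOT COALESCE(top2_dir, '') IN (
        '/Library/Apple',
        '/Library/Developer',
        '/Library/Application Support',
        '/Library/Kandji',
        '/opt/homebrew',
        '/System/Applications',
        '/System/Library',
        '/System/Volumes',
        '/usr/libexec',
        '/usr/local',
        '/usr/bin',
        '/usr/sbin',
        '/snap/firefox',
        '~/.provisio',
        '~/homebrew',
        '~/Applications',
        '~/Apps',
        '~/bin',
        '~/code',
        '~/github',
        '~/go',
        '~/src',
        '~/work'
    )
    AND NOT COALESCE(homedir, '') IN (
        '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS',
        '/opt/spotify',
        '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin'
    )
    AND NOT exception_key IN (
        -- NOTE(review): this entry does not follow the "auid,uid,port,basename"
        -- format and can never match — check the intended key.
        '0,velociraptor,velociraptor,500u,80g',
        '500,0,110,syncthing',
        '500,0,123,sntp',
        '500,0,1234,spotify',
        '500,0,20480,com.adguard.mac.adguard.network-extension',
        '500,0,20480,io.tailscale.ipn.macsys.network-extension',
        '500,0,22,ssh',
        '500,0,27668,com.adguard.mac.adguard.network-extension',
        '500,0,31488,sntp',
        '500,0,32768,Authy',
        '500,0,32768,BDLDaemon',
        '500,0,32768,com.adguard.mac.adguard.network-extension',
        '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
        '500,0,32768,com.apple.NRD.UpdateBrainService',
        '500,0,32768,elastic-endpoint',
        '500,0,32768,firefox',
        '500,0,32768,git-remote-http',
        '500,0,32768,io.tailscale.ipn.macsys.network-extension',
        '500,0,32768,ir_agent',
        '500,0,32768,ksfetch',
        '500,0,32768,networkQuality',
        '500,500,80,elastic-agent',
        '500,0,80,filebeat',
        '500,0,32768,syncthing',
        '500,0,3478,firefox',
        '500,0,4070,spotify',
        '500,0,43,whois',
        '500,0,443,Authy',
        '500,0,443,BDCoreIssues',
        '500,0,443,BDLDaemon',
        '500,0,443,BDUpdDaemon',
        '500,0,443,Brackets',
        '500,0,443,OneDriveStandaloneUpdater',
        '500,0,443,Python',
        '500,0,443,bdredline',
        '500,0,443,chrome',
        '500,0,443,chrome_crashpad_handler',
        '500,0,443,com.adguard.mac.adguard.network-extension',
        '500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
        '500,0,443,com.apple.NRD.UpdateBrainService',
        '500,0,443,com.bitdefender.cst.net.dci.dci-network-extension',
        '500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
        '500,0,443,com.google.one.NetworkExtension',
        '500,0,443,curl',
        '500,0,443,docker-buildx',
        '500,0,443,elastic-agent',
        '500,0,443,elastic-endpoint',
        '500,0,443,electron',
        '500,0,443,filebeat',
        '500,0,443,firefox',
        '500,0,443,fwupdmgr',
        '500,0,443,git-remote-http',
        '500,0,443,gnome-software',
        '500,0,443,go',
        '500,0,443,http',
        '500,0,443,incusd',
        '500,0,443,io.tailscale.ipn.macsys.network-extension',
        '500,0,443,ir_agent',
        '500,0,443,kioslave5',
        '500,0,443,ksfetch',
        '500,0,443,launcher',
        '500,0,443,metricbeat',
        '500,0,443,nessusd',
        '500,500,32768,old',
        '500,0,443,networkQuality',
        '500,0,443,node',
        '500,0,443,packetbeat',
        '500,0,443,pingsender',
        '500,0,443,rapid7_endpoint_broker',
        '500,0,443,slack',
        '500,0,443,snapd',
        '500,0,443,spotify',
        '500,0,443,ssh',
        '500,0,443,syncthing',
        '500,0,443,terraform',
        '500,0,443,velociraptor',
        '500,0,443,wget',
        '500,0,5228,chrome',
        '500,0,53,Brackets',
        '500,0,53,NetworkManager',
        '500,0,53,chrome',
        '500,0,53,electron',
        '500,0,53,firefox',
        '500,0,53,git',
        '500,0,53,launcher',
        '500,0,53,nessusd',
        '500,0,53,slack',
        '500,0,53,spotify',
        '500,0,53,wget',
        '500,0,5632,ssh',
        '500,0,80,BDUpdDaemon',
        '500,0,80,chrome',
        '500,0,80,com.adguard.mac.adguard.network-extension',
        '500,0,80,com.apple.NRD.UpdateBrainService',
        '500,0,80,com.bitdefender.cst.net.dci.dci-network-extension',
        '500,0,80,electron',
        '500,0,443,com.docker.backend',
        '500,0,80,firefox',
        '500,0,80,http',
        '500,0,80,incusd',
        '500,0,80,io.tailscale.ipn.macsys.network-extension',
        '500,0,80,ir_agent',
        '500,0,80,ksfetch',
        '500,0,80,metricbeat',
        '500,0,80,slack',
        '500,0,8080,com.bitdefender.cst.net.dci.dci-network-extension',
        '500,0,9,launcher',
        '500,0,9,snapd',
        '500,500,13568,Code Helper',
        '500,500,20480,Code Helper',
        '500,500,20480,Google Chrome Helper',
        '500,500,20480,GoogleUpdater',
        '500,500,20480,ksfetch',
        '500,500,22,ssh',
        '500,500,2304,cloud_sql_proxy',
        '500,500,2304,terraform-provider-google_v4.37.0_x5',
        '500,500,3024,ZwiftAppSilicon',
        '500,500,32768,Chromium Helper',
        '500,500,32768,Code Helper',
        '500,500,32768,DropboxMacUpdate',
        '500,500,32768,Electron',
        '500,500,32768,G2MUpdate',
        '500,500,32768,GoogleUpdater',
        '500,500,32768,Microsoft.VisualStudio.Code.Server',
        '500,500,32768,cloud-sql-proxy',
        '500,500,32768,java',
        '500,500,32768,ksfetch',
        '500,500,32768,melange',
        '500,500,32768,node',
        '500,500,32768,rzls',
        '500,500,32768,terraform-ls',
        '500,500,3307,cloud_sql_proxy',
        '500,500,4318,Code Helper (Plugin)',
        '500,500,443,Acrobat Updater',
        '500,500,443,Chromium Helper',
        '500,500,443,Cisco WebEx Start',
        '500,500,443,CleanMyMac X Updater',
        '500,500,443,Code Helper (Plugin)',
        '500,500,443,Code Helper (Renderer)',
        '500,500,443,Code Helper',
        '500,500,443,DropboxMacUpdate',
        '500,500,443,Electron',
        '500,500,443,GitX',
        '500,500,443,Google Chrome Helper',
        '500,500,443,GoogleUpdater',
        '500,500,443,Meeting Center',
        '500,500,443,Signal Helper (Renderer)',
        '500,500,443,Signal',
        '500,500,443,ZwiftAppSilicon',
        '500,500,443,apk',
        '500,500,443,aws',
        '500,500,443,chainctl',
        '500,500,443,cloud_sql_proxy',
        '500,500,443,copilot-agent-macos-arm64',
        '500,500,443,figma_agent',
        '500,500,443,gh',
        '500,500,443,git-remote-http',
        '500,500,443,gitsign',
        '500,500,443,go',
        '500,500,443,grype',
        '500,500,443,istioctl',
        '500,500,443,ksfetch',
        '500,500,443,kubectl',
        '500,500,443,minikube',
        '500,500,443,node',
        '500,500,443,old',
        '500,500,443,sublime_text',
        '500,500,443,syft',
        '500,500,443,webexmtaV2',
        '500,500,443,wolfibump',
        '500,500,443,wolfictl',
        '500,500,53,Code Helper',
        '500,500,53,Google Chrome Helper',
        '500,500,53,Meeting Center',
        '500,500,53,gitsign',
        '500,500,80,Code Helper (Plugin)',
        '500,500,80,Code Helper',
        '500,500,80,Google Chrome Helper',
        '500,500,80,GoogleUpdater',
        '500,500,80,cloud_sql_proxy',
        '500,500,80,copilot-agent-macos-arm64',
        '500,500,80,firefox-bin',
        '500,500,80,ksfetch',
        '500,500,80,node',
        '500,500,9000,Meeting Center',
        '500,500,32768,Microsoft.ServiceHub.Controller',
        '500,500,32768,Microsoft.VisualStudio.Code.ServiceHost',
        '500,99,13568,Slack Helper',
        '500,99,32768,Slack Helper',
        '500,99,32768,Slack',
        '500,99,443,Slack Helper',
        '500,99,443,Slack',
        '500,99,53,Slack Helper'
    )
    AND NOT exception_key LIKE '500,500,443,terraform%'
    AND NOT exception_key LIKE '500,500,32768,terraform-provider-%'
    AND NOT exception_key LIKE '500,500,2304,terraform%'
    AND NOT exception_key LIKE '500,500,53,terraform%'
    AND NOT exception_key LIKE '500,500,80,terraform%'
    AND NOT exception_key LIKE '500,0,%,syncthing'
    AND NOT exception_key LIKE '500,0,%,chrome'
    -- NOTE(review): '___%_%' matches any basename of four or more characters,
    -- so this allow-lists every uid>=500 process owned by uid>=500 that talks
    -- to port 443 and makes most '500,500,443,*' entries above redundant —
    -- confirm this breadth is intended.
    AND NOT exception_key LIKE '500,500,443,___%_%'
    AND NOT exception_key LIKE '500,500,%,chrome'
    AND NOT exception_key LIKE '500,500,%,Google Chrome Helper'
    AND NOT exception_key LIKE '500,500,443,kubectl.%'
    AND NOT p0_path LIKE '/Users/%/code/%'
    AND NOT p0_path LIKE '/Users/%/go/%'
    AND NOT p0_path LIKE '/Users/%/src/%'
    AND NOT p0_path LIKE '/Users/%/Library/Caches/JetBrains/GoLand%'
    AND NOT p0_path LIKE '/Users/%/dev/%'
    AND NOT p0_path LIKE '/System/%'
    AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'
    -- Python is allow-listed only when the command line shows a known SDK; a
    -- NULL p0_cmd (pid unknown to both process tables) must not drop the row.
    AND NOT (
        basename = 'Python'
        AND p0_cmd IS NOT NULL
        AND (
            p0_cmd LIKE '%/gcloud.py%'
            OR p0_cmd LIKE '%/google-cloud-sdk/%'
            OR p0_cmd LIKE '%pip install%'
            OR p0_cmd LIKE '%googlecloudsdk/%'
            OR p0_cmd LIKE '%/bin/aws%'
            OR p0_cmd LIKE '%/gsutil/%'
        )
    )
-- One row per process and exception class; the remaining columns are SQLite
-- bare columns taken from an arbitrary row of each group.
GROUP BY
    s.pid,
    exception_key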