140 lines
3.8 KiB
SQL
140 lines
3.8 KiB
SQL
-- Suspicious URL requests by built-in fetching tools (state-based)
|
|
--
|
|
-- refs:
|
|
-- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
|
|
-- * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
|
|
--
|
|
-- tags: transient process state
|
|
-- platform: posix
|
|
SELECT
|
|
p.pid,
|
|
p.path,
|
|
p.name,
|
|
p.cmdline,
|
|
REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
|
|
REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
|
|
REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port,
|
|
REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
|
|
REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
|
|
p.cwd,
|
|
p.euid,
|
|
p.parent,
|
|
p.cgroup_path,
|
|
pp.path AS parent_path,
|
|
pp.name AS parent_name,
|
|
pp.cmdline AS parent_cmdline,
|
|
pp.euid AS parent_euid,
|
|
gp.name AS gparent_name,
|
|
gp.cmdline AS gparent_cmdline,
|
|
pp.pid AS gparent_pid,
|
|
hash.sha256 AS parent_sha256
|
|
FROM
|
|
processes p
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
LEFT JOIN processes gp ON pp.parent = gp.pid
|
|
LEFT JOIN hash ON pp.path = hash.path
|
|
WHERE
|
|
-- NOTE: Sync remaining portion with sketchy-fetcher-events
|
|
(
|
|
INSTR(p.cmdline, 'wget ') > 0
|
|
OR INSTR(p.cmdline, 'curl ') > 0
|
|
)
|
|
AND (
|
|
ip NOT IN ('', '127.0.0.1', '::1')
|
|
OR port != ''
|
|
OR tld NOT IN (
|
|
'',
|
|
'app',
|
|
'ca',
|
|
'cloud',
|
|
'com',
|
|
'de',
|
|
'dev',
|
|
'edu',
|
|
'fun',
|
|
'gov',
|
|
'io',
|
|
'md',
|
|
'mil',
|
|
'net',
|
|
'org',
|
|
'se',
|
|
'sh',
|
|
'so',
|
|
'uk'
|
|
)
|
|
OR p.cmdline LIKE '%.onion%'
|
|
OR p.cmdline LIKE '%tor2web%'
|
|
OR p.cmdline LIKE '%aliyun%'
|
|
OR p.cmdline LIKE '%pastebin%'
|
|
OR p.cmdline LIKE '%curl %--user-agent%'
|
|
OR p.cmdline LIKE '%curl -k%'
|
|
OR p.cmdline LIKE '%curl -sL %'
|
|
OR p.cmdline LIKE '%curl%-o-%'
|
|
OR p.cmdline LIKE '%curl%--insecure%'
|
|
OR p.cmdline LIKE '%wget %--user-agent%'
|
|
OR p.cmdline LIKE '%wget %--no-check-certificate%'
|
|
OR p.cmdline LIKE '%curl%--connect-timeout%'
|
|
OR p.cmdline LIKE '%wget -nc%'
|
|
OR p.cmdline LIKE '%wget -t%'
|
|
OR p.cmdline LIKE '%wget -q%'
|
|
OR (
|
|
p.cmdline LIKE '%wget %'
|
|
AND p.euid < 500
|
|
-- TODO: Update this query to understand containers
|
|
AND pp.path NOT IN (
|
|
"/usr/bin/bwrap",
|
|
"/bin/busybox",
|
|
"/usr/bin/melange"
|
|
)
|
|
)
|
|
OR (
|
|
p.cmdline LIKE '%curl %'
|
|
AND p.euid < 500
|
|
AND p.cmdline NOT LIKE "%./configure %--with-curl%"
|
|
)
|
|
)
|
|
-- Exceptions for all calls
|
|
AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
|
|
AND NOT (
|
|
p.euid > 500
|
|
AND (
|
|
p.cmdline LIKE '%--dump-header%'
|
|
OR p.cmdline LIKE '%/api/v%'
|
|
OR p.cmdline LIKE '%curl -X %'
|
|
OR p.cmdline LIKE '%go mod %'
|
|
OR p.cmdline LIKE '%application/json%'
|
|
OR p.cmdline LIKE '%grpcurl%'
|
|
OR p.cmdline LIKE '%Homebrew%'
|
|
OR p.cmdline LIKE '%Nixpkgs/%'
|
|
OR p.cmdline LIKE '%If-None-Match%'
|
|
OR p.cmdline LIKE '%ctlog%'
|
|
OR p.cmdline LIKE '%.well-known/openid-configuration%'
|
|
OR p.cmdline LIKE '%/openid/v1/jwks%'
|
|
OR p.cmdline LIKE '%--progress-bar%'
|
|
OR parent_cmdline LIKE '%brew.rb%'
|
|
OR parent_cmdline LIKE '%brew.sh%'
|
|
OR parent_cmdline LIKE '/nix/store/%-builder.sh'
|
|
OR p.cmdline LIKE 'git %'
|
|
OR p.cmdline LIKE '%LICENSES/vendor/%'
|
|
OR p.cmdline LIKE 'curl -sL wttr.in%'
|
|
OR p.cmdline LIKE '%localhost:%'
|
|
OR p.cmdline LIKE '%127.0.0.1:%'
|
|
OR p.name IN ('apko')
|
|
)
|
|
)
|
|
-- These are typically curl -k calls
|
|
-- We need the addr "IS NOT NULL" to avoid filtering out
|
|
-- NULL entries
|
|
AND NOT (
|
|
addr IS NOT NULL
|
|
AND (
|
|
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
|
|
-- Ignore local addresses (Docker development)
|
|
OR addr NOT LIKE '%.%'
|
|
OR ip LIKE '172.21.%'
|
|
OR ip LIKE '192.168.%'
|
|
)
|
|
)
|
|
|