Sketchy Fetcher Events

Suspicious URL requests by built-in fetching tools (event-based)

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Suspicious URL requests by built-in fetching tools (event-based)
--
-- refs:
--   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
--   * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port)
--
-- interval: 120
-- tags: transient process events
-- platform: posix
SELECT
  -- Child
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.time AS p0_time,
  p.cgroup_path AS p0_cgroup,
  -- Parent
  pe.parent AS p1_pid,
  p1.cgroup_path AS p1_cgroup,
  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
  COALESCE(p1.path, pe1.path) AS p1_path,
  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
  REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
  -- Grandparent
  COALESCE(p1.parent, pe1.parent) AS p2_pid,
  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
  TRIM(
    COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
  ) AS p2_cmd,
  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
  COALESCE(
    p1_p2_hash.path,
    pe1_p2_hash.path,
    pe1_pe2_hash.path
  ) AS p2_hash,
  REGEX_MATCH (
    COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path),
    '.*/(.*)',
    1
  ) AS p2_name,
  -- Extra fields
  REGEX_MATCH (pe.cmdline, '(\\w+:\\/\\/.*)\\b', 1) AS url,
  REGEX_MATCH (pe.cmdline, '[ /](\\d+\\.\\d+\\.\\d+\\.\\d+)[:/]', 1) AS ip,
  REGEX_MATCH (pe.cmdline, ':(\\d+)', 1) AS port,
  REGEX_MATCH (pe.cmdline, '//([\\w\\-\\.]+)[:/]', 1) AS addr,
  REGEX_MATCH (pe.cmdline, '//[\\w\\-\\.]+\\.(\\w+)[:/]', 1) AS tld
FROM
  process_events pe,
  uptime
  LEFT JOIN processes p ON pe.pid = p.pid
  -- Parents (via two paths)
  LEFT JOIN processes p1 ON pe.parent = p1.pid
  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
  AND pe1.cmdline != ''
  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
  -- Grandparents (via 3 paths)
  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
  AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
  -- Extra fields
WHERE
  pe.time > (strftime('%s', 'now') -120)
  AND pe.cmdline != ''
  -- NOTE: Sync remaining portion with sketchy-fetchers
  AND (
    INSTR(pe.cmdline, 'wget ') > 0
    OR INSTR(pe.cmdline, 'curl ') > 0
  )
  -- Sketchy fetcher events always seem to contain a switch
  AND pe.cmdline LIKE '%-%'
  AND pe.cmdline LIKE '%/%'
  AND (
    -- If it's an IP or port, it's suspicious
    ip NOT IN ('', '127.0.0.1', '0.0.0.0', '::1')
    OR port != ''
    OR tld NOT IN (
      '',
      'app',
      'ca',
      'cloud',
      'com',
      'de',
      'dev',
      'edu',
      'fun',
      'gov',
      'io',
      'md',
      'mil',
      'net',
      'org',
      'se',
      'sh',
      'so',
      'uk',
      'us'
    )
    -- Or if it matches weird keywords we've seen
    OR p.cmdline LIKE '%chmod%'
    OR pe.cmdline LIKE '%.onion%'
    OR pe.cmdline LIKE '%aliyun%'
    OR pe.cmdline LIKE '%curl -k%'
    OR pe.cmdline LIKE '%curl -sL %'
    OR pe.cmdline LIKE '%curl %--user-agent%'
    OR pe.cmdline LIKE '%curl.*—write-out%'
    OR pe.cmdline LIKE '%curl%--connect-timeout%'
    OR pe.cmdline LIKE '%curl%--insecure%'
    OR pe.cmdline LIKE '%curl%--O /dev/null%'
    OR pe.cmdline LIKE '%curl%--output /dev/null%'
    OR pe.cmdline LIKE '%curl%-o-%'
    OR pe.cmdline LIKE '%pastebin%'
    OR pe.cmdline LIKE '%tor2web%'
    OR pe.cmdline LIKE '%wget -nc%'
    OR pe.cmdline LIKE '%wget -q%'
    OR pe.cmdline LIKE '%wget -t%'
    OR pe.cmdline LIKE '%wget %--no-check-certificate%'
    OR pe.cmdline LIKE '%wget %--user-agent%'
    -- Or anything launched by a system user
    OR (
      pe.cmdline LIKE '%wget -%'
      AND pe.euid < 500
      AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
    )
    OR (
      pe.cmdline LIKE '%curl %'
      AND pe.euid < 500
      AND pe.cmdline NOT LIKE "%./configure %--with-curl%"
      AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
    )
  )
  -- Exceptions for all calls
  AND NOT (
    pe.euid > 500
    AND (
      p1_cmd LIKE '%brew.rb%'
      OR p1_cmd LIKE '%brew.sh%'
      OR pe.cmdline LIKE '% localhost:%'
      OR pe.cmdline LIKE '%--dump-header%'
      OR pe.cmdline LIKE '%--progress-bar%'
      OR pe.cmdline LIKE '%.well-known/openid-configuration%'
      OR pe.cmdline LIKE '%/192.168.%:%'
      OR pe.cmdline LIKE '%/chainctl_%'
      OR pe.cmdline LIKE '%/openid/v1/jwks%'
      OR pe.cmdline LIKE '%127.0.0.1:%'
      OR pe.cmdline LIKE '%application/json%'
      OR pe.cmdline LIKE '%Authorization: Bearer%'
      OR pe.cmdline LIKE '%ctlog%'
      OR pe.cmdline LIKE '%curl -X %'
      OR pe.cmdline LIKE '%go mod %'
      OR pe.cmdline LIKE '%grpcurl%'
      OR pe.cmdline LIKE '%Homebrew%'
      OR pe.cmdline LIKE '%https://api.github.com/%'
      OR pe.cmdline LIKE '%If-None-Match%'
      OR pe.cmdline LIKE '%LICENSES/vendor/%'
      OR pe.cmdline LIKE '%localhost:%'
      OR pe.cmdline LIKE 'curl -sL wttr.in%'
      OR pe.cmdline LIKE 'git %'
      OR pe.cmdline LIKE 'wget --no-check-certificate https://github.com/%'
      OR pe.cmdline LIKE "%libcurl%"
    )
  )
  AND NOT (
    pe.euid > 500
    AND pe.cmdline LIKE '%/api'
    AND pe.cmdline NOT LIKE '%-o%'
    AND pe.cmdline NOT LIKE '%-O%'
  )
  AND NOT (
    pe.euid > 500
    -- /usr/bin/curl https://34.117.0.114:443 -k
    AND REGEX_MATCH (pe.cmdline, '(curl https://[\\w\\.\\:\\/]+ -k)$', 1) != ""
  )
  AND NOT (
    pe.euid > 500
    -- /usr/bin/curl -k https://34.117.0.114:443
    AND REGEX_MATCH (pe.cmdline, '(curl -k https://[\\w\\.\\:\\/]+)$', 1) != ""
  )
  -- These are typically curl -k calls
  -- We need the addr "IS NOT NULL" to avoid filtering out
  -- NULL entries
  AND NOT (
    addr IS NOT NULL
    AND (
      addr IN (
        'cdn.zoom.us',
        'dl.enforce.dev',
        'github.com',
        'releases.hashicorp.com',
        'repo1.maven.org'
      )
      -- Ignore local addresses (Docker development)
      OR addr NOT LIKE '%.%'
      OR ip LIKE '172.2%'
      OR ip LIKE '192.168.%'
      OR ip LIKE '127.%'
      OR ip LIKE '10.%'
    )
  )
  AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'
  AND NOT url in ('https://aur.archlinux.org')

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit