Unexpected Icmp Socket Events

osquery
Unexpected programs speaking over ICMP (event-based)
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that its queries are designed to be used as part of a production detection and response pipeline. The detection queries are written to return zero rows during normal, expected behavior, so that any returned row can be treated as an alert.

Query

-- Unexpected programs speaking over ICMP (event-based)
--
-- references:
--   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
--
-- interval: 300
-- tags: transient events net extra
SELECT
  se.*,
  p.path,
  p.cwd,
  p.euid,
  p.cmdline
FROM
  socket_events se
  LEFT JOIN processes p ON se.pid = p.pid
WHERE
  se.time > (strftime('%s', 'now') -300)
  AND family = 2 -- PF_INET
  AND protocol = 1 -- ICMP
  AND p.name NOT IN ('ping')
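The following is an added worked example, not code from osquery-defense-kit: it replays the query above against constructed socket_events and processes rows in SQLite (the engine osquery's SQL is built on) so you can see which rows the filter keeps and drops before deploying it. The sample rows, process names and paths are made up. Two practitioner caveats show up in the replay. First, `p.name NOT IN ('ping')` silently drops any event whose process has already exited, because the LEFT JOIN yields a NULL name and `NULL NOT IN (...)` is NULL, not true; a one-shot beacon that exits immediately is exactly the case the rule should catch, so the hardened variant wraps the name in `COALESCE(p.name, '')`. Second, `family = 2 AND protocol = 1` only covers ICMP over IPv4; the hardened variant also matches ICMPv6, assuming Linux constants (AF_INET6 = 10, IPPROTO_ICMPV6 = 58; these differ on macOS). The hardened query is a suggested extension, not the project's rule.

```python
"""Added example (not from osquery-defense-kit): replay the ICMP socket-event
detection against constructed rows in SQLite to show what the join filter
keeps and drops, and compare it with a hardened variant."""
import sqlite3
import time

NOW = int(time.time())

# Constructed sample data, not real telemetry. Only the subset of osquery's
# socket_events / processes columns that the queries touch is modelled.
SOCKET_EVENTS = [
    # (eid, pid, path, family, protocol, remote_address, time)
    ("1", 4101, "/usr/bin/ping", 2, 1, "192.0.2.1", NOW - 10),            # benign ping, still running
    ("2", 4102, "/tmp/.cache/updater", 2, 1, "203.0.113.7", NOW - 20),    # ICMP from an odd path, still running
    ("3", 4103, "/tmp/beacon", 2, 1, "203.0.113.9", NOW - 30),            # ICMP sender that exited before the query ran
    ("4", 4104, "/usr/local/bin/scanner", 10, 58, "2001:db8::1", NOW - 40),  # ICMPv6 (Linux AF_INET6=10, IPPROTO_ICMPV6=58)
    ("5", 4105, "/usr/bin/curl", 2, 6, "198.51.100.10", NOW - 50),        # TCP, not ICMP
    ("6", 4106, "/opt/old/tool", 2, 1, "198.51.100.2", NOW - 900),        # ICMP, but outside the 300 s window
]
PROCESSES = [
    # (pid, name, path, cwd, euid, cmdline)
    (4101, "ping", "/usr/bin/ping", "/home/alice", 1000, "ping -c 1 192.0.2.1"),
    (4102, "updater", "/tmp/.cache/updater", "/tmp/.cache", 1000, "./updater"),
    # pid 4103 has no row: the process exited, so the LEFT JOIN yields NULLs for it
    (4104, "scanner", "/usr/local/bin/scanner", "/root", 0, "scanner -6 2001:db8::1"),
    (4105, "curl", "/usr/bin/curl", "/home/alice", 1000, "curl https://example.com"),
]

# The page's query, with only the comment lines removed.
ORIGINAL_QUERY = """
SELECT se.*, p.path, p.cwd, p.euid, p.cmdline
FROM socket_events se
LEFT JOIN processes p ON se.pid = p.pid
WHERE se.time > (strftime('%s', 'now') - 300)
  AND family = 2
  AND protocol = 1
  AND p.name NOT IN ('ping')
"""

# Suggested hardened variant (hypothetical, not ODK's rule):
#  - COALESCE keeps rows whose process already exited (NULL name),
#  - the IPv6 branch catches ICMPv6 using Linux constants.
HARDENED_QUERY = """
SELECT se.*, p.path AS proc_path, p.cwd, p.euid, p.cmdline
FROM socket_events se
LEFT JOIN processes p ON se.pid = p.pid
WHERE se.time > (strftime('%s', 'now') - 300)
  AND ((se.family = 2 AND se.protocol = 1)      -- ICMP over IPv4
    OR (se.family = 10 AND se.protocol = 58))   -- ICMPv6 on Linux
  AND COALESCE(p.name, '') NOT IN ('ping')
"""


def load(conn):
    """Create the two tables with the modelled column subset and insert the samples."""
    conn.executescript("""
        CREATE TABLE socket_events (
            eid TEXT, pid INTEGER, path TEXT, family INTEGER, protocol INTEGER,
            remote_address TEXT, time INTEGER);
        CREATE TABLE processes (
            pid INTEGER, name TEXT, path TEXT, cwd TEXT, euid INTEGER, cmdline TEXT);
    """)
    conn.executemany("INSERT INTO socket_events VALUES (?,?,?,?,?,?,?)", SOCKET_EVENTS)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", PROCESSES)


def run(query):
    """Run a query against a fresh in-memory copy and return the sorted event ids it alerts on."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    rows = conn.execute(query).fetchall()
    conn.close()
    return sorted(row[0] for row in rows)  # eid is the first column of se.*


def original_hits():
    return run(ORIGINAL_QUERY)


def hardened_hits():
    return run(HARDENED_QUERY)


if __name__ == "__main__":
    print("page query    :", original_hits())   # ['2'] -> the exited beacon (3) is missed
    print("hardened query:", hardened_hits())   # ['2', '3', '4']
```

Two deployment notes. On Linux the socket_events table is only populated when osquery's audit-based event publisher is enabled (`--disable_events=false --disable_audit=false --audit_allow_sockets=true`); without it the query returns zero rows for the wrong reason. Also, `protocol = 1` matches both privileged raw ICMP sockets and unprivileged Linux "ping sockets" (SOCK_DGRAM/IPPROTO_ICMP, gated by net.ipv4.ping_group_range), so the rule does not by itself tell you whether the sender had CAP_NET_RAW; the `p.euid` column in the output is what to look at for that.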

Reference

https://github.com/chainguard-dev/osquery-defense-kit