Do you have critical services exposed to the internet?

Description: Service misconfigurations often expose critical services to the internet or to VLANs from which they should not be reachable. This osquery SQL query lets you audit for these critical services and determine which remote hosts they are connected to. It may need a little tailoring for your local environment and services.

SQL:

SELECT process_open_sockets.local_address,
       process_open_sockets.local_port,
       process_open_sockets.remote_address,
       processes.path,
       processes.cmdline
FROM process_open_sockets
JOIN processes USING (pid)
-- RDP, WinRM (HTTP/HTTPS), Elasticsearch, Redis, MSSQL, SSH; adjust to the services in your environment
WHERE process_open_sockets.local_port IN (3389, 5985, 5986, 9200, 6379, 1433, 22)
  -- exclude RFC 1918 peers; 172.16.0.0/12 spans 172.16.x through 172.31.x, so a single LIKE '172.16%' is not enough
  AND process_open_sockets.remote_address NOT LIKE '10.%'
  AND process_open_sockets.remote_address NOT GLOB '172.1[6-9].*'
  AND process_open_sockets.remote_address NOT GLOB '172.2[0-9].*'
  AND process_open_sockets.remote_address NOT GLOB '172.3[01].*'
  AND process_open_sockets.remote_address NOT LIKE '192.168.%'
  -- exclude loopback and the unbound/listening placeholder values osquery reports in remote_address
  AND process_open_sockets.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::', '0');
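Because osquery's SQL engine is SQLite, the address filters can be checked against known inputs before the query is scheduled fleet-wide. The following is an added example, not code from the original page or from the osquery project: it loads constructed rows into an in-memory SQLite database shaped like the process_open_sockets and processes tables, runs the query once with the page's original LIKE filters and once with a corrected set, and cross-checks the result with Python's ipaddress module. The sample pids, addresses, paths and the helper names (build_db, run_audit, expected_exposures) are constructed for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample rows mirroring the columns the query reads from osquery's
# process_open_sockets and processes tables (not data from a real host).
SAMPLE_SOCKETS = [
    # pid, local_address, local_port, remote_address
    (101, "0.0.0.0", 22, "0.0.0.0"),          # sshd listening: placeholder remote, must not be flagged
    (101, "10.0.0.5", 22, "10.0.0.23"),       # SSH peer inside 10.0.0.0/8: private
    (101, "10.0.0.5", 22, "203.0.113.7"),     # SSH peer on a non-RFC 1918 (TEST-NET-3) address: flag
    (202, "10.0.0.5", 3389, "172.20.4.9"),    # RDP peer in 172.16.0.0/12 but not 172.16.x: private
    (303, "10.0.0.5", 6379, "198.51.100.2"),  # Redis peer on a non-RFC 1918 address: flag
    (404, "10.0.0.5", 8080, "198.51.100.3"),  # port not in the watch list: ignore
    (101, "::1", 22, "::1"),                  # IPv6 loopback: not exposure
]
SAMPLE_PROCESSES = [
    (101, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    (202, "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k termsvcs"),
    (303, "/usr/bin/redis-server", "redis-server *:6379"),
    (404, "/usr/bin/python3", "python3 -m http.server 8080"),
]

WATCHED_PORTS = "(3389, 5985, 5986, 9200, 6379, 1433, 22)"

# Filter set as written on the page: LIKE '172.16%' only covers 172.16.x.x.
ORIGINAL_FILTERS = """
    AND process_open_sockets.remote_address NOT LIKE '10.%'
    AND process_open_sockets.remote_address NOT LIKE '172.16%'
    AND process_open_sockets.remote_address NOT LIKE '192.168%'
    AND process_open_sockets.remote_address NOT LIKE '127.0.0.1'
    AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
    AND process_open_sockets.remote_address NOT LIKE '::'
    AND process_open_sockets.remote_address NOT LIKE '0'
"""

# Corrected set: GLOB character classes cover all of 172.16.0.0/12 and ::1 counts as loopback.
FIXED_FILTERS = """
    AND process_open_sockets.remote_address NOT LIKE '10.%'
    AND process_open_sockets.remote_address NOT GLOB '172.1[6-9].*'
    AND process_open_sockets.remote_address NOT GLOB '172.2[0-9].*'
    AND process_open_sockets.remote_address NOT GLOB '172.3[01].*'
    AND process_open_sockets.remote_address NOT LIKE '192.168.%'
    AND process_open_sockets.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::', '0')
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_db():
    """Create an in-memory SQLite database holding the two osquery-shaped sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE process_open_sockets (pid INTEGER, local_address TEXT, local_port INTEGER, remote_address TEXT);"
        "CREATE TABLE processes (pid INTEGER, path TEXT, cmdline TEXT);"
    )
    conn.executemany("INSERT INTO process_open_sockets VALUES (?, ?, ?, ?)", SAMPLE_SOCKETS)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", SAMPLE_PROCESSES)
    return conn


def run_audit(filters):
    """Run the page's query shape with the given filter clauses; returns (local_port, remote_address, path) rows."""
    sql = f"""
        SELECT process_open_sockets.local_port,
               process_open_sockets.remote_address,
               processes.path
        FROM process_open_sockets JOIN processes USING (pid)
        WHERE process_open_sockets.local_port IN {WATCHED_PORTS}
        {filters}
        ORDER BY process_open_sockets.local_port, process_open_sockets.remote_address
    """
    conn = build_db()
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def is_non_internal(remote):
    """True when the peer is neither RFC 1918, loopback, unspecified, nor an osquery placeholder."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return False  # placeholder values such as '0' that osquery may report
    if addr.is_loopback or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


def expected_exposures():
    """Cross-check: classify the same sample with ipaddress instead of LIKE/GLOB string patterns."""
    watched = {3389, 5985, 5986, 9200, 6379, 1433, 22}
    paths = {pid: path for pid, path, _ in SAMPLE_PROCESSES}
    rows = [(port, remote, paths[pid])
            for pid, _local, port, remote in SAMPLE_SOCKETS
            if port in watched and is_non_internal(remote)]
    return sorted(rows)


if __name__ == "__main__":
    print("original filters:", run_audit(ORIGINAL_FILTERS))
    print("fixed filters:   ", run_audit(FIXED_FILTERS))
    print("ipaddress check: ", expected_exposures())
```

With the original filters the 172.20.4.9 RDP peer and the ::1 loopback socket are reported as findings; with the corrected filters only the two non-RFC 1918 peers remain, matching the ipaddress classification. Once the filter set is settled, the same query string can be scheduled in an osquery pack under the pack's queries entry with an interval, so every host reports its findings to the fleet manager rather than relying on ad hoc osqueryi runs.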

Operating Systems: Windows, Linux, Apple, FreeBSD

References:

List of TCP and UDP port numbers – Wikipedia

https://defensivedepth.com/2019/12/16/detecting-internet-exposed-services-that-shouldnt-be/
