osquery-defense-kit/process/reverse-shell-socket.sql

24 lines
778 B
MySQL
Raw Normal View History

2022-09-14 14:51:56 +00:00
-- An alternate way to discover reverse shells, inspired by the osxattack pack
SELECT DISTINCT(processes.pid),
processes.parent,
processes.name,
processes.path,
processes.cmdline,
processes.cwd,
processes.root,
processes.uid,
processes.gid,
processes.start_time,
process_open_sockets.remote_address,
process_open_sockets.remote_port,
(
SELECT cmdline
FROM processes AS parent_cmdline
WHERE pid = processes.parent
) AS parent_cmdline
FROM processes
JOIN process_open_sockets USING (pid)
LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid
WHERE name IN ('sh', 'bash', 'perl', 'python')
AND process_open_files.pid IS NULL
AND process_open_sockets.remote_port > 0;