osquery-defense-kit/detection/evasion/ssh-notty.sql

56 lines
1.4 KiB
MySQL
Raw Normal View History

-- Find ssh sessions that are hiding from 'w'/'who'
2022-10-14 18:19:13 +00:00
--
-- false positives:
-- * ssh-driven automation which disables the terminal, such as Znapzend
--
2022-10-19 20:56:32 +00:00
-- references:
-- * https://attack.mitre.org/techniques/T1021/004/ (Remote Services: SSH)
-- * https://attack.mitre.org/techniques/T1564/ (Hide Artifacts)
--
2022-10-14 18:19:13 +00:00
-- tags: transient process state
-- platform: posix
SELECT
*
FROM
(
SELECT
p.pid,
2022-10-17 23:06:17 +00:00
p.name,
p.cmdline AS cmd,
p.start_time,
p.cwd,
2022-10-17 23:06:17 +00:00
cp.name AS child_name,
cp.cmdline AS child_cmd,
gcp.name AS grandchild_name,
gcp.cmdline AS grandchild_cmd,
GROUP_CONCAT(DISTINCT pof.path) AS open_files
FROM
processes p
2022-10-17 23:06:17 +00:00
LEFT JOIN process_open_files pof ON p.pid = pof.pid
LEFT JOIN processes cp ON p.pid = cp.parent
LEFT JOIN processes gcp ON cp.pid = gcp.parent
WHERE
p.name = 'sshd'
GROUP BY
p.pid
2022-10-17 23:06:17 +00:00
)
WHERE
(
2022-10-17 23:06:17 +00:00
INSTR(cmd, '@notty') > 0
OR (
open_files != '/dev/null'
AND INSTR(open_files, '/dev/ptmx') = 0
)
2022-10-17 23:06:17 +00:00
)
2022-10-18 15:40:42 +00:00
-- You must specifically check for NULL here, or risk inadvertently filtering everything out.
AND (
grandchild_name IS NULL
OR grandchild_name != 'zfs'
2022-10-18 15:40:42 +00:00
)
AND child_name IS NOT NULL
AND child_name NOT IN ('', 'zfs')
AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
AND grandchild_name NOT IN ('unison')
AND cmd != 'sshd: docker@notty'