osquery-defense-kit/detection/evasion/ssh-notty.sql

-- Find ssh sessions that are hiding from 'w'/'who'
--
-- tags: transient process state
-- platform: posix
SELECT * FROM (
    SELECT p.pid,p.name,p.cmdline,GROUP_CONCAT(DISTINCT pof.path) AS open_files
    FROM processes p
    LEFT JOIN process_open_files pof ON p.pid = pof.pid
    WHERE p.name = 'sshd'
    GROUP BY p.pid
)
WHERE INSTR(cmdline, '@notty') > 0
OR
(
    open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0
)
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`-- Find ssh sessions that are hiding from 'w'/'who'`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
			`-- tags: transient process state`
			`-- platform: posix`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT * FROM (`
			`SELECT p.pid,p.name,p.cmdline,GROUP_CONCAT(DISTINCT pof.path) AS open_files`
			`FROM processes p`
			`LEFT JOIN process_open_files pof ON p.pid = pof.pid`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`WHERE p.name = 'sshd'`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`GROUP BY p.pid`
			`)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`WHERE INSTR(cmdline, '@notty') > 0`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`OR`
Remove sshd listener false positive 2022-10-13 22:02:14 +00:00			`(`
Use single quotes 2022-10-13 22:31:36 +00:00			`open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0`
Remove sshd listener false positive 2022-10-13 22:02:14 +00:00			`)`