osquery-defense-kit/process/empty_environ.sql

-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
SELECT COUNT(*) AS count,
    p.pid,
    p.path,
    p.cmdline
FROM process_envs pe
    JOIN processes p ON pe.pid = p.pid
GROUP BY p.pid
HAVING count == 0;
Query reorganization 2022-09-08 13:53:43 +00:00			`-- Inspired by BPFdoor`
			`-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/`
			`SELECT COUNT(*) AS count,`
			`p.pid,`
			`p.path,`
			`p.cmdline`
			`FROM process_envs pe`
			`JOIN processes p ON pe.pid = p.pid`
			`GROUP BY p.pid`
			`HAVING count == 0;`