osquery-defense-kit/process/empty_environ.sql

-- Inspired by BPFdoor
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
SELECT
  COUNT(*) AS count,
  p.pid,
  p.path,
  p.cmdline
FROM
  process_envs pe
  JOIN processes p ON pe.pid = p.pid
GROUP BY
  p.pid
HAVING
  count == 0;
Query reorganization 2022-09-08 13:53:43 +00:00			`-- Inspired by BPFdoor`
			`-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
			`COUNT(*) AS count,`
			`p.pid,`
			`p.path,`
			`p.cmdline`
			`FROM`
			`process_envs pe`
			`JOIN processes p ON pe.pid = p.pid`
			`GROUP BY`
			`p.pid`
			`HAVING`
			`count == 0;`