osquery-defense-kit/process/reverse-shell-socket.sql

-- An alternate way to discover reverse shells, inspired by the osxattack pack
SELECT DISTINCT
  (p.pid),
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  p.cwd,
  p.root,
  p.uid,
  p.gid,
  p.start_time,
  pos.remote_address,
  pos.remote_port,
  pp.cmdline,
  pp.path
  FROM process_open_files pof
  JOIN process_open_sockets pos USING (pid)
  LEFT JOIN processes p ON pof.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid
WHERE
  p.name IN ('sh', 'bash', 'perl', 'python')
  AND pof.pid IS NULL
  AND pos.remote_port > 0
  AND NOT (p.path="/usr/bin/bash" AND pp.cmdline LIKE "pacman -S%")
More tuning 2022-09-14 14:51:56 +00:00			`-- An alternate way to discover reverse shells, inspired by the osxattack pack`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT DISTINCT`
Remove more false positives, add more detail to sensitive file access 2022-10-05 20:15:40 +00:00			`(p.pid),`
			`p.parent,`
			`p.name,`
			`p.path,`
			`p.cmdline,`
			`p.cwd,`
			`p.root,`
			`p.uid,`
			`p.gid,`
			`p.start_time,`
			`pos.remote_address,`
			`pos.remote_port,`
			`pp.cmdline,`
			`pp.path`
			`FROM process_open_files pof`
			`JOIN process_open_sockets pos USING (pid)`
			`LEFT JOIN processes p ON pof.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`WHERE`
Remove more false positives, add more detail to sensitive file access 2022-10-05 20:15:40 +00:00			`p.name IN ('sh', 'bash', 'perl', 'python')`
			`AND pof.pid IS NULL`
			`AND pos.remote_port > 0`
			`AND NOT (p.path="/usr/bin/bash" AND pp.cmdline LIKE "pacman -S%")`