-- An alternate way to discover reverse shells, inspired by the osxattack pack SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, ( SELECT cmdline FROM processes AS parent_cmdline WHERE pid = processes.parent ) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE name IN ('sh', 'bash', 'perl', 'python') AND process_open_files.pid IS NULL AND process_open_sockets.remote_port > 0;