-- Find ssh sessions that are hiding from 'w'/'who' -- -- false positives: -- * ssh-driven automation which disables the terminal, such as Znapzend -- -- references: -- * https://attack.mitre.org/techniques/T1021/004/ (Remote Services: SSH) -- * https://attack.mitre.org/techniques/T1564/ (Hide Artifacts) -- -- tags: transient process state -- platform: posix SELECT * FROM ( SELECT p.pid, p.name, p.cmdline AS cmd, p.start_time, p.cwd, cp.name AS child_name, cp.cmdline AS child_cmd, gcp.name AS grandchild_name, gcp.cmdline AS grandchild_cmd, GROUP_CONCAT(DISTINCT pof.path) AS open_files FROM processes p LEFT JOIN process_open_files pof ON p.pid = pof.pid LEFT JOIN processes cp ON p.pid = cp.parent LEFT JOIN processes gcp ON cp.pid = gcp.parent WHERE p.name = 'sshd' GROUP BY p.pid ) WHERE ( INSTR(cmd, '@notty') > 0 OR ( open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0 ) ) -- You must specifically check for NULL here, or risk inadvertently filtering everything out. AND ( grandchild_name IS NULL OR grandchild_name != 'zfs' ) AND child_name IS NOT NULL AND child_name NOT IN ('', 'zfs') AND child_cmd NOT LIKE '%osquery-defense-kit%make verify' AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify' AND grandchild_name NOT IN ('unison') AND cmd != 'sshd: docker@notty'