osquery-defense-kit/detection/execution/reverse-shell-socket.sql

31 lines
684 B
SQL

-- An alternate way to discover reverse shells, inspired by the osxattack pack
SELECT DISTINCT
(p.pid),
p.parent,
p.name,
p.path,
p.cmdline,
p.cwd,
p.root,
p.uid,
p.gid,
p.start_time,
pos.remote_address,
pos.remote_port,
pp.cmdline,
pp.path
FROM
process_open_files pof
JOIN process_open_sockets pos USING (pid)
LEFT JOIN processes p ON pof.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid
WHERE
p.name IN ('sh', 'bash', 'perl', 'python')
AND pof.pid IS NULL
AND pos.remote_port > 0
AND NOT (
p.path = '/usr/bin/bash'
AND pp.cmdline LIKE 'pacman -S%'
)