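-- An alternate way to discover reverse shells, inspired by the osxattack pack
--
-- Heuristic: a shell/interpreter process that holds a connected outbound
-- socket but has no file-backed descriptors at all. A shell whose stdio has
-- been redirected onto a socket fits that shape; an ordinary interactive
-- shell normally does not.
-- NOTE(review): this relies on process_open_files listing the descriptors a
--   normal shell holds (e.g. its tty) — confirm on each platform the pack
--   targets, otherwise ordinary shells will also match.
-- NOTE(review): the name filter is an exact match, so 'python3', 'zsh', 'dash'
--   etc. are not covered, and a process name is not a trusted identity; treat
--   a hit as a triage lead and corroborate with path, cmdline and parent.
SELECT DISTINCT
    processes.pid,
    processes.parent,
    processes.name,
    processes.path,
    processes.cmdline,
    processes.cwd,
    processes.root,
    processes.uid,
    processes.gid,
    processes.start_time,
    sock.remote_address,
    sock.remote_port,
    -- NULL when the parent has already exited
    parent.cmdline AS parent_cmdline
FROM processes
INNER JOIN process_open_sockets AS sock
    ON sock.pid = processes.pid
-- anti-join: keep only processes with no open file-backed descriptors
LEFT JOIN process_open_files AS open_file
    ON open_file.pid = processes.pid
-- self-join on pid replaces the per-row correlated subquery for the parent's cmdline
LEFT JOIN processes AS parent
    ON parent.pid = processes.parent
WHERE processes.name IN ('sh', 'bash', 'perl', 'python')
    AND open_file.pid IS NULL
    -- remote_port > 0 drops listening / not-yet-connected sockets
    AND sock.remote_port > 0;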