mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-16 17:37:06 +00:00
34 lines
1.1 KiB
SQL
34 lines
1.1 KiB
SQL
-- Find ssh sessions that are hiding from 'w'/'who'
|
|
--
|
|
-- false positives:
|
|
-- * ssh-driven automation which disables the terminal, such as Znapzend
|
|
--
|
|
-- tags: transient process state
|
|
-- platform: posix
|
|
SELECT *
|
|
FROM (
|
|
SELECT p.pid,
|
|
p.name,
|
|
p.cmdline AS cmd,
|
|
cp.name AS child_name,
|
|
cp.cmdline AS child_cmd,
|
|
gcp.name AS grandchild_name,
|
|
gcp.cmdline AS grandchild_cmd,
|
|
GROUP_CONCAT(DISTINCT pof.path) AS open_files
|
|
FROM processes p
|
|
LEFT JOIN process_open_files pof ON p.pid = pof.pid
|
|
LEFT JOIN processes cp ON p.pid = cp.parent
|
|
LEFT JOIN processes gcp ON cp.pid = gcp.parent
|
|
WHERE p.name = 'sshd'
|
|
GROUP BY p.pid
|
|
)
|
|
WHERE (
|
|
INSTR(cmd, '@notty') > 0
|
|
OR (
|
|
open_files != '/dev/null'
|
|
AND INSTR(open_files, '/dev/ptmx') = 0
|
|
)
|
|
)
|
|
-- Filter out zfs snapshot reception (false positive)
|
|
AND child_name != 'zfs'
|
|
-- I wanted to filter out grandchild_name as well, but for some reason that filtered everything out (joins?) |