RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-17 03:24:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
e09e410407
osquery-defense-kit/detection/evasion/empty_environ.sql
Thomas Stromberg d2bdffe89e
Add support for interval tags
2022-10-14 14:19:13 -04:00

19 lines
371 B
SQL
Raw Blame History

-- Find programs which have cleared their environment
--
-- references:
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- tags: persistent state daemon process
SELECT
COUNT(*) AS count,
p.pid,
p.path,
p.cmdline
FROM
process_envs pe
JOIN processes p ON pe.pid = p.pid
GROUP BY
p.pid
HAVING
count == 0;
Reference in New Issue View Git Blame Copy Permalink