Built off the open source project Osquery
Description:
This query searches for socat or scripting-language processes that have a TTY open while running as non-root users. There may be cases of sysadmins using socat for legitimate reasons, but this should be rare. An example of potential misuse of socat is shown by the PoC exploit for CVE-2019-18634 here: https://github.com/Plazmaz/CVE-2019-18634. Other examples of scripts connecting to PTYs are shown here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
What The Data Shows: Rows that are returned could indicate reverse shells or other abuse of a terminal by an interpreter or socat.
| pid | path | cmdline |
|---|---|---|
| 9558 | /usr/bin/perl | perl -e use Socket;$i="10.0.0.1";$p=1234;socket(S,PF |
| 9525 | /usr/bin/python | python -c import pty; pty.spawn("/bin/bash") |
| 9556 | /usr/bin/python | python -c import socket,subprocess,os;s=socket.socket |
| 4491 | socat | ./socat pty,link=/tmp/pty,waitslave exec:perl xpl.pl |
SQL:
```sql
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
  on process_open_files.pid = processes.pid
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
  and processes.name in ( 'socat', 'python', 'python2', 'python3',
                          'perl', 'php', 'ruby' );
```
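The query above returns `processes.uid` but does not itself exclude root, so the "non-root" filter from the description has to be applied by the consumer. The following is an added example, not the original query, that builds that filter in and adds the owning username and the parent process for triage; it assumes only the standard osquery `processes`, `process_open_files` and `users` tables.

```sql
-- Added example: the page's TTY/interpreter query, tightened to non-root
-- processes and enriched with the user name and parent process so an analyst
-- can tell an admin's interactive session from a spawned shell at a glance.
SELECT DISTINCT
  p.pid,
  p.path,
  p.cmdline,
  p.uid,
  u.username,            -- resolved from the users table (NULL if unknown)
  p.parent    AS parent_pid,
  pp.name     AS parent_name,    -- e.g. a web server or cron child is suspicious
  pp.cmdline  AS parent_cmdline,
  pof.path    AS tty_path        -- which terminal device is open
FROM processes AS p
JOIN process_open_files AS pof
  ON pof.pid = p.pid
LEFT JOIN users AS u
  ON u.uid = p.uid
LEFT JOIN processes AS pp
  ON pp.pid = p.parent
WHERE (pof.path IN ('/dev/ptmx', '/dev/tty')
       OR pof.path LIKE '/dev/pts/%')
  AND p.name IN ('socat', 'python', 'python2', 'python3',
                 'perl', 'php', 'ruby')
  -- the description's "non-root" condition, made explicit here
  AND p.uid != 0;
```

Any interpreter started from an interactive terminal also holds a `/dev/pts/N` descriptor, so the parent columns are what separate a user typing `python` at a shell prompt from an interpreter spawned by a service that should never own a TTY.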
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.