Find potential reverse shell or TTY abuse

Description:

This query searches for socat or scripting-language interpreters connected to TTYs as non-root users. There may be cases of sysadmins using socat for legitimate reasons, but this should be rare. An example of potential misuse of socat is shown by the PoC exploit for CVE-2019-18634 here: https://github.com/Plazmaz/CVE-2019-18634. Other examples of scripts connecting to PTYs are shown here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

What The Data Shows: Rows returned could indicate reverse shells or other TTY abuse.

| pid  | path            | cmdline |
|------|-----------------|---------|
| 9558 | /usr/bin/perl   | perl -e use Socket;$i="10.0.0.1";$p=1234;socket(S,PF |
| 9525 | /usr/bin/python | python -c import pty; pty.spawn("/bin/bash") |
| 9556 | /usr/bin/python | python -c import socket,subprocess,os;s=socket.socket |
| 4491 | socat           | ./socat pty,link=/tmp/pty,waitslave exec:perl xpl.pl |

SQL:

-- Processes that currently hold a pseudo-terminal or the controlling tty open
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
      on process_open_files.pid = processes.pid
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
-- ... restricted to socat and the scripting interpreters commonly used for shells
and processes.name in ( 'socat', 'python', 'python2', 'python3',
                        'perl', 'php', 'ruby' );
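As an added example (not from the original post or from Carbon Black), the query above is run against constructed sample rows in an in-memory SQLite database, so the join, the `/dev/pts/%` prefix match and the `distinct` behaviour can be checked offline before the query is pushed to Live Query. The `non_root_only` switch is an assumed extension: it appends the uid filter the description implies but the page's query does not contain.

```python
import sqlite3

# Constructed sample rows shaped like osquery's processes and
# process_open_files tables (only the columns the query touches).
PROCESSES = [  # pid, name, path, cmdline, parent, pgroup, uid
    (9525, "python", "/usr/bin/python",
     'python -c import pty; pty.spawn("/bin/bash")', 9500, 9525, 1000),
    (4491, "socat", "/usr/bin/socat",
     "./socat pty,link=/tmp/pty,waitslave exec:perl xpl.pl", 4400, 4491, 1000),
    (2201, "sshd", "/usr/sbin/sshd", "sshd: alice [priv]", 1, 2201, 0),
    (3310, "python3", "/usr/bin/python3", "python3 backup.py", 1, 3310, 1000),
    (777, "perl", "/usr/bin/perl", "perl /root/maint.pl", 1, 777, 0),
]
OPEN_FILES = [  # pid, fd, path
    (9525, 0, "/dev/pts/3"),
    (9525, 1, "/dev/pts/3"),  # second fd on the same pty: DISTINCT collapses it
    (4491, 3, "/dev/ptmx"),
    (2201, 5, "/dev/ptmx"),  # holds ptmx, but sshd is not in the name list
    (3310, 3, "/var/log/backup.log"),  # interpreter with no tty open
    (777, 0, "/dev/tty"),  # root-owned perl on the controlling tty
]

QUERY = """
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
      on process_open_files.pid = processes.pid
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
and processes.name in ( 'socat', 'python', 'python2', 'python3',
                        'perl', 'php', 'ruby' )
"""

def run_query(non_root_only=False):
    """Load the sample rows into an in-memory SQLite database, run the
    Live Query SQL and return the matching pids, sorted.
    non_root_only is an assumed extension: it appends the uid filter the
    description implies but the page's query does not contain."""
    con = sqlite3.connect(":memory:")
    con.execute("create table processes (pid integer, name text, path text, "
                "cmdline text, parent integer, pgroup integer, uid integer)")
    con.execute("create table process_open_files (pid integer, fd integer, path text)")
    con.executemany("insert into processes values (?,?,?,?,?,?,?)", PROCESSES)
    con.executemany("insert into process_open_files values (?,?,?)", OPEN_FILES)
    sql = QUERY + (" and processes.uid != 0" if non_root_only else "")
    rows = con.execute(sql).fetchall()
    con.close()
    return sorted(row[0] for row in rows)  # -> [777, 4491, 9525] by default
```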


6 Comments
jnelson
Carbon Black Employee
Status changed to: Approved

Keep 'em coming!

chaneldbernal
New Contributor

Is this query annotated in the watchlist under query box? I keep running into errors and wondering if it is because I am leaving any sql terms out.

jnelson
Carbon Black Employee

@chaneldbernal not sure exactly what you mean by "the watchlist under query box". Can you please clarify?

chaneldbernal
New Contributor

Where would I input this query, and am I able to create a watchlist to trigger an alert when this query detects the reverse shell? I am testing CB in a Defensive Cyber Operations class in two weeks with an emulated threat of Empire PS by a Red team and would like the students to use Carbon Black to detect any rev-shells.

jnelson
Carbon Black Employee
Status changed to: Under Review

@chaneldbernal OK. That makes sense. It sounds to me like you are using Carbon Black Response, which leverages Watchlists, for your class. This query, and all the queries in the Query Exchange, are not Watchlists and are for Carbon Black Live Query.

Unfortunately, there isn't always a direct correlation between a Carbon Black Live Query query and a Watchlist. I would suggest taking a look at the TAU-TINs in the Threat Research section of the User Exchange: https://community.carbonblack.com/t5/Threat-Research/ct-p/threat-research. This should give you some ideas for Watchlists to use in your class.


jnelson
Carbon Black Employee
Status changed to: Approved