Find potential reverse shell or TTY abuse


This query searches for socat or scripting-language processes connected to TTYs while running as non-root users. There may be cases of sysadmins using socat for legitimate reasons, but this should be rare. An example of potential misuse of socat is shown by the POC exploit for CVE-2019-18634 here: Other examples of scripts connecting to ptys are shown here:

What The Data Shows: Rows that are returned could indicate reverse shells or other abuse.

| pid  | path            | cmdline                                               |
|------|-----------------|-------------------------------------------------------|
| 9558 | /usr/bin/perl   | perl -e use Socket;$i="";$p=1234;socket(S,PF          |
| 9525 | /usr/bin/python | python -c import pty; pty.spawn("/bin/bash")          |
| 9556 | /usr/bin/python | python -c import socket,subprocess,os;s=socket.socket |
| 4491 | socat           | ./socat pty,link=/tmp/pty,waitslave exec:perl         |


-- Join each process to the files it has open and keep only the
-- scripting/relay binaries that hold a pty or tty handle.
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
      on processes.pid = process_open_files.pid
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
and processes.name in ( 'socat', 'python', 'python2', 'python3',
                        'perl', 'php', 'ruby' );
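To show how the join above separates suspicious pty holders from ordinary ones, here is an added example that is not part of the original post or of Carbon Black's own tooling. It loads a few constructed rows into an in-memory SQLite database using a subset of the osquery `processes` and `process_open_files` columns (an assumption: real osquery has more columns), runs the same query, and optionally adds a `uid != 0` filter to match the "non-root users" intent of the post, which the query itself does not enforce.

```python
import sqlite3

# Constructed sample rows modelled on osquery's tables (assumption: column subset).
# Tuple layout: (pid, name, path, cmdline, parent, pgroup, uid)
PROCESSES = [
    (9558, "perl", "/usr/bin/perl",
     'perl -e use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,...)', 9500, 9558, 1000),
    (9525, "python", "/usr/bin/python",
     'python -c import pty; pty.spawn("/bin/bash")', 9500, 9525, 1000),
    (4491, "socat", "/tmp/socat",
     "./socat pty,link=/tmp/pty,waitslave exec:perl", 4400, 4491, 1000),
    # Interactive bash on a pty is normal and its name is not in the watch list.
    (2201, "bash", "/bin/bash", "-bash", 2200, 2201, 1000),
    # Root-owned python attached to a pty: matched by the raw query, dropped by the uid filter.
    (3310, "python3", "/usr/bin/python3", "python3 backup.py", 1, 3310, 0),
    # Non-root python with no tty open at all: never matched.
    (3320, "python3", "/usr/bin/python3", "python3 worker.py", 1, 3320, 1000),
]

# Tuple layout: (pid, fd, path)
OPEN_FILES = [
    (9558, 0, "/dev/pts/3"),
    (9525, 0, "/dev/ptmx"),
    (4491, 3, "/dev/ptmx"),
    (2201, 0, "/dev/pts/1"),
    (3310, 1, "/dev/pts/2"),
    (3320, 3, "/var/log/worker.log"),
]

# Same query as the post (with the column names filled in); uid filter appended on demand.
QUERY = """
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
      on processes.pid = process_open_files.pid
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
and processes.name in ( 'socat', 'python', 'python2', 'python3',
                        'perl', 'php', 'ruby' )
"""


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table processes (pid integer, name text, path text, cmdline text, "
        "parent integer, pgroup integer, uid integer)"
    )
    conn.execute("create table process_open_files (pid integer, fd integer, path text)")
    conn.executemany("insert into processes values (?,?,?,?,?,?,?)", PROCESSES)
    conn.executemany("insert into process_open_files values (?,?,?)", OPEN_FILES)
    return conn


def find_tty_abuse(conn, non_root_only=False):
    """Run the detection query; optionally restrict to non-root processes."""
    sql = QUERY + (" and processes.uid != 0" if non_root_only else "")
    return sorted(conn.execute(sql).fetchall())


def flagged_pids(non_root_only=False):
    """Convenience wrapper returning just the pids the query flags."""
    conn = build_db()
    try:
        return [row[0] for row in find_tty_abuse(conn, non_root_only)]
    finally:
        conn.close()


if __name__ == "__main__":
    for row in find_tty_abuse(build_db(), non_root_only=True):
        print(row)
```

With the sample data the raw query flags the perl, python and socat processes plus the root-owned python3 backup job; adding the uid filter removes the root job. The interactive bash session is never flagged, because `bash` is not in the name list, and the worker script is never flagged, because it has no tty-like path open.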


1 Comment
Carbon Black Employee
Status changed to: Approved

Keep 'em coming!