Find potential reverse shell or TTY abuse

Description:

This query searches for socat or scripting connections to TTYs as non-root users. There may be cases of sysadmins using socat for legitimate reasons, but this should be rare. An example of potential misuse of socat is shown by the POC exploit for CVE-2019-18634 here: https://github.com/Plazmaz/CVE-2019-18634. Other examples of scripts connecting to ptys are shown here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

What The Data Shows: Rows that return could indicate reverse shells or other abuse.

| pid  | path            | cmdline |
|------|-----------------|---------|
| 9558 | /usr/bin/perl   | perl -e use Socket;$i="10.0.0.1";$p=1234;socket(S,PF |
| 9525 | /usr/bin/python | python -c import pty; pty.spawn("/bin/bash") |
| 9556 | /usr/bin/python | python -c import socket,subprocess,os;s=socket.socket |
| 4491 | socat           | ./socat pty,link=/tmp/pty,waitslave exec:perl xpl.pl |

SQL:

-- Processes that currently hold a pseudo-terminal (or the pty multiplexer) open.
-- uid is returned rather than filtered so root and non-root hits can be separated in triage.
select distinct processes.pid, processes.path, processes.cmdline,
                processes.parent, processes.pgroup, processes.uid
from processes
inner join process_open_files
      on process_open_files.pid = processes.pid
-- /dev/ptmx is opened when a new pty is allocated; /dev/pts/N is the slave side of that pty
where ( process_open_files.path in ('/dev/ptmx', '/dev/tty')
        or process_open_files.path like '/dev/pts/%' )
-- limit to socat and the scripting interpreters typically used to spawn a TTY from a one-liner
and processes.name in ( 'socat', 'python', 'python2', 'python3',
                        'perl', 'php', 'ruby' );
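The query above only tells you which interpreters hold a TTY; the description notes that legitimate admin use exists, so the rows still need triage. As an added example (not part of the original post or of osquery), the following script scores result rows by the indicators visible in their cmdlines and labels root-owned hits separately, since the description targets non-root users. The indicator regexes, the verdict thresholds and the sample rows are this example's own constructions.

```python
import re

# Heuristic indicators for TTY/reverse-shell abuse in a cmdline (this example's own, not the query's).
INDICATORS = {
    # interpreter given code on the command line instead of a script file
    "inline_code": re.compile(r"\b(?:perl\s+-e|python[23]?\s+-c|php\s+-r|ruby\s+-e)\b"),
    # a pseudo-terminal is spawned or attached (pty module, socat pty address, raw device)
    "pty_spawn": re.compile(r"pty\.spawn\(|\bpty,|/dev/ptmx|/dev/pts/"),
    # the same one-liner also opens a network socket
    "socket_use": re.compile(r"\bsocket\s*[(.]|IO::Socket|TCPSocket|fsockopen\("),
    # socat relaying a TTY into an executed program
    "socat_exec": re.compile(r"\bsocat\b.*\b(?:exec|system):", re.IGNORECASE),
}

def triage(row):
    """Classify one query result row (dict with pid, path, cmdline, uid).

    Returns (verdict, list_of_matched_indicator_names)."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(row["cmdline"])]
    if len(matched) >= 2:
        verdict = "likely_reverse_shell"
    elif matched:
        verdict = "suspicious"
    else:
        verdict = "review"  # interpreter holding a TTY but no inline-code indicator
    # The query returns uid unfiltered; root hits are kept but labelled for separate handling.
    if int(row["uid"]) == 0:
        verdict += "_as_root"
    return verdict, matched

def triage_rows(rows):
    """Triage every row, returning (pid, verdict, indicators) tuples."""
    return [(r["pid"], *triage(r)) for r in rows]

# Constructed sample rows modelled on the page's example output (not real telemetry).
SAMPLE_ROWS = [
    {"pid": 9525, "path": "/usr/bin/python", "uid": 1000,
     "cmdline": 'python -c import pty; pty.spawn("/bin/bash")'},
    {"pid": 9558, "path": "/usr/bin/perl", "uid": 1000,
     "cmdline": "perl -e use Socket;socket(S,PF_INET,SOCK_STREAM,0);"},
    {"pid": 4491, "path": "/home/user/socat", "uid": 1000,
     "cmdline": "./socat pty,link=/tmp/pty,waitslave exec:perl xpl.pl"},
    {"pid": 7120, "path": "/usr/bin/python3", "uid": 0,
     "cmdline": "python3 /opt/admin/console.py"},  # admin script that owns a pty
]

if __name__ == "__main__":
    for pid, verdict, hits in triage_rows(SAMPLE_ROWS):
        print(pid, verdict, hits)
```

Feed it the real osquery output (for example, `osqueryi --json` rows) instead of SAMPLE_ROWS; rows ending in `review` are the ones a sysadmin can usually explain, the rest warrant a look at parent and pgroup.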


1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

Keep 'em coming!