Reverse Shell Socket
osquery
Uncover reverse-shell processes
Description
ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
Query
-- Uncover reverse-shell processes
--
-- Looks for interpreter processes (sh, bash, perl, python) that hold a
-- connected remote socket but have no entries in process_open_files: a
-- reverse shell is wired to a socket rather than to a terminal or files.
--
-- refs:
--   * https://www.invicti.com/blog/web-security/understanding-reverse-shells/
--   * https://attack.mitre.org/techniques/T1059/ (Command & Scripting Interpreter)
--
-- false-positives:
--   * none known
--
-- tags: transient process state often
-- platform: posix
SELECT DISTINCT
  (p.pid),
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  p.cwd,
  p.root,
  p.uid,
  p.gid,
  p.start_time,
  pos.remote_address,
  pos.remote_port,
  pos.local_address,
  pos.local_port,
  pp.cmdline,
  pp.path
FROM
  -- drive from the socket table: a process with no open files still has a socket row
  process_open_sockets pos
  LEFT JOIN processes p ON pos.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  -- anti-join: rows whose pof.pid stays NULL have no open files
  LEFT OUTER JOIN process_open_files pof ON p.pid = pof.pid
WHERE
  p.name IN ('sh', 'bash', 'perl', 'python')
  AND pof.pid IS NULL
  AND pos.remote_port > 0
  -- exemption: bash spawned by a pacman package install
  AND NOT (
    p.path = '/usr/bin/bash'
    AND pp.cmdline LIKE 'pacman -S%'
  )
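To see the detection logic behave on data, here is an added example (not part of ODK) that runs the same WHERE clause in an in-memory SQLite database standing in for osquery; the three tables, their reduced column sets and every row are constructed, and the socket table is used as the driving table so that the open-files anti-join can match.

```python
import sqlite3

# Reduced copy of the page's query: only the columns needed to show the verdict.
# Assumes (as on the page) that a process with no open files only appears via its socket.
QUERY = """
SELECT DISTINCT p.pid, p.name, pos.remote_address, pos.remote_port
FROM process_open_sockets pos
  LEFT JOIN processes p ON pos.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT OUTER JOIN process_open_files pof ON p.pid = pof.pid
WHERE p.name IN ('sh', 'bash', 'perl', 'python')
  AND pof.pid IS NULL
  AND pos.remote_port > 0
  AND NOT (p.path = '/usr/bin/bash' AND pp.cmdline LIKE 'pacman -S%')
"""

def build_db():
    """Constructed stand-ins for osquery's processes, process_open_sockets
    and process_open_files tables (subset of the real schemas)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT, path TEXT, cmdline TEXT);
      CREATE TABLE process_open_sockets (pid INTEGER, remote_address TEXT, remote_port INTEGER);
      CREATE TABLE process_open_files (pid INTEGER, path TEXT);
    """)
    db.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", [
        (1, 0, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
        (100, 1, "sshd", "/usr/sbin/sshd", "sshd: user"),
        (101, 100, "bash", "/usr/bin/bash", "-bash"),          # has a socket AND open files
        (200, 1, "pacman", "/usr/bin/pacman", "pacman -S vim"),
        (201, 200, "bash", "/usr/bin/bash", "bash /tmp/hook"),  # socket, no files, but pacman child
        (300, 1, "bash", "/usr/bin/bash", "bash -i"),           # socket, no files, no exemption
    ])
    db.executemany("INSERT INTO process_open_sockets VALUES (?,?,?)", [
        (101, "203.0.113.5", 52210),   # constructed addresses (RFC 5737 ranges)
        (201, "198.51.100.7", 443),
        (300, "192.0.2.10", 4444),
    ])
    db.executemany("INSERT INTO process_open_files VALUES (?,?)", [
        (101, "/home/user/.bash_history"),  # open file: excludes pid 101 via the anti-join
    ])
    return db

def suspicious_shells(db):
    """Return (pid, name, remote_address, remote_port) for each row the detection fires on."""
    return [tuple(row) for row in db.execute(QUERY)]

if __name__ == "__main__":
    print(suspicious_shells(build_db()))  # only pid 300 should remain
```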