Ssh Notty

osquery
Find ssh sessions that are hiding from ‘w’/‘who’
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that its queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal, expected behavior, so that they can be configured to generate alerts whenever rows are returned.

This query targets SSH sessions established without a pseudo-terminal, such as 'ssh host command', 'ssh -T', or an 'ssh -N' port forward. sshd only writes a utmp login record when it allocates a pty, so such sessions never show up in 'w' or 'who', but sshd still marks them by setting the session process title to 'sshd: user@notty'. The query flags sshd processes whose title carries '@notty', or that have open files other than /dev/null without holding the pty master /dev/ptmx, and then allowlists known tty-less automation (zfs replication, unison, the kit's own 'make verify'). Note that OpenSSH 9.8 and later run each connection in a separate 'sshd-session' binary, so on those hosts the p.name = 'sshd' filter needs to match 'sshd-session' as well or the per-connection processes are never examined.

Query

-- Find ssh sessions that are hiding from 'w'/'who'
--
-- false positives:
--   * ssh-driven automation which disables the terminal, such as Znapzend
--
-- references:
--   * https://attack.mitre.org/techniques/T1021/004/ (Remote Services: SSH)
--   * https://attack.mitre.org/techniques/T1564/ (Hide Artifacts)
--
-- tags: transient process state
-- platform: posix
SELECT
  *
FROM
  (
    SELECT
      p.pid,
      p.name,
      p.cmdline AS cmd,
      p.start_time,
      p.cwd,
      cp.name AS child_name,
      cp.cmdline AS child_cmd,
      gcp.name AS grandchild_name,
      gcp.cmdline AS grandchild_cmd,
      GROUP_CONCAT(DISTINCT pof.path) AS open_files
    FROM
      processes p
      LEFT JOIN process_open_files pof ON p.pid = pof.pid
      LEFT JOIN processes cp ON p.pid = cp.parent
      LEFT JOIN processes gcp ON cp.pid = gcp.parent
    WHERE
      p.name = 'sshd'
    -- Note: GROUP BY collapses an sshd process with several children to a single
    -- arbitrary child/grandchild row, so an allowlisted child (e.g. zfs) can mask
    -- a sibling process started under the same session.
    GROUP BY
      p.pid
  )
WHERE
  (
    INSTR(cmd, '@notty') > 0
    OR (
      open_files != '/dev/null'
      AND INSTR(open_files, '/dev/ptmx') = 0
    )
  )
  -- You must specifically check for NULL here, or risk inadvertently filtering everything out:
  -- a session whose child has spawned nothing has NULL grandchild columns, and
  -- NULL != 'zfs', NULL NOT LIKE ... and NULL NOT IN (...) all evaluate to NULL,
  -- which WHERE treats as false.
  AND (
    grandchild_name IS NULL
    OR grandchild_name != 'zfs'
  )
  AND child_name IS NOT NULL
  AND child_name NOT IN ('', 'zfs')
  AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
  -- The same NULL rule applies to the remaining grandchild filters: COALESCE so
  -- that a missing grandchild never counts as an allowlist match.
  AND COALESCE(grandchild_cmd, '') NOT LIKE '%osquery-defense-kit%make verify'
  AND COALESCE(grandchild_name, '') NOT IN ('unison')
  AND cmd != 'sshd: docker@notty'
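To see what the query above actually fires on, here is an added example that is not part of osquery-defense-kit: it loads a constructed process snapshot into SQLite (osquery's SQL dialect is SQLite, so INSTR, GROUP_CONCAT and LIKE behave the same) and runs the detection against it. The snapshot, the PIDs and the process titles are all made up for illustration; the tables model only the columns the query touches. The trailing grandchild predicates are run in two forms, once without a NULL guard and once with COALESCE, to show how a no-tty session whose child spawned nothing is silently dropped by the unguarded form.

```python
"""Run the ssh-notty detection logic against a constructed process snapshot.

Added example, not part of osquery-defense-kit. osquery's SQL dialect is
SQLite, so the query runs unchanged against in-memory tables that mimic
the 'processes' and 'process_open_files' schemas (only the columns the
query touches are modelled).
"""
import sqlite3

# Constructed snapshot: (pid, parent, name, cmdline, start_time, cwd).
# Process titles follow the "sshd: user@tty" convention that sshd sets.
PROCESSES = [
    (1, 0, "systemd", "/sbin/init", 100, "/"),
    (800, 1, "sshd", "sshd: /usr/sbin/sshd -D [listener]", 110, "/"),
    # Interactive login: the session process holds the pty master.
    (900, 800, "sshd", "sshd: alice [priv]", 200, "/"),
    (901, 900, "sshd", "sshd: alice@pts/0", 201, "/"),
    (902, 901, "bash", "-bash", 202, "/home/alice"),
    # Remote command with no tty: invisible to w/who.
    (950, 800, "sshd", "sshd: bob [priv]", 300, "/"),
    (951, 950, "sshd", "sshd: bob@notty", 301, "/"),
    (952, 951, "sh", "sh -c 'nc -l 4444'", 302, "/home/bob"),
    (953, 952, "nc", "nc -l 4444", 303, "/home/bob"),
    # Znapzend-style zfs replication: allowlisted by the child_name filter.
    (960, 800, "sshd", "sshd: backup@notty", 400, "/"),
    (961, 960, "zfs", "zfs receive tank/backup", 401, "/"),
    # No-tty session whose child spawned nothing: grandchild columns are NULL.
    (970, 800, "sshd", "sshd: carol@notty", 500, "/"),
    (971, 970, "sleep", "sleep 600", 501, "/home/carol"),
]

# (pid, fd, path): sshd processes inherit /dev/null; pty sessions open /dev/ptmx.
OPEN_FILES = [
    (800, 0, "/dev/null"), (900, 0, "/dev/null"), (901, 0, "/dev/null"),
    (901, 5, "/dev/ptmx"), (950, 0, "/dev/null"), (951, 0, "/dev/null"),
    (960, 0, "/dev/null"), (970, 0, "/dev/null"),
]

GRANDCHILD_FILTER = {
    # Without a NULL guard, NULL NOT LIKE / NULL NOT IN evaluate to NULL,
    # which WHERE treats as false, so sessions with no grandchild are dropped.
    "unguarded": """
      AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
      AND grandchild_name NOT IN ('unison')""",
    # NULL-safe form: a missing grandchild is never an allowlist match.
    "guarded": """
      AND COALESCE(grandchild_cmd, '') NOT LIKE '%osquery-defense-kit%make verify'
      AND COALESCE(grandchild_name, '') NOT IN ('unison')""",
}


def detection_query(grandchild_filter):
    """The ssh-notty query with the trailing grandchild predicates swapped in."""
    return f"""
SELECT * FROM (
  SELECT p.pid, p.name, p.cmdline AS cmd, p.start_time, p.cwd,
         cp.name AS child_name, cp.cmdline AS child_cmd,
         gcp.name AS grandchild_name, gcp.cmdline AS grandchild_cmd,
         GROUP_CONCAT(DISTINCT pof.path) AS open_files
  FROM processes p
  LEFT JOIN process_open_files pof ON p.pid = pof.pid
  LEFT JOIN processes cp ON p.pid = cp.parent
  LEFT JOIN processes gcp ON cp.pid = gcp.parent
  WHERE p.name = 'sshd'
  GROUP BY p.pid
)
WHERE (INSTR(cmd, '@notty') > 0
       OR (open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0))
  AND (grandchild_name IS NULL OR grandchild_name != 'zfs')
  AND child_name IS NOT NULL
  AND child_name NOT IN ('', 'zfs')
  AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
  {grandchild_filter}
  AND cmd != 'sshd: docker@notty'
"""


def load_snapshot():
    """Build the in-memory osquery-shaped tables from the constructed data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT,
                              cmdline TEXT, start_time INTEGER, cwd TEXT);
      CREATE TABLE process_open_files (pid INTEGER, fd INTEGER, path TEXT);
    """)
    db.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO process_open_files VALUES (?,?,?)", OPEN_FILES)
    return db


def flagged_sessions(variant="guarded"):
    """Return the titles of sshd processes the detection would alert on."""
    db = load_snapshot()
    rows = db.execute(detection_query(GRANDCHILD_FILTER[variant])).fetchall()
    return sorted(row[2] for row in rows)  # column 2 is cmd


if __name__ == "__main__":
    for variant in ("unguarded", "guarded"):
        print(variant, flagged_sessions(variant))
```

The listener, the [priv] monitors and the pty-backed alice session all drop out: they hold only /dev/null, or hold /dev/ptmx, and carry no '@notty'. The backup session is excluded because its child is zfs. bob's no-tty shell is flagged in both variants, while carol's session, whose only child is a leaf process, is flagged only once the grandchild predicates are NULL-safe.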


Reference

https://github.com/chainguard-dev/osquery-defense-kit