Python shell launched and caught:
osquery> select distinct(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port from processes join process_open_sockets using (pid) left outer join process_open_files on processes.pid = process_open_files.pid WHERE (name='Python' OR name='sh' OR name='bash') AND process_open_files.pid is null;
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| pid | parent | name | path | cmdline | cwd | root | uid | gid | start_time | remote_address | remote_port |
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| 926 | 33466 | Python | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | python | /Users/clong | | 501 | 20 | 378997 | 127.0.0.1 | 5555 |
| 927 | 926 | sh | /bin/sh | /bin/sh -i | /Users/clong | | 501 | 20 | 378998 | 127.0.0.1 | 5555 |
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
After Method 1 (python PTY) + Method 3 (Magic) TTY upgrade:
clong@host:~$ nc -lvk 5555
reset
clong@host:~$ export TERM=xterm
clong@host:~$ export SHELL=bash
clong@host:~$ stty rows 16 columns 237
clong@host:~$ tty
/dev/ttys006
osquery> select distinct(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port from processes join process_open_sockets using (pid) left outer join process_open_files on processes.pid = process_open_files.pid WHERE (name='Python' OR name='sh' OR name='bash') AND process_open_files.pid is null;
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| pid | parent | name | path | cmdline | cwd | root | uid | gid | start_time | remote_address | remote_port |
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| 926 | 33466 | Python | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | python | /Users/clong | | 501 | 20 | 378997 | 127.0.0.1 | 5555 |
| 927 | 926 | sh | /bin/sh | /bin/sh -i | /Users/clong | | 501 | 20 | 378998 | 127.0.0.1 | 5555 |
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
osquery> select * from process_open_files where pid=927;
osquery> select * from process_open_files where pid=926;