Using Capsule8's shell command data, it is possible to list every shell command executed by a user, including a user employing history evasion techniques (the sensor records the command regardless of what ends up in the shell's history file).
Required Tables
- alerts
- sensors
- shell_commands
- process_events
Input Fields
The username to audit should be placed where the <USERNAME> text is in the query.
Returned Fields
Field | Description
dt | Datetime of the alert
shell_commands.program_filename | The shell command program filename
shell_commands.program_arguments | The shell command program arguments
sensors.hostname | The sensor hostname the command was run on
process_events.username | The user that ran it
Query
SELECT FROM_UNIXTIME(alerts.unix_nano_timestamp/1e9) AS dt,
       shell_commands.program_filename,
       shell_commands.program_arguments,
       sensors.hostname,
       process_events.username
FROM alerts
LEFT JOIN sensors
       ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (SELECT process_c8id, username
           FROM process_events
           GROUP BY username, process_c8id) AS process_events
       ON alerts.process_c8id = process_events.process_c8id
LEFT OUTER JOIN shell_commands
       ON shell_commands.username = process_events.username
WHERE policy_type = 'InteractiveShell'
  AND process_events.username = '<USERNAME>'
ORDER BY alerts.unix_nano_timestamp, hostname, username DESC;
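The following is an added example, not part of the Capsule8 documentation: it runs the audit query above against an in-memory SQLite database with a constructed, minimal version of the four tables, and binds the username as a query parameter instead of pasting it over the <USERNAME> text, so a username pulled from a ticket or a web form cannot change what the query does. It assumes only the column names the query itself references; SQLite's datetime() stands in for MySQL's FROM_UNIXTIME().

```python
import sqlite3
# Assumed minimal schema covering only the columns the page's query touches
# (constructed for this example; the real Capsule8 tables carry more columns).
SCHEMA = """
CREATE TABLE sensors (sensor_id TEXT, hostname TEXT);
CREATE TABLE alerts (unix_nano_timestamp INTEGER, sensor_id TEXT,
                     process_c8id TEXT, policy_type TEXT);
CREATE TABLE process_events (process_c8id TEXT, username TEXT);
CREATE TABLE shell_commands (username TEXT, program_filename TEXT,
                             program_arguments TEXT);
"""

# Constructed sample rows: one InteractiveShell alert each for 'alice' and 'bob'.
SAMPLE_ROWS = {
    "sensors": [("s1", "web-01")],
    "alerts": [(1600000000_000000000, "s1", "p1", "InteractiveShell"),
               (1600000005_000000000, "s1", "p2", "InteractiveShell")],
    "process_events": [("p1", "alice"), ("p2", "bob")],
    "shell_commands": [("alice", "/bin/cat", "/etc/passwd"),
                       ("alice", "/usr/bin/curl", "http://example.invalid/x"),
                       ("bob", "/bin/ls", "-la")],
}

# The page's query with three portability changes: SQLite datetime() replaces
# FROM_UNIXTIME(), ORDER BY columns are table-qualified, and '<USERNAME>' is a
# bound parameter (?) so an untrusted username cannot rewrite the query.
QUERY = """
SELECT datetime(alerts.unix_nano_timestamp / 1000000000, 'unixepoch') AS dt,
       shell_commands.program_filename,
       shell_commands.program_arguments,
       sensors.hostname,
       process_events.username
FROM alerts
LEFT JOIN sensors ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (SELECT process_c8id, username FROM process_events
           GROUP BY username, process_c8id) AS process_events
       ON alerts.process_c8id = process_events.process_c8id
LEFT OUTER JOIN shell_commands ON shell_commands.username = process_events.username
WHERE alerts.policy_type = 'InteractiveShell'
  AND process_events.username = ?
ORDER BY alerts.unix_nano_timestamp, sensors.hostname, process_events.username DESC
"""

def audit_user(username):
    # Returns (dt, program_filename, program_arguments, hostname, username) rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():  # table names are ours, not user input
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn.execute(QUERY, (username,)).fetchall()
```

Note that, exactly as on the page, shell_commands is joined on username alone, so every shell command recorded for the user is paired with each of that user's InteractiveShell alerts; a per-process join would need a process identifier in shell_commands.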