T1057
Required Tables
Returned Fields
| unix_nano_timestamp |
time in unix nano timestamp format |
| path |
process event path |
| args |
list of process event arguments |
| parent_process_c8id |
unique UUID assign to parent process by Capsule8 |
Query
WITH pe as (
SELECT process_events.unix_nano_timestamp,
process_events.path,
ARRAY_JOIN(process_events.arguments, ' ') as args,
process_events.parent_process_c8id
FROM process_events
)
SELECT pe.* FROM pe WHERE (
(pe.path LIKE '%/cat'OR
pe.path LIKE '%/ls' OR
pe.path LIKE '%/more' OR
pe.path LIKE '%/head' OR
pe.path LIKE '%/tail') AND (
args LIKE '/proc/%' OR args LIKE '% /proc/%')
) AND NOT EXISTS (
SELECT process_events.path
FROM process_events
WHERE process_events.path IN (
'/usr/bin/dnf',
'/usr/bin/dpkg',
'/usr/bin/snap',
'/usr/bin/yum',
'/sbin/service')
AND pe.parent_process_c8id = process_events.process_c8id
)
ORDER BY pe.unix_nano_timestamp DESC
Comments
0 comments
Please sign in to leave a comment.