Required Tables
- process_events
- file_events
Returned Fields
timestamp | date timestamp as a string |
path | the file event's path |
process_path | the process event's path |
username | username of the account that created the process event |
Query
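-- Surfaces writes to the local account and group databases that were NOT made
-- by the standard account-management utilities. Output columns are named to
-- match the "Returned Fields" table documented above this query.
SELECT
    -- unix_nano_timestamp can only resolve to file_events here (the joined
    -- subquery exposes no such column), so qualify it explicitly.
    FROM_UNIXTIME(file_events.unix_nano_timestamp / 1e9) AS timestamp,
    file_events.path,
    process_events.path AS process_path,
    process_events.username
FROM file_events
-- Collapse process_events to one row per (process_c8id, path, username) so a
-- process that produced several process_events rows does not multiply the
-- matched file events.
LEFT JOIN (
    SELECT
        process_c8id,
        path,
        username
    FROM process_events
    GROUP BY process_c8id, path, username
) AS process_events
    ON file_events.process_c8id = process_events.process_c8id
WHERE
    file_events.path IN (
        '/etc/group',
        '/etc/gshadow',
        '/etc/passwd',
        '/etc/security/opasswd',
        '/etc/shadow'
    )
    AND (
        -- A file event with no matching process row leaves process_events.path
        -- NULL. NOT (NULL LIKE ...) evaluates to UNKNOWN, which WHERE treats as
        -- false, so without this guard exactly the unattributed writes this
        -- query should surface would be silently dropped.
        process_events.path IS NULL
        OR NOT (
            -- Allow-list of the standard account-management tools. The leading
            -- '%' matches any path that ends in the tool name regardless of the
            -- directory it lives in; tighten to full paths where the fleet's
            -- install locations are known.
            process_events.path LIKE '%usermod'
            OR process_events.path LIKE '%userdel'
            OR process_events.path LIKE '%chfn'
            OR process_events.path LIKE '%groupadd'
            OR process_events.path LIKE '%groupdel'
            OR process_events.path LIKE '%groupmod'
            OR process_events.path LIKE '%passwd'
        )
    )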