T1542.003
Required Tables
Returned Fields
| timestamp |
date timestamp as a string |
| file_events.path |
path of the file event |
| process_events.path |
process event's path |
| process_events.username |
username of who created the process event |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
file_events.path,
process_events.path,
process_events.username
FROM file_events
LEFT JOIN (
SELECT
path,
username,
process_c8id
FROM process_events
GROUP BY path, username, process_c8id
) AS process_events
ON process_events.process_c8id = file_events.process_c8id
WHERE file_events.event_type != 4
AND process_events.path NOT IN (
'/usr/bin/dpkg',
'/usr/bin/yum',
'/usr/sbin/grub-mkconfig',
'/usr/sbin/mkinitramfs',
'/etc/init.d/grub-common'
)
AND file_events.path LIKE '/boot/%'
ORDER BY file_events.unix_nano_timestamp DESC
Comments
0 comments
Please sign in to leave a comment.