Required Tables
- process_events
Returned Fields
username | name of the user who created the process event |
path | path of the process event |
Query
-- Detection: process events whose executable file name equals one of a
-- fixed list of packet-capture / traffic-sniffing tool names.
-- Rows are sorted ascending by unix_nano_timestamp (presumably the event
-- time in nanoseconds; confirm against the process_events schema).
--
-- NOTE(review): the match is on file name only, with exact string equality.
--   * A renamed or copied binary will not match, and neither will a name
--     that differs only in letter case.
--   * Short entries such as 'net', 'ssl', 'wifi', 'pth', 'creds', 'ofp',
--     'eigrp' and 'hungry' match only a file with exactly that name. They
--     look like shortened forms of longer tool names, so check them against
--     the intended tool list. A generic name like 'net' may also coincide
--     with an unrelated utility and produce false positives.
--   * The result has no timestamp or command-line column, so triage needs
--     a follow-up lookup on the matching events.
SELECT
    pe.username,
    pe.path
FROM process_events AS pe
WHERE
    -- Final path component: reverse the path, keep the text before the
    -- first '/', then reverse that piece back.
    reverse(split_part(reverse(pe.path), '/', 1)) IN (
        'tcpdump', 'tshark', 'bettercap',
        'bittwist', 'capfuzz', 'cdpsnarf',
        'cottontail', 'creds', 'darkstat',
        'dsniff', 'eigrp', 'ettercap',
        'firstorder', 'hexinject', 'httpry',
        'httpsniff', 'hubbit', 'hungry',
        'issniff', 'junkie', 'katsnoop',
        'mfsniffer', 'mitmproxy', 'mitmer',
        'mots', 'net', 'netsniff',
        'nsntrace', 'ofp', 'ostinato',
        'passivedns', 'pcapteller', 'pth',
        'pytacle', 'sipffer', 'snapception',
        'sniffglue', 'ssl', 'ssldump',
        'sslsniff', 'stenographer', 'tcpick',
        'wifi', 'wireshark', 'xcavator'
    )
ORDER BY pe.unix_nano_timestamp