Skip to main content

T1018 Remote System Discovery Policy

  • Updated

T1018

 

Required Tables

  • process_events

Returned Fields

timestamp date timestamp as a string
path process event's path
process_c8id unique UUID generated by Capsule8 to assign to a process
username username of who created the process event

 

Query

SELECT
	FROM_UNIXTIME(unix_nano_timestamp/1e9),
	path,
	process_c8id,
	username
FROM process_events
WHERE (
	path LIKE '%ping'
	OR path LIKE '%nmap'
	OR path LIKE '%zmap'
	OR path LIKE '%ipscan'
	OR path LIKE '%unicornscan'
	OR path LIKE '%netcat'
	OR path LIKE '%nc'
	OR path LIKE '%ncat'
	OR path LIKE '%fierce'
	OR path LIKE 'openvas%'
	OR path LIKE '%nikto'
	OR path LIKE '%wpscan'
	OR path LIKE '%cmsmap'
	OR path LIKE '%fluxion'
	OR path LIKE '%kismet'
	OR path LIKE '%tshark'
	OR path LIKE '%scapy'
	OR path LIKE '%netstat'
	OR path LIKE '%ss'
	OR path LIKE '%tcpdump'
	OR path LIKE '%net'
)
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.