T1016 System Network Configuration Discovery – Program Blacklist
T1016
Required Tables
Returned Fields
Field | Description |
path | process event's path |
arguments | process event's arguments list |
Query
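-- Detection query for ATT&CK T1016 (System Network Configuration Discovery):
-- returns every process-start event whose executable basename is one of the
-- listed network-configuration/discovery utilities, minus a small set of
-- known-benign parent processes (DHCP hooks, Google guest daemons, Kubernetes
-- components).
--
-- Dialect: Postgres-style SQL (split_part(), reverse(), 1-based array indexing,
-- cardinality()).  The basename is computed once in a CTE instead of being
-- repeated inline six times.
--
-- Fix versus the original: the parent allowlist compared a basename against
-- the full path '/sbin/dhclient-script', which can never match (a basename has
-- no '/'), so children of dhclient-script were always reported.  The entry is
-- now the basename 'dhclient-script'.
--
-- NOTE(review): the original operator precedence puts the Kubernetes-parent
-- exclusion inside the `basename != 'ip' OR ...` branch, so it only suppresses
-- `ip` children and still reports e.g. iptables spawned by kube-proxy.  That
-- grouping is kept here, made explicit with parentheses; confirm whether the
-- exclusion was meant to apply to every listed program.
WITH proc AS (
    -- All process events with the executable's basename precomputed.  Not
    -- filtered on event_type, because the parent lookups below join against
    -- every event, as the original query did.
    SELECT
        pe.process_uuid,
        pe.parent_process_uuid,
        pe.event_type,
        pe.path,
        pe.arguments,
        reverse(split_part(reverse(pe.path), '/', 1)) AS basename
    FROM process_events AS pe
)
SELECT
    child.path,
    child.arguments
FROM proc AS child
WHERE child.event_type = 0  -- presumably "process started"; confirm against the schema
  AND child.basename IN (
      'ifconfig',
      'ip',
      'iptables',
      'route',
      'traceroute',
      'host',
      'ping',
      'tracepath',
      'mtr',
      'ethtool',
      'arp'
  )
  AND (
      child.basename != 'ip'
      OR (
          -- `ip` is reported unless its parent is ip/dhclient-script and is not
          -- one of the Google guest daemons.
          NOT EXISTS (
              SELECT 1
              FROM proc AS parent
              WHERE parent.process_uuid = child.parent_process_uuid
                AND (
                    parent.basename NOT IN ('ip', 'dhclient-script')
                    -- arrays are 1-based, so cardinality-1 is the second-to-last
                    -- argument, not the last; kept as in the original — confirm
                    OR parent.arguments[cardinality(parent.arguments) - 1] IN (
                        '/usr/lib/python-exec/python2.7/google_ip_forwarding_daemon',
                        '/usr/bin/google_network_daemon'
                    )
                )
          )
          -- Kubernetes node components routinely reconfigure networking.
          AND NOT EXISTS (
              SELECT 1
              FROM proc AS parent
              WHERE parent.process_uuid = child.parent_process_uuid
                AND (
                    parent.basename IN ('kubelet', 'hyperkube', 'kube-proxy')
                    OR parent.path = '/opt/bin/flanneld'
                )
          )
      )
  )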