T1018 Remote System Discovery Policy
T1018
Required Tables
process_events
Returned Fields
| Field | Description |
| --- | --- |
| timestamp | date timestamp as a string |
| path | process event's path |
| process_uuid | unique UUID assigned to a process |
| username | username of who created the process event |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9) AS timestamp,
path,
process_uuid,
username
FROM process_events
WHERE (
path LIKE '%ping'
OR path LIKE '%nmap'
OR path LIKE '%zmap'
OR path LIKE '%ipscan'
OR path LIKE '%unicornscan'
OR path LIKE '%netcat'
OR path LIKE '%nc'
OR path LIKE '%ncat'
OR path LIKE '%fierce'
OR path LIKE '%openvas'
OR path LIKE '%nikto'
OR path LIKE '%wpscan'
OR path LIKE '%cmsmap'
OR path LIKE '%fluxion'
OR path LIKE '%kismet'
OR path LIKE '%tshark'
OR path LIKE '%scapy'
OR path LIKE '%netstat'
OR path LIKE '%ss'
OR path LIKE '%tcpdump'
OR path LIKE '%net'
)
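The query above matches on bare suffixes, so short names such as `nc`, `ss` and `net` also match any unrelated binary whose path happens to end in those letters (`rsync`, `less`, `telnet`). The following is an added example, not part of this policy or its query library: it runs the same detection logic over a handful of constructed `process_events` rows in an in-memory SQLite table, then runs a basename-anchored variant (`path LIKE '%/nc'`) to show which hits the bare suffixes add. It assumes SQLite's `datetime(..., 'unixepoch')` in place of `FROM_UNIXTIME`, treats `openvas` as a suffix match like the other entries, and uses only sample paths and usernames invented for the demonstration.

```python
import sqlite3

# Tool names taken from the policy's LIKE patterns ('openvas' is matched as a
# suffix here like the others; that is an assumption about the intent).
TOOL_NAMES = [
    "ping", "nmap", "zmap", "ipscan", "unicornscan", "netcat", "nc", "ncat",
    "fierce", "openvas", "nikto", "wpscan", "cmsmap", "fluxion", "kismet",
    "tshark", "scapy", "netstat", "ss", "tcpdump", "net",
]

# Constructed sample process_events rows (not real telemetry):
# (unix_nano_timestamp, path, process_uuid, username)
SAMPLE_EVENTS = [
    (1700000000_000000000, "/usr/bin/nmap", "uuid-0001", "alice"),
    (1700000001_000000000, "/usr/bin/rsync", "uuid-0002", "backup"),   # ends in "nc"
    (1700000002_000000000, "/usr/bin/less", "uuid-0003", "bob"),       # ends in "ss"
    (1700000003_000000000, "/usr/bin/telnet", "uuid-0004", "bob"),     # ends in "net"
    (1700000004_000000000, "/usr/bin/nc", "uuid-0005", "carol"),
    (1700000005_000000000, "/opt/openvas/bin/openvas", "uuid-0006", "root"),
    (1700000006_000000000, "/usr/bin/python3", "uuid-0007", "dave"),
]


def build_query(anchored: bool) -> str:
    """Return the policy's query; when anchored, require a '/' before the tool name."""
    sep = "/" if anchored else ""
    conditions = " OR ".join(f"path LIKE '%{sep}{name}'" for name in TOOL_NAMES)
    # SQLite has no FROM_UNIXTIME; datetime(..., 'unixepoch') is the equivalent.
    return (
        "SELECT datetime(unix_nano_timestamp / 1000000000, 'unixepoch') AS timestamp, "
        "path, process_uuid, username "
        "FROM process_events "
        f"WHERE ({conditions}) "
        "ORDER BY unix_nano_timestamp"
    )


def run_detection(anchored: bool) -> list[tuple]:
    """Load the sample rows into an in-memory table and run the detection query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events ("
        "unix_nano_timestamp INTEGER, path TEXT, process_uuid TEXT, username TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    rows = conn.execute(build_query(anchored)).fetchall()
    conn.close()
    return rows


def false_positives() -> list[str]:
    """Paths flagged by the bare-suffix patterns but not by the anchored ones."""
    loose = {row[1] for row in run_detection(anchored=False)}
    strict = {row[1] for row in run_detection(anchored=True)}
    return sorted(loose - strict)


if __name__ == "__main__":
    for anchored in (False, True):
        print(f"anchored={anchored}")
        for row in run_detection(anchored):
            print("  ", row)
    print("extra hits from bare suffixes:", false_positives())
```

On the sample rows the bare-suffix query flags six processes, three of which (`rsync`, `less`, `telnet`) are not discovery tools at all; the anchored variant keeps the `nmap`, `nc` and `openvas` hits and drops the others. Anchoring on the path separator is one cheap tightening; the alternatives are an explicit allow-list of known benign binaries or matching on a separate basename column if the telemetry provides one.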