
T1018 Remote System Discovery Policy

T1018

Required Tables

  • process_events

Returned Fields

Field         Description
timestamp     date timestamp as a string
path          process event's path
process_uuid  unique UUID assigned to a process
username      username of who created the process event

Query

-- Flags process events whose executable path ends in the name of a common
-- host/network discovery tool (T1018 Remote System Discovery).
-- Note: the short suffixes 'nc', 'ss' and 'net' also match unrelated binaries
-- such as rsync, less and telnet, so expect some benign hits from those three.
SELECT
    FROM_UNIXTIME(unix_nano_timestamp/1e9) AS timestamp,
    path,
    process_uuid,
    username
FROM process_events
WHERE (
    path LIKE '%ping'
    OR path LIKE '%nmap'
    OR path LIKE '%zmap'
    OR path LIKE '%ipscan'
    OR path LIKE '%unicornscan'
    OR path LIKE '%netcat'
    OR path LIKE '%nc'
    OR path LIKE '%ncat'
    OR path LIKE '%fierce'
    OR path LIKE '%openvas'
    OR path LIKE '%nikto'
    OR path LIKE '%wpscan'
    OR path LIKE '%cmsmap'
    OR path LIKE '%fluxion'
    OR path LIKE '%kismet'
    OR path LIKE '%tshark'
    OR path LIKE '%scapy'
    OR path LIKE '%netstat'
    OR path LIKE '%ss'
    OR path LIKE '%tcpdump'
    OR path LIKE '%net'
)
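Added example (not part of the policy above): a small Python emulation of the WHERE clause, run over constructed process events, showing which paths the bare suffix patterns catch and how a basename-anchored variant trades a few false positives (rsync, less, telnet) for missing renamed or prefixed variants such as fping. The event list and the helper names are assumptions made for this illustration.

```python
import re
from posixpath import basename

# Suffixes from the policy's WHERE clause (each used as LIKE '%<tool>').
TOOLS = ["ping", "nmap", "zmap", "ipscan", "unicornscan", "netcat", "nc",
         "ncat", "fierce", "openvas", "nikto", "wpscan", "cmsmap", "fluxion",
         "kismet", "tshark", "scapy", "netstat", "ss", "tcpdump", "net"]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL LIKE pattern ('%' = any run of characters) to a regex."""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$")


POLICY = [like_to_regex("%" + t) for t in TOOLS]


def policy_hit(path: str) -> bool:
    """Mirror the policy: bare suffix match anywhere in the path."""
    return any(r.match(path) for r in POLICY)


def strict_hit(path: str) -> bool:
    """Tighter variant: the executable's basename must equal a tool name,
    so /usr/bin/rsync no longer matches 'nc' and /usr/bin/less no longer
    matches 'ss'. It also stops matching /usr/bin/fping, which the suffix
    form catches for free; pick the trade-off that suits the environment."""
    return basename(path) in TOOLS


# Constructed sample process events, not real telemetry.
EVENTS = [
    {"path": "/usr/bin/nmap",    "username": "svc-scan"},
    {"path": "/usr/bin/nc",      "username": "www-data"},
    {"path": "/usr/bin/fping",   "username": "svc-scan"},  # suffix-only hit
    {"path": "/usr/bin/rsync",   "username": "backup"},    # ends in "nc"
    {"path": "/usr/bin/less",    "username": "alice"},     # ends in "ss"
    {"path": "/usr/bin/telnet",  "username": "bob"},       # ends in "net"
    {"path": "/usr/bin/python3", "username": "alice"},
]


def run(events, matcher):
    """Return the paths of the events the given matcher flags."""
    return [e["path"] for e in events if matcher(e["path"])]


if __name__ == "__main__":
    print("policy:", run(EVENTS, policy_hit))
    print("strict:", run(EVENTS, strict_hit))
```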