T1046 Network Service Scanning
Required Tables
- process_events
Returned Fields
Field | Description |
---|---|
username | User who created the process event |
path | Path of the executable recorded in the process event |
arguments | Command-line arguments of the process event |
Query
SELECT
  username,
  path,
  arguments
FROM process_events
WHERE reverse(split_part(reverse(path), '/', 1)) IN (
  'telnet',
  'nc',
  'nmap',
  'nping'
)
ORDER BY unix_nano_timestamp