T1049 System Network Connection Discovery Program

Required Tables

  • process_events

Returned Fields

Field          Description
timestamp      event time, converted from the nanosecond unix_nano_timestamp column to a date string
path           full filesystem path of the executed binary
username       user account that started the process
process_uuid   unique UUID assigned to the created process

Query

-- Match the basename of the executed binary: the pattern requires the
-- path separator before the name so that '%/w' matches /usr/bin/w but
-- not /usr/bin/new, and '%/ss' does not match /usr/bin/less.
SELECT
    FROM_UNIXTIME(unix_nano_timestamp/1e9) AS timestamp,
    path,
    username,
    process_uuid
FROM process_events
WHERE (
    path LIKE '%/netstat'
    OR path LIKE '%/ss'
    OR path LIKE '%/lsof'
    OR path LIKE '%/last'
    OR path LIKE '%/w'
    OR path LIKE '%/ngrep'
    OR path LIKE '%/netwatch'
    OR path LIKE '%/tcpdump'
    OR path LIKE '%/iftop'
    OR path LIKE '%/iptraf'
    OR path LIKE '%/who'
)
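To see how the suffix matches behave on real events, here is an added example (not part of the original page) that loads a few constructed process_events rows into an in-memory SQLite database and runs the query's predicate with and without the path separator. SQLite is assumed as a stand-in for the real query engine, so FROM_UNIXTIME is replaced by SQLite's datetime().

```python
import sqlite3

# Discovery binaries listed in the page's query.
DISCOVERY_BINARIES = [
    "netstat", "ss", "lsof", "last", "w", "ngrep",
    "netwatch", "tcpdump", "iftop", "iptraf", "who",
]

# Constructed sample rows: (unix_nano_timestamp, path, username, process_uuid)
SAMPLE_EVENTS = [
    (1700000000_000000000, "/usr/bin/netstat", "alice", "uuid-1"),
    (1700000001_000000000, "/usr/bin/w", "bob", "uuid-2"),
    (1700000002_000000000, "/usr/bin/new", "carol", "uuid-3"),   # ends in "w", is not w
    (1700000003_000000000, "/usr/sbin/tcpdump", "root", "uuid-4"),
    (1700000004_000000000, "/usr/bin/less", "dave", "uuid-5"),   # ends in "ss", is not ss
]


def build_query(require_separator: bool) -> str:
    """Return the page's query using either bare '%name' or '%/name' patterns."""
    prefix = "%/" if require_separator else "%"
    clauses = " OR ".join(f"path LIKE '{prefix}{name}'" for name in DISCOVERY_BINARIES)
    return (
        "SELECT datetime(unix_nano_timestamp / 1e9, 'unixepoch') AS timestamp, "
        "path, username, process_uuid FROM process_events WHERE (" + clauses + ")"
    )


def run_detection(events, require_separator: bool = True):
    """Load the constructed events into SQLite and return the rows the query flags."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events ("
        "unix_nano_timestamp INTEGER, path TEXT, username TEXT, process_uuid TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    rows = conn.execute(build_query(require_separator)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for strict in (False, True):
        print(f"require_separator={strict}:")
        for row in run_detection(SAMPLE_EVENTS, strict):
            print("  ", row)
```

Without the separator the bare patterns flag all five constructed rows, including the two benign binaries; with it only netstat, w and tcpdump are returned.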