
T1057 Process Discovery - Program Blacklist

T1057

Required Tables

  • process_events

Returned Fields

Field Description
unix_nano_timestamp event time as a Unix timestamp in nanoseconds
path process event path
args process event arguments, joined into a single space-separated string
parent_process_uuid unique UUID assigned to parent process

Query

-- T1057 Process Discovery: surfaces executions of common file-viewing
-- utilities (cat, ls, more, head, tail) that were given a /proc/ path as an
-- argument, skipping events whose parent process is one of the listed
-- package-management / service binaries.
--
-- Coverage notes for whoever tunes this rule:
--   * The utility is matched by path suffix ('%/cat', ...), so the binary is
--     caught in any directory, but only under these five file names.
--   * The exclusion compares the direct parent's path for exact equality.
--     Everything launched by a listed parent is suppressed, and a parent
--     installed at a different path is not excluded (extra noise).
--   * There is no time bound; the whole process_events table is scanned.
WITH proc_readers AS (
    -- Flatten the argument array into one space-separated string so the
    -- LIKE patterns below can be applied to it.
    SELECT
        ev.unix_nano_timestamp,
        ev.path,
        ARRAY_JOIN(ev.arguments, ' ') AS args,
        ev.parent_process_uuid
    FROM process_events AS ev
)
SELECT
    r.unix_nano_timestamp,
    r.path,
    r.args,
    r.parent_process_uuid
FROM proc_readers AS r
WHERE (
        r.path LIKE '%/cat'
        OR r.path LIKE '%/ls'
        OR r.path LIKE '%/more'
        OR r.path LIKE '%/head'
        OR r.path LIKE '%/tail'
    )
    -- '/proc/%' matches when the joined string starts with a /proc/ path;
    -- '% /proc/%' matches when a /proc/ path follows an earlier argument.
    AND (
        r.args LIKE '/proc/%'
        OR r.args LIKE '% /proc/%'
    )
    -- Drop events whose parent is a listed binary; presumably these produce
    -- routine /proc reads during package or service operations (confirm).
    AND NOT EXISTS (
        SELECT 1
        FROM process_events AS parent
        WHERE parent.process_uuid = r.parent_process_uuid
          AND parent.path IN (
              '/usr/bin/dnf',
              '/usr/bin/dpkg',
              '/usr/bin/snap',
              '/usr/bin/yum',
              '/sbin/service'
          )
    )
ORDER BY r.unix_nano_timestamp DESC