T1059 Command and Scripting Interpreter
T1059
Required Tables
- shell_commands
- container_events
Returned Fields
| Field | Description |
| timestamp | date timestamp as a string |
| program_filename | |
| program_arguments | shell command's arguments |
| container_name | container name where shell command seen |
Query
SELECT
FROM_UNIXTIME(shell_commands.unix_nano_timestamp/1e9),
program_filename,
program_arguments,
container_name
FROM shell_commands
LEFT JOIN container_events
ON shell_commands.container_id = container_events.container_id
AND container_events.container_name NOT LIKE '%etcd%'
WHERE program_filename NOT LIKE '%etcdctl%'
ORDER BY shell_commands.unix_nano_timestamp