Skip to content
Last update: 2022-05-10

T1069 Permission Group Discovery Program

T1069

Required Tables

  • process_events

Returned Fields

Field Description
timestamp date timestamp as a string
path process event's path
username username who created the process event

Query

SELECT
    FROM_UNIXTIME(unix_nano_timestamp/1e9),
    process_events.path,
    process_events.username
FROM process_events
WHERE (
    path LIKE '%cat'
    AND array_join(arguments, ' ') LIKE '%/etc/group%'
) OR (
    path LIKE '%groups'
    OR path LIKE '%ldapsearch'
    OR path LIKE '%id'
    OR path LIKE '%getent'
)
ORDER BY  process_events.unix_nano_timestamp DESC
Back to top