T1069 Permission Group Discovery Program
T1069
Required Tables
Returned Fields
| Field | Description |
| timestamp | date timestamp as a string |
| path | process event's path |
| username | username who created the process event |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
process_events.path,
process_events.username
FROM process_events
WHERE (
path LIKE '%cat'
AND array_join(arguments, ' ') LIKE '%/etc/group%'
) OR (
path LIKE '%groups'
OR path LIKE '%ldapsearch'
OR path LIKE '%id'
OR path LIKE '%getent'
)
ORDER BY process_events.unix_nano_timestamp DESC