T1070.003 Clear Command History

Required Tables

file_events
process_events

Returned Fields

Field	Description
timestamp	date timestamp as a string
file_events.path	path of the file event
process_events.path	the process events path
provess_events.username	username of who created the process event

Query

SELECT
    FROM_UNIXTIME(unix_nano_timestamp/1e9),
    file_events.path,
    process_events.path,
    process_events.username
FROM file_events
LEFT JOIN (
    SELECT
        path,
        username,
        process_uuid
    FROM process_events 
    GROUP BY path, username, process_uuid
) AS process_events
    ON process_events.process_uuid = file_events.process_uuid
WHERE process_events.path != '/usr/bin/dockerd'
    AND (event_type=4 OR event_type=3)
    AND (regexp_like(file_events.path, '/home/.+/\..+_history')
        OR regexp_like(file_events.path, '/root/\..+\.history')
    )
ORDER BY  file_events.unix_nano_timestamp DESC