
T1082 System Information Discovery - Program Blacklist

T1082

Required Tables

  • process_events

Returned Fields

Field          Description
process_uuid   unique UUID assigned to the process
path           path of the binary the process executed
arguments      command-line arguments passed to the process

Query

-- Return executions of common host-discovery commands whose parent process
-- is not one of the known benign parents listed below.
-- The parent is joined with a LEFT JOIN so that an event whose parent was
-- never recorded is still returned (the IS NULL test); with a bare NOT IN,
-- a NULL parent path would evaluate to NULL and the row would be dropped.
SELECT
    process_events.process_uuid,
    process_events.path,
    process_events.arguments
FROM process_events
LEFT JOIN process_events parent_process
    ON process_events.parent_process_uuid = parent_process.process_uuid
WHERE (
    parent_process.path IS NULL
    OR parent_process.path NOT IN (
        '/etc/update-motd.d/00-header',
        '/etc/update-motd.d/50-motd-news',
        '/opt/splunk/bin/splunkd',
        '/opt/splunk/bin/splunk',
        '/usr/bin/apt-get',
        '/usr/bin/unattended-upgrade',
        '/usr/bin/yum',
        '/usr/bin/google_oslogin_control',
        '/usr/sbin/google-fluentd',
        '/usr/sbin/google_oslogin_control')
) AND (
    -- Anchor the match on the path separator so only the binary name itself
    -- matches (e.g. '%id' alone would also match any path ending in "id").
    process_events.path LIKE '%/uname'
    OR process_events.path LIKE '%/id'
    OR process_events.path LIKE '%/uptime'
    OR process_events.path LIKE '%/last'
    OR process_events.path LIKE '%/dmesg'
)
ORDER BY process_events.unix_nano_timestamp DESC
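As an added illustration that is not part of this page, the Python below loads a few constructed process_events rows into an in-memory SQLite table and runs a query of the same shape as the one above. The sample rows, the table schema and the `anchored` switch (which toggles between the `'%/uname'` and the looser `'%uname'` suffix match) are assumptions made for the demonstration; they show that an event with an unrecorded parent is kept and that an unanchored suffix match produces a false positive.

```python
import sqlite3

# Constructed sample rows for the process_events table (not real telemetry):
# (process_uuid, parent_process_uuid, path, arguments, unix_nano_timestamp)
SAMPLE_EVENTS = [
    ("p1", None, "/usr/sbin/sshd", "sshd -D", 1000),
    ("p2", "p1", "/bin/bash", "-bash", 1001),
    ("p3", "p2", "/usr/bin/uname", "uname -a", 1002),   # interactive recon: expect a hit
    ("p4", None, "/usr/bin/apt-get", "apt-get update", 1003),
    ("p5", "p4", "/usr/bin/uname", "uname -m", 1004),   # child of a blacklisted parent: suppressed
    ("p6", "gone", "/usr/bin/id", "id -u", 1005),       # parent never recorded: must still be a hit
    ("p7", "p2", "/usr/bin/valid", "valid", 1006),      # ends in "id" but is not the id binary
]
# Parent-process blacklist taken from the page's query.
PARENT_BLACKLIST = (
    "/etc/update-motd.d/00-header", "/etc/update-motd.d/50-motd-news",
    "/opt/splunk/bin/splunkd", "/opt/splunk/bin/splunk",
    "/usr/bin/apt-get", "/usr/bin/unattended-upgrade", "/usr/bin/yum",
    "/usr/bin/google_oslogin_control", "/usr/sbin/google-fluentd",
    "/usr/sbin/google_oslogin_control",
)
DISCOVERY_BINARIES = ("uname", "id", "uptime", "last", "dmesg")

# Same shape as the page's query; the IS NULL test keeps events whose parent
# row is missing, which a bare NOT IN would silently drop.
QUERY = """
SELECT pe.process_uuid, pe.path, pe.arguments
FROM process_events pe
LEFT JOIN process_events parent ON pe.parent_process_uuid = parent.process_uuid
WHERE (parent.path IS NULL OR parent.path NOT IN ({blacklist}))
  AND ({names})
ORDER BY pe.unix_nano_timestamp DESC
"""

def run_detection(events, anchored=True):
    # Returns (process_uuid, path, arguments) hits, newest first. anchored=True
    # matches '%/uname'; anchored=False reproduces the looser '%uname' match.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process_events (process_uuid TEXT, parent_process_uuid TEXT,"
                 " path TEXT, arguments TEXT, unix_nano_timestamp INTEGER)")
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?,?)", events)
    sql = QUERY.format(blacklist=",".join("?" * len(PARENT_BLACKLIST)),
                       names=" OR ".join("pe.path LIKE ?" for _ in DISCOVERY_BINARIES))
    suffix = "%/" if anchored else "%"
    params = list(PARENT_BLACKLIST) + [suffix + b for b in DISCOVERY_BINARIES]
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows
```

Running `run_detection(SAMPLE_EVENTS)` returns only p6 and p3; with `anchored=False` the `/usr/bin/valid` event (p7) is reported as well.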