T1136 Create Account-File
Required Tables
- file_events
Returned Fields
| Field | Description |
|---|---|
| timestamp | date timestamp as a string |
| path | the path for the file event |
| process_uuid | unique UUID assigned to a process |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
path,
process_uuid
FROM file_events
WHERE
event_type != 4
AND path LIKE '/etc/ld.so.%'
AND path NOT IN (
'/usr/bin/dnf',
'/usr/bin/dpkg',
'/usr/bin/rpm',
'/usr/bin/snap',
'/usr/bin/yum'
) AND path NOT LIKE '%puppet'
AND path NOT LIKE '%chef'