T1136 Create Account-Program
Required Tables
- process_events
Returned Fields
| Field | Description |
|---|---|
| timestamp | event time, converted from `unix_nano_timestamp` (nanoseconds) to a date-time string |
| path | full path of the executed binary |
| arguments | command line the process was started with |
Query

```sql
SELECT
  FROM_UNIXTIME(unix_nano_timestamp / 1e9) AS timestamp,
  path,
  arguments
FROM process_events
WHERE
  path LIKE '%useradd'
  OR path LIKE '%newusers'
ORDER BY unix_nano_timestamp
```
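The following is an added example, not part of the original detection page, showing the query above run over a handful of constructed process events. It loads the rows into an in-memory SQLite table named `process_events`; because SQLite has no `FROM_UNIXTIME`, the conversion is written as `datetime(..., 'unixepoch')`, which is the only change to the page's query. The sample rows, account names and arguments are invented for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample telemetry, not real events:
# (unix_nano_timestamp, path, arguments). Two rows should match the detection
# (useradd and newusers); ls and usermod should not.
SAMPLE_PROCESS_EVENTS: List[Tuple[int, str, str]] = [
    (1_700_000_000_000_000_000, "/usr/sbin/useradd", "useradd -m -s /bin/bash svc-backup"),
    (1_700_000_001_000_000_000, "/usr/bin/ls", "ls -la /home"),
    (1_700_000_002_500_000_000, "/usr/sbin/newusers", "newusers /tmp/batch.txt"),
    (1_700_000_003_000_000_000, "/usr/sbin/usermod", "usermod -aG sudo svc-backup"),
]

# The page's query, with FROM_UNIXTIME swapped for SQLite's datetime(..., 'unixepoch').
# Dividing the nanosecond timestamp by 1e9 yields seconds since the Unix epoch.
DETECTION_QUERY = """
SELECT
  datetime(unix_nano_timestamp / 1e9, 'unixepoch') AS timestamp,
  path,
  arguments
FROM process_events
WHERE
  path LIKE '%useradd'
  OR path LIKE '%newusers'
ORDER BY unix_nano_timestamp
"""


def load_events(rows: List[Tuple[int, str, str]]) -> sqlite3.Connection:
    """Create an in-memory process_events table shaped like the page's required table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events ("
        "unix_nano_timestamp INTEGER, path TEXT, arguments TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def find_account_creation(rows: List[Tuple[int, str, str]]) -> List[Tuple[str, str, str]]:
    """Run the T1136 detection query and return (timestamp, path, arguments) rows."""
    conn = load_events(rows)
    try:
        return conn.execute(DETECTION_QUERY).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for timestamp, path, arguments in find_account_creation(SAMPLE_PROCESS_EVENTS):
        print(f"{timestamp}  {path}  {arguments}")
```

Because the filter is a suffix match on `path`, any executable whose path ends in `useradd` or `newusers` is returned, wherever it lives on disk; conversely, account creation performed without exec'ing those binaries (for example by editing `/etc/passwd` directly) produces no row, so this query is best paired with file-integrity monitoring of the account databases.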