T1204 User Execution
Required Tables
- shell_commands
- container_events
Returned Fields
| Field | Description |
|---|---|
| shell_commands.* | all fields from the shell_commands table |
Query
```sql
-- Shell commands run as root (uid 0) or by a non-system user (uid > 1000),
-- joined to the container (if any) in which they ran.
SELECT *
FROM shell_commands
LEFT OUTER JOIN container_events USING (container_id)
WHERE (
  uid = 0 OR uid > 1000
) AND NOT (
  -- Exclude etcdctl invocations and anything run inside an etcd container.
  -- COALESCE keeps rows with no matching container event: without it a NULL
  -- container_name makes NOT (... OR NULL) evaluate to NULL and drops the row.
  COALESCE(ARRAY_JOIN(program_arguments, ' '), '') LIKE '%etcdctl%'
  OR COALESCE(container_name, '') LIKE '%etcd%'
)
```
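As an added example (not part of the original page), the same join and filter logic in Python over constructed rows, including a shell command with no matching container event, so the exclusion and left-join behaviour can be checked offline. Column names follow the query; all row contents are constructed.

```python
"""Added example: the T1204 query's join and WHERE logic applied to
constructed sample rows. Field names follow the query; data is constructed."""

# Constructed shell_commands rows (only the columns the query references).
SHELL_COMMANDS = [
    {"id": 1, "uid": 0, "container_id": "c1", "program_arguments": ["bash", "-c", "id"]},
    {"id": 2, "uid": 1001, "container_id": "c2", "program_arguments": ["etcdctl", "get", "/k"]},
    {"id": 3, "uid": 1001, "container_id": "c2", "program_arguments": ["sh"]},
    {"id": 4, "uid": 500, "container_id": "c1", "program_arguments": ["sh"]},
    {"id": 5, "uid": 0, "container_id": None, "program_arguments": ["sh", "-i"]},
]

# Constructed container_events rows keyed by container_id.
CONTAINER_EVENTS = {
    "c1": {"container_id": "c1", "container_name": "web-frontend"},
    "c2": {"container_id": "c2", "container_name": "etcd-0"},
}


def left_join(commands, events):
    """LEFT OUTER JOIN ... USING (container_id): every command is kept,
    with container fields set to None when no event matches."""
    for cmd in commands:
        ev = events.get(cmd["container_id"]) or {"container_name": None}
        yield {**cmd, **ev}


def is_suspicious(row) -> bool:
    """WHERE clause of the query. Missing values are treated as empty
    strings so commands with no container are not silently dropped
    (in SQL, NOT (x OR NULL) evaluates to NULL and filters the row out)."""
    uid_ok = row["uid"] == 0 or row["uid"] > 1000
    args = " ".join(row.get("program_arguments") or [])
    name = row.get("container_name") or ""
    excluded = "etcdctl" in args or "etcd" in name
    return uid_ok and not excluded


def detect(commands=SHELL_COMMANDS, events=CONTAINER_EVENTS):
    """Return the ids of shell commands the rule would alert on."""
    return [r["id"] for r in left_join(commands, events) if is_suspicious(r)]


if __name__ == "__main__":
    # Row 2 is excluded by etcdctl, row 3 by the etcd container name,
    # row 4 by the uid range; rows 1 and 5 (root, 5 with no container) alert.
    print(detect())  # [1, 5]
```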