T1542.003 Bootkit

T1542.003

Required Tables

  • shell_commands

Returned Fields

| Field | Description |
|---|---|
| timestamp | date timestamp as a string |
| file_events.path | path of the file event |
| process_events.path | process event's path |
| process_events.username | username of who created the process event |

Query

```sql
SELECT
    -- alias matches the "timestamp" returned field listed above
    FROM_UNIXTIME(file_events.unix_nano_timestamp/1e9) AS timestamp,
    file_events.path,
    process_events.path,
    process_events.username
FROM file_events
LEFT JOIN (
    -- one row per distinct (path, username, process_uuid) so a file event is not duplicated
    SELECT
        path,
        username,
        process_uuid
    FROM process_events
    GROUP BY path, username, process_uuid
) AS process_events
    ON process_events.process_uuid = file_events.process_uuid
WHERE file_events.event_type != 4
    -- keep file events with no matching process row: NULL NOT IN (...) evaluates to NULL,
    -- which would otherwise drop exactly the writes whose origin is unknown
    AND (process_events.path IS NULL OR process_events.path NOT IN (
        -- tools expected to write under /boot (package managers, GRUB, initramfs)
        '/usr/bin/dpkg',
        '/usr/bin/yum',
        '/usr/sbin/grub-mkconfig',
        '/usr/sbin/mkinitramfs',
        '/etc/init.d/grub-common'
    ))
    AND file_events.path LIKE '/boot/%'
ORDER BY file_events.unix_nano_timestamp DESC
```
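As an added example (not part of this rule page), the same detection logic adapted to SQLite and run over constructed file_events and process_events rows, so the allowlist, the /boot/ prefix filter and the event_type exclusion can be seen acting. FROM_UNIXTIME is replaced by SQLite's datetime(..., 'unixepoch'), and the pe.path IS NULL clause keeps file events whose process row is missing, which a bare NOT IN would drop because NULL NOT IN (...) is NULL.

```python
import sqlite3

# Constructed sample data (not captured telemetry): process_uuid links a
# file event to the process that performed it.
PROCESS_EVENTS = [
    ("p1", "/usr/bin/dpkg", "root"),            # package manager: allowlisted
    ("p2", "/usr/sbin/grub-mkconfig", "root"),  # GRUB tooling: allowlisted
    ("p3", "/tmp/unknown-installer", "root"),   # unexpected writer under /boot
    ("p4", "/usr/bin/vim", "alice"),            # writes outside /boot
]
FILE_EVENTS = [  # (unix_nano_timestamp, path, process_uuid, event_type)
    (1700000000 * 10**9, "/boot/vmlinuz-6.1.0", "p1", 1),
    (1700000001 * 10**9, "/boot/grub/grub.cfg", "p2", 1),
    (1700000002 * 10**9, "/boot/grub/x86_64-efi/core.img", "p3", 1),
    (1700000003 * 10**9, "/home/alice/notes.txt", "p4", 1),
    (1700000004 * 10**9, "/boot/efi/EFI/BOOT/BOOTX64.EFI", "p9", 1),  # no process row
    (1700000005 * 10**9, "/boot/initrd.img", "p3", 4),  # event_type 4 is excluded
]

# The page's rule, adapted to SQLite (datetime() in place of FROM_UNIXTIME).
RULE = """
SELECT datetime(fe.unix_nano_timestamp / 1000000000, 'unixepoch') AS timestamp,
       fe.path, pe.path, pe.username
FROM file_events AS fe
LEFT JOIN (SELECT path, username, process_uuid FROM process_events
           GROUP BY path, username, process_uuid) AS pe
  ON pe.process_uuid = fe.process_uuid
WHERE fe.event_type != 4
  AND (pe.path IS NULL OR pe.path NOT IN (
        '/usr/bin/dpkg', '/usr/bin/yum', '/usr/sbin/grub-mkconfig',
        '/usr/sbin/mkinitramfs', '/etc/init.d/grub-common'))
  AND fe.path LIKE '/boot/%'
ORDER BY fe.unix_nano_timestamp DESC
"""

def run_rule(file_events=FILE_EVENTS, process_events=PROCESS_EVENTS):
    """Load the rows into an in-memory SQLite database and return the rule's hits."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE process_events(process_uuid, path, username)")
    db.execute("CREATE TABLE file_events(unix_nano_timestamp, path, process_uuid, event_type)")
    db.executemany("INSERT INTO process_events VALUES (?, ?, ?)", process_events)
    db.executemany("INSERT INTO file_events VALUES (?, ?, ?, ?)", file_events)
    return db.execute(RULE).fetchall()

if __name__ == "__main__":
    for ts, boot_path, proc_path, user in run_rule():
        print(ts, boot_path, proc_path, user)
```

Of the six constructed file events only two surface: the write by the non-allowlisted process and the write with no process row at all; the dpkg and grub-mkconfig writes, the file outside /boot and the event_type 4 record are all filtered out.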