T1057 Process Discovery - Program Blacklist
T1057
必要なテーブル
戻りフィールド
| フィールド | 説明 |
| unix_nano_timestamp | UnixNano タイムスタンプ形式で表した時刻 |
| path | プロセスイベントのパス |
| args | プロセスイベントの引数のリスト |
| parent_process_uuid | 親プロセスに割り当てられた一意の UUID |
クエリ
WITH pe as (
SELECT process_events.unix_nano_timestamp,
process_events.path,
ARRAY_JOIN(process_events.arguments, ' ') as args,
process_events.parent_process_uuid
FROM process_events
)
SELECT pe.*FROM pe WHERE (
(pe.path LIKE '%/cat'OR
pe.path LIKE '%/ls' OR
pe.path LIKE '%/more' OR
pe.path LIKE '%/head' OR
pe.path LIKE '%/tail') AND (
args LIKE '/proc/%' OR args LIKE '% /proc/%')
) AND NOT EXISTS (
SELECT process_events.path
FROM process_events
WHERE process_events.path IN (
'/usr/bin/dnf',
'/usr/bin/dpkg',
'/usr/bin/snap',
'/usr/bin/yum',
'/sbin/service')
AND pe.parent_process_uuid = process_events.process_uuid
)
ORDER BY pe.unix_nano_timestamp DESC