T1082
必要なテーブル
戻りフィールド
| フィールド | 説明 |
| process_uuid | プロセスに割り当てられた一意の UUID |
| path | プロセスが実行されたパス |
| arguments | プロセスで使用されている引数 |
クエリ
SELECT
process_events.process_uuid,
process_events.path,
process_events.arguments
FROM process_events
LEFT JOIN process_events parent_process
ON process_events.parent_process_uuid = parent_process.process_uuid
WHERE (
parent_process.path NOT IN (
'/etc/update-motd.d/00-header',
'/etc/update-motd.d/50-motd-news',
'/opt/splunk/bin/splunkd',
'/opt/splunk/bin/splunk',
'/usr/bin/apt-get',
'/usr/bin/unattended-upgrade',
'/usr/bin/yum',
'/usr/bin/google_oslogin_control',
'/usr/sbin/google-fluentd',
'/usr/sbin/google_oslogin_control')
) AND (process_events.path LIKE '%uname'
OR process_events.path LIKE '%id'
OR process_events.path LIKE '%uptime'
OR process_events.path LIKE '%last'
OR process_events.path LIKE '%dmesg')
ORDER BY process_events.unix_nano_timestamp DESC