Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 52

Add "Find deleted files from disk" to Standard query library (#1481)

Browse source
This commit is contained in:
AndrewB 2021-07-27 09:33:33 -04:00 committed by GitHub
parent cb10659277
commit 1decb2a56f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
View file

@ -436,3 +436,13 @@ spec:
query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
purpose: Informational
contributors: noahtalerman
---
apiVersion: v1
kind: query
spec:
name: Find deleted files from disk
platforms: Linux, macOS, Windows
description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
purpose: Incident response
contributors: alphabrevity