From 675f14b16b616d772c3a4f2ec531048e50ba78ed Mon Sep 17 00:00:00 2001
From: eashaw
Date: Fri, 22 Oct 2021 16:58:34 -0500
Subject: [PATCH] Standard query library updates (#2546)

* update Floxif trojan query description, Add puffyCid's query, update query description styles
* Update standard-query-library.yml
---
.../standard-query-library.yml | 14 ++++++++++++--
website/assets/styles/pages/query-detail.less | 1 +
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 938a1fe872..55eb741eb0 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -502,7 +502,17 @@ kind: query
 spec:
 name: Check for artifacts of the Floxif trojan
 platforms: Windows
- description: See https://github.com/osquery/osquery/blob/b8085572ed1a58ff635683e5f2225cd49cd27bc1/packs/windows-attacks.conf#L4-L10
- query: select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';,
+ description: Checks for artifacts from the Floxif trojan on Windows machines.
+ query: select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';
 purpose: Informational
 contributors: micheal-o
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get shimcache table
+ platforms: Windows
+ description: Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.
+ query: select * from shimcache
+ purpose: Informational
+ contributors: puffyCid
diff --git a/website/assets/styles/pages/query-detail.less b/website/assets/styles/pages/query-detail.less
index 51a3cf0892..ae4721db39 100644
--- a/website/assets/styles/pages/query-detail.less
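Review bot: The new `description` for the shimcache query repeats "order of execution" three times and never says what an entry actually establishes, so someone deciding whether to rely on it gets no hint that an Application Compatibility cache record shows the file was seen by the shim infrastructure, which on newer Windows releases is generally not by itself proof that it ran. I would tighten it to something like `description: Returns Application Compatibility cache (shimcache) entries: full path, last-modified timestamp and insertion order of files seen by the shim infrastructure, useful forensic evidence that a file existed and was likely run; on newer Windows versions an entry does not by itself prove execution.` In the same hunk the new query lacks the trailing `;` that the other entries in this file end with, e.g. `query: select * from shimcache;`. The rewritten Floxif description also drops the only pointer to why `HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo` is an indicator; keeping the osquery windows-attacks pack link from the removed line, or naming the key in the description, would preserve that provenance for readers auditing the query.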
+++ b/website/assets/styles/pages/query-detail.less
@@ -10,6 +10,7 @@ font-family: 'Nunito';
 font-size: 16px;
 line-height: 25px;
+ word-wrap: break-word;
 }
 p {