From cbe2d252df314f0da17c6104fd98ba0613a1deb4 Mon Sep 17 00:00:00 2001
From: Nabil Schear
Date: Tue, 20 Sep 2022 13:10:25 -0700
Subject: [PATCH] Discover Python Packages from Running Python Interpreters query (#7857)
* Discover Python Packages from Running Python Interpreters documentation
* add hunting tag
Co-authored-by: Guillaume Ross
* Removed extra quote
Co-authored-by: Guillaume Ross
Co-authored-by: Guillaume Ross
---
 .../standard-query-library/standard-query-library.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 16a70cfcce..be5fe3e3f7 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -931,3 +931,14 @@ spec:
   purpose: Informational
   tags: network, tls
   contributors: nabilschear
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Discover Python Packages from Running Python Interpreters
+  platforms: Linux, macOS
+  description: Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.
+  query: SELECT * FROM python_packages WHERE directory IN (SELECT DISTINCT directory FROM (SELECT SUBSTR(path,0,INSTR(path,'/bin/'))||'/lib' AS directory FROM processes WHERE path LIKE '%/bin/%' AND path LIKE '%python%' UNION SELECT SUBSTR(cmdline,0,INSTR(cmdline,'/bin/'))||'/lib' AS directory FROM processes WHERE cmdline LIKE '%python%' AND cmdline LIKE '%/bin/%' AND path LIKE '%python%' UNION SELECT cwd||'/lib' AS directory FROM processes WHERE path LIKE '%python%'));
+  purpose: Informational
+  tags: compliance, hunting
+  contributors: nabilschear
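Review bot: The `SELECT DISTINCT directory FROM (...)` wrapper in the added `query:` line is redundant, because the inner `UNION` already removes duplicate rows, and `SUBSTR(path,0,INSTR(path,'/bin/'))` relies on SQLite's special handling of a start index of 0 to drop the last character; `SUBSTR(path, 1, INSTR(path,'/bin/') - 1)` (and the same for `cmdline`) expresses the "prefix before /bin/" intent explicitly. The three candidate directories are derived from `path`, `cmdline` and `cwd` of the observed process, values that the account running that process controls, so for hunting purposes the output is a heuristic environment inventory rather than an authoritative one; a `cwd` that merely contains a `lib` subdirectory, or a `cmdline` pointing somewhere unrelated, will be scanned too, while packages in locations the process does not reveal are missed. The `description:` should say so, e.g. `description: Heuristically locate Python environments from running interpreters (prefix before /bin/ in the binary path or command line, and the process cwd, each suffixed with /lib) and list packages found there; paths are derived from process-reported data and may include non-Python directories or miss environments not visible in path, cmdline, or cwd.` It is also worth confirming that the `python_packages` table descends into the `python*/site-packages` tree beneath the supplied `directory`, since the query only hands it `<prefix>/lib`.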