add example query that checks a malware artifact (#2296)

Mike McNeil 2021-09-29 22:08:39 -05:00 committed by GitHub
parent 746d02ebe0
commit d3a2083188
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -496,3 +496,13 @@ spec:
query: select case cnt when 0 then "NONE_INSTALLED" else "INSTALLED" end as "Malicious Python Packages",package_name,package_version from (select count(name) as cnt,nameas package_name,version as package_version,path as package_pathfrom python_packages where package_name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));
purpose: Informational
contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
name: Check for artifacts of the Floxif trojan
platforms: Windows
description: See https://github.com/osquery/osquery/blob/b8085572ed1a58ff635683e5f2225cd49cd27bc1/packs/windows-attacks.conf#L4-L10
query: select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';,
purpose: Informational
contributors: micheal-o
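Review bot: The new Floxif query ends in `;,` — the stray comma after the semicolon is part of the plain-scalar value and is handed to osquery as SQL text, where the SQLite engine will most likely reject it as a syntax error, so the query can never return results. The backslashes also look wrong for this file: in a YAML plain scalar `\\` stays two literal characters, whereas the osquery pack the description links to is JSON, where `\\` encodes a single `\`, so as written the LIKE pattern would only match registry paths containing doubled backslashes. I would change the line to `query: select * from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo%';` and confirm it returns a row on a host where that key exists. The description is only a link; a sentence on what a hit on the `Piriform\Agomo` key means (presumably the artifact left by the trojanized CCleaner build — confirm against the linked pack) would help an analyst triage it.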