From d3a20831885931fd5b719b13fe5fa9fd16594807 Mon Sep 17 00:00:00 2001
From: Mike McNeil
Date: Wed, 29 Sep 2021 22:08:39 -0500
Subject: [PATCH] add example query that checks a malware artifact (#2296)
---
 .../standard-query-library/standard-query-library.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index a9f9017dce..938a1fe872 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -496,3 +496,13 @@ spec:
 query: select case cnt when 0 then "NONE_INSTALLED" else "INSTALLED" end as "Malicious Python Packages",package_name,package_version from (select count(name) as cnt,nameas package_name,version as package_version,path as package_pathfrom python_packages where package_name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));
 purpose: Informational
 contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Check for artifacts of the Floxif trojan
+ platforms: Windows
+ description: See https://github.com/osquery/osquery/blob/b8085572ed1a58ff635683e5f2225cd49cd27bc1/packs/windows-attacks.conf#L4-L10
+ query: select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';,
+ purpose: Informational
+ contributors: micheal-o
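Review bot: The added `query:` line ends in `;,` — the stray comma after the semicolon will most likely make osquery reject the statement as a syntax error, so the entry cannot run as committed. The backslashes also look wrong: the referenced osquery pack is JSON, where `\\` encodes a single backslash, but this value is an unquoted YAML plain scalar in which `\\` stays as two literal characters, so the LIKE pattern would only match paths containing doubled backslashes, which registry paths do not have (worth confirming against how Fleet parses this file). Proposed line: `query: select * from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo%';`. The `description` is only a link; a sentence telling the reader what a non-empty result means would help whoever triages it, e.g. `description: Looks for the Piriform\Agomo registry key that the referenced osquery windows-attacks pack treats as an indicator of the Floxif trojan; any returned row warrants investigation of the host.`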