fix some broken document separators in standard-query-library file (#2072)

* fix some broken document separators in standard-query-library file

* remove in-progress dockerfile
Benjamin Edwards 2021-09-15 11:21:26 -04:00 committed by GitHub
parent 1fa5ce16b8
commit 0bc485b32f


@ -446,13 +446,13 @@ spec:
query: SELECT name, path, pid FROM processes WHERE on_disk = 0; query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
purpose: Incident response purpose: Incident response
contributors: alphabrevity contributors: alphabrevity
--- ---
apiVersion: v1 apiVersion: v1
kind: query kind: query
spec: spec:
name: Get user files matching a specific hash name: Get user files matching a specific hash
platforms: macOS, Linux platforms: macOS, Linux
Description: Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.) description: Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
query: SELECT path,sha256 FROM hash WHERE path in (SELECT path FROM file WHERE size < 50000000 AND path LIKE ""/Users/%/Documents/%%"") AND sha256 = ""16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75""; query: SELECT path,sha256 FROM hash WHERE path in (SELECT path FROM file WHERE size < 50000000 AND path LIKE ""/Users/%/Documents/%%"") AND sha256 = ""16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75"";
purpose: Informational purpose: Informational
contributors: alphabrevity contributors: alphabrevity
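Review bot: The query in the `Get user files matching a specific hash` entry wraps its two string values in doubled double-quotes (`""/Users/%/Documents/%%""` and `""16d28…""`), which inside a YAML plain scalar are literal characters and reach osquery's SQLite parser as an empty quoted identifier followed by stray tokens rather than as a string literal; the sibling queries in the next two hunks use a single pair. If the file really reads this way and it is not a rendering artifact, the line should be `query: SELECT path, sha256 FROM hash WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%') AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';` — single quotes are SQLite's string-literal form, and the trailing `%%` is the same wildcard twice. The same entry lists Linux under `platforms:` while the path pattern only matches macOS home directories, so on Linux hosts it will silently return no rows; either drop Linux or add a `/home/%` pattern. These lines are context, unchanged by the commit; the hunk's own `Description:` → `description:` key fix is fine.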
@ -466,13 +466,13 @@ spec:
query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid; query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
purpose: Informational purpose: Informational
contributors: alphabrevity contributors: alphabrevity
-- ---
apiVersion: v1 apiVersion: v1
kind: query kind: query
spec: spec:
name: Get all listening ports, by process name: Get all listening ports, by process
platforms: Linux, macOS, Windows platforms: Linux, macOS, Windows
Description: List ports that are listening on all interfaces, along with the process to which they are attached. description: List ports that are listening on all interfaces, along with the process to which they are attached.
query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0"; query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0";
purpose: Informational purpose: Informational
contributors: alphabrevity contributors: alphabrevity
@ -482,7 +482,7 @@ kind: query
spec: spec:
name: Get whether TeamViewer is installed/running name: Get whether TeamViewer is installed/running
platforms: Windows platforms: Windows
description: Description: Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine. description: Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%"; query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
purpose: Informational purpose: Informational
contributors: alphabrevity contributors: alphabrevity