mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
e82962e4a7
* create schema/tables, add yaml schema tables
* Update osquery-table-details.ejs
* Generate schema from schema/tables/ folder
* Create generate-yaml-tables-from-json.js
* update created table files
* update fleet override validation
* update error messages, add fleetRepoUrl
* Delete generate-yaml-tables-from-json.js
* Update osquery-table-details.ejs
* Update whitespace in table examples
* Revert "Update osquery-table-details.ejs" This reverts commit 2e9d63208f59997d492375ebaf1d0ec7e4afe468.
* add YAML tables generated from updated Fleet schema
* lint fixes
* update arp_cache and docker_containers tables
14 lines
702 B
YAML
name: event_taps
examples: >-
  Identify processes that have a tap into the system, such as access to
  keystrokes, and view details on the executable including signature status,
  team identifier if signed and the authority that emitted the signing
  certificate. This can be used to detect keyloggers and other malicious
  applications.

  ```

  SELECT t.event_tapped, s.identifier, s.signed, s.team_identifier, s.authority FROM event_taps t JOIN processes p ON p.pid = t.tapping_process JOIN signature s on s.path = p.path WHERE s.identifier !='com.apple.ViewBridgeAuxiliary' AND s.identifier !='com.apple.universalaccessd' AND s.identifier !='com.apple.accessibility.AXVisualSupportAgent';

  ```
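The schema example above hides three known Apple accessibility helpers by bundle identifier. The query below is an added example, not part of the Fleet schema file or the osquery project; it generalizes that hunt by filtering on signing status and signing authority instead of an identifier allowlist, and pulls in the context an analyst needs to triage a hit (who owns the tapping process, what launched it, which process it is tapping, whether the tap is active). It assumes the standard osquery macOS tables and columns: event_taps (tapping_process, process_being_tapped, event_tapped, enabled), processes (pid, name, path, cmdline, uid, parent), users (uid, username) and signature (path, identifier, signed, team_identifier, authority). The literal 'Software Signing' is the authority osquery's signature table reports for Apple platform binaries; treat it as an assumption and confirm it against your own fleet before alerting on it.

```sql
-- Added example (not from the Fleet schema or osquery): event tap hunt with
-- process context and a signature-based filter rather than an identifier list.
-- Assumed osquery macOS tables: event_taps, processes, users, signature.
SELECT
  t.tapping_process      AS tapper_pid,
  p.name                 AS tapper_name,
  p.path                 AS tapper_path,
  p.cmdline              AS tapper_cmdline,
  u.username             AS tapper_user,
  pp.name                AS parent_name,
  pp.path                AS parent_path,
  t.process_being_tapped AS target_pid,
  t.event_tapped,                      -- event mask the tap observes (keyboard, mouse, ...)
  t.enabled,
  s.signed,
  s.identifier,
  s.team_identifier,
  s.authority
FROM event_taps t
JOIN processes p        ON p.pid  = t.tapping_process
-- signature needs a path constraint; the inner join on p.path supplies it
JOIN signature s        ON s.path = p.path
LEFT JOIN processes pp  ON pp.pid = p.parent
LEFT JOIN users u       ON u.uid  = p.uid
WHERE t.enabled = 1
  -- Keep anything unsigned or not signed by Apple itself. 'Software Signing'
  -- is assumed to be the authority reported for Apple platform binaries;
  -- unsigned binaries report signed = 0 with an empty authority.
  AND (s.signed = 0 OR s.authority != 'Software Signing')
ORDER BY s.signed ASC, tapper_path;
```

Two practical notes. First, the signature table parses the code signature of each path it is asked about, so scoping it through the join to tapping processes only (as the schema example also does) keeps the query cheap; do not widen it to all of processes in a scheduled query. Second, legitimate third-party software (accessibility tools, window managers, password managers, screen recorders) installs event taps too, so the result set is a triage list, not an alert by itself: the useful signal is a tap from an unsigned binary, an unexpected team_identifier, or a tapper whose parent is a shell, a user-writable path or a LaunchAgent you do not recognize.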