uupdate to proc_yara to optimise process scanning (#47)
* Add proc_yara update to Windows.Detection.Yara.Process

* Add proc_yara update to Windows.Detection.Yara.Process
mgreen27 authored Jan 22, 2024
1 parent 588df9a commit e9b0906
Showing 1 changed file with 13 additions and 12 deletions.
25 changes: 13 additions & 12 deletions artifacts/definitions/Windows/Detection/Yara/Process.yaml
Expand Up @@ -89,7 +89,7 @@ sources:
query: |
-- check which Yara to use
LET yara_rules <= YaraUrl || YaraRule
-- find velociraptor process
LET me = SELECT Pid FROM pslist(pid=getpid())
Expand All @@ -112,8 +112,8 @@ sources:
ExePath,
CommandLine,
Pid,
Namespace,
Rule,
Tags,
Meta,
String.Name as YaraString,
String.Offset as HitOffset,
Expand All @@ -124,25 +124,26 @@ sources:
split(string=ProcessName, sep='\\.')[0], Pid,
String.Offset ]
)) as HitContext
FROM yara(
files=format(format="/%d", args=Pid),
accessor='process',
rules=yara_rules,
context=ContextBytes,
number=NumberOfHits)
FROM proc_yara(
pid=int(int=Pid),
rules=yara_rules,
context=ContextBytes,
number=NumberOfHits
)
})
-- upload hits using proc_dump plugin
LET upload_hits = SELECT * FROM foreach(
row=hits,
query={
SELECT
SELECT
ProcessName,
ExePath,
CommandLine,
Pid,
Namespace,
Rule,
Tags,
Meta,
YaraString,
HitOffset,
Expand All @@ -154,12 +155,12 @@ sources:
) as ProcessDump
FROM proc_dump(pid=Pid)
})
-- return rows
SELECT * FROM if(condition=UploadHits,
then=upload_hits,
else=hits)
column_types:
- name: HitContext
type: preview_upload
type: preview_upload
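Review bot: The `pid=int(int=Pid)` argument to `proc_yara` in the third hunk carries an unstated requirement that the next reader is likely to "clean up" as a redundant cast; a one-line comment above the call, `-- proc_yara takes an integer pid; Pid from the upstream process rows is presumably not guaranteed to be one`, would preserve the intent. The enclosing `SELECT` that builds `HitContext` starts before this hunk, and the first hunk only defines `LET me = SELECT Pid FROM pslist(pid=getpid())` under `-- find velociraptor process` — where `me` is consumed to keep the agent's own process out of the scan is outside the visible lines, so it is worth confirming that exclusion still applies on the `proc_yara` path, since the agent's memory presumably holds `yara_rules` itself and would self-match. The `SELECT`/`SELECT` pair in the third hunk and the `type: preview_upload` pair in the fourth appear to be whitespace-only changes.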
