diff --git a/artifacts/definitions/Windows/Detection/Yara/Process.yaml b/artifacts/definitions/Windows/Detection/Yara/Process.yaml
index dcb27afff75..6b63c7e9c3c 100644
--- a/artifacts/definitions/Windows/Detection/Yara/Process.yaml
+++ b/artifacts/definitions/Windows/Detection/Yara/Process.yaml
@@ -89,7 +89,7 @@ sources:
 query: |
 -- check which Yara to use
 LET yara_rules <= YaraUrl || YaraRule
- 
+
 -- find velociraptor process
 LET me = SELECT Pid FROM pslist(pid=getpid())
 
@@ -112,8 +112,8 @@ sources:
 ExePath,
 CommandLine,
 Pid,
- Namespace,
 Rule,
+ Tags,
 Meta,
 String.Name as YaraString,
 String.Offset as HitOffset,
@@ -124,25 +124,26 @@ sources:
 split(string=ProcessName, sep='\\.')[0],
 Pid,
 String.Offset ] )) as HitContext
- FROM yara(
- files=format(format="/%d", args=Pid),
- accessor='process',
- rules=yara_rules,
- context=ContextBytes,
- number=NumberOfHits)
+
+ FROM proc_yara(
+ pid=int(int=Pid),
+ rules=yara_rules,
+ context=ContextBytes,
+ number=NumberOfHits
+ )
 })
 
 -- upload hits using proc_dump plugin
 LET upload_hits = SELECT * FROM foreach(
 row=hits,
 query={
- SELECT 
+ SELECT
 ProcessName,
 ExePath,
 CommandLine,
 Pid,
- Namespace,
 Rule,
+ Tags,
 Meta,
 YaraString,
 HitOffset,
@@ -154,7 +155,7 @@ sources:
 ) as ProcessDump
 FROM proc_dump(pid=Pid)
 })
- 
+
 -- return rows
 SELECT * FROM if(condition=UploadHits,
 then=upload_hits,
@@ -162,4 +163,4 @@ sources:
 
 column_types:
 - name: HitContext
- type: preview_upload
+ type: preview_upload
\ No newline at end of file
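Review bot: Replacing `Namespace` with `Tags` in both the `hits` SELECT (hunk 2) and the `upload_hits` SELECT (hunk 3) changes the artifact's output schema, and nothing in the diff records that; a saved hunt, notebook or downstream export that still references `Namespace` will presumably get NULLs rather than an error, so the rename should be called out where consumers will see it. I would add a comment above the first SELECT, `-- Namespace was dropped in favour of Tags when moving to proc_yara(); consumers keyed on Namespace must be updated`, and note the change in the artifact's description or version field if the file carries one (that part of the file lies outside the hunks). On the new `FROM proc_yara(pid=int(int=Pid), ...)` line the explicit cast deserves a one-line why-comment, since `Pid` coming from `pslist()` looks like it should already be an integer — `-- proc_yara() requires an int pid` — or the cast should be dropped if it is redundant. The `hits` query that this FROM clause closes starts before hunk 2, so its full column list is not visible here.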