Generic.Events.Processes.yaml
name: Generic.Events.Processes
author: Herbert Bärschneider, SEC Consult
description: |
  This artifact monitors processes on clients. It is usable on every operating system
  supported by Velociraptor, because it relies only on the pslist() and diff() plugins.
  It periodically queries the running processes and emits one row per difference
  between consecutive polls: a process that appeared since the last poll, or one that
  is no longer present.
  Processes are tracked and compared on a composite key built from the following
  fields: process ID, parent process ID, SID of the process owner, username, process
  name, executable associated with the process, and command line of the process.
  A process whose key changes between polls (for example a PID reused by a different
  executable) is therefore reported once as removed and once as added. Processes that
  start and exit within a single Period are never observed by this artifact.
type: CLIENT_EVENT
parameters:
  - name: Period
    default: 2
    type: int
    description: Number of seconds the artifact waits between polls of the process list.
sources:
  - query: |
      -- Snapshot of the process table with a composite key per process.
      LET RunningProcesses = SELECT *,
             format(format="%v %v %v %v %v %v %v",
                    args=[Pid, Ppid, OwnerSid, Username, Name, Exe, CommandLine]) AS DiffKey
      FROM pslist()

      -- Re-run the snapshot every Period seconds and emit rows whose DiffKey
      -- is present in only one of two consecutive snapshots.
      LET EventQuery = SELECT * FROM diff(query=RunningProcesses, period=Period, key="DiffKey")

      SELECT * FROM EventQuery
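The detection logic of the artifact (snapshot the process table, build a composite key per process, report keys that exist in only one of two consecutive polls) re-implemented in Python as an added example; this is not part of the artifact or of Velociraptor, and the two sample snapshots are constructed. Column names follow the pslist() fields the artifact uses and the "added"/"removed" naming of its Diff output is assumed. The example also shows why the key is composite: keyed on Pid alone, a PID that is reused by a different executable between two polls produces no event at all.

```python
"""Polling process-list diff, mirroring the Generic.Events.Processes artifact.

Added example, not part of the artifact: the same snapshot-and-diff approach,
keyed on the same seven fields, run over constructed sample snapshots so it
executes offline. Output shape (row + Diff column) is an assumption.
"""

# Fields the artifact concatenates into DiffKey, in the same order.
KEY_FIELDS = ("Pid", "Ppid", "OwnerSid", "Username", "Name", "Exe", "CommandLine")


def diff_key(proc, key_fields=KEY_FIELDS):
    """Equivalent of format(format="%v %v ...", args=[...]) in the artifact."""
    return " ".join(str(proc.get(f, "")) for f in key_fields)


def diff_snapshots(previous, current, key_fields=KEY_FIELDS):
    """Return one row per process present in exactly one of the two snapshots.

    Each returned row is the original process row plus a Diff column that is
    "added" (only in current) or "removed" (only in previous).
    """
    prev = {diff_key(p, key_fields): p for p in previous}
    curr = {diff_key(p, key_fields): p for p in current}
    events = []
    for key, proc in curr.items():
        if key not in prev:
            events.append({**proc, "Diff": "added"})
    for key, proc in prev.items():
        if key not in curr:
            events.append({**proc, "Diff": "removed"})
    return events


def monitor(snapshots, key_fields=KEY_FIELDS):
    """Diff a series of polls; the first poll is used as the baseline only.

    Returns a list of (poll_index, event) tuples in emission order.
    """
    events = []
    for i in range(1, len(snapshots)):
        for ev in diff_snapshots(snapshots[i - 1], snapshots[i], key_fields):
            events.append((i, ev))
    return events


def _proc(pid, ppid, sid, user, name, exe, cmd):
    return {"Pid": pid, "Ppid": ppid, "OwnerSid": sid, "Username": user,
            "Name": name, "Exe": exe, "CommandLine": cmd}


SYSTEM_SID = "S-1-5-18"
USER_SID = "S-1-5-21-1000-2000-3000-1001"

# Constructed sample poll (not real telemetry).
SNAPSHOT_T0 = [
    _proc(4, 0, SYSTEM_SID, "NT AUTHORITY\\SYSTEM", "System", "", ""),
    _proc(1234, 900, USER_SID, "CORP\\alice", "explorer.exe",
          "C:\\Windows\\explorer.exe", "C:\\Windows\\Explorer.EXE"),
    _proc(5678, 1234, USER_SID, "CORP\\alice", "powershell.exe",
          "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -NoProfile"),
]

# Second constructed poll: PID 5678 has been reused by a different image and a
# new notepad.exe has started. System and explorer.exe are unchanged.
SNAPSHOT_T1 = [
    SNAPSHOT_T0[0],
    SNAPSHOT_T0[1],
    _proc(5678, 1234, USER_SID, "CORP\\alice", "rundll32.exe",
          "C:\\Windows\\System32\\rundll32.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),
    _proc(9999, 1234, USER_SID, "CORP\\alice", "notepad.exe",
          "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    print("composite key (as in the artifact):")
    for i, ev in monitor([SNAPSHOT_T0, SNAPSHOT_T1]):
        print(f"  poll {i}: {ev['Diff']:7} pid={ev['Pid']} {ev['Name']}")
    print("Pid only (PID reuse is invisible):")
    for i, ev in monitor([SNAPSHOT_T0, SNAPSHOT_T1], key_fields=("Pid",)):
        print(f"  poll {i}: {ev['Diff']:7} pid={ev['Pid']} {ev['Name']}")
```

With the composite key the second poll yields three events (rundll32.exe added, notepad.exe added, powershell.exe removed); keyed on Pid alone it yields only the notepad.exe event, since PID 5678 exists in both snapshots. The same polling model also explains the Period caveat: a process that starts and exits between two calls of diff_snapshots never appears in either snapshot and produces no event.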