osquery-defense-kit/incident_response/open_files.sql

22 lines
461 B
MySQL
Raw Normal View History

2022-10-13 13:11:17 +00:00
-- Retrieves all the open files per process in the target system.
--
-- tags: postmortem
2022-10-13 13:11:17 +00:00
-- platform: posix
SELECT DISTINCT
pof.pid,
pof.path,
pof.fd,
p.name,
p.start_time,
p.euid,
p.parent,
p.uid,
p.cmdline
FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
WHERE
pof.path NOT LIKE '/private/var/folders%'
AND pof.path NOT LIKE '/System/Library/%'
AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');