scudette · December 12, 2020 13:57
diff --git a/Custom.OSQuery.BlackJack.yaml b/Custom.OSQuery.BlackJack.yaml
 name: Custom.OSQuery.BlackJack
 description: |
   Get memory dumps of all processes with a named pipe called BlackJack

 parameters:
   - name: NamedProcessRegex
     default: BlackJack
   - name: OSQuery_query
     default: "SELECT proc.parent AS process_parent, proc.path AS process_path, proc.pid AS process_id, proc.cwd AS process_directory, pipe.pid AS pipe_pid, pipe.name AS pipe_name FROM processes proc JOIN pipes pipe ON proc.pid=pipe.pid;"

 sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      LET matching_processes = SELECT * 
      FROM Artifact.Windows.OSQuery.Generic(Query=OSQuery_query)
      WHERE pipe_name =~ NamedProcessRegex
      GROUP BY process_id
      
      SELECT * FROM foreach(row=matching_processes,
      query={
          SELECT pipe_name, process_id, process_path, 
                    upload(file=FullPath) AS MemDump
          FROM proc_dump(pid=int(int=process_id))
      })
	name: Custom.OSQuery.BlackJack
	description: \|
	Get memory dumps of all processes with a named pipe called BlackJack

	parameters:
	- name: NamedProcessRegex
	default: BlackJack
	- name: OSQuery_query
	default: "SELECT proc.parent AS process_parent, proc.path AS process_path, proc.pid AS process_id, proc.cwd AS process_directory, pipe.pid AS pipe_pid, pipe.name AS pipe_name FROM processes proc JOIN pipes pipe ON proc.pid=pipe.pid;"

	sources:
	- precondition:
	SELECT OS From info() where OS = 'windows'

	query: \|
	LET matching_processes = SELECT *
	FROM Artifact.Windows.OSQuery.Generic(Query=OSQuery_query)
	WHERE pipe_name =~ NamedProcessRegex
	GROUP BY process_id

	SELECT * FROM foreach(row=matching_processes,
	query={
	SELECT pipe_name, process_id, process_path,
	upload(file=FullPath) AS MemDump
	FROM proc_dump(pid=int(int=process_id))
	})
No results found