security

command module
v0.0.0-...-8ec0cbd Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 13, 2021 License: MIT Imports: 8 Imported by: 0

README

Example Security Check

Attackers will sometimes leave a malicious process running but delete the original binary on disk. This example will use OSQuery to run a query that returns processes in which the original binary has been deleted from disk. The example converts the OSQuery results into something analyzer can consume and then uses analyzer to interpret the results.

The check is defined in the config.json file included with the example.

{
  "collectors": [
    {
      "id": "process-check",
      "expression": "SELECT name, path, pid FROM processes WHERE on_disk = 0;"
    }
  ],
  "checks": [
    {
      "collector-id": "process-check",
      "Description": "processes running without binary on disk",
      "conditions": [
        {
          "type": "fail",
          "predicate": "@len( $ ) > 2",
          "message": "lots of possible malicious processes exist"
        },
        {
          "type": "warning",
          "predicate": "@len( $ ) > 0 && @len( $ ) <= 2",
          "message": "possible malicious processes exist"
        },
        {
          "type": "pass",
          "predicate": "@len( $ ) == 0",
          "message": "no suspect processes found"
        }
      ]
    }
  ]
}

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.