Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create Windows.Nirsoft.FileActivityWatch.yaml #657

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Create Windows.Nirsoft.FileActivityWatch.yaml #657

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d4edd62
Create Windows.Nirsoft.FileActivityWatch.yaml
conexioninversa Aug 25, 2023
4a2de9e
Merge branch 'master' into conexioninversa-patch-1-FileActivityWatch
conexioninversa Aug 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions content/exchange/artifacts/Windows.Nirsoft.FileActivityWatch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Custom.Windows.Nirsoft.FileActivityWatch
description: |
FileActivityWatch is a tool for Windows that displays information about every read/write/delete operation of files occurs on your system. For every file, FileActivityWatch displays the number of read/write bytes, number of read/write/delete operations, first and last read/write timestamp, and the name/ID of the process responsible for the file operation.

author: Pedro Sánchez Cordero @ conexioninversa

tools:
- name: FileActivityWatch
url: https://www.nirsoft.net/utils/fileactivitywatch-x64.zip

precondition: SELECT OS From info() where OS = 'windows'

sources:
- name: Upload
query: |

LET Hostname <= SELECT Hostname as Host FROM info()

-- Fetch the binary
LET Toolzip <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="FileActivityWatch", IsExecutable=FALSE)
LET TmpDir <= tempdir()
-- Unzip the binary
LET _ <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
-- Set EXE
LET FileActivityWatchExe <= TmpDir + '\\FileActivityWatch.exe'

-- Build the exec command
LET FileActivityWatchCmd <= filter(list=(FileActivityWatchExe, "/scomma", TmpDir + "\\" + Hostname.Host[0] + "-FileActivityWatch.csv" )
, regex=".+")

-- Run the tool.
LET ExeFileActivityWatchView <= SELECT *
FROM execve(argv=FileActivityWatchCmd,sep="\n", length=10000)

-- Upload CSV to the hunt
LET Upload <= SELECT Name, upload(file=FullPath,name=relpath(base=TmpDir + Hostname.Host[0] + "-FileActivityWatch.csv", path=FullPath)) as FileDetails
FROM glob(globs="/**", root=TmpDir)
WHERE Name =~ "(csv)$"

-- Parse CSV to Notebook
SELECT * FROM parse_csv(filename= TmpDir + "\\" + Hostname.Host[0] + "-FileActivityWatch.csv")