This artifact parses /proc/[0-9]*/status files and extracts the ProcessName and Kthread values. Helpful for identifying imposter processes.
name: Linux.ExtractKthread
author: Andy Swift
description: |
This artifact parses `/proc/[0-9]*/status` files and extracts the `ProcessName` and `Kthread` values. Helpful for identifying imposter processes.
type: CLIENT
precondition: SELECT OS FROM info() WHERE OS = "linux"
parameters:
- name: FileNameGlob
description: Glob pattern to search for process status files.
default: "/proc/[0-9]*/status"
type: str
sources:
- name: extractKthread
query: |
LET FileInfos <= SELECT OSPath, read_file(filename=OSPath) AS content
FROM glob(globs=FileNameGlob, accessor='file')
WHERE content =~ 'Kthread:\\s*(\\d+)'
LET ParsedInfos <= SELECT OSPath,
parse_string_with_regex(
string=content,
regex=[
'^Name:\\s*(?P<Name>.+)',
'Kthread:\\s*(?P<KthreadValue>\\d+)'
]
) AS ParsedContent
FROM FileInfos
SELECT OSPath,
ParsedContent.Name AS ProcessName,
ParsedContent.KthreadValue AS Kthread
FROM ParsedInfos