get current process command line

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: get current process command line
    namespace: host-interation/process
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - os: linux
      - api: open
      - string: "/proc/self/cmdline"
      - api: read

last edited: 2025-01-29 09:27:13