diff --git a/dftimewolf/lib/collectors/grr_hosts.py b/dftimewolf/lib/collectors/grr_hosts.py
index dc5c6f47a..291a90e10 100644
--- a/dftimewolf/lib/collectors/grr_hosts.py
+++ b/dftimewolf/lib/collectors/grr_hosts.py
@@ -390,7 +390,7 @@ class GRRYaraScanner(GRRFlow):
 * {2:s}
-Flow ID: `{3:s}`
+Flow ID: {3:s}
 """
 # pylint: disable=arguments-differ
@@ -546,11 +546,12 @@ def _YaraHitsToDataFrame(
 'grr_client': client.client_id,
 'grr_fqdn': client.data.os_info.fqdn,
 'pid': process.pid,
- 'process': process.exe,
 'username': process.username,
- 'cwd': process.cwd,
 'rule_name': match.rule_name,
- 'string_matches': sorted(list(string_matches))
+ 'string_matches': sorted(list(string_matches)),
+ 'cmdline': ' '.join(process.cmdline),
+ 'process': process.exe,
+ 'cwd': process.cwd,
 })
 return pd.DataFrame(entries)
diff --git a/tests/lib/collectors/grr_hosts.py b/tests/lib/collectors/grr_hosts.py
index a45fdfb50..8215132b1 100644
--- a/tests/lib/collectors/grr_hosts.py
+++ b/tests/lib/collectors/grr_hosts.py
@@ -1059,6 +1059,7 @@ def testProcess(
 'grr_fqdn': 'tomchop',
 'pid': 12345,
 'process': 'C:\\temp\\bad.exe',
+ 'cmdline': 'C:\\temp\\bad.exe arg1 arg2',
 'username': 'tomchop',
 'cwd': 'C:\\temp',
 'rule_name': 'badstring',
@@ -1067,7 +1068,9 @@ def testProcess(
 {
 'grr_client': 'C.0000000000000001',
 'grr_fqdn': 'tomchop',
- 'pid': 12345, 'process': 'C:\\temp\\bad.exe',
+ 'pid': 12345,
+ 'process': 'C:\\temp\\bad.exe',
+ 'cmdline': 'C:\\temp\\bad.exe arg1 arg2',
 'username': 'tomchop',
 'cwd': 'C:\\temp',
 'rule_name': 'superbadstring',
diff --git a/tests/lib/collectors/test_data/mock_grr_hosts.py b/tests/lib/collectors/test_data/mock_grr_hosts.py
index d57afcf7d..a655093a1 100644
--- a/tests/lib/collectors/test_data/mock_grr_hosts.py
+++ b/tests/lib/collectors/test_data/mock_grr_hosts.py
@@ -138,6 +138,7 @@
 exe='C:\\temp\\bad.exe',
 username='tomchop',
 cwd='C:\\temp',
+ cmdline=['C:\\temp\\bad.exe', 'arg1', 'arg2'],
 ),
 match=[
 flows_pb2.YaraMatch(
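Review bot: `' '.join(process.cmdline)` on the new `'cmdline'` line of `_YaraHitsToDataFrame` flattens the argv list and discards argument boundaries, so an element that itself contains whitespace can no longer be told apart from two separate arguments once an analyst pivots on or exports that column. Either keep the structured value, `'cmdline': list(process.cmdline),`, or, if the column has to be a string, make the loss explicit with a comment such as `# Space-joined for readability; argv element boundaries are not recoverable from this value.`. The fixture added in tests/lib/collectors/test_data/mock_grr_hosts.py (`['C:\\temp\\bad.exe', 'arg1', 'arg2']`) contains no element with embedded whitespace, so the expected strings in both tests/lib/collectors/grr_hosts.py hunks cannot detect this ambiguity; a constructed element like `'arg with space'` would. The re-added `'string_matches'` line can drop the redundant wrapper, `'string_matches': sorted(string_matches),`, since `sorted` accepts any iterable. `_YaraHitsToDataFrame` begins before this hunk, so the docstring describing the returned columns (if any) is outside it and should mention the new `cmdline` column.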