From 8438a4d4fa7a903e3be4a71b44fab06b7a3df9b9 Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Tue, 25 Jun 2024 16:29:53 +0900
Subject: [PATCH] Fixed deleted.yaml Fixed "Find open files of (malicious) processes." in deleted.yaml
---
 artifacts/live_response/process/deleted.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/artifacts/live_response/process/deleted.yaml b/artifacts/live_response/process/deleted.yaml
index 9255caf..e619e80 100644
--- a/artifacts/live_response/process/deleted.yaml
+++ b/artifacts/live_response/process/deleted.yaml
@@ -69,10 +69,9 @@ artifacts:
 -
 description: Find open files of (malicious) processes.
 supported_os: [linux]
- collector: find
- path: .list_open_file_descriptors.txt
- is_file_list: true
- file_type: f
+ collector: command
+ foreach: cat "%destination_directory%/.list_open_file_descriptors.txt"
+ command: find %line% -type f -print
 output_file: .open_file_descriptors.txt
 -
 description: Collect open files of (malicious) processes.
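Review bot: `%line%` is placed unquoted into `command: find %line% -type f -print`, so a list entry containing whitespace or glob characters would be split or expanded by the shell instead of reaching find as one path. The entries presumably derive from the state of the processes under investigation, which a live-response collector should treat as untrusted. A blank entry would also leave GNU find with no start path, so it would walk the current directory. Consider `command: find "%line%" -type f -print`, provided each line of `.list_open_file_descriptors.txt` holds exactly one path; the artifact that writes that file is outside this hunk, so confirm. Double quotes do not stop `$(...)` or backtick expansion, and whether UAC escapes `%line%` before substitution is not visible here, so that is worth checking as well.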