👋We’re launching free support for BYOD Android devices and looking for early feedback. Interested?

Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Guides Vitals Queries Policies Software OS settings Data tables API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Get Nmap scanner

Get Nmap scanner

Get Nmap scanner process, as well as its user, parent, and process details.

To learn more about queries, check this guide.

SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';
$processes = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE CommandLine LIKE 'nmap%'"  
foreach ($proc in $processes) {  
    # Get parent's name  
    $parentName = ""  
    if ($proc.ParentProcessId) {  
        $parentProc = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)" -ErrorAction SilentlyContinue  
        if ($parentProc) {  
            $parentName = $parentProc.Name  
        }  
    }  

    # Get username from process owner  
    $username = ""  
    $ownerInfo = $proc.GetOwner()  
    if ($ownerInfo.ReturnValue -eq 0) {  
        $username = "$($ownerInfo.Domain)\$($ownerInfo.User)"  
    }  

    # Convert WMI creation date to readable time  
    $startTime = $null  
    if ($proc.CreationDate) {  
        $startTime = [Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)  
    }  

    # cwd is not available from Win32_Process; use placeholder  
    $cwd = "N/A"  

    # Create a custom object with the desired fields  
    $result = [PSCustomObject]@{  
        pid         = $proc.ProcessId  
        name        = $proc.Name  
        path        = $proc.ExecutablePath  
        cmdline     = $proc.CommandLine  
        cwd         = $cwd  
        start_time  = $startTime  
        parent      = $proc.ParentProcessId  
        parent_name = $parentName  
        username    = $username  
    }  

    Write-Output $result  
}
echo "pid,name,path,cmdline,cwd,start_time,parent,parent_name,username"; for pid in $(ps -axo pid,args | awk '$0 ~ /^[[:space:]]*[0-9]+ nmap/ {print $1}'); do cmd=$(ps -p $pid -o args=); name=$(ps -p $pid -o comm=); path=$(lsof -p $pid | awk '$4=="txt" {print $9; exit}'); cwd=$(lsof -a -p $pid -d cwd 2>/dev/null | awk 'NR==2 {print $9}'); start_time=$(ps -p $pid -o lstart=); parent=$(ps -p $pid -o ppid=); parent_name=$(ps -p $parent -o comm= 2>/dev/null); user=$(ps -p $pid -o user=); echo "$pid,$name,$path,$cmd,$cwd,$start_time,$parent,$parent_name,$user"; done
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands for macOS are currently work in progress, contributions welcome.

Platform

macOSApple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Suggest an editEdit Talk to an engineerTalk to us