zwass
SELECT p.* FROM processes p LEFT JOIN process_open_files pof USING (pid) WHERE cmdline LIKE '%python%' AND name = "Python" AND pof.path = '';
toka
06/26/2018, 3:07 PM
some_filename is missing on any host, for whatever reason. file table gives me a nice result for machines that have my some_filename in place, but how to invert such query?
alessandrogario
SELECT *
FROM authenticode
WHERE path = (
SELECT substr(path, 0, 21)
FROM processes
WHERE path LIKE '%winlogon%'
) || 'procexp.exe';
Mustafa
08/01/2018, 2:40 PM
shadejinx
08/01/2018, 4:23 PM
alessandrogario
yuvalapidot
08/16/2018, 7:35 AM
SELECT MAX(asl.time) boot_time FROM asl WHERE asl.sender = 'bootlog';
This will select the latest boot time from the Apple System Log data structure.
Any thoughts on this query? Will it always work?
fritz
01/22/2019, 5:17 PM
SELECT * FROM system_info
WHERE
NOT EXISTS (SELECT *
FROM processes
WHERE name LIKE '%auditd%');
R0n
01/23/2019, 7:11 PM
SELECT * FROM file WHERE filename LIKE '%example%'
does not return any results
fritz
01/24/2019, 7:21 PM
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
8p8c
02/25/2019, 10:53 PM
split
is.
R0n
01/10/2020, 8:00 PM
Chris Benninger
05/13/2020, 3:29 PM
Zach Zeid
05/14/2020, 4:55 PM
WITH forbidden_commands(cmd) AS (SELECT * FROM (VALUES ('rsync'), ('ngrok'), ('curl'), ('scp'), ('nc'))) SELECT username, uid, command FROM shell_history JOIN forbidden_commands ON shell_history.command LIKE ('%' || forbidden_commands.cmd || '%') JOIN users USING(uid);
but I'm getting this error
W0514 12:24:23.284471 17017 virtual_table.cpp:959] The shell_history table returns data based on the current user by default, consider JOINing against the users table
It looks like it is joining against the users table?
Zach Zeid
05/15/2020, 5:32 PM
select * from shell_history on a schedule, does that read the whole .bash_history every time, or does it diff it in some way?
fritz
05/28/2020, 1:25 PM
Zach Zeid
05/29/2020, 6:56 PM
Zach Zeid
06/02/2020, 2:54 PM
osquery> select distinct lp.pid, p.name, lp.port, lp.protocol, lp.family from listening_ports lp join processes p using (pid) where lp.family <> '' and lp.port > 0 and lp.port not in (80, 443);
looking at getting process name for anything in listening_ports that's not 80 or 443?
lvferdi
07/24/2020, 11:35 AM
Julian Scala
10/15/2020, 8:29 PM
fritz
11/02/2020, 3:16 PM
rpm_packages where an install_time exists?
zwass
(key, value).
WS
02/23/2021, 7:33 PM
fritz
04/12/2021, 3:35 PM
SELECT * FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Office\%'
Divya
06/15/2021, 8:10 AM
Will Sheldon
10/27/2021, 8:57 PM
Wes
11/10/2021, 7:34 PM
list<map<string,string>> data structures that represent the tables independently of sqlite. In particular, I'm looking into how JOIN works. Any pointers would be much appreciated! Is there a primer on how tables work under the hood?
Divya
01/04/2022, 1:29 PM
Jon Semon
03/09/2022, 1:30 AM
Chris Delaney
04/12/2022, 7:50 PM