Hi All.. Seeking some help to do some file search...
# general
s
Hi All.. Seeking some help to do some file search using osquery but couldn't find a way where it recursively searches all sub directories? Is it possible or not via osquery? I'm looking to find files with a particular exe name.
j
There is a windows_search table, but I don't know if that works for you or not.
k
Using %% in a query against the file table will do a recursive search, so something like:
SELECT * FROM file WHERE path LIKE 'C:\%%' AND filename = 'example.exe';
Of course, if the query takes a long time it will likely be killed by the watchdog.
s
Thanks for the input... Btw I'm trying on a Mac.. I tried the below but it's not listing any results...
SELECT * FROM file WHERE path LIKE '/%%' AND filename = '<myexefilename>';
@Keith Swagler If I give it this way, "SELECT path FROM file WHERE path LIKE '/%%';", it gives some results but stops recursing at some level and doesn't go any deeper.
@John Speno I'm trying on a Mac, do you know the equivalent table?
j
Sorry, you said exe and that made me think Windows. 🙂 Look at https://osquery.io/schema/5.11.0/#mdfind
s
Tried the below query on Mac but it gives the below error...
select path from mdfind where path like '/%%';
W0125 191723.492113 -648111040 virtual_table.cpp:975] Table mdfind was queried without a required column in the WHERE clause
W0125 191723.492201 -648111040 virtual_table.cpp:986] Please see the table documentation: https://osquery.io/schema/#mdfind
Error: constraint failed
j
You need to use the query column, not path. See man mdfind for query formats.
The 📌 icon in the docs indicates which columns must be provided in the query.