#general
Andrew Baker

09/29/2021, 8:40 PM
I've been looking through Fleet's standard query library, but I was curious if anybody has a recommendation on a query that they can't live without? 👾
puffycid

09/29/2021, 11:18 PM
I guess a very simple query I personally really like is querying the `shimcache` table (shimcache is also sometimes called appcompat/application compatibility cache/appcompatcache) on Windows, so something like `select * from shimcache`. It returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, the order of execution, and the full file path. The data is pretty valuable and is very helpful imo. Order of execution can show the order in which files were executed. An extremely basic example below (read bottom to top): shimcache shows cmd.exe executed, followed by some basic recon commands, procdump (commonly used to dump credentials), file compression, and potential exfil via ftp.
ftp.exe
zip.exe
procdump.exe
net.exe
whoami.exe
ipconfig.exe
cmd.exe
You can also combine it with the `file` and `hash` tables to see if the executed file is still on disk or if it has been deleted. You could also query shimcache across 1,000 systems and do frequency analysis to see the most common files that are executed and look for outliers, e.g. powershell.exe executed on 600 systems vs. procdump.exe executed on 4 systems. Since powershell.exe was executed on 600 systems it could be normal/legit, whereas procdump.exe was only on 4 systems, which could be suspicious. Again, it's pretty simple, but it has lots of uses imo.
fritz

09/30/2021, 6:10 PM
@puffycid dropping the knowledge bombs as usual 😉
Andrew Baker

09/30/2021, 8:47 PM
This is incredible, thank you so much for the insight! 🤯