I've been looking through Fleet's standard query library, but I was curious if anybody has a recommendation on a query that they can't live without? 👾

i guess a very simple query i personally really like is querying the

shimcache

table (shimcache is also sometimes called appcompat/application compatibility cache/appcompatcache) on windows so something like

select * from shimcache

it returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path the data is pretty valuable and is very helpful imo order of execution can show the order in which files were executed An extremely basic example below (read bottom to top), shimcache shows cmd.exe executed followed by some basic recon commands, procdump (commonly used to dump credentials), file compression, potential exfil via ftp

ftp.exe
zip.exe
procdump.exe
net.exe
whoami.exe
ipconfig.exe
cmd.exe

u can also combine it with the

file

and

hash

table to see if the executed file is on disk still or if its been deleted u could also query shimcache across 1,000 systems and do frequency analysis to see the most common files that are executed and look for outliers ex: powershell.exe executed on 600 systems vs procdump.exe executed on 4 systems since powershell.exe was executed on 600 systems it could be normal/legit vs procdump.exe was only on 4 systems which could be suspicious again its pretty simple but it has lots of uses imo

@puffycid dropping the knowledge bombs as usual 😉

This is incredible, thank you so much for the insight! 🤯