Zander Mackie
08/30/2021, 9:06 PM
/%% would recurse down from the root directory, but the top query is only returning 3 results for some reason, which is not what I thought it would do)
mikermcneil
08/30/2021, 9:11 PM
puffycid
08/30/2021, 9:27 PM
/%% would recursively go through the full file system but it usually went only 2-3 directories but I may have been doing something wrong as it looks like mikermcneil got some accurate? results
Also just to add on to the fleet issue/feature/idea
In addition to listing recently modified files, listing all created files in a specified time range could be very powerful/valuable
Ex scenario: attacker logs onto system via RDP, session lasts 4 hours. Run query to list all files created during that 4 hour period.
Same idea with modified, accessed, etc
mikermcneil
08/30/2021, 9:31 PM
LIMIT to 200 to verify, and I'm seeing what looks like a max depth of 3 directories deep too
seph
mikermcneil
08/30/2021, 10:12 PM
seph
puffycid
08/31/2021, 6:13 AM
Zander Mackie
08/31/2021, 2:15 PM
find fully knowing it could lock the machine:
find src/ -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head -n 20
mikermcneil
08/31/2021, 5:08 PM
Zander Mackie
08/31/2021, 6:40 PM
read_max.
seph
read_max should be about max file size.
Zander Mackie
08/31/2021, 6:47 PM
could be due to 50MB filesystem read limit (that is configurable) -- could try configuring that to rule out it’s not this
Was this referring to read_max or something else?
I was a bit confused because the docs agreed with what @seph pointed out.
sharvil
08/31/2021, 6:48 PM
seph
Zander Mackie
08/31/2021, 6:52 PM