Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-19 06:58:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 69
fleet/schema/tables/shimcache.yml
Eric 02437a098e
Schema: change default block scalar used in schema override files (#19296) 
Closes: #19271
Closes: #19286

Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override
documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override
files
- Regenerated osqeury_fleet_schema.json
2024-05-27 18:18:56 -05:00

19 lines
1.6 KiB
YAML
Raw Blame History

name: shimcache
examples: |-
As a byproduct of its functionality, the Application Compatibility Cache (also known as the shimcache) logs some details around process execution. These logs can be useful, especially during incident response. The following query looks for a potential IoC (indicator of compromise) - evidence of process execution of a Windows binary named certutil. (Certutil is a legitimate Windows application, but is also known to be a lolbin - living off the land binary. See more details here: https://lolbas-project.github.io/lolbas/Binaries/Certutil/ ) This query joins the local system's uptime to its results because shimcache logs are kept in memory until the system is rebooted, at which point they are written to disk - so we would also want to know the last time this system was rebooted.
```
SELECT entry AS execution_order, path, DATETIME(modified_time, 'unixepoch') AS file_last_modified, uptime.days || ' days, ' || uptime.hours || ' hours' AS host_uptime FROM shimcache CROSS JOIN uptime WHERE path LIKE '%certutil%';
```
notes: |-
Some key caveats to know about this data source:
* Process execution logs are only written during a reboot, otherwise they are stored in memory. This means you may not be seeing the data you would expect if the system hasn't been rebooted recently.
* The entry column shows the order of execution - Starting from 1, which is the most-recent process execution, and then on from there.
* The modified_time column displays the last modified time for the file.
Source: https://bromiley.medium.com/windows-wednesday-shim-cache-1997ba8b13e7
Reference in a new issue View git blame Copy permalink