logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Bad Rabbit Scheduled Tasks

Status: Approved Submitted by on ‎07-18-2019 10:03 AM

Description: Bad Rabbit Scheduled Tasks

What The Data Shows: Provides IOC for BadRabbit

SQL: 

SELECT name,action,path,enabled,state,hidden,
    datetime(last_run_time,"unixepoch","localtime") AS last_run_time,
    datetime(next_run_time,"unixepoch","localtime") AS next_run_time,
    last_run_message,last_run_code
FROM (`scheduled_tasks` )
WHERE (`name` = 'drogon') or (`name` = 'Rhaegel');
3 Comments
jnelson
Carbon Black Employee
‎07-18-2019 09:11 PM
‎07-18-2019 09:11 PM
Status changed to: Under Review

@ksnihur would you please consider converting the time stamps from the table? Maybe something like this:

SELECT name,action,path,enabled,state,hidden,
    datetime(last_run_time,"unixepoch","localtime") AS last_run_time,
    datetime(next_run_time,"unixepoch","localtime") AS next_run_time,
    last_run_message,last_run_code
FROM (`scheduled_tasks` )
WHERE (`name` = 'drogon') or (`name` = 'Rhaegel');

ksnihur
Contributor II
‎07-19-2019 01:23 PM
‎07-19-2019 01:23 PM

hey @jnelson 

Updated as requested. I'll start doing that on all the new ones I submit. 

 

jnelson
Carbon Black Employee
‎07-20-2019 11:14 AM
‎07-20-2019 11:14 AM
Status changed to: Approved

@ksnihur Thanks on both counts!!

logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.