
Executable in Suspicious Locations

Description: This query looks for suspicious executables, i.e. .exe files found in unusual locations such as per-user AppData folders, ProgramData and Program Files.

What The Data Shows: the path and the last-accessed, last-modified and created timestamps of each matching executable; the results can be used for threat hunting.

SQL: 

-- Path patterns are as given in the post. osquery's Windows file table reports drive-qualified
-- paths (e.g. C:\Users\...), so a drive prefix may be needed for these patterns to match.
SELECT path,
       datetime(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       datetime(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       datetime(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe' OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe' OR path LIKE '\Program Files\%.exe';
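A deeper variant of the same hunt, added here as an example that is not part of the original post: it walks the AppData and ProgramData trees recursively (osquery's `%%` wildcard, versus `%` which matches a single path component) and joins osquery's `hash` and `authenticode` tables so that unsigned or untrusted executables can be prioritised. It assumes a Windows endpoint with the system drive at C:\ and the `authenticode` table available (Windows-only); the 7-day modification window is a chosen hunting scope, not part of the original query.

```sql
-- Added example, not from the original post. Assumes the system drive is C:\ and a Windows
-- endpoint (the authenticode table is Windows-only). In osquery's file table '%' matches one
-- path component and '%%' matches recursively, so this walks whole directory trees.
SELECT f.path,
       datetime(f.mtime, 'unixepoch', 'localtime') AS "Last Modified",
       datetime(f.ctime, 'unixepoch', 'localtime') AS "Created",
       f.size,
       h.sha256,
       COALESCE(a.result, 'no signature data') AS signature_status,
       a.subject_name AS signer
FROM file f
LEFT JOIN hash h ON h.path = f.path
LEFT JOIN authenticode a ON a.path = f.path
WHERE (f.path LIKE 'C:\Users\%\AppData\%%'
    OR f.path LIKE 'C:\ProgramData\%%')
  AND f.filename LIKE '%.exe'
  -- bound the result set to recently modified files to keep the hunt (and hashing) cheap
  AND f.mtime > CAST(strftime('%s', 'now', '-7 days') AS INTEGER)
  -- surface binaries that are unsigned or whose signature did not verify as trusted
  AND (a.result IS NULL OR a.result != 'trusted')
ORDER BY f.mtime DESC;
```

Recursive patterns over large trees are expensive on the endpoint, so widen the paths or the time window gradually rather than running it fleet-wide unbounded.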


1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved