Built on the open source project osquery.
Description: This query looks for suspicious executables located in unusual directories (user AppData folders, ProgramData and the Program Files root).
What The Data Shows: The results can be used for threat hunting.
SQL:
-- String literals use single quotes; in SQLite double quotes denote identifiers.
-- In osquery's file table a single % matches one directory level; %% would recurse.
SELECT path,
       datetime(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       datetime(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       datetime(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe'
   OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe'
   OR path LIKE '\Program Files\%.exe';
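The following Python script is an added example, not part of the Broadcom page or of osquery itself. It applies the query's four path patterns and its datetime projection to a constructed set of file records so that the wildcard semantics can be checked offline: in osquery's file table a single `%` matches exactly one path component and `%%` matches recursively, whereas plain SQLite would let `%` cross separators. The sample paths and timestamps are constructed, the drive-letter stripping is an assumption (the page's patterns carry no drive letter), and timestamps are rendered in UTC rather than the query's `localtime` so the output is reproducible.

```python
import re
from datetime import datetime, timezone

# The four LIKE patterns from the Live Query above, copied verbatim.
# osquery resolves a LIKE constraint on file.path as a filesystem glob:
# one `%` is a single path component, `%%` descends recursively.
PATTERNS = [
    r"\users\%\AppData\%.exe",
    r"\users\%\AppData\Roaming\%.exe",
    r"\ProgramData\%.exe",
    r"\Program Files\%.exe",
]

# Constructed sample rows standing in for the osquery `file` table
# (epoch seconds, as osquery returns them). Not real endpoint data.
SAMPLE_FILES = [
    {"path": r"C:\Users\alice\AppData\updater.exe",
     "atime": 1700000000, "mtime": 1699990000, "ctime": 1699990000},
    {"path": r"C:\Users\alice\AppData\Roaming\sync.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\Users\alice\AppData\Local\Temp\nested\tool.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\ProgramData\agent.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\Program Files\Vendor\app.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\Program Files\setup.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\Windows\System32\notepad.exe",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
    {"path": r"C:\Users\alice\AppData\readme.txt",
     "atime": 1700000000, "mtime": 1700000000, "ctime": 1700000000},
]


def like_to_regex(pattern):
    """Translate an osquery file-path LIKE pattern into an anchored regex.

    `%%` becomes `.*` (may cross separators); a single `%` matches one
    path component (no backslash); everything else is literal. NTFS paths
    are case-insensitive, so the regex is too.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "%":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


REGEXES = [like_to_regex(p) for p in PATTERNS]


def matches_query(path):
    """True if `path` would satisfy the query's WHERE clause.

    Assumption (not stated on the page): the patterns carry no drive
    letter, so a leading `C:`-style prefix is ignored before matching.
    """
    rooted = re.sub(r"^[A-Za-z]:", "", path)
    return any(rx.match(rooted) for rx in REGEXES)


def fmt_ts(epoch):
    """Mimic SQLite's datetime(ts, 'unixepoch') text. The query also adds
    'localtime'; UTC is used here so the output is reproducible."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_query(rows):
    """Apply the Live Query's filter and column projection to `rows`."""
    return [
        {
            "path": r["path"],
            "Last Accessed": fmt_ts(r["atime"]),
            "Last Modified": fmt_ts(r["mtime"]),
            "Created": fmt_ts(r["ctime"]),
        }
        for r in rows
        if matches_query(r["path"])
    ]


if __name__ == "__main__":
    for hit in run_query(SAMPLE_FILES):
        print(hit)
```

Running the script returns four hits: `updater.exe`, `sync.exe`, `agent.exe` and `setup.exe`. Note what the query as written does not return: `tool.exe` two levels below AppData and `app.exe` in a vendor folder under Program Files are excluded, because each `%` spans a single directory level. Replacing `%` with `%%` in the last path component would widen the hunt to nested folders, at the cost of a much larger result set to triage.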
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.