Malware Hunt for Path Changes

Description: BASH environmental variables.

What The Data Shows: Malware can change variables such as $PATH to get its binaries run instead of legitimate copies.

SQL: 

SELECT p.name,pe.key,pe.value 
FROM processes AS p
JOIN process_envs AS pe
  ON p.pid = pe.pid
WHERE p.name = "bash";

 

 

0 Votes
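Added example (not part of the original post or the product's own code): a Python triage pass over rows exported from the query above, flagging PATH entries that would let another binary shadow a system one. The sample rows, the directory baselines and the function names are constructed assumptions.

```python
import json
import posixpath

# Constructed sample rows, shaped like `osqueryi --json` output for the query above.
SAMPLE_ROWS = json.loads("""[
  {"name": "bash", "key": "PATH", "value": "/usr/local/bin:/usr/bin:/bin"},
  {"name": "bash", "key": "PATH", "value": "/tmp/.cache:/usr/bin:/bin"},
  {"name": "bash", "key": "PATH", "value": "/usr/bin::/bin:."},
  {"name": "bash", "key": "PATH", "value": "/opt/tools/bin:/usr/bin"},
  {"name": "bash", "key": "HOME", "value": "/root"}
]""")

# Assumed baselines; adjust both to the fleet being hunted.
SYSTEM_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def path_findings(value):
    """Return (index, entry, reason) for each PATH entry worth reviewing."""
    entries = value.split(":")
    norms = [posixpath.normpath(e) if e else "" for e in entries]
    # Index of the first system directory; entries before it win command lookups.
    first_system = next((i for i, n in enumerate(norms) if n in SYSTEM_DIRS), len(norms))
    findings = []
    for i, (entry, norm) in enumerate(zip(entries, norms)):
        if norm in ("", "."):
            reason = "current directory is searched"  # an empty entry means "." in bash
        elif not norm.startswith("/"):
            reason = "relative directory"
        elif any(norm == d or norm.startswith(d + "/") for d in WORLD_WRITABLE):
            reason = "world-writable location"
        elif norm not in SYSTEM_DIRS and i < first_system:
            reason = "non-system directory ahead of system directories"
        else:
            continue
        findings.append((i, entry, reason))
    return findings

def hunt(rows):
    """Keep only PATH rows and return (process, index, entry, reason) hits."""
    hits = []
    for row in rows:
        if row.get("key") == "PATH":
            hits.extend((row["name"],) + f for f in path_findings(row["value"]))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit)
```

The last rule also matches benign setups such as a user's own bin directory placed first, so treat those hits as review items rather than confirmed tampering.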
3 Comments
Community Manager
Status changed to: Approved
 
thinson
Carbon Black Employee

I had to remove a pair of " from the WHERE statement to get this working.

WHERE p.name = "bash";

 

Community Manager

@thinson thanks for the heads up, query has been updated.