logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Malware Hunt for Path Changes

Status: Approved Submitted by Community Manager on ‎05-14-2019 01:55 PM

Description: BASH environmental variables.

What The Data Shows: Malware can change variable such as $PATH to get their binaries to be run instead of legitimate copies.

SQL: 

SELECT p.name,pe.key,pe.value 

FROM processes AS p 

JOIN process_envs AS pe 
  ON p.pid = pe.pid 

WHERE p.name = "bash";

 

 

0 Votes
Comment
3 Comments
Query_Admin
Community Manager
Community Manager
‎05-14-2019 01:55 PM
‎05-14-2019 01:55 PM
Status changed to: Approved
 
thinson
Carbon Black Employee
‎07-16-2019 06:27 AM
‎07-16-2019 06:27 AM

I had to remove a pair of " from the WHERE statement to get this working.

WHERE p.name = "bash";

 

esullivan
Carbon Black Employee
‎07-17-2019 05:26 AM
‎07-17-2019 05:26 AM

@thinson thanks for the heads up, query has been updated.

logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.