Search for a Specific Hash

Description: It searches for a specific hash.

What The Data Shows: Looks for specific hash in the Users directories for files that are less than 50MB (osquery files size limitation.)


SELECT path,sha256 
FROM hash
WHERE path in
  (SELECT path
  FROM file
  WHERE size < 50000000
   AND path LIKE ""/Users/%/Documents/%%"")
   AND sha256 = ""16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75"";
