
Search for a Specific Hash

Description: It searches for a specific hash.

What The Data Shows: Looks for a specific hash in the Users directories, for files that are less than 50MB (osquery file size limitation).

SQL: 

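SELECT path, sha256
FROM hash
WHERE path IN
  (SELECT path
   FROM file
   -- stay under the 50MB osquery file size limitation
   WHERE size < 50000000
     -- in the file table, % matches one path level and %% recurses into subdirectories
     AND path LIKE '/Users/%/Documents/%%')
  AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';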
1 Comment
Query_Admin
Community Manager
Status changed to: Approved