Query EXEs in Suspicious Location & Compare Scoring

This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations

SELECT sfp.sha256,
sfp.mlScore,
sfp.puaScore,
sfp.globalRep,
sfp.localRep,
f.path,
f.filename,
datetime(f.atime,'unixepoch','localtime') AS Last_Accessed,
datetime(f.mtime,'unixepoch','localtime') AS Last_Modified,
datetime(f.ctime,'unixepoch','localtime') AS Last_Status,
datetime(f.btime,'unixepoch','localtime') AS Created_Time
FROM file f
LEFT JOIN sophos_file_properties sfp
ON f.path = sfp.path
WHERE f.path LIKE 'C:\users\%\AppData\%.exe'
OR f.path LIKE 'C:\users\%\AppData\Roaming\%.exe'
OR f.path LIKE 'C:\ProgramData\%.exe' or f.path LIKE 'C:\Program Files\%.exe'

JeramyKopacko

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Query EXEs in Suspicious Location & Compare Scoring

Submitted a Tech Support Case lately from the Support Portal?

Submitted a Tech Support Case lately from the Support Portal?