File Enumeration

List directory contents

Description: A non-recursive (single level) directory listing.

Author: @eric_capuano

Query:

Windows

SELECT *
FROM file
WHERE path LIKE 'C:\Users\%';

MacOS

SELECT *
FROM file
WHERE path LIKE '/Users/%';

Linux

SELECT *
FROM file
WHERE path LIKE '/home/%';

Recursive directory listing

Windows

SELECT *
FROM file
WHERE path LIKE 'C:\Users\username\%%';

MacOS

SELECT *
FROM file
WHERE path LIKE '/Users/username/%%';

Linux

SELECT *
FROM file
WHERE path LIKE '/home/username/%%';

List downloads for all users

Windows

SELECT *
FROM file
WHERE path LIKE 'C:\Users\%\Downloads\%%';

MacOS

SELECT *
FROM file
WHERE path LIKE '/Users/%/Downloads/%%';

Linux

SELECT *
FROM file
WHERE path LIKE '/home/%/Downloads/%%';

List executables in temp directories

Windows

SELECT btime,ctime,mtime,directory,filename,path,size
FROM file
WHERE (path LIKE 'C:\Users\%\AppData\Local\Temp\%' OR path LIKE 'C:\Windows\temp\%') 
AND (filename LIKE '%.exe' OR filename LIKE '%.dll');

MacOS

Contribute a query!

Linux

Contribute a query!

Obtain hashes of a file

• NOTE: This type of query should only be performed against specific files, not entire directories and certainly not recursively against many directories as calculating hashes is resource intensive.

Windows

SELECT *
FROM hash
WHERE path LIKE 'C:\path\to\legit.docx';

MacOS

SELECT *
FROM hash
WHERE path LIKE '/Users/%/Downloads/legit.docx';

Linux

SELECT *
FROM hash
WHERE path LIKE '/home/%/Downloads/legit.docx';