Skip to content

File Enumeration

List directory contents

Description: A non-recursive (single level) directory listing.

Author: @eric_capuano

Query:

SELECT *
FROM file
WHERE path LIKE 'C:\Users\%';
SELECT *
FROM file
WHERE path LIKE '/Users/%';
SELECT *
FROM file
WHERE path LIKE '/home/%';

Recursive directory listing

SELECT *
FROM file
WHERE path LIKE 'C:\Users\username\%%';
SELECT *
FROM file
WHERE path LIKE '/Users/username/%%';
SELECT *
FROM file
WHERE path LIKE '/home/username/%%';

List downloads for all users

SELECT *
FROM file
WHERE path LIKE 'C:\Users\%\Downloads\%%';
SELECT *
FROM file
WHERE path LIKE '/Users/%/Downloads/%%';
SELECT *
FROM file
WHERE path LIKE '/home/%/Downloads/%%';

List executables in temp directories

SELECT btime,ctime,mtime,directory,filename,path,size
FROM file
WHERE (path LIKE 'C:\Users\%\AppData\Local\Temp\%' OR path LIKE 'C:\Windows\temp\%') 
AND (filename LIKE '%.exe' OR filename LIKE '%.dll');
Contribute a query!
Contribute a query!

Obtain hashes of a file

  • NOTE: This type of query should only be performed against specific files, not entire directories and certainly not recursively against many directories as calculating hashes is resource intensive.
SELECT *
FROM hash
WHERE path LIKE 'C:\path\to\legit.docx';
SELECT *
FROM hash
WHERE path LIKE '/Users/%/Downloads/legit.docx';
SELECT *
FROM hash
WHERE path LIKE '/home/%/Downloads/legit.docx';