SMB / Named Pipes
Description: Named pipes are an inter-process communication mechanism on Windows and are very often leveraged by malware and C2 beacons.
SELECT proc.parent AS process_parent, proc.path AS process_path, proc.pid AS process_id, proc.cwd AS process_directory, pipe.pid AS pipe_pid, pipe.name AS pipe_name FROM processes proc JOIN pipes pipe ON proc.pid=pipe.pid;
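A narrower triage variant of the query above, added here as an example and not part of the original page. It keeps only pipes owned by processes whose image is outside the standard Windows install directories, and adds the parent's path and the Authenticode status of the owning binary. The directory list and the column aliases are assumptions to tune per environment.

```sql
-- Added example: pipe inventory restricted to processes running from
-- non-standard locations, with parent and code-signing context for triage.
SELECT
  proc.pid          AS process_id,
  proc.name         AS process_name,
  proc.path         AS process_path,
  proc.cmdline      AS process_cmdline,
  parent.path       AS parent_path,
  sig.result        AS signature_result,   -- NULL when the path could not be read
  sig.subject_name  AS signature_subject,
  pipe.name         AS pipe_name,
  pipe.instances    AS pipe_instances
FROM pipes pipe
JOIN processes proc
  ON proc.pid = pipe.pid
-- Resolve the parent PID to a path; LEFT JOIN keeps rows whose parent has exited.
LEFT JOIN processes parent
  ON parent.pid = proc.parent
-- Authenticode lookup is keyed on the binary path of the pipe owner.
LEFT JOIN authenticode sig
  ON sig.path = proc.path
-- Assumed allowlist of install directories (LIKE is case-insensitive for ASCII).
-- Processes whose path osquery cannot read (empty string) are kept for review.
WHERE proc.path NOT LIKE 'C:\Windows\%'
  AND proc.path NOT LIKE 'C:\Program Files\%'
  AND proc.path NOT LIKE 'C:\Program Files (x86)\%'
ORDER BY proc.path, pipe.name;
```

Pipes opened by legitimately installed per-user software (browsers, chat clients under `C:\Users\...\AppData`) will still appear, so compare the output across hosts to build a baseline before treating a row as suspicious.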
Logged in users
Description: Get all logged-on users, filtered here to a single account name. Helpful if you already suspect a compromised account and want to quickly identify where that account is in use.
SELECT * FROM logged_in_users WHERE user = 'compromised.username';