malware_arcane_filepath_detected query fails

Question

malware_arcane_filepath_detected query fails

johnosn opened this issue 3 years ago · comments

malware_arcane_filepath_detected query fails with the message "constraint failed"

The 'path' and/or 'directory' column is requited to query the 'file' table. https://github.com/osquery/osquery/blob/master/specs/utility/file.table

Per the reference to https://any.run/report/af8dddbf552e3b9630ce7b3db09d0fed01002f5877e5cbe9a3124b6fb30ad8a4/10c0f102-6b3c-4cb8-9e73-ae6cfe87b6a1

The following query should be able to determine if the the 'U3LZDGVTLKNOYXJBXQd' directory exists.

SELECT 
	f.path,
	f.filename,
	h.sha256,
	f.uid,
	f.gid,
	f.mode,
	f.size,
	DATETIME(f.atime, "unixepoch","UTC") AS last_access_time,
	DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified, 
	DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time,
	DATETIME(f.btime, "unixepoch", "UTC") AS creation_time,
	f.type 
FROM file f
	LEFT JOIN hash h ON f.path=h.path 
WHERE 
	f.directory LIKE "C:\Users\%\AppData\Local\"
	AND f.filename = "U3LZDGVTLKNOYXJBXQ";

Or this query

WITH ud AS (
	SELECT directory || '\AppData\Local' AS directory
	FROM users
	WHERE directory LIKE "%\Users\%"
)
SELECT
	f.path,
	f.directory,
	f.filename,
	h.sha256,
	f.uid,
	f.gid,
	f.mode,
	f.size,
	DATETIME(f.atime, "unixepoch", "UTC") AS last_access_time,
	DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified,
	DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time,
	DATETIME(f.btime, "unixepoch", "UTC") AS creation_time,
	f.type
FROM ud
	JOIN file f ON ud.directory = f.directory
	LEFT JOIN hash h ON f.path = h.path 
WHERE f.filename = "U3LZDGVTLKNOYXJBXQ";

Matthew Molyett · Answer 1 · Tue Apr 13 2021 01:46:58 GMT+0800 (China Standard Time)

Fixed in d2cbad0.

Thank you for your issue.