malware_arcane_filepath_detected query fails
johnosn opened this issue · comments
malware_arcane_filepath_detected query fails with the message "constraint failed"
The 'path' and/or 'directory' column is required to query the 'file' table. https://github.com/osquery/osquery/blob/master/specs/utility/file.table
Per the reference to https://any.run/report/af8dddbf552e3b9630ce7b3db09d0fed01002f5877e5cbe9a3124b6fb30ad8a4/10c0f102-6b3c-4cb8-9e73-ae6cfe87b6a1
The following query should be able to determine if the 'U3LZDGVTLKNOYXJBXQd' directory exists.
SELECT
f.path,
f.filename,
h.sha256,
f.uid,
f.gid,
f.mode,
f.size,
DATETIME(f.atime, "unixepoch","UTC") AS last_access_time,
DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified,
DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time,
DATETIME(f.btime, "unixepoch", "UTC") AS creation_time,
f.type
FROM file f
LEFT JOIN hash h ON f.path=h.path
WHERE
f.directory LIKE "C:\Users\%\AppData\Local\"
AND f.filename = "U3LZDGVTLKNOYXJBXQ";
Or this query:
WITH ud AS (
SELECT directory || '\AppData\Local' AS directory
FROM users
WHERE directory LIKE "%\Users\%"
)
SELECT
f.path,
f.directory,
f.filename,
h.sha256,
f.uid,
f.gid,
f.mode,
f.size,
DATETIME(f.atime, "unixepoch", "UTC") AS last_access_time,
DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified,
DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time,
DATETIME(f.btime, "unixepoch", "UTC") AS creation_time,
f.type
FROM ud
JOIN file f ON ud.directory = f.directory
LEFT JOIN hash h ON f.path = h.path
WHERE f.filename = "U3LZDGVTLKNOYXJBXQ";
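A short illustration of the constraint this issue is about, added here as an example; it is not the pack's own query and not the reporter's code. The table and column names are osquery's, the filename is the one quoted above, and the first statement is a constructed stand-in for the failing pattern, not the original malware_arcane_filepath_detected query. The last statement goes slightly beyond the report's second query by dropping the "%\Users\%" filter so that profiles outside C:\Users are covered too.

```sql
-- Added example: why the query fails and two ways to satisfy the constraint.
-- The file table cannot enumerate the whole filesystem, so osquery requires
-- a predicate on path or directory (= or LIKE); without one the query is
-- rejected with "constraint failed".

-- 1. Constructed failing pattern: filename alone is not an accepted constraint.
SELECT path, filename FROM file WHERE filename = 'U3LZDGVTLKNOYXJBXQ';

-- 2. Constrain directory with a LIKE wildcard. In the file table a single '%'
--    matches one path component (here the per-user profile directory).
SELECT path, filename, size
FROM file
WHERE directory LIKE 'C:\Users\%\AppData\Local'
  AND filename = 'U3LZDGVTLKNOYXJBXQ';

-- 3. Derive the directories from the users table instead of a wildcard, so the
--    check also covers relocated profiles (generalises the second query above).
SELECT f.path, f.filename, f.size, u.username
FROM users u
JOIN file f ON f.directory = u.directory || '\AppData\Local'
WHERE f.filename = 'U3LZDGVTLKNOYXJBXQ';
```

Query 3 still satisfies the constraint because the join equates f.directory with a concrete value for every users row before the file table is read.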
Fixed in d2cbad0.
Thank you for your issue.