
windows_startup_programs_md5


SCHEMA (note: despite the table name, no md5 column is exposed — match file hashes on sha1 / sha256; mod_path, name and path come from the startup/registry entry itself and are attacker-controlled for any persistence item)

core_file_info string Core file info as a JSON object (e.g. isSavWinPE, isWinPE, version)
file_size long File size now
global_rep int The machine learning global reputation now
global_rep_data string All global reputation data
local_rep int The machine learning local reputation now
local_rep_data string All local reputation data (JSON, including signer information)
ml_score int The machine learning malware score now
ml_score_data string All ML score data
mod_path string Path to the startup item
name string Name of the registry value entry
path string Full path to the value
pua_score int The machine learning PUA score now
sha1 string SHA1 of the file now
sha256 string SHA256 of the file now
status string Status of the startup item (e.g. enabled); the earlier description "The reason the logon failed" was copied from an unrelated table
type string Type of the registry value
username string Username

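-- windows_startup_programs_md5 INFO
-- Returns every windows_startup_programs_md5 row stored in the xdr_data lake.
-- NOTE: the table exposes no md5 column despite its name; match file hashes
-- on sha1 / sha256. mod_path, name and path are read from the persistence
-- entry itself, so treat them as untrusted input when building detections.
SELECT
   -- Device ID DETAILS
   meta_hostname, meta_ip_address,

   -- Query Details
   query_name, core_file_info, file_size, global_rep, global_rep_data,
   local_rep, local_rep_data, ml_score, ml_score_data, mod_path,
   name, path, pua_score, sha1, sha256,
   status, type, username,

   -- Decoration
   meta_boot_time, meta_eid, meta_endpoint_type,
   meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type,
   meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,

   -- Generic
   -- The comma after numerics is required: without it "numerics osquery_action"
   -- is parsed as an alias, silently dropping the real osquery_action column.
   calendar_time, counter, epoch, host_identifier, numerics,
   osquery_action, unix_time,

   -- Data Lake
   customer_id, endpoint_id, upload_size

FROM xdr_data
WHERE query_name = 'windows_startup_programs_md5'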

RESULTS


+-----------------+-------------------+------------------------------+-------------------------------------------------+-------------+--------------+--------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------+---------------------+-------------------------------------------------------------------------------+-------------+------------------------------------------+------------------------------------------------------------------+----------+--------------+------------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+--
-----------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------+
| meta_hostname   | meta_ip_address   | query_name                   | core_file_info                                  |   file_size |   global_rep | global_rep_data                                                                                                    |   local_rep | local_rep_data                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |   ml_score | ml_score_data                                                                                                                                                    | mod_path                                                                      | name                | path                                                                          |   pua_score | sha1                                     | sha256                                                           | status   | type         | username   |   meta_boot_time | meta_eid                             | meta_endpoint_type   | meta_ip_mask   | meta_mac_address   | meta_os_name                 | meta_os_platform   | meta_os_type   | 
meta_os_version   | meta_public_ip   | meta_query_pack_version   | meta_username   | calendar_time        |   counter |      epoch | host_identifier   | osquery_action   | unix_time            | customer_id                          | endpoint_id                          |   upload_size |
|-----------------+-------------------+------------------------------+-------------------------------------------------+-------------+--------------+--------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------+---------------------+-------------------------------------------------------------------------------+-------------+------------------------------------------+------------------------------------------------------------------+----------+--------------+------------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+--
-----------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------|
| Victim1-EDR     | 192.168.100.164   | windows_startup_programs_md5 | {"isSavWinPE":false,"isWinPE":true,"version":2} |     1465952 |            0 |                                                                                                                    |          91 | {"configVersion":"72369f0be2933ffa66a5c1675ca640aa178bc0eecf1f1d1671bb109f3b1edba9","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |          6 | {"configVersion":"34e70ee9f4748024619d2ea8b607e99f04ced7b4e3b74ed9efbad297f733072d","expireTime":0,"peMalwareScore":6,"pePuaScore":15,"vdlFlags":0,"version":2}  | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               | Sophos UI.exe       | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               |          15 | 75fd78dbc69963d5dcefc44379a6ebd6f3828806 | 3c6104ea716abbd2d2cff49bf09349d675bd6fecc07038ea2e4ea6e0c0a66701 | enabled  | Startup Item | SYSTEM     |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-14T15:00:27Z |         0 | 1602319950 | Victim1-EDR       | False            | 2020-10-14T15:00:27Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |          1838 |
| Victim1-EDR     | 192.168.100.164   | windows_startup_programs_md5 | {"isSavWinPE":true,"isWinPE":true,"version":2}  |       86488 |            0 |                                                                                                                    |          81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{"CompanyName":"VMware, Inc.","FileDescription":"VMware Tools Core Service","FileVersion":"11.0.5.17716","InternalName":"vmtoolsd","LegalCopyright":"Copyright \u00a9 1998-2020 VMware, Inc.","OriginalFilename":"vmtoolsd.exe","ProductName":"VMware Tools","ProductVersion":"11.0.5 build-15389592"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"f9c221fe9367bed93ae0b5c0f737dea64b619a6003eb9349205a3b4a2c63983f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"91aeb991c77ce6d1ea02e1876518e400463485cea8c835a02c981702b8d2c24d"}]},"sampleRate":100,"sfsVersion":17236689,"version":1}                                                                                          |          4 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":4,"pePuaScore":12,"vdlFlags":0,"version":2}  | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             | VMware User Process | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             |          12 | 305a9c7ed3ea60625c1dd11e38e707f5779b7df8 | 623f8aac9f1e110cecbd3ab18a63d372da842e875ad55e2d3f3279791e1a1c63 | enabled  | Startup Item | SYSTEM     |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-14T15:00:27Z |         0 | 1602319950 | Victim1-EDR       | False            | 2020-10-14T15:00:27Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |          2374 |
| Victim1-EDR     | 192.168.100.164   | windows_startup_programs_md5 | {"isSavWinPE":false,"isWinPE":true,"version":2} |     1465952 |            0 |                                                                                                                    |          91 | {"configVersion":"72369f0be2933ffa66a5c1675ca640aa178bc0eecf1f1d1671bb109f3b1edba9","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |          6 | {"configVersion":"34e70ee9f4748024619d2ea8b607e99f04ced7b4e3b74ed9efbad297f733072d","expireTime":0,"peMalwareScore":6,"pePuaScore":15,"vdlFlags":0,"version":2}  | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               | Sophos UI.exe       | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               |          15 | 75fd78dbc69963d5dcefc44379a6ebd6f3828806 | 3c6104ea716abbd2d2cff49bf09349d675bd6fecc07038ea2e4ea6e0c0a66701 | enabled  | Startup Item | SYSTEM     |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T14:28:45Z |         0 | 1601805150 | Victim1-EDR       | False            | 2020-10-07T14:28:45Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |          1838 |
| Victim1-EDR     | 192.168.100.164   | windows_startup_programs_md5 | {"isSavWinPE":true,"isWinPE":true,"version":2}  |       86488 |            0 |                                                                                                                    |          81 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{"CompanyName":"VMware, Inc.","FileDescription":"VMware Tools Core Service","FileVersion":"11.0.5.17716","InternalName":"vmtoolsd","LegalCopyright":"Copyright \u00a9 1998-2020 VMware, Inc.","OriginalFilename":"vmtoolsd.exe","ProductName":"VMware Tools","ProductVersion":"11.0.5 build-15389592"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"f9c221fe9367bed93ae0b5c0f737dea64b619a6003eb9349205a3b4a2c63983f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"91aeb991c77ce6d1ea02e1876518e400463485cea8c835a02c981702b8d2c24d"}]},"sampleRate":100,"sfsVersion":17236689,"version":1}                                                                                          |          4 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":4,"pePuaScore":12,"vdlFlags":0,"version":2}  | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             | VMware User Process | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             |          12 | 305a9c7ed3ea60625c1dd11e38e707f5779b7df8 | 623f8aac9f1e110cecbd3ab18a63d372da842e875ad55e2d3f3279791e1a1c63 | enabled  | Startup Item | SYSTEM     |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T14:28:45Z |         0 | 1601805150 | Victim1-EDR       | False            | 2020-10-07T14:28:45Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |          2374 |
| Victim3-EDR     | 192.168.100.143   | windows_startup_programs_md5 | {"isSavWinPE":true,"isWinPE":true,"version":2}  |       86488 |            0 |                                                                                                                    |          81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{"CompanyName":"VMware, Inc.","FileDescription":"VMware Tools Core Service","FileVersion":"11.0.5.17716","InternalName":"vmtoolsd","LegalCopyright":"Copyright \u00a9 1998-2020 VMware, Inc.","OriginalFilename":"vmtoolsd.exe","ProductName":"VMware Tools","ProductVersion":"11.0.5 build-15389592"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"f9c221fe9367bed93ae0b5c0f737dea64b619a6003eb9349205a3b4a2c63983f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"91aeb991c77ce6d1ea02e1876518e400463485cea8c835a02c981702b8d2c24d"}]},"sampleRate":100,"sfsVersion":17236689,"version":1}                                                                                          |          4 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":4,"pePuaScore":12,"vdlFlags":0,"version":2}  | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             | VMware User Process | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             |          12 | 305a9c7ed3ea60625c1dd11e38e707f5779b7df8 | 623f8aac9f1e110cecbd3ab18a63d372da842e875ad55e2d3f3279791e1a1c63 | enabled  | Startup Item | SYSTEM     |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-14T05:23:08Z |         3 | 1602320453 | Victim3-EDR       | False            | 2020-10-14T05:23:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |          2376 |
| Victim3-EDR     | 192.168.100.143   | windows_startup_programs_md5 | {"isSavWinPE":true,"isWinPE":true,"version":2}  |       86488 |            0 |                                                                                                                    |          81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{"CompanyName":"VMware, Inc.","FileDescription":"VMware Tools Core Service","FileVersion":"11.0.5.17716","InternalName":"vmtoolsd","LegalCopyright":"Copyright \u00a9 1998-2020 VMware, Inc.","OriginalFilename":"vmtoolsd.exe","ProductName":"VMware Tools","ProductVersion":"11.0.5 build-15389592"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"f9c221fe9367bed93ae0b5c0f737dea64b619a6003eb9349205a3b4a2c63983f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"VMware, Inc.","thumbprint":"91aeb991c77ce6d1ea02e1876518e400463485cea8c835a02c981702b8d2c24d"}]},"sampleRate":100,"sfsVersion":17236689,"version":1}                                                                                          |          4 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":4,"pePuaScore":12,"vdlFlags":0,"version":2}  | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             | VMware User Process | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                             |          12 | 305a9c7ed3ea60625c1dd11e38e707f5779b7df8 | 623f8aac9f1e110cecbd3ab18a63d372da842e875ad55e2d3f3279791e1a1c63 | enabled  | Startup Item | SYSTEM     |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-14T05:23:08Z |         3 | 1602320453 | Victim3-EDR       | False            | 2020-10-14T05:23:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |          2374 |
| Victim3-EDR     | 192.168.100.143   | windows_startup_programs_md5 | {"isSavWinPE":false,"isWinPE":true,"version":2} |     1465952 |            0 |                                                                                                                    |          91 | {"configVersion":"72369f0be2933ffa66a5c1675ca640aa178bc0eecf1f1d1671bb109f3b1edba9","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |          6 | {"configVersion":"34e70ee9f4748024619d2ea8b607e99f04ced7b4e3b74ed9efbad297f733072d","expireTime":0,"peMalwareScore":6,"pePuaScore":15,"vdlFlags":0,"version":2}  | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               | Sophos UI.exe       | C:\Program Files\Sophos\Sophos UI\Sophos UI.exe                               |          15 | 75fd78dbc69963d5dcefc44379a6ebd6f3828806 | 3c6104ea716abbd2d2cff49bf09349d675bd6fecc07038ea2e4ea6e0c0a66701 | enabled  | Startup Item | SYSTEM     |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 
6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-10T13:00:40Z |         0 | 1602320453 | Victim3-EDR       | False            | 2020-10-10T13:00:40Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |          1838 |