Query for Applications that Auto Start

SELECT
name as 'Key Name',
source as 'Start Up source',
path as 'Path',
args as 'Arguments',
username as 'Owner',
status as 'Status'
FROM startup_items
ORDER by status

This may be used to identify persistence or unidentified startup items.
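An added example of what to do with the rows that query returns; this is not code from the original post. It assumes the output of the startup_items query was captured as JSON (the shape `osqueryi --json` prints), compares each row against a constructed known-good baseline of (name, path) pairs, and flags unknown entries, with extra reasons when the binary or its arguments live in a user-writable directory or the entry is launched through a script or proxy host. The sample rows and the baseline are constructed for the example.

```python
import json

# Constructed sample rows in the shape `osqueryi --json` prints for the
# startup_items query above (not real output from any host).
SAMPLE_STARTUP_ITEMS = [
    {"name": "OneDrive",
     "source": "HKEY_USERS\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "args": "/background", "username": "alice", "status": "enabled"},
    {"name": "SecurityHealth",
     "source": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "path": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
     "args": "", "username": "SYSTEM", "status": "enabled"},
    {"name": "Updater",
     "source": "HKEY_USERS\\S-1-5-21-1-2-3-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Updater\\updater.exe",
     "args": "", "username": "bob", "status": "enabled"},
    {"name": "Backup",
     "source": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "path": "C:\\Program Files\\Backup\\backup.exe",
     "args": "--quiet", "username": "SYSTEM", "status": "disabled"},
    {"name": "Helper",
     "source": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
     "path": "C:\\Windows\\System32\\wscript.exe",
     "args": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.vbs", "username": "bob", "status": "enabled"},
]
SAMPLE_OSQUERY_JSON = json.dumps(SAMPLE_STARTUP_ITEMS, indent=1)

# Constructed baseline of (name, path) pairs already reviewed on this host, lower-cased.
KNOWN_GOOD = {
    ("onedrive", "c:\\users\\alice\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"),
    ("securityhealth", "c:\\windows\\system32\\securityhealthsystray.exe"),
}

# Directories an ordinary user can write to; a persisted binary here deserves a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Hosts that run whatever their arguments point at, so the argument is the real payload.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe")


def triage_startup_items(rows, baseline):
    """Return one finding per startup item that is not in the baseline, with the reasons."""
    findings = []
    for item in rows:
        name = item.get("name", "").lower()
        path = item.get("path", "").lower()
        args = item.get("args", "").lower()
        if (name, path) in baseline:
            continue
        reasons = ["not in baseline"]
        if any(m in path or m in args for m in USER_WRITABLE_MARKERS):
            reasons.append("runs from or loads a file in a user-writable location")
        if any(path.endswith("\\" + host) for host in SCRIPT_HOSTS):
            reasons.append("launched via a script or proxy host; inspect the arguments")
        findings.append({"name": item.get("name"), "source": item.get("source"),
                         "path": item.get("path"), "args": item.get("args"),
                         "owner": item.get("username"), "status": item.get("status"),
                         "reasons": reasons})
    return findings


def triage_from_osquery_json(text, baseline):
    """Parse the JSON array osqueryi --json prints and triage it."""
    return triage_startup_items(json.loads(text), baseline)


if __name__ == "__main__":
    print(json.dumps(triage_from_osquery_json(SAMPLE_OSQUERY_JSON, KNOWN_GOOD), indent=2))
```

The baseline is deliberately keyed on name and path together: an entry that keeps a familiar name but now points at a different binary is exactly what a baseline is meant to catch, so it falls through to the findings instead of being suppressed.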

  • Danish,

    There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like the one my colleague Ravi created in another forum:

    SELECT
    datetime(time,'unixepoch','localtime') as 'Time',
    eventid,
    task_message,
    json_extract(data,'$.EventData.FailureReason') as FailureReason,
    json_extract(data,'$.EventData.TargetUserName') as UserName
    FROM sophos_windows_events
    -- 4625 = failed logon; the cutoff must be epoch seconds ('%s') going back 24 hours ('-24 hours'), not the hour-of-day field ('%H')
    WHERE eventid='4625' AND UserName <> '' AND time > CAST(STRFTIME('%s','now','-24 hours') AS INTEGER);

    Thanks!
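An added example, not from the post above, that runs the same failed-logon query against a constructed copy of the sophos_windows_events table in an in-memory SQLite database, so the 24-hour cutoff can be checked offline. It shows what the two cutoff expressions actually evaluate to (the hour-of-day field versus an epoch timestamp 24 hours back), keeps only failed logons with a non-empty TargetUserName, and then counts failures per account, which is the usual next step when looking for repeated failures against one user. The JSON event body is parsed in Python rather than with json_extract so the example does not depend on SQLite being built with JSON1; the sample events and their timestamps are constructed.

```python
import json
import sqlite3
import time

NOW = int(time.time())

# Constructed sample events in the shape of sophos_windows_events
# (time = unix epoch, data = the event's JSON body); not real log data.
SAMPLE_EVENTS = [
    (NOW - 600,   4625, "Logon", {"EventData": {"FailureReason": "%%2313", "TargetUserName": "alice"}}),
    (NOW - 3600,  4625, "Logon", {"EventData": {"FailureReason": "%%2313", "TargetUserName": "alice"}}),
    (NOW - 7200,  4625, "Logon", {"EventData": {"FailureReason": "%%2304", "TargetUserName": ""}}),
    (NOW - 90000, 4625, "Logon", {"EventData": {"FailureReason": "%%2313", "TargetUserName": "bob"}}),  # 25 h ago
    (NOW - 300,   4624, "Logon", {"EventData": {"TargetUserName": "carol"}}),  # successful logon
]


def build_sample_db():
    """Create an in-memory table with the same columns the query uses and load the samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_windows_events "
                 "(time INTEGER, eventid INTEGER, task_message TEXT, data TEXT)")
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?,?,?,?)",
                     [(t, e, m, json.dumps(d)) for t, e, m, d in SAMPLE_EVENTS])
    conn.commit()
    return conn


def cutoff_expressions(conn):
    """Evaluate both cutoff expressions: '%H' gives an hour-of-day string such as '14',
    while '%s' with '-24 hours' gives the epoch second 24 hours ago."""
    return conn.execute(
        "SELECT STRFTIME('%H','now','24 hours'), STRFTIME('%s','now','-24 hours')").fetchone()


FAILED_LOGONS_LAST_24H = """
SELECT datetime(time,'unixepoch','localtime') AS logon_time, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid = 4625
  AND time > CAST(STRFTIME('%s','now','-24 hours') AS INTEGER)
ORDER BY time DESC
"""


def failed_logons_last_24h(conn):
    """Failed logons (4625) in the last 24 hours with a non-empty target user name."""
    rows = []
    for logon_time, eventid, task_message, data in conn.execute(FAILED_LOGONS_LAST_24H):
        event_data = json.loads(data).get("EventData", {})
        user = event_data.get("TargetUserName", "")
        if not user:  # same filter as UserName <> '' in the query above
            continue
        rows.append({"Time": logon_time, "eventid": eventid, "task_message": task_message,
                     "FailureReason": event_data.get("FailureReason"), "UserName": user})
    return rows


def failures_by_user(rows):
    """Count failed logons per account to spot accounts under repeated failure."""
    counts = {}
    for r in rows:
        counts[r["UserName"]] = counts.get(r["UserName"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_sample_db()
    print("cutoff expressions:", cutoff_expressions(db))
    recent = failed_logons_last_24h(db)
    for r in recent:
        print(r)
    print("failures by user:", failures_by_user(recent))
```

The CAST is there so the comparison is integer against integer regardless of the column's declared type; STRFTIME returns text, and relying on SQLite's affinity rules to coerce it is easy to get wrong when the query is moved to another table.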