Approved

Process HTTP Calls

In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. 

SELECT
sophos_http_journal.PID,
sophos_http_journal.PID,
datetime(sophos_http_journal.time,'unixepoch','localtime') AS LocalTimeStamp,
datetime(sophos_http_journal.processStartTime,'unixepoch','localtime') AS processStartTime,
sophos_http_journal.source,
sophos_http_journal.sourcePort,
sophos_http_journal.destination,
sophos_http_journal.destinationPort,
sophos_http_journal.url,
sophos_http_journal.headers AS Command,
processes.pid,
processes.name,
processes.path,
processes.cmdline,
processes.state,
processes.cwd,
processes.root,
processes.on_disk,
processes.elevated_token
FROM
sophos_http_journal
INNER JOIN processes
ON
sophos_http_journal.PID = processes.pid

If you wanted to sort through the data faster, adding a filter on the contents of on_disk or elevated_token can help identify admin level processes or items written as a path on disk.

WHERE processes.elevated_token = '1' OR processes.on_disk = '1'

on_disk: 1 = yes, 0 = no, -1 = unknown

elevated_token: 1 = yes, 0 = no