This artifact parses the KACE software monitoring sqlite database - ksw_process.db which provides excellent third party evidence of execution that may be useful during investigation or detection work.
The artifact can also be modified to target other KACE sqlite databases or set
timebounds using stime or etime fields.
e.g:SELECT * FROM process WHERE stime > '2023-01'SELECT * FROM process WHERE etime < '2022-12-25'SELECT * FROM process WHERE stime > '2023-01' AND etime < '2023-01-06'
name: Windows.Applications.KACE_SW_Process
author: Matt Green - @mgreen27
description: |
This artifact parses the KACE software monitoring sqlite database - ksw_process.db
which provides excellent third party evidence of execution that may
be useful during investigation or detection work.
The artifact can also be modified to target other KACE sqlite databases or set
timebounds using stime or etime fields.
e.g:
`SELECT * FROM process WHERE stime > '2023-01'`
`SELECT * FROM process WHERE etime < '2022-12-25'`
`SELECT * FROM process WHERE stime > '2023-01' AND etime < '2023-01-06'`
parameters:
- name: TargetGlob
default: C:/ProgramData/Quest/KACE/ksw_process.db
description: glob of sqlite db to target
- name: SqlQuery
description: SQL query to run
default: |
SELECT * FROM process
- name: UserRegex
description: regex of strings to match in user field
default: .
type: regex
- name: ProcessNameRegex
description: regex of strings to match in name field
default: .
type: regex
- name: ProcessExclusionRegex
description: regex of strings to exclude in name field.
default:
type: regex
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
-- find files in scope
LET files = SELECT OSPath FROM glob(globs=TargetGlob)
-- query db and output results
SELECT * FROM foreach(row=files,
query={
SELECT *
FROM sqlite(
file=TargetGlob,
query=SqlQuery)
WHERE user =~ UserRegex
AND name =~ ProcessNameRegex
AND NOT if(condition= ProcessExclusionRegex,
then= name=~ProcessExclusionRegex,
else= False)
})