Skip to content

Instantly share code, notes, and snippets.

@mgreen27
Last active February 16, 2023 05:59
Show Gist options
  • Save mgreen27/7ff1a83b429af7e65ae384ebb43f42c6 to your computer and use it in GitHub Desktop.
Save mgreen27/7ff1a83b429af7e65ae384ebb43f42c6 to your computer and use it in GitHub Desktop.
Vql ransomware impact scoping Windows.NTFS.MFT
/*
### Drive Ransom note stats
*/
SELECT
strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
FileName as RansomeNote,
--min(item=Created0x10) as EarliestCreation,
--max(item=Created0x10) as LatestCreation,
min(item=LastModified0x10) as EarliestModified,
max(item=LastModified0x10) as LatestModified,
--min(item=LastRecordChange0x10) as EarliestRecordChange,
--max(item=LastRecordChange0x10) as LatestRecordChange,
count() as Total
FROM source(artifact="Windows.NTFS.MFT")
WHERE FileName = 'RANSOMNOTEFILENAME'
GROUP BY Drive
/*
### Drive Ransom file stats
*/
SELECT
strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
split(string=FileName,sep_string='.') [-1] as Extension,
--min(item=Created0x10) as EarliestCreation,
--max(item=Created0x10) as LatestCreation,
min(item=LastModified0x10) as EarliestModified,
max(item=LastModified0x10) as LatestModified,
min(item=LastRecordChange0x10) as EarliestRecordChange,
max(item=LastRecordChange0x10) as LatestRecordChange,
count() as Total
FROM source(artifact="Windows.NTFS.MFT")
WHERE FileName =~ 'RAMSOMEXT$'
GROUP BY Drive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment