scudette/spool_enrichment.sql

## spool_enrichment.sql

SELECT "C:/" + FullPath AS FullPath,
        InUse,FileName,FileSize,
            dict(
                Created0x10 = Created0x10,
                LastModified0x10 = LastModified0x10,
                LastRecordChange0x10 = LastRecordChange0x10,
                LastAccess0x10 = LastAccess0x10
                ) as SI,
            dict(
                Created0x30 = Created0x10,
                LastModified0x30 = LastModified0x10,
                LastRecordChange0x30 = LastRecordChange0x10,
                LastAccess0x30 = LastAccess0x10
                ) as FN,
            parse_pe(file="C:/" + FullPath) as PE,
            authenticode(filename="C:/" + FullPath) as Authenticode,
            hash(path="C:/" + FullPath) as Hash
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir
   AND FullPath =~ "Windows/System32/spool/drivers"
   AND PE

	SELECT "C:/" + FullPath AS FullPath,
	InUse,FileName,FileSize,
	dict(
	Created0x10 = Created0x10,
	LastModified0x10 = LastModified0x10,
	LastRecordChange0x10 = LastRecordChange0x10,
	LastAccess0x10 = LastAccess0x10
	) as SI,
	dict(
	Created0x30 = Created0x10,
	LastModified0x30 = LastModified0x10,
	LastRecordChange0x30 = LastRecordChange0x10,
	LastAccess0x30 = LastAccess0x10
	) as FN,
	parse_pe(file="C:/" + FullPath) as PE,
	authenticode(filename="C:/" + FullPath) as Authenticode,
	hash(path="C:/" + FullPath) as Hash
	FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
	WHERE NOT IsDir
	AND FullPath =~ "Windows/System32/spool/drivers"
	AND PE