ecapuano · June 1, 2022 00:23
diff --git a/gistfile1.txt b/gistfile1.txt
 // Run against hunt results from Windows.System.Pslist
 // Note: Returns ONLY unsigned processes, which minimizes less critical API calls
 // Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert

 LET VTKey <= "$apikey"
 LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
 WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
 LIMIT 50

 SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)
	// Run against hunt results from Windows.System.Pslist
	// Note: Returns ONLY unsigned processes, which minimizes less critical API calls
	// Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert

	LET VTKey <= "$apikey"
	LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
	WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
	LIMIT 50

	SELECT , {SELECT FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)