empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d6456029b9
fleet/schema/tables/userassist.yml
Josh Brower 4c73ccb338
Add additional Windows tables to schema (#8817) 
* Add dns_cache

* Add ntdomains

* Add userassist

* add shimcache

* Spacing
2022-11-28 10:00:23 -05:00

11 lines
920 B
YAML
Raw Blame History

name: userassist
examples: >-
The User Assist featureset allows Windows to keep track of most recently used applications. Because of that, it is a useful datasource to pull from during investigations and incident response. The following example queries the userassist table and converts the last_execution_time into a human readable format (using UTC) and then sorts the results by this column, descending. It also joins the users table to change the user SID into a human readable username. The output from this query displays most recently used applications, sorted by most recent timestamp as well as the username of who ran it.
```
SELECT userassist.path, datetime(userassist.last_execution_time, 'unixepoch') AS timestamp_of_last_exec, userassist.count as execution_count, users.username FROM userassist join users ON users.uuid = userassist.sid ORDER BY timestamp_of_last_exec DESC;
```
Reference in New Issue View Git Blame Copy Permalink