mgreen27 · February 16, 2023 05:59 · Feb 16, 2023 · Feb 16, 2023
diff --git a/impact.vql b/impact.vql
@@ -12,6 +12,7 @@ SELECT
     --max(item=LastRecordChange0x10) as LatestRecordChange,
     count() as Total
 FROM source(artifact="Windows.NTFS.MFT")
+WHERE FileName = 'RANSOMNOTEFILENAME'
 GROUP BY Drive
 
 /*
@@ -28,4 +29,5 @@ SELECT
     max(item=LastRecordChange0x10) as LatestRecordChange,
     count() as Total
 FROM source(artifact="Windows.NTFS.MFT")
+WHERE FileName =~ 'RAMSOMEXT$'
 GROUP BY Drive
diff --git a/impact.vql b/impact.vql
@@ -0,0 +1,31 @@
+/*
+### Drive Ransom note stats
+*/
+SELECT
+    strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
+    FileName as RansomeNote,
+    --min(item=Created0x10) as EarliestCreation,
+    --max(item=Created0x10) as LatestCreation,
+    min(item=LastModified0x10) as EarliestModified,
+    max(item=LastModified0x10) as LatestModified,
+    --min(item=LastRecordChange0x10) as EarliestRecordChange,
+    --max(item=LastRecordChange0x10) as LatestRecordChange,
+    count() as Total
+FROM source(artifact="Windows.NTFS.MFT")
+GROUP BY Drive
+
+/*
+### Drive Ransom file stats
+*/
+SELECT
+    strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
+    split(string=FileName,sep_string='.') [-1] as Extension,
+    --min(item=Created0x10) as EarliestCreation,
+    --max(item=Created0x10) as LatestCreation,
+    min(item=LastModified0x10) as EarliestModified,
+    max(item=LastModified0x10) as LatestModified,
+    min(item=LastRecordChange0x10) as EarliestRecordChange,
+    max(item=LastRecordChange0x10) as LatestRecordChange,
+    count() as Total
+FROM source(artifact="Windows.NTFS.MFT")
+GROUP BY Drive
No results found