SQLite Database
Andi Morris edited this page Mar 8, 2022 · 1 revision
By default GoodHound inserts all of the attack paths that it finds into a local SQLite database located in a db directory inside the current working directory.
This database can then be queried separately using the SQLite tools.
To query the database you'll need the SQLite binaries, available from https://www.sqlite.org/download.html
Open the database:

```
sqlite3.exe db\goodhound.db
```

```sql
-- Paths that were last seen more than 90 days ago
select * from paths where date(last_seen, 'unixepoch') < date('now', '-90 days');
```

Count the paths that contain a given section of a path. This is useful for looking at the nodes brought up in the Weakest Link report.

```sql
select count(*) from paths where fullpath like '%ReadLAPSPassword -> SERVER%.DOMAIN.LOCAL%';

-- The stored query for one group's path, selected by the time it was last seen
select query from paths where groupname = '[email protected]' and datetime(last_seen, 'unixepoch') = '2021-10-28 05:15:22';

-- Leave the sqlite3 shell
.quit
```
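The same three queries can be run from a script with bound parameters. This is an added example, not GoodHound's own code: the table layout is an assumption limited to the columns the queries above reference, the rows are constructed sample data, and the function names are hypothetical.

```python
import sqlite3

DAY = 86400
NOW = 1646697600  # 2022-03-08 00:00:00 UTC, fixed so the results are reproducible

def open_readonly(path="db/goodhound.db"):
    """Open the real database read-only so reporting cannot modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def sample_db():
    """In-memory stand-in. Assumed schema: only the columns queried above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE paths (groupname TEXT, fullpath TEXT, "
                "query TEXT, last_seen INTEGER)")
    laps = "HELPDESK@DOMAIN.LOCAL -> ReadLAPSPassword -> SERVER0{}.DOMAIN.LOCAL"
    staff = "STAFF@DOMAIN.LOCAL -> MemberOf -> ADMINS@DOMAIN.LOCAL"
    con.executemany("INSERT INTO paths VALUES (?, ?, ?, ?)", [  # constructed rows
        ("HELPDESK@DOMAIN.LOCAL", laps.format(1), "QUERY-1", NOW - 2 * DAY),
        ("HELPDESK@DOMAIN.LOCAL", laps.format(2), "QUERY-2", 1635398122),
        ("STAFF@DOMAIN.LOCAL", staff, "QUERY-3", NOW - 91 * DAY),
        ("OPS@DOMAIN.LOCAL", staff, "QUERY-4", NOW - 90 * DAY),  # boundary row
    ])
    return con

def stale_paths(con, now=NOW, days=90):
    """Paths not seen for more than `days`, compared by calendar date (UTC)."""
    sql = ("SELECT fullpath FROM paths WHERE date(last_seen, 'unixepoch') "
           "< date(?, 'unixepoch', ?) ORDER BY last_seen")
    return [row[0] for row in con.execute(sql, (now, f"-{days} days"))]

def count_matching(con, like_pattern):
    """Number of paths whose fullpath matches a LIKE pattern (% is a wildcard)."""
    sql = "SELECT count(*) FROM paths WHERE fullpath LIKE ?"
    return con.execute(sql, (like_pattern,)).fetchone()[0]

def query_for(con, groupname, seen_at):
    """Stored query text for one group at an exact 'YYYY-MM-DD HH:MM:SS' UTC time."""
    sql = ("SELECT query FROM paths WHERE groupname = ? "
           "AND datetime(last_seen, 'unixepoch') = ?")
    return [row[0] for row in con.execute(sql, (groupname, seen_at))]

if __name__ == "__main__":
    con = sample_db()  # swap for open_readonly() to report on a real database
    for path in stale_paths(con):
        print("stale:", path)
    print(count_matching(con, "%ReadLAPSPassword -> SERVER%.DOMAIN.LOCAL%"))
```

The comparison is made on calendar dates, as in the query above, so a path last seen exactly 90 days ago is not reported as stale.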