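/***************************************************************
 CacheGrab v1.0
 Developed by: Kevvie Fowler | kevvie.fowler@ringzero.ca
 ringzero.ca | applicationforensics.com
***************************************************************/
-- Purpose: scan the SQL Server plan cache (sys.dm_exec_query_stats joined to
-- the batch text via sys.dm_exec_sql_text) for batches executed within the
-- last @interval minutes, and write a Windows Application-log event
-- (xp_logevent, event id 50001, severity WARNING) for every batch that matches
-- one of the Pangolin SQL-injection-tool signatures below. Intended to run as
-- a scheduled job whose period matches @interval.
--
-- Permissions: VIEW SERVER STATE to read the DMVs, plus the right to execute
-- master.dbo.xp_logevent (sysadmin or db_owner of master -- confirm against
-- the docs for your version).
--
-- Caveats for anyone treating this as a detective control:
--   * The plan cache is volatile: entries are evicted under memory pressure,
--     by DBCC FREEPROCCACHE, by recompiles or by a restart, so a batch can be
--     gone before the scheduled run looks for it. A hit is strong evidence;
--     a miss is not evidence of absence.
--   * The signatures key on strings the tool itself emits ('pangolin', the
--     hex-encoded 'sysadmin' literal, the char(94)+char(94) marker). A
--     modified payload evades them. Add rules in the CASE below.
--   * LIKE is case-insensitive only under a CI collation; the patterns are
--     lower-case, so check the server collation if matches look missing.
--   * sys.dm_exec_sql_text.text is NULL for encrypted objects; such batches
--     can never match.

DECLARE @interval INT;
-- Look-back window in minutes, negative because it is fed to DATEADD.
-- Keep it equal to (or slightly larger than) the job schedule so no gap
-- opens between runs. Written as an integer, not a string, and with one
-- consistent casing: under a case-sensitive collation @INTERVAL and
-- @interval would be two different variables.
SET @interval = -15;

DECLARE @db_name         sysname;        -- NULL for ad hoc batches (dbid is only set for object-bound text)
DECLARE @creation_time   DATETIME;       -- when the plan was compiled
DECLARE @last_exec_time  DATETIME;       -- when the plan was last run
DECLARE @text            NVARCHAR(MAX);  -- full batch text. NVARCHAR(255) silently cut the batch
                                         -- at 255 chars, so markers beyond that were never matched.
DECLARE @execution_count BIGINT;
DECLARE @category        VARCHAR(64);    -- signature name, NULL when nothing matched
DECLARE @message         NVARCHAR(2048); -- bounded: xp_logevent's message argument has a fixed
                                         -- maximum length (2,048 per docs -- confirm for your version)

-- LOCAL FAST_FORWARD: read-only, forward-only, and released with the batch
-- even if a later statement fails before DEALLOCATE.
DECLARE CUR_cachescan CURSOR LOCAL FAST_FORWARD FOR
    SELECT
        DB_NAME(st.dbid),
        qs.creation_time,
        qs.last_execution_time,
        st.text,
        qs.execution_count
    FROM sys.dm_exec_query_stats AS qs
    CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
    -- Evaluated once, at OPEN time.
    WHERE qs.last_execution_time >= DATEADD(MINUTE, @interval, GETDATE())
    ORDER BY qs.last_execution_time DESC;

OPEN CUR_cachescan;
FETCH NEXT FROM CUR_cachescan
    INTO @db_name, @creation_time, @last_exec_time, @text, @execution_count;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Classify the batch. First WHEN wins, same precedence as the original
    -- IF / ELSE IF chain. Add further signatures as WHEN clauses.
    -- ( Wildcard help: http://msdn.microsoft.com/en-us/library/ms179859.aspx )
    -- A bare '_' is a single-character wildcard in LIKE, so the underscores in
    -- procedure names are bracketed to match a literal underscore only.
    -- 0x730079007300610064006d0069006e00 is N'sysadmin' as UTF-16LE bytes
    -- (s y s a d m i n); char(94)+char(94) is '^^'.
    SET @category = CASE
        WHEN @text LIKE '%pangolin%xp[_]regread%'
            THEN 'Pangolin registry enumeration'
        WHEN @text LIKE '%is[_]srvrolemember(0x730079007300610064006d0069006e00)%char(94)+char(94)%'
            THEN 'Pangolin user enumeration'
        WHEN @text LIKE '%pangolin%xp[_]availablemedia%'
            THEN 'Pangolin partition enumeration'
        WHEN @text LIKE '%pangolin%xp[_]dirtree%'
            THEN 'Pangolin filesystem enumeration'
        ELSE NULL
    END;

    IF @category IS NOT NULL
    BEGIN
        -- Message keeps the original '<category>: <sql>' prefix so existing
        -- log consumers still match, then appends the context a responder
        -- needs (database, how many times it ran, last run, compile time).
        -- The SQL text is clipped first so the context is never the part
        -- that gets truncated. ISNULL guards the NULL db name of ad hoc
        -- batches, which would otherwise null the whole concatenation.
        SET @message =
              @category + ': ' + LEFT(@text, 1600)
            + ' | db=' + ISNULL(@db_name, '(ad hoc)')
            + ' execs=' + CAST(@execution_count AS VARCHAR(20))
            + ' last_exec=' + CONVERT(VARCHAR(23), @last_exec_time, 121)
            + ' compiled=' + CONVERT(VARCHAR(23), @creation_time, 121);

        -- Fully qualified so the script behaves the same from any database.
        EXEC master.dbo.xp_logevent 50001, @message, WARNING;
    END;

    FETCH NEXT FROM CUR_cachescan
        INTO @db_name, @creation_time, @last_exec_time, @text, @execution_count;
END;

CLOSE CUR_cachescan;
DEALLOCATE CUR_cachescan;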