Is it possible to get the MAC ID of the PC/Laptop that was used to do some malicious operations on a SQL Server database.
I used this SQL command:
DECLARE @current VARCHAR(500);
DECLARE @start VARCHAR(500);
DECLARE @indx INT;
SELECT @current = path
FROM sys.traces
WHERE is_default = 1;
SET @current = REVERSE(@current)
SELECT @indx = PATINDEX('%\%', @current)
SET @current = REVERSE(@current)
SET @start = LEFT(@current, LEN(@current) - @indx) + '\log.trc';
-- CHNAGE FILER AS NEEDED
SELECT
CASE EventClass
WHEN 47 THEN 'Object:Deleted'
WHEN 164 THEN 'Object:Altered'
END, *
FROM::fn_trace_gettable(@start, DEFAULT)
WHERE
EventClass IN (47, 164)
AND EventSubclass = 0
AND DatabaseID <> 2
ORDER BY
StartTime DESC
This able to give a lot of information regarding the operation. One of them was the Hostname, Likewise would it be possible to get the MAC ID of the said Hostname.
I read somewhere That I can only get the MAC ID If he PC is using the same LAN. But That is not the case here. I Tried the below code too.
use master
select
hostname,
MAC = substring(net_address, 1, 2) + '-' +
substring(net_address, 3, 2) + '-' +
substring(net_address, 5, 2) + '-' +
substring(net_address, 7, 2) + '-' +
substring(net_address, 9, 2) + '- ' +
substring(net_address, 11, 2)
from
sysprocesses
where
spid in ('51','55','64','58','60','65','73','79','80','81','83')
Here the spid I got the the Previous command. But that is not unique to that particular "Hostname"/PC. So I only got the servers macid. Any help would be appreciated.
