fleet/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml

---
apiVersion: v1
kind: query
spec:
  name: Count Apple applications installed
  platforms: macOS
  description: Get the total number of Apple applications installed on the host system.
  query: SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';
  purpose: Informational
  contributors: mike-j-thomas,noahtalerman,mikermcneil
---
apiVersion: v1
kind: query
spec:
  name: Get OpenSSL versions
  platforms: Linux
  description: Retrieves the OpenSSL version.
  query: SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get whether Gatekeeper is disabled
  platforms: macOS
  description: Gatekeeper tries to ensure only trusted software is run on a mac machine.
  query: SELECT * FROM gatekeeper WHERE assessments_enabled = 0;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get authorized SSH keys
  platforms: macOS, Linux
  description: Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.
  query: SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);
  purpose: Informational
  remediation: Check out the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine if the installed version is a high severity vulnerability and view the corresponding CVE(s)
  contributors: mike-j-thomas
---
apiVersion: v1
kind: query
spec:
  name: Get authorized keys for Local Accounts
  platforms: macOS, Linux
  description: List authorized_keys for each user on the system.
  query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get authorized keys for Domain Joined Accounts
  platforms: macOS, Linux
  description: List authorized_keys for each user on the system.
  query: SELECT *  FROM users CROSS JOIN  authorized_keys USING(uid) WHERE  username IN (SELECT distinct(username) FROM last);
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get crashes
  platforms: macOS
  description: Retrieve application, system, and mobile app crash logs.
  query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Chrome Extensions
  platforms: macOS, Linux, Windows, FreeBSD
  description: List installed Chrome Extensions for all users.
  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed FreeBSD software
  platforms: FreeBSD
  description: Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.
  query: SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get Homebrew Packages
  platforms: macOS
  description: Get the installed homebrew package database.
  query: SELECT * FROM homebrew_packages;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Linux software
  platforms: Linux
  description: Get all software installed on a Linux computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.
  query: SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed macOS software
  platforms: macOS
  description: Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.
  query: SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Safari extensions
  platforms: macOS
  description: Retrieves the list of installed Safari Extensions for all users in the target system.
  query: SELECT safari_extensions.* FROM users join safari_extensions USING (uid);
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Windows software
  platforms: Windows
  description: Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.
  query: SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get laptops with failing batteries
  platforms: macOS
  description: Lists all laptops with under-performing or failing batteries.
  query: SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get macOS disk free space percentage
  platforms: macOS
  description: Displays the percentage of free space available on the primary disk partition.
  query: SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get mounts
  platforms: macOS, Linux
  description: Shows system mounted devices and filesystems (not process specific).
  query: SELECT device, device_alias, path, type, blocks_size FROM mounts;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get the version of the resident operating system
  platforms: macOS, Linux, Windows, FreeBSD
  description: Retrieves the version of the host(s) operating system(s).
  query: SELECT * FROM os_version;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get platform info
  platforms: macOS
  description: Shows information about the host platform
  query: SELECT vendor, version, date, revision from platform_info;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get startup items
  platforms: macOS, Linux, Windows, FreeBSD
  description: Shows applications and binaries set as user/login startup items.
  query: SELECT * FROM startup_items;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get system logins and logouts
  platforms: macOS
  description: Get a list of system logins and logouts.
  query: SELECT * FROM last;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get current users with active shell/console on the system
  platforms: macOS, Linux, Windows, FreeBSD
  description: Get current users with active shell/console on the system and associated process
  query: SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get system uptime
  platforms: macOS, Linux, Windows, FreeBSD
  description: Shows the system uptime.
  query: SELECT * FROM uptime;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get USB devices
  platforms: macOS, Linux
  description: Shows all USB devices that are actively plugged into the host system.
  query: SELECT * FROM usb_devices;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get wifi status
  platforms: macOS
  description: Shows information about the wifi network that a host is currently connected to.
  query: SELECT * FROM wifi_status;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get Windows machines with unencrypted hard disks
  platforms: Windows
  description: List all Windows machines with unencrypted hard disks.
  query: SELECT * FROM bitlocker_info WHERE protection_status = 0;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get disk encryption status
  platforms: macOS, Linux
  description: Disk encryption status and information.
  query: SELECT * FROM disk_encryption;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get unencrypted SSH keys for local accounts
  platforms: macOS, Linux, Windows, FreeBSD
  description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
  query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;
  purpose: Informational
  remediation: First, make the user aware about the impact of SSH keys.  Then rotate the unencrypted keys detected.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get unencrypted SSH keys for domain joined accounts
  platforms: macOS, Linux, Windows, FreeBSD
  description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
  query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);
  purpose: Informational
  remediation: First, make the user aware about the impact of SSH keys.  Then rotate the unencrypted keys detected.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get crontab jobs
  platforms: macOS, Linux
  description: Line parsed values from system and user cron/tab.
  query: SELECT * FROM crontab;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get suid binaries
  platforms: macOS, Linux
  description: suid binaries in common locations.
  query: SELECT * FROM suid_bin;
  purpose: Informational
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get dynamic linker hijacking on Linux (MITRE. T1574.006)
  platforms: Linux
  description: Detect any processes that run with LD_PRELOAD environment variable
  query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';
  purpose: Informational
  remediation: Identify the process/binary detected and confirm with the system's owner.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get dynamic linker hijacking on macOS (MITRE. T1574.006)
  platforms: macOS
  description: Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable
  query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';
  purpose: Informational
  remediation: Identify the process/binary detected and confirm with the system's owner.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get etc hosts entries
  platforms: macOS, Linux
  description: Line-parsed /etc/hosts
  query: SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get network interfaces
  platforms: macOS, Linux, Windows, FreeBSD
  description: Network interfaces MAC address
  query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get local user accounts
  platforms: macOS, Linux, Windows, FreeBSD
  description: Local user accounts (including domain accounts that have logged on locally (Windows)).
  query: SELECT uid, gid, username, description,directory, shell FROM users;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get active user accounts on servers
  platforms: Linux
  description: Domain Joined environment normally have root or other service account only and users are SSH-ing using their Domain Accounts.
  query: SELECT * FROM shadow WHERE password_status='active' and username!='root';
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get Nmap scanner
  platforms: macOS, Linux, Windows, FreeBSD
  description: Get Nmap scanner process, as well as its user, parent, and process details.
  query: SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent,
    (SELECT name FROM processes WHERE pid=p.parent) AS parent_name,
    (SELECT username FROM users WHERE uid=p.uid) AS username
    FROM processes as p WHERE cmdline like 'nmap%';
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get docker images on a system
  platforms: macOS, Linux
  description: Docker images information, can be used on normal system or a kubenode.
  query: SELECT * FROM docker_images;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get docker running containers on a system
  platforms: macOS, Linux
  description: Docker containers information, can be used on normal system or a kubenode.
  query: SELECT * FROM docker_containers;
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get docker running process on a system
  platforms: macOS, Linux
  description: Docker containers Processes, can be used on normal system or a kubenode.
  query: SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline  FROM docker_containers c CROSS JOIN docker_container_processes p using(id);
  purpose: Informational
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get Windows print spooler remote code execution vulnerability
  platforms: Windows
  description: Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.
  query: SELECT CASE cnt WHEN 2 THEN "TRUE" ELSE "FALSE" END "Vulnerable" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;
  purpose: Informational
  contributors: maravedi
---
apiVersion: v1
kind: query
spec:
  name: Get local users and their privileges
  platforms: macOS, Linux, Windows
  description: Collects the local user accounts and their respective user group.
  query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
  purpose: Informational
  contributors: noahtalerman
---
apiVersion: v1
kind: query
spec:
  name: Get processes that no longer exist on disk
  platforms: Linux, macOS, Windows
  description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
  query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
  purpose: Incident response
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get user files matching a specific hash
  platforms: macOS, Linux
  description: Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
  query: SELECT path, sha256 FROM hash WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%%') AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';
  purpose: Informational
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get local administrator accounts on macOS
  platforms: macOS
  description: The query allows you to check macOS systems for local administrator accounts.
  query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
  purpose: Informational
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get all listening ports, by process
  platforms: Linux, macOS, Windows
  description: List ports that are listening on all interfaces, along with the process to which they are attached.
  query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0";
  purpose: Informational
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get whether TeamViewer is installed/running
  platforms: Windows
  description: Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
  query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
  purpose: Informational
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get malicious Python backdoors
  platforms: macOS, Linux, Windows
  description: Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
  query: SELECT CASE cnt WHEN 0 THEN "NONE_INSTALLED" ELSE "INSTALLED" END AS "Malicious Python Packages", package_name, package_version FROM (SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path FROM python_packages WHERE package_name IN ('acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'));
  purpose: Informational
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Check for artifacts of the Floxif trojan
  platforms: Windows
  description: Checks for artifacts from the Floxif trojan on Windows machines.
  query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';
  purpose: Informational
  contributors: micheal-o
---
apiVersion: v1
kind: query
spec:
  name: Get shimcache table
  platforms: Windows
  description: Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.
  query: select * from shimcache
  purpose: Informational
  contributors: puffyCid
---
apiVersion: v1
kind: query
spec:
  name: Get running docker containers
  platforms: macOS, Linux
  description: Returns the running Docker containers
  query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = "running";
  purpose: Informational
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get applications hogging memory
  platforms: macOS, Linux, Windows
  description: Returns top 10 applications or processes hogging memory the most.
  query: SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
  purpose: Informational
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get Mac and Linux machines with unencrypted primary disks
  platforms: macOS, Linux
  description:
  query: SELECT * FROM mounts m, disk_encryption d WHERE m.path= "/" AND m.device = d.name AND d.encrypted = 0;
  purpose: Informational
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get servers with root login in the last 24 hours
  platforms: macOS, Linux, Windows
  description: Returns servers with root login in the last 24 hours and the time the users where logged in.
  query: SELECT * FROM last WHERE username = "root" AND time > (( SELECT unix_time FROM time ) - 86400 );
  purpose: Informational
  contributors: DominusKelvin