empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
aa4f8393a9
fleet/website/.sailsrc
Guillaume Ross fca2bb6d1e
[4196] Adding vulnerability management information (#4197) 
* [4196] Adding vulnerability management information

This was planned to be published soon, but we have demand for it so decided to get it done this week!

* added line break to README.md

Added a line break between headings in security section of index.

Co-authored-by: Mike Thomas <mthomas@fleetdm.com>
2022-02-17 08:47:02 -05:00

1803 lines
75 KiB
Plaintext
Vendored
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"generators": {
"modules": {}
},
"_generatedWith": {
"sails": "1.2.5",
"sails-generate": "2.0.0"
},
"builtStaticContent": {
"markdownPages": [
{
"url": "/docs",
"title": "Readme.md",
"lastModifiedAt": 1632328105000,
"htmlId": "docs--readme--0390102d67",
"sectionRelativeRepoPath": "README.md",
"meta": {}
},
{
"url": "/docs/contributing/building-fleet",
"title": "Building Fleet",
"lastModifiedAt": 1636342002000,
"htmlId": "docs--01-building-fleet--5f11ca40e4",
"sectionRelativeRepoPath": "03-Contributing/01-Building-Fleet.md",
"meta": {}
},
{
"url": "/docs/contributing/testing",
"title": "Testing",
"lastModifiedAt": 1644862424000,
"htmlId": "docs--02-testing--a138f39b6b",
"sectionRelativeRepoPath": "03-Contributing/02-Testing.md",
"meta": {}
},
{
"url": "/docs/contributing/migrations",
"title": "Migrations",
"lastModifiedAt": 1644474926000,
"htmlId": "docs--03-migrations--48772e2095",
"sectionRelativeRepoPath": "03-Contributing/03-Migrations.md",
"meta": {}
},
{
"url": "/docs/contributing/committing-changes",
"title": "Committing changes",
"lastModifiedAt": 1644850183000,
"htmlId": "docs--04-committing-change--21ff165f0e",
"sectionRelativeRepoPath": "03-Contributing/04-Committing-Changes.md",
"meta": {}
},
{
"url": "/docs/contributing/releasing-fleet",
"title": "Releasing Fleet",
"lastModifiedAt": 1644804786000,
"htmlId": "docs--05-releasing-fleet--735939447c",
"sectionRelativeRepoPath": "03-Contributing/05-Releasing-Fleet.md",
"meta": {}
},
{
"url": "/docs/contributing/seeding-data",
"title": "Seeding data",
"lastModifiedAt": 1644850183000,
"htmlId": "docs--06-seeding-data--296858e17b",
"sectionRelativeRepoPath": "03-Contributing/06-Seeding-Data.md",
"meta": {}
},
{
"url": "/docs/contributing/api-versioning",
"title": "API versioning",
"lastModifiedAt": 1644850183000,
"htmlId": "docs--08-api-versioning--4a78bdcb12",
"sectionRelativeRepoPath": "03-Contributing/08-API-Versioning.md",
"meta": {}
},
{
"url": "/docs/contributing/api-for-contributors",
"title": "API for contributors",
"lastModifiedAt": 1644850183000,
"htmlId": "docs--07-api-for-contribut--3b60312565",
"sectionRelativeRepoPath": "03-Contributing/07-API-for-contributors.md",
"meta": {}
},
{
"url": "/docs/contributing/faq",
"title": "FAQ",
"lastModifiedAt": 1637092915000,
"htmlId": "docs--faq--b79c10afcc",
"sectionRelativeRepoPath": "03-Contributing/FAQ.md",
"meta": {}
},
{
"url": "/docs/contributing",
"title": "Contributing",
"lastModifiedAt": 1636120985000,
"htmlId": "docs--readme--0491397301",
"sectionRelativeRepoPath": "03-Contributing/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/learn-how-to-use-fleet",
"title": "Learn how to use Fleet",
"lastModifiedAt": 1635391919000,
"htmlId": "docs--00-learn-how-to-use---1659c631d9",
"sectionRelativeRepoPath": "01-Using-Fleet/00-Learn-how-to-use-Fleet.md",
"meta": {}
},
{
"url": "/docs/using-fleet/fleet-ui",
"title": "Fleet UI",
"lastModifiedAt": 1632328105000,
"htmlId": "docs--01-fleet-ui--35c6ffc72f",
"sectionRelativeRepoPath": "01-Using-Fleet/01-Fleet-UI.md",
"meta": {}
},
{
"url": "/docs/using-fleet/fleetctl-cli",
"title": "Fleetctl CLI",
"lastModifiedAt": 1644851973000,
"htmlId": "docs--02-fleetctl-cli--4418f0d2b8",
"sectionRelativeRepoPath": "01-Using-Fleet/02-fleetctl-CLI.md",
"meta": {}
},
{
"url": "/docs/using-fleet/rest-api",
"title": "REST API",
"lastModifiedAt": 1644804771000,
"htmlId": "docs--03-rest-api--e6c5275c43",
"sectionRelativeRepoPath": "01-Using-Fleet/03-REST-API.md",
"meta": {}
},
{
"url": "/docs/using-fleet/adding-hosts",
"title": "Adding hosts",
"lastModifiedAt": 1644279716000,
"htmlId": "docs--04-adding-hosts--49998e8d09",
"sectionRelativeRepoPath": "01-Using-Fleet/04-Adding-hosts.md",
"meta": {}
},
{
"url": "/docs/using-fleet/osquery-logs",
"title": "Osquery logs",
"lastModifiedAt": 1642615196000,
"htmlId": "docs--05-osquery-logs--f7a6d4168c",
"sectionRelativeRepoPath": "01-Using-Fleet/05-Osquery-logs.md",
"meta": {}
},
{
"url": "/docs/using-fleet/monitoring-fleet",
"title": "Monitoring Fleet",
"lastModifiedAt": 1642559146000,
"htmlId": "docs--06-monitoring-fleet--f92f33d982",
"sectionRelativeRepoPath": "01-Using-Fleet/06-Monitoring-Fleet.md",
"meta": {}
},
{
"url": "/docs/using-fleet/security-best-practices",
"title": "Security best practices",
"lastModifiedAt": 1639002215000,
"htmlId": "docs--07-security-best-pra--7d4dd7a66c",
"sectionRelativeRepoPath": "01-Using-Fleet/07-Security-best-practices.md",
"meta": {}
},
{
"url": "/docs/using-fleet/permissions",
"title": "Permissions",
"lastModifiedAt": 1642522720000,
"htmlId": "docs--09-permissions--9cf57df352",
"sectionRelativeRepoPath": "01-Using-Fleet/09-Permissions.md",
"meta": {}
},
{
"url": "/docs/using-fleet/teams",
"title": "Teams",
"lastModifiedAt": 1637332681000,
"htmlId": "docs--10-teams--04d79ca67e",
"sectionRelativeRepoPath": "01-Using-Fleet/10-Teams.md",
"meta": {}
},
{
"url": "/docs/using-fleet/usage-statistics",
"title": "Usage statistics",
"lastModifiedAt": 1638823140000,
"htmlId": "docs--11-usage-statistics--3475e52901",
"sectionRelativeRepoPath": "01-Using-Fleet/11-Usage-statistics.md",
"meta": {}
},
{
"url": "/docs/using-fleet/supported-browsers",
"title": "Supported browsers",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--12-supported-browser--6078bb981c",
"sectionRelativeRepoPath": "01-Using-Fleet/12-Supported-browsers.md",
"meta": {}
},
{
"url": "/docs/using-fleet/vulnerability-processing",
"title": "Vulnerability processing",
"lastModifiedAt": 1641910549000,
"htmlId": "docs--13-vulnerability-pro--1196c82a8f",
"sectionRelativeRepoPath": "01-Using-Fleet/13-Vulnerability-Processing.md",
"meta": {}
},
{
"url": "/docs/using-fleet/automations",
"title": "Automations",
"lastModifiedAt": 1644804771000,
"htmlId": "docs--14-automations--86267c337a",
"sectionRelativeRepoPath": "01-Using-Fleet/14-Automations.md",
"meta": {}
},
{
"url": "/docs/using-fleet/faq",
"title": "FAQ",
"lastModifiedAt": 1644542778000,
"htmlId": "docs--faq--5fd3badf4b",
"sectionRelativeRepoPath": "01-Using-Fleet/FAQ.md",
"meta": {}
},
{
"url": "/docs/using-fleet",
"title": "Using Fleet",
"lastModifiedAt": 1644850219000,
"htmlId": "docs--readme--2dfd9f33ad",
"sectionRelativeRepoPath": "01-Using-Fleet/README.md",
"meta": {}
},
{
"url": "/docs/deploying/introduction",
"title": "Introduction",
"lastModifiedAt": 1644280390000,
"htmlId": "docs--01-introduction--6a7df32ae9",
"sectionRelativeRepoPath": "02-Deploying/01-Introduction.md",
"meta": {}
},
{
"url": "/docs/deploying/server-installation",
"title": "Server installation",
"lastModifiedAt": 1644474957000,
"htmlId": "docs--02-server-installati--9417eacb5f",
"sectionRelativeRepoPath": "02-Deploying/02-Server-Installation.md",
"meta": {}
},
{
"url": "/docs/deploying/configuration",
"title": "Configuration",
"lastModifiedAt": 1644450551000,
"htmlId": "docs--03-configuration--661d644d1c",
"sectionRelativeRepoPath": "02-Deploying/03-Configuration.md",
"meta": {}
},
{
"url": "/docs/deploying/fleetctl-agent-updates",
"title": "Fleetctl agent updates",
"lastModifiedAt": 1644474974000,
"htmlId": "docs--04-fleetctl-agent-up--0efcca6df7",
"sectionRelativeRepoPath": "02-Deploying/04-fleetctl-agent-updates.md",
"meta": {}
},
{
"url": "/docs/deploying/load-testing",
"title": "Load testing",
"lastModifiedAt": 1637117313000,
"htmlId": "docs--05-load-testing--119652e61f",
"sectionRelativeRepoPath": "02-Deploying/05-Load-testing.md",
"meta": {}
},
{
"url": "/docs/deploying/reference-architectures",
"title": "Reference architectures",
"lastModifiedAt": 1644474997000,
"htmlId": "docs--06-reference-archite--5137259cc0",
"sectionRelativeRepoPath": "02-Deploying/06-Reference-Architectures.md",
"meta": {}
},
{
"url": "/docs/deploying/upgrading-fleet",
"title": "Upgrading Fleet",
"lastModifiedAt": 1644475017000,
"htmlId": "docs--06-upgrading-fleet--3fcc96dcf0",
"sectionRelativeRepoPath": "02-Deploying/06-Upgrading-Fleet.md",
"meta": {}
},
{
"url": "/docs/deploying/faq",
"title": "FAQ",
"lastModifiedAt": 1644310185000,
"htmlId": "docs--faq--8a5421ff4d",
"sectionRelativeRepoPath": "02-Deploying/FAQ.md",
"meta": {}
},
{
"url": "/docs/deploying",
"title": "Deploying",
"lastModifiedAt": 1642559146000,
"htmlId": "docs--readme--c2c13f140a",
"sectionRelativeRepoPath": "02-Deploying/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/configuration-files",
"title": "Configuration files",
"lastModifiedAt": 1644850183000,
"htmlId": "docs--readme--1f5ce1c90f",
"sectionRelativeRepoPath": "01-Using-Fleet/configuration-files/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/standard-query-library",
"title": "Standard query library",
"lastModifiedAt": 1643924976000,
"htmlId": "docs--readme--0bb1e0c004",
"sectionRelativeRepoPath": "01-Using-Fleet/standard-query-library/README.md",
"meta": {}
},
{
"url": "/handbook",
"title": "Readme.md",
"lastModifiedAt": 1644873224000,
"htmlId": "handbook--readme--ae76892837",
"sectionRelativeRepoPath": "README.md",
"meta": {
"maintainedBy": "mikermcneil"
}
},
{
"url": "/handbook/brand",
"title": "Brand",
"lastModifiedAt": 1644265234000,
"htmlId": "handbook--brand--4e6c3dcf66",
"sectionRelativeRepoPath": "brand.md",
"meta": {
"maintainedBy": "mike-j-thomas"
}
},
{
"url": "/handbook/company",
"title": "Company",
"lastModifiedAt": 1643418324000,
"htmlId": "handbook--company--3e83e92cd6",
"sectionRelativeRepoPath": "company.md",
"meta": {
"maintainedBy": "mikermcneil"
}
},
{
"url": "/handbook/customers",
"title": "Customers",
"lastModifiedAt": 1643664488000,
"htmlId": "handbook--customers--799a22bddb",
"sectionRelativeRepoPath": "customers.md",
"meta": {
"maintainedBy": "tgauda"
}
},
{
"url": "/handbook/community",
"title": "Community",
"lastModifiedAt": 1644388647000,
"htmlId": "handbook--community--a4f6e16e9b",
"sectionRelativeRepoPath": "community.md",
"meta": {
"maintainedBy": "mike-j-thomas"
}
},
{
"url": "/handbook/engineering",
"title": "Engineering",
"lastModifiedAt": 1642446791000,
"htmlId": "handbook--engineering--19725b7469",
"sectionRelativeRepoPath": "engineering.md",
"meta": {
"maintainedBy": "zwass"
}
},
{
"url": "/handbook/handbook",
"title": "Handbook",
"lastModifiedAt": 1642145590000,
"htmlId": "handbook--handbook--8347e28f8a",
"sectionRelativeRepoPath": "handbook.md",
"meta": {
"maintainedBy": "mike-j-thomas"
}
},
{
"url": "/handbook/people",
"title": "People",
"lastModifiedAt": 1644861673000,
"htmlId": "handbook--people--2c8a3cee70",
"sectionRelativeRepoPath": "people.md",
"meta": {
"maintainedBy": "eashaw"
}
},
{
"url": "/handbook/product",
"title": "Product",
"lastModifiedAt": 1644542778000,
"htmlId": "handbook--product--153aaa2125",
"sectionRelativeRepoPath": "product.md",
"meta": {
"maintainedBy": "noahtalerman"
}
},
{
"url": "/handbook/security",
"title": "Security",
"lastModifiedAt": 1644873224000,
"htmlId": "handbook--security--4d7d24ab6e",
"sectionRelativeRepoPath": "security.md",
"meta": {
"maintainedBy": "GuillaumeRoss"
}
}
],
"queries": [
{
"name": "Count Apple applications installed",
"platforms": "macOS",
"description": "Get the total number of Apple applications installed on the host system.",
"query": "SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';",
"purpose": "Informational",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
},
{
"name": "Noah Talerman",
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
},
{
"name": "Mike McNeil",
"handle": "mikermcneil",
"avatarUrl": "https://avatars.githubusercontent.com/u/618009?v=4",
"htmlUrl": "https://github.com/mikermcneil"
}
],
"kind": "query",
"slug": "count-apple-applications-installed",
"resolution": "N/A",
"tags": []
},
{
"name": "Get OpenSSL versions",
"platforms": "Linux",
"description": "Retrieves the OpenSSL version.",
"query": "SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-open-ssl-versions",
"resolution": "N/A",
"tags": []
},
{
"name": "Get whether Gatekeeper is disabled",
"platforms": "macOS",
"description": "Gatekeeper tries to ensure only trusted software is run on a mac machine.",
"query": "SELECT * FROM gatekeeper WHERE assessments_enabled = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-whether-gatekeeper-is-disabled",
"resolution": "N/A",
"tags": []
},
{
"name": "Get authorized SSH keys",
"platforms": "macOS, Linux",
"description": "Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.",
"query": "SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Informational",
"remediation": "Check out the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine if the installed version is a high severity vulnerability and view the corresponding CVE(s)",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
}
],
"kind": "query",
"slug": "get-authorized-ssh-keys",
"resolution": "N/A",
"tags": []
},
{
"name": "Get authorized keys for Local Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for each user on the system.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-authorized-keys-for-local-accounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get authorized keys for Domain Joined Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for each user on the system.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-authorized-keys-for-domain-joined-accounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get crashes",
"platforms": "macOS",
"description": "Retrieve application, system, and mobile app crash logs.",
"query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-crashes",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed Chrome Extensions",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "List installed Chrome Extensions for all users.",
"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-chrome-extensions",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed FreeBSD software",
"platforms": "FreeBSD",
"description": "Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-free-bsd-software",
"resolution": "N/A",
"tags": []
},
{
"name": "Get Homebrew Packages",
"platforms": "macOS",
"description": "Get the installed homebrew package database.",
"query": "SELECT * FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-homebrew-packages",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed Linux software",
"platforms": "Linux",
"description": "Get all software installed on a Linux computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-linux-software",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed macOS software",
"platforms": "macOS",
"description": "Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.",
"query": "SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-mac-os-software",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed Safari extensions",
"platforms": "macOS",
"description": "Retrieves the list of installed Safari Extensions for all users in the target system.",
"query": "SELECT safari_extensions.* FROM users join safari_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-safari-extensions",
"resolution": "N/A",
"tags": []
},
{
"name": "Get installed Windows software",
"platforms": "Windows",
"description": "Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-installed-windows-software",
"resolution": "N/A",
"tags": []
},
{
"name": "Get laptops with failing batteries",
"platforms": "macOS",
"description": "Lists all laptops with under-performing or failing batteries.",
"query": "SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-laptops-with-failing-batteries",
"resolution": "N/A",
"tags": []
},
{
"name": "Get macOS disk free space percentage",
"platforms": "macOS",
"description": "Displays the percentage of free space available on the primary disk partition.",
"query": "SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-mac-os-disk-free-space-percentage",
"resolution": "N/A",
"tags": []
},
{
"name": "Get mounts",
"platforms": "macOS, Linux",
"description": "Shows system mounted devices and filesystems (not process specific).",
"query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-mounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get the version of the resident operating system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Retrieves the version of the host(s) operating system(s).",
"query": "SELECT * FROM os_version;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-the-version-of-the-resident-operating-system",
"resolution": "N/A",
"tags": []
},
{
"name": "Get platform info",
"platforms": "macOS",
"description": "Shows information about the host platform",
"query": "SELECT vendor, version, date, revision from platform_info;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-platform-info",
"resolution": "N/A",
"tags": []
},
{
"name": "Get startup items",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows applications and binaries set as user/login startup items.",
"query": "SELECT * FROM startup_items;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-startup-items",
"resolution": "N/A",
"tags": []
},
{
"name": "Get system logins and logouts",
"platforms": "macOS",
"description": "Get a list of system logins and logouts.",
"query": "SELECT * FROM last;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-system-logins-and-logouts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get current users with active shell/console on the system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Get current users with active shell/console on the system and associated process",
"query": "SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-current-users-with-active-shell-console-on-the-system",
"resolution": "N/A",
"tags": []
},
{
"name": "Get system uptime",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows the system uptime.",
"query": "SELECT * FROM uptime;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-system-uptime",
"resolution": "N/A",
"tags": []
},
{
"name": "Get USB devices",
"platforms": "macOS, Linux",
"description": "Shows all USB devices that are actively plugged into the host system.",
"query": "SELECT * FROM usb_devices;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-usb-devices",
"resolution": "N/A",
"tags": []
},
{
"name": "Get wifi status",
"platforms": "macOS",
"description": "Shows information about the wifi network that a host is currently connected to.",
"query": "SELECT * FROM wifi_status;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-wifi-status",
"resolution": "N/A",
"tags": []
},
{
"name": "Get Windows machines with unencrypted hard disks",
"platforms": "Windows",
"description": "List all Windows machines with unencrypted hard disks.",
"query": "SELECT * FROM bitlocker_info WHERE protection_status = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-windows-machines-with-unencrypted-hard-disks",
"resolution": "N/A",
"tags": []
},
{
"name": "Get disk encryption status",
"platforms": "macOS, Linux",
"description": "Disk encryption status and information.",
"query": "SELECT * FROM disk_encryption;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-disk-encryption-status",
"resolution": "N/A",
"tags": []
},
{
"name": "Get unencrypted SSH keys for local accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;",
"purpose": "Informational",
"remediation": "First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-unencrypted-ssh-keys-for-local-accounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get unencrypted SSH keys for domain joined accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);",
"purpose": "Informational",
"remediation": "First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-unencrypted-ssh-keys-for-domain-joined-accounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get crontab jobs",
"platforms": "macOS, Linux",
"description": "Line parsed values from system and user cron/tab.",
"query": "SELECT * FROM crontab;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-crontab-jobs",
"resolution": "N/A",
"tags": []
},
{
"name": "Get suid binaries",
"platforms": "macOS, Linux",
"description": "suid binaries in common locations.",
"query": "SELECT * FROM suid_bin;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"kind": "query",
"slug": "get-suid-binaries",
"resolution": "N/A",
"tags": []
},
{
"name": "Get dynamic linker hijacking on Linux (MITRE. T1574.006)",
"platforms": "Linux",
"description": "Detect any processes that run with LD_PRELOAD environment variable",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';",
"purpose": "Informational",
"remediation": "Identify the process/binary detected and confirm with the system's owner.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-dynamic-linker-hijacking-on-linux-mitre-t-1574-006",
"resolution": "N/A",
"tags": []
},
{
"name": "Get dynamic linker hijacking on macOS (MITRE. T1574.006)",
"platforms": "macOS",
"description": "Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';",
"purpose": "Informational",
"remediation": "Identify the process/binary detected and confirm with the system's owner.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-dynamic-linker-hijacking-on-mac-os-mitre-t-1574-006",
"resolution": "N/A",
"tags": []
},
{
"name": "Get etc hosts entries",
"platforms": "macOS, Linux",
"description": "Line-parsed /etc/hosts",
"query": "SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-etc-hosts-entries",
"resolution": "N/A",
"tags": []
},
{
"name": "Get network interfaces",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Network interfaces MAC address",
"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-network-interfaces",
"resolution": "N/A",
"tags": []
},
{
"name": "Get local user accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Local user accounts (including domain accounts that have logged on locally (Windows)).",
"query": "SELECT uid, gid, username, description,directory, shell FROM users;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-local-user-accounts",
"resolution": "N/A",
"tags": []
},
{
"name": "Get active user accounts on servers",
"platforms": "Linux",
"description": "Domain Joined environment normally have root or other service account only and users are SSH-ing using their Domain Accounts.",
"query": "SELECT * FROM shadow WHERE password_status='active' and username!='root';",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-active-user-accounts-on-servers",
"resolution": "N/A",
"tags": []
},
{
"name": "Get Nmap scanner",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Get Nmap scanner process, as well as its user, parent, and process details.",
"query": "SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-nmap-scanner",
"resolution": "N/A",
"tags": []
},
{
"name": "Get docker images on a system",
"platforms": "macOS, Linux",
"description": "Docker images information, can be used on normal system or a kubenode.",
"query": "SELECT * FROM docker_images;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-docker-images-on-a-system",
"resolution": "N/A",
"tags": []
},
{
"name": "Get docker running containers on a system",
"platforms": "macOS, Linux",
"description": "Docker containers information, can be used on normal system or a kubenode.",
"query": "SELECT * FROM docker_containers;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-docker-running-containers-on-a-system",
"resolution": "N/A",
"tags": []
},
{
"name": "Get docker running process on a system",
"platforms": "macOS, Linux",
"description": "Docker containers Processes, can be used on normal system or a kubenode.",
"query": "SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"kind": "query",
"slug": "get-docker-running-process-on-a-system",
"resolution": "N/A",
"tags": []
},
{
"name": "Get Windows print spooler remote code execution vulnerability",
"platforms": "Windows",
"description": "Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.",
"query": "SELECT CASE cnt WHEN 2 THEN \"TRUE\" ELSE \"FALSE\" END \"Vulnerable\" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;",
"purpose": "Informational",
"contributors": [
{
"name": null,
"handle": "maravedi",
"avatarUrl": "https://avatars.githubusercontent.com/u/9169890?v=4",
"htmlUrl": "https://github.com/maravedi"
}
],
"kind": "query",
"slug": "get-windows-print-spooler-remote-code-execution-vulnerability",
"resolution": "N/A",
"tags": []
},
{
"name": "Get local users and their privileges",
"platforms": "macOS, Linux, Windows",
"description": "Collects the local user accounts and their respective user group.",
"query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
"purpose": "Informational",
"contributors": [
{
"name": "Noah Talerman",
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
}
],
"kind": "query",
"slug": "get-local-users-and-their-privileges",
"resolution": "N/A",
"tags": []
},
{
"name": "Get processes that no longer exist on disk",
"platforms": "Linux, macOS, Windows",
"description": "Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.",
"query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
"purpose": "Incident response",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-processes-that-no-longer-exist-on-disk",
"resolution": "N/A",
"tags": []
},
{
"name": "Get user files matching a specific hash",
"platforms": "macOS, Linux",
"description": "Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)",
"query": "SELECT path, sha256 FROM hash WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%%') AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-user-files-matching-a-specific-hash",
"resolution": "N/A",
"tags": []
},
{
"name": "Get local administrator accounts on macOS",
"platforms": "macOS",
"description": "The query allows you to check macOS systems for local administrator accounts.",
"query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-local-administrator-accounts-on-mac-os",
"resolution": "N/A",
"tags": []
},
{
"name": "Get all listening ports, by process",
"platforms": "Linux, macOS, Windows",
"description": "List ports that are listening on all interfaces, along with the process to which they are attached.",
"query": "SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = \"0.0.0.0\";",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-all-listening-ports-by-process",
"resolution": "N/A",
"tags": []
},
{
"name": "Get whether TeamViewer is installed/running",
"platforms": "Windows",
"description": "Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine.",
"query": "SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE \"%teamviewer%\";",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-whether-team-viewer-is-installed-running",
"resolution": "N/A",
"tags": []
},
{
"name": "Get malicious Python backdoors",
"platforms": "macOS, Linux, Windows",
"description": "Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)",
"query": "SELECT CASE cnt WHEN 0 THEN \"NONE_INSTALLED\" ELSE \"INSTALLED\" END AS \"Malicious Python Packages\", package_name, package_version FROM (SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path FROM python_packages WHERE package_name IN ('acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'));",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"kind": "query",
"slug": "get-malicious-python-backdoors",
"resolution": "N/A",
"tags": []
},
{
"name": "Check for artifacts of the Floxif trojan",
"platforms": "Windows",
"description": "Checks for artifacts from the Floxif trojan on Windows machines.",
"query": "SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Piriform\\\\Agomo%';",
"purpose": "Informational",
"contributors": [
{
"name": "Babatunde Micheal Okutubo",
"handle": "micheal-o",
"avatarUrl": "https://avatars.githubusercontent.com/u/22627292?v=4",
"htmlUrl": "https://github.com/micheal-o"
}
],
"kind": "query",
"slug": "check-for-artifacts-of-the-floxif-trojan",
"resolution": "N/A",
"tags": []
},
{
"name": "Get shimcache table",
"platforms": "Windows",
"description": "Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.",
"query": "select * from shimcache",
"purpose": "Informational",
"contributors": [
{
"name": null,
"handle": "puffyCid",
"avatarUrl": "https://avatars.githubusercontent.com/u/16283453?v=4",
"htmlUrl": "https://github.com/puffyCid"
}
],
"kind": "query",
"slug": "get-shimcache-table",
"resolution": "N/A",
"tags": []
},
{
"name": "Get running docker containers",
"platforms": "macOS, Linux",
"description": "Returns the running Docker containers",
"query": "SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = \"running\";",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-running-docker-containers",
"resolution": "N/A",
"tags": []
},
{
"name": "Get applications hogging memory",
"platforms": "macOS, Linux, Windows",
"description": "Returns top 10 applications or processes hogging memory the most.",
"query": "SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-applications-hogging-memory",
"resolution": "N/A",
"tags": []
},
{
"name": "Get Mac and Linux machines with unencrypted primary disks",
"platforms": "macOS, Linux",
"description": null,
"query": "SELECT * FROM mounts m, disk_encryption d WHERE m.path= \"/\" AND m.device = d.name AND d.encrypted = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-mac-and-linux-machines-with-unencrypted-primary-disks",
"resolution": "N/A",
"tags": []
},
{
"name": "Get servers with root login in the last 24 hours",
"platforms": "macOS, Linux, Windows",
"description": "Returns servers with root login in the last 24 hours and the time the users where logged in.",
"query": "SELECT * FROM last WHERE username = \"root\" AND time > (( SELECT unix_time FROM time ) - 86400 );",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-servers-with-root-login-in-the-last-24-hours",
"resolution": "N/A",
"tags": []
},
{
"name": "Detect active processes with Log4j running",
"platforms": "macOS, Linux",
"description": "Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.",
"query": "WITH target_jars AS (\n SELECT DISTINCT path\n FROM (\n WITH split(word, str) AS(\n SELECT '', cmdline || ' '\n FROM processes\n UNION ALL\n SELECT substr(str, 0, instr(str, ' ')), substr(str, instr(str, ' ') + 1)\n FROM split\n WHERE str != '')\n SELECT word AS path\n FROM split\n WHERE word LIKE '%.jar'\n UNION ALL\n SELECT path\n FROM process_open_files\n WHERE path LIKE '%.jar'\n )\n)\nSELECT path, matches\nFROM yara\nWHERE path IN (SELECT path FROM target_jars)\n AND count > 0\n AND sigrule IN (\n 'rule log4jJndiLookup {\n strings:\n $jndilookup = \"JndiLookup\"\n condition:\n $jndilookup\n }',\n 'rule log4jJavaClass {\n strings:\n $javaclass = \"org/apache/logging/log4j\"\n condition:\n $javaclass\n }'\n );\n",
"purpose": "Detection",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
},
{
"name": "Tony Gauda",
"handle": "tgauda",
"avatarUrl": "https://avatars.githubusercontent.com/u/5620541?v=4",
"htmlUrl": "https://github.com/tgauda"
}
],
"kind": "query",
"slug": "detect-active-processes-with-log-4-j-running",
"resolution": "N/A",
"tags": []
},
{
"name": "Get applications that were opened within the last 24 hours",
"platforms": "macOS",
"description": "Returns applications that were opened within the last 24 hours starting with the last opened application.",
"query": "SELECT * FROM apps WHERE last_opened_time > (( SELECT unix_time FROM time ) - 86400 ) ORDER BY last_opened_time DESC;",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-applications-that-were-opened-within-the-last-24-hours",
"resolution": "N/A",
"tags": []
},
{
"name": "Get applications that are not in the Applications directory",
"platforms": "macOS",
"description": "Returns applications that are not in the `/Applications` directory",
"query": "SELECT * FROM apps WHERE path NOT LIKE '/Applications/%';",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-applications-that-are-not-in-the-applications-directory",
"resolution": "N/A",
"tags": []
},
{
"name": "Get subscription-based applications that have not been opened for the last 30 days",
"platforms": "macOS",
"description": "Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.",
"query": "SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN (\"Photoshop.app\", \"Adobe XD.app\", \"Sketch.app\", \"Illustrator.app\") AND last_opened_time < (( SELECT unix_time FROM time ) - 2592000000000 );",
"purpose": "Informational",
"contributors": [
{
"name": "Kelvin Oghenerhoro Omereshone",
"handle": "DominusKelvin",
"avatarUrl": "https://avatars.githubusercontent.com/u/24433274?v=4",
"htmlUrl": "https://github.com/DominusKelvin"
}
],
"kind": "query",
"slug": "get-subscription-based-applications-that-have-not-been-opened-for-the-last-30-days",
"resolution": "N/A",
"tags": []
},
{
"name": "Gatekeeper enabled (macOS)",
"query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
"description": "Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.",
"resolution": "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "gatekeeper-enabled-mac-os",
"tags": []
},
{
"name": "Full disk encryption enabled (Windows)",
"query": "SELECT 1 FROM bitlocker_info where protection_status = 1;",
"description": "Checks to make sure that full disk encryption is enabled on Windows devices.",
"resolution": "To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the query results, if protection_status is 2, then the status cannot be determined. If it is 0, it is considered unprotected. Use the additional results (percent_encrypted, conversion_status, etc.) to help narrow down the specific reason why Windows considers the volume unprotected.",
"platforms": "Windows",
"contributors": [
{
"name": "Josh Brower",
"handle": "defensivedepth",
"avatarUrl": "https://avatars.githubusercontent.com/u/954732?v=4",
"htmlUrl": "https://github.com/defensivedepth"
}
],
"kind": "policy",
"slug": "full-disk-encryption-enabled-windows",
"tags": []
},
{
"name": "Full disk encryption enabled (macOS)",
"query": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT \"\" AND filevault_status = 'on' LIMIT 1;",
"description": "Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
"resolution": "To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "full-disk-encryption-enabled-mac-os",
"tags": []
},
{
"name": "System Integrity Protection enabled (macOS)",
"query": "SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;",
"description": "Checks to make sure that the System Integrity Protection feature is enabled.",
"resolution": "To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "system-integrity-protection-enabled-mac-os",
"tags": []
},
{
"name": "Automatic login disabled (macOS)",
"query": "SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;",
"description": "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password.",
"resolution": "The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "automatic-login-disabled-mac-os",
"tags": []
},
{
"name": "Guest users disabled (macOS)",
"query": "SELECT 1 FROM managed_policies WHERE domain = 'com.apple.MCX' AND name = 'DisableGuestAccount' AND value = 1 LIMIT 1;",
"description": "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that guest accounts cannot be used to log in to the device without a password.",
"resolution": "The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "guest-users-disabled-mac-os",
"tags": []
},
{
"name": "Secure keyboard entry for Terminal.app enabled (macOS)",
"query": "SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;",
"description": "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the Secure Keyboard Entry setting is enabled.",
"platforms": "macOS",
"contributors": [
{
"name": "Victor Vrantchan",
"handle": "groob",
"avatarUrl": "https://avatars.githubusercontent.com/u/1526945?v=4",
"htmlUrl": "https://github.com/groob"
}
],
"kind": "policy",
"slug": "secure-keyboard-entry-for-terminal-app-enabled-mac-os",
"resolution": "N/A",
"tags": []
},
{
"name": "Get built-in antivirus status on macOS",
"platforms": "macOS",
"query": "SELECT path, value AS version FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist') OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist');",
"description": "Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists",
"purpose": "Informational",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "query",
"slug": "get-built-in-antivirus-status-on-mac-os",
"resolution": "N/A",
"tags": []
},
{
"name": "Get antivirus status from the Windows Security Center",
"platforms": "Windows",
"query": "SELECT antivirus, signatures_up_to_date from windows_security_center CROSS JOIN windows_security_products WHERE type = 'Antivirus';",
"description": "Selects the antivirus and signatures status from Windows Security Center.",
"purpose": "Informational",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "query",
"slug": "get-antivirus-status-from-the-windows-security-center",
"resolution": "N/A",
"tags": []
},
{
"name": "Get antivirus (ClamAV/clamd) and updater (freshclam) process status",
"platforms": "Linux",
"query": "SELECT pid, state, cmdline, name FROM processes WHERE name='clamd' OR name='freshclam';",
"description": "Selects the clamd and freshclam processes to ensure AV and its updater are running",
"purpose": "Informational",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "query",
"slug": "get-antivirus-clam-av-clamd-and-updater-freshclam-process-status",
"resolution": "N/A",
"tags": []
},
{
"name": "Antivirus healthy (macOS)",
"query": "SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist' AND value>=2155) OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist' and value>=1.88)) WHERE score == 1;",
"description": "Checks the version of Malware Removal Tool (MRT) and the built-in macOS AV (Xprotect). Replace version numbers with latest version regularly.",
"resolution": "To enable automatic security definition updates, on the failing device, select System Preferences > Software Update > Advanced > Turn on Install system data files and security updates.",
"platforms": "macOS",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "policy",
"slug": "antivirus-healthy-mac-os",
"tags": []
},
{
"name": "Antivirus healthy (Windows)",
"query": "SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;",
"description": "Checks the status of antivirus and signature updates from the Windows Security Center.",
"resolution": "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center.",
"platforms": "Windows",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "policy",
"slug": "antivirus-healthy-windows",
"tags": []
},
{
"name": "Antivirus healthy (Linux)",
"query": "SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;",
"description": "Checks that both ClamAV's daemon and its updater service (freshclam) are running.",
"resolution": "Ensure ClamAV and Freshclam are installed and running.",
"platforms": "Linux",
"contributors": [
{
"name": "Guillaume Ross",
"handle": "GuillaumeRoss",
"avatarUrl": "https://avatars.githubusercontent.com/u/73836008?v=4",
"htmlUrl": "https://github.com/GuillaumeRoss"
}
],
"kind": "policy",
"slug": "antivirus-healthy-linux",
"tags": []
}
],
"queryLibraryYmlRepoPath": "docs/01-Using-Fleet/standard-query-library/standard-query-library.yml",
"compiledPagePartialsAppPath": "views/partials/built-from-markdown"
}
}
Reference in New Issue View Git Blame Copy Permalink