fleet/schema/fleet_schema.json
Guillaume Ross eadb3b1081
Adding 6 example queries! (#8165)
* Adding 6 example queries!

* Adding alf_explicit_auths + a note about a current bug with it

* Reverting sailsrc changes
2022-10-12 11:13:44 -04:00

1069 lines
41 KiB
JSON

[
{
"name": "account_policy_data",
"examples": "Query the creation date of user accounts. You could also query the date of the last failed login attempt or password change.\n```\nSELECT strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationdate FROM account_policy_data;\n```\n\nSee each user's last password set date and number of failed logins since last successful login to detect any intrusion attempts.\n```\nSELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;"
},
{
"name": "ad_config",
"examples": "See the domain, if any, that the Mac is bound to.\n```\nSELECT domain FROM ad_config;\n```"
},
{
"name": "alf",
"examples": "See the state of the Application Layer Firewall on a Mac. A result of 0 means it is disabled, 1 means it is enabled, and 2 means it is enabled and blocking all inbound connections. See our standard query library for an example policy query using this.\n```\nSELECT global_state FROM alf;\n```"
},
{
"name": "alf_exceptions",
"examples": "List applications that are able to receive inbound connections across the firewall. This is useful when looking to see if vulnerable software is exposed to networks. \n```\nSELECT * FROM alf_exceptions;\n```"
},
{
"name": "alf_explicit_auths",
"examples": "List applications were granted explicit access through the firewall. This is useful when looking to see if vulnerable software is exposed to networks. \n```\nSELECT * FROM alf_exceptions;\n```",
"notes": "This table is currently affected by a [bug](https://github.com/osquery/osquery/issues/2322) and not returning applications visible in the preferences interface."
},
{
"name": "app_schemes",
"examples": "List applications that have registered the URL scheme \"mailto\" to handle email links.\n```\nSELECT * FROM app_schemes WHERE scheme='mailto';\n```"
},
{
"name": "apps",
"examples": "See the last time applications were used. Useful to know if a vulnerable application is being used as well as for licensing purposes.\n```\nSELECT *, strftime('%Y-%m-%d %H:%M:%S',last_opened_time,'unixepoch') as LastUseDate FROM apps WHERE last_opened_time!='-1.0';\n```"
},
{
"name": "arp_cache",
"examples": "List the content of the ARP cache. On systems located in an office or datacenter, you can use this to watch for network attacks by checking for gateway IPs that do not have the expected MAC address.\n```\nSELECT address, interface, mac FROM arp_cache;\n```"
},
{
"name": "asl",
"examples": "Apple System Logger (ASL) is deprecated since macOS 10.12. On older Macs, this table can be used to read logs. On newer ones, see the *unified_log* table. This example is from the osquery documentation.\n```\nSELECT time, message FROM asl WHERE facility = 'authpriv' AND sender = 'sudo' AND message LIKE '%python%';\n```"
},
{
"name": "authorization_mechanisms",
"examples": "Discover privileged macOS authorization mechanisms, which could include third party software. Finding third party software using this means it is likely an important piece of software that should be kept very up to date.\n```\nSELECT * FROM authorization_mechanisms WHERE privileged='true';\n```"
},
{
"name": "authorizations",
"examples": "See macOS authorizations that have been modified since their creation. Useful for threat hunting.\n```\nSELECT * FROM authorizations WHERE created!=modified;\n```"
},
{
"name": "azure_instance_metadata",
"examples": "See in which Azure location a VM is located\n```\nSELECT location FROM azure_instance_metadata;\n```"
},
{
"name": "azure_instance_tags",
"examples": "List the tags assigned to an Azure VM\n```\nSELECT key, value FROM azure_instance_tags;\n```"
},
{
"name": "augeas",
"examples": "This table requires augeas [lenses](https://augeas.net/docs/lenses.html) to be installed in their default location. This query will output *sshd_config* as if it was a table. This is especially useful to check for specific configurations in text files.\n```\nSELECT * FROM augeas WHERE path='/etc/ssh/sshd_config';\n```"
},
{
"name": "battery",
"examples": "This table contains a lot of information about the health of batteries. This query shows how many cycles the battery of a device was used for, allowing you to identify users who put more wear on it and might need more frequent replacements.\n```\nSELECT cycle_count FROM battery;\n```"
},
{
"name": "browser_plugins",
"examples": "See classic browser plugins (C/NPAPI) installed by users. These plugins have been deprecated for a long time, so this query will usually not return anything.\n```\nSELECT bp.name, bp.identifier, bp.version FROM browser_plugins bp JOIN users u on bp.uid = u.uid ;\n```"
},
{
"name": "curl",
"examples": "Connect over HTTP and retrieve statistics about the process. This is useful to detect machines on slow networks, or that have no Internet access.\n```\nSELECT round_trip_time FROM curl WHERE URL='https://fleetdm.com';\n```"
},
{
"name": "curl_certificate",
"examples": "Identify the certificates being served to osquery clients. This can allow you to detect machines that are behind a proxy or firewall attempting to decrypt TLS, maliciously or not.\n```\nSELECT issuer_organization, signature, sha256_fingerprint FROM curl_certificate WHERE hostname='google.com';\n```"
},
{
"name": "etc_hosts",
"examples": "Identify host\"name\"s pointed to IP addresses using the hosts file. This technique is often abused by malware, but can also indicate services that do not have proper DNS configuration to be reached from workstations.\n```\nSELECT * FROM etc_hosts WHERE address!='127.0.0.1' AND address!='::1' AND address!='255.255.255.255';\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "block_devices",
"examples": "Identify USB storage in use\n```\nSELECT * FROM block_devices WHERE type='USB';\n```"
},
{
"name": "carbon_black_info",
"examples": "See systems running Carbon Black but which have protection disabled.\n```\nSELECT * FROM carbon_black_info WHERE protection_disabled='1';\n```"
},
{
"name": "certificates",
"description": "[Certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) installed in Keychains/ca-bundles.",
"examples": "Replace 1QAZ2WSX with your Apple Developer ID, if you have one. This query will then let you identify Macs that have a copy of your code signing and notarization certificates.\n```\nSELECT * FROM certificates WHERE common_\"name\" LIKE '%%1QAZ2SWX%%';\n```",
"columns": [
{
"name": "sid",
"platforms": ["windows"]
},
{
"name": "store_location",
"platforms": ["windows"]
},
{
"name": "store",
"platforms": ["windows"]
},
{
"name": "username",
"platforms": ["windows"]
},
{
"name": "store_id",
"platforms": ["windows"]
},
{
"name": "issuer2",
"platforms": ["linux", "darwin"]
},
{
"name": "subject2",
"platforms": ["linux", "darwin"]
}
]
},
{
"name": "cpu_time",
"examples": "Identify overworked CPUs using a ratio of system to user CPU usage. Here, a ratio of 2 was arbitrarily chosen.\n```\nSELECT * FROM cpu_time WHERE user/system>2;\n```"
},
{
"name": "cups_destinations",
"examples": "Identify the types of printers connected to computers. This query works for both network and local printers.\n```\nSELECT * FROM cups_destinations WHERE option_\"name\"='printer-info';\n```"
},
{
"name": "cups_jobs",
"examples": "See what file format are being printed to what printer. This is useful for identifying systems that print a lot, which can help you ensure they have access to faster printers. Using this table, you could also highlight slow print jobs that might benefit from troubleshooting.\n```\nSELECT destination, format, strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationDate FROM cups_jobs;\n```"
},
{
"name": "cpuid",
"examples": "Identify Intel powered Macs that support a specific Intel CPU feature, such as sgx1.\n```\nSELECT * from cpuid WHERE feature='sgx1';\n```"
},
{
"name": "file",
"examples": "List zip files in the downloads folder as well as their associated sha256 hash.\n```\nSELECT f.path, h.sha256 FROM file f JOIN hash h ON f.path = h.path WHERE f.path LIKE '/Users/%/Downloads/%%.zip';\n```"
},
{
"name": "device_firmware",
"examples": "Identify the firmware version of hardware on a Mac, such as the SSD controller in this case. Older versions might indicate a problem with software updates, and this information can be useful when troubleshooting various issues.\n```\nSELECT * FROM device_firmware WHERE device='AppleANS3NVMeController';\n```"
},
{
"name": "disk_encryption",
"examples": "A policy query to check if Filevault disk encryption is enabled on a Mac.\n```\nSELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;\n```",
"columns": [
{
"name": "uid",
"platforms": ["darwin"]
},
{
"name": "user_uuid",
"platforms": ["darwin"]
},
{
"name": "filevault_status",
"platforms": ["darwin"]
}
]
},
{
"name": "disk_events",
"examples": "This is an evented table, and as such, is more useful if you are sending osquery logs to a SIEM or other centralized destination via Fleet. Events must be enabled. This query will contain the list of all actions related to connecting and removing disks, including SMB drives and USB storage, which can be very useful for investigative purposes.\n```\nSELECT * FROM disk_events;\n```"
},
{
"name": "event_taps",
"examples": "Identify processes that have a tap into the system, such as access to keystrokes, and view details on the executable including signature status, team identifier if signed and the authority that emitted the signing certificate. This can be used to detect keyloggers and other malicious applications.\n```\nSELECT t.event_tapped, s.identifier, s.signed, s.team_identifier, s.authority FROM event_taps t JOIN processes p ON p.pid = t.tapping_process JOIN signature s on s.path = p.path WHERE s.identifier !='com.apple.ViewBridgeAuxiliary' AND s.identifier !='com.apple.universalaccessd' AND s.identifier !='com.apple.accessibility.AXVisualSupportAgent';\n```"
},
{
"name": "gatekeeper",
"examples": "Policy query to check that Gatekeeper is enabled\n```\nSELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;\n```"
},
{
"name": "homebrew_packages",
"examples": "Check the version of a package installed via homebrew. This example checks the version of ffmeg, which should be replaced by the actual package you want to check for. This is useful for finding problematic or vulnerable installs, though Fleet will detect vulnerable packages automatically.\n```\nSELECT version FROM homebrew_packages WHERE name = 'ffmpeg';\n```"
},
{
"name": "groups",
"examples": "See all groups with the IsHidden OpenDirectory attribute\n```\nSELECT * FROM groups WHERE is_hidden='1';\n```",
"columns": [
{
"name": "group_sid",
"platforms": ["windows"]
},
{
"name": "comment",
"platforms": ["windows"]
},
{
"name": "is_hidden",
"platforms": ["darwin"]
},
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
],
"notes": "* On Windows, `gid` and `gid_signed` are always the same"
},
{
"name": "hash",
"examples": "List zip files in the downloads folder as well as their associated sha256 hash.\n```\nSELECT f.path, h.sha256 FROM file f JOIN hash h ON f.path = h.path WHERE f.path LIKE '/Users/%/Downloads/%%.zip';\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "interface_addresses",
"examples": "Find all interfaces that have a public Internet IP. This query filters out all RFC1918 IPv4 addresses as well as IPv6 localhost.\n```\nSELECT * FROM interface_addresses WHERE address NOT LIKE '192.168%%' AND address NOT LIKE '172.16%%' AND address NOT LIKE '172.17%%' AND address NOT LIKE '172.18%%' AND address NOT LIKE '172.19%%' AND address NOT LIKE '172.20%%' AND address NOT LIKE '172.21%%' AND address NOT LIKE '172.22%%' AND address NOT LIKE '172.23%%' AND address NOT LIKE '10.%%' AND address NOT LIKE '127.%%' AND address IS NOT NULL AND address IS NOT ' ' AND address IS NOT '' AND address IS NOT '::1' AND mask IS NOT 'ffff:ffff:ffff:ffff::';\n```",
"columns": [
{
"name": "friendly_name",
"platforms": ["windows"]
}
]
},
{
"name": "interface_ipv6",
"examples": "Identify interfaces using IPv6 with forwarding enabled.\n```\nSELECT interface FROM interface_ipv6 WHERE forwarding_enabled='1';\n```"
},
{
"name": "iokit_devicetree",
"examples": "List the components in a Mac's device tree\n```\nSELECT * from iokit_devicetree;\n```"
},
{
"name": "iokit_registry",
"examples": "Identify devices with a Yubikey connected. The name will also contain the protocols supported by the key, such as FIDO.\n```\nSELECT * from iokit_registry WHERE name LIKE 'Yubi%';\n```"
},
{
"name": "kernel_extensions",
"examples": "Identify third-party kernel extensions.\n```\nSELECT * FROM kernel_extensions WHERE name NOT LIKE 'com.apple%' AND name NOT LIKE '__kernel__';\n```"
},
{
"name": "kernel_info",
"examples": "See the kernel version running\n```\nSELECT version FROM kernel_info;\n```"
},
{
"name": "kernel_panics",
"examples": "Look for kernel panics and see which module was last loaded before they happened.\n```\nSELECT os_version, name, time, system_model, last_loaded FROM kernel_panics;\n```"
},
{
"name": "keychain_acls",
"examples": "Identify keychain items with permissions granted to Applications at the system or user level.SELECT * FROM keychain_acls WHERE path LIKE '/System/Applications/%%' OR path LIKE '/Users/%%/Applications/%%';\n```\nSELECT * FROM keychain_acls WHERE path LIKE '/System/Applications/%%' OR path LIKE '/Users/%%/Applications/%%';\n```"
},
{
"name": "keychain_items",
"examples": "Identify Macs that contain certificates related to Apple application signing and notarization. (replace with your Apple Developer ID string)\n```\nSELECT * FROM keychain_items WHERE label LIKE '%8EHZ83LZNU%';\n```"
},
{
"name": "last",
"examples": "System logins and logouts with formatted time.\n```\nSELECT strftime('%Y-%m-%d %H:%M:%S',time,'unixepoch') AS formatted_time, username, pid, type FROM last WHERE tty='console'; \n```"
},
{
"name": "launchd",
"examples": "List launch daemons that run an application in the Applications directory.\n```\nSELECT * FROM launchd WHERE program LIKE '/Applications/%%' OR program LIKE '/Users/%%/Applications/%%';\n```"
},
{
"name": "managed_policies",
"examples": "Check if critical software update installation is enabled via a profile (1 = enabled)\n```\nSELECT name, value FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' LIMIT 1;\n```"
},
{
"name": "mdls",
"examples": "Identify hidden files that have been indexed by Spotlight. This could reveal files that were recently deleted and are still in the Spotlight database.\n```\nSELECT * FROM mdls WHERE path LIKE '/Users/g/%%' AND key='kMDItemFSIsExtensionHidden' AND value='true';\n```"
},
{
"name": "nfs_shares",
"examples": "List shares exported via NFS on Macs, and if they are read only (readonly=1) or not.\n```\nSELECT share, readonly FROM nfs_shares;\n```"
},
{
"name": "wifi_networks",
"examples": "Find WiFi networks configured on Macs that are unencrypted and require a captive portal. This can be useful to understand how much people use laptops in hotels, airports and other environments, and is a good indicator that tools such as DNS-over-HTTPS would improve privacy of connectivity.\n```\nSELECT network_name FROM wifi_networks WHERE security_type='Open' AND captive_portal='1';\n```"
},
{
"name": "wifi_status",
"examples": "See the current speed of the WiFi connection, in megabits per second.\n```\nSELECT transmit_rate FROM wifi_status;\n```"
},
{
"name": "wifi_survey",
"examples": "Count the amount of wireless networks visible to the computer.\n```\nSELECT COUNT ( DISTINCT network_name ) AS \"Number of wireless networks visible\" FROM wifi_survey;\n```"
},
{
"name": "load_average",
"examples": "Find computers with a load average of 3.5 or higher over the last 15 minutes.\n```\nSELECT average from load_average WHERE period='15m' AND average>=3.5;\n```"
},
{
"name": "location_services",
"examples": "If this query returns a 1 in the enabled column, location services are enabled on this Mac.\n```\nSELECT enabled from location_services;\n```"
},
{
"name": "mounts",
"examples": "If this query returns a 1 in the enabled column, location services are enabled on this Mac.\n```\nSELECT enabled from location_services;\n```"
},
{
"name": "nvram",
"examples": "If a Mac had a sleep failure, this query will return the reason for it.\n```\nSELECT name, value FROM nvram WHERE name='SleepWakeFailureString';\n```"
},
{
"name": "osquery_events",
"examples": "Identify osquery event types which have no subscriber.\n```\nSELECT * from osquery_events WHERE subscriptions='0';\n```"
},
{
"name": "osquery_extensions",
"examples": "Identify osquery extensions in use that are not part of osquery core.\n```\nSELECT name, path from osquery_extensions WHERE type IS NOT 'core';\n```"
},
{
"name": "osquery_flags",
"examples": "If disable_events has a value of false, events are enabled.\n```\nSELECT description, name, value FROM osquery_flags WHERE name='disable_events';\n```"
},
{
"name": "osquery_info",
"examples": "See the version of the currently running osquery.\n```\nSELECT version FROM osquery_info; \n```"
},
{
"name": "osquery_packs",
"examples": "See query packs currently active on osquery.\n```\nSELECT name FROM osquery_packs WHERE active='1';\n```"
},
{
"name": "osquery_registry",
"examples": "See the list of tables available on this instance of osquery.\n```\nSELECT DISTINCT name FROM osquery_registry;\n```"
},
{
"name": "osquery_schedule",
"examples": "Identify scheduled queries that have been denylisted by the osquery watchdog. This could indicate queries that required a lot of resources to be executed. They will not be executed again until osquery restarts.\n```\nSELECT name, query FROM osquery_schedule WHERE denylisted='1';\n```"
},
{
"name": "package_bom",
"examples": "List the bill of materials of a package. The receipts directory contains packages to installed applications.\n```\nSELECT * FROM package_bom WHERE path='/private/var/db/receipts/com.yubico.ykman.bom';\n```"
},
{
"name": "package_install_history",
"examples": "See a list of packages installed in the last week.\n```\nSELECT name, version, source, datetime(time,'unixepoch') AS install_time from package_install_history WHERE install_time >= datetime('now','-7 days');\n```"
},
{
"name": "package_receipts",
"examples": "List the location of receipt files related to installed packages.\n```\nSELECT * FROM package_receipts;\n```"
},
{
"name": "platform_info",
"examples": "See version information about the boot system, such as iBoot on Apple Silicon\n```\nSELECT version FROM platform_info;\n```"
},
{
"name": "plist",
"examples": "Read the contents of a plist file, formatted into a table\n```\nSELECT key, subkey, value FROM plist WHERE path LIKE '/Users/%%/Library/Preferences/com.apple.Terminal.plist';\n```"
},
{
"name": "process_envs",
"examples": "See what PATH is configured as an environment variable.\n```\nSELECT DISTINCT value, key FROM process_envs WHERE key='PATH';\n```"
},
{
"name": "process_memory_map",
"examples": "See the memory ranges with write permissions assigned to processes.\n```\nSELECT * FROM process_memory_map WHERE permissions LIKE '%w%';\n```"
},
{
"name": "process_open_files",
"examples": "See what processes have which files open, for example, what processes are currently interacting with files with 1Password in their name?\n```\nSELECT f.path file_path, p.path process_path FROM process_open_files f JOIN processes p ON p.pid = f.pid WHERE f.path LIKE '%1Password%';\n```"
},
{
"name": "running_apps",
"examples": "List all running applications. Filter on is_active='1' to see the application that currently has focus.\n```\nSELECT * FROM running_apps;\n```"
},
{
"name": "secureboot",
"examples": "See the secure boot status (enabled or not) of Windows and Linux systems. You could create a policy looking for it to be set to 1.\n```\nSELECT secure_boot FROM secureboot;\n```"
},
{
"name": "shared_folders",
"examples": "List all shared folders except for the standard public ones.\n```\nSELECT * FROM shared_folders WHERE path NOT LIKE '/Users/%%/Public%';\n```"
},
{
"name": "sharing_preferences",
"examples": "Identify systems where any type of sharing is enabled. This table can be very useful for building policies for specific types of sharing.\n```\nSELECT * FROM sharing_preferences WHERE screen_sharing='1' OR file_sharing='1' OR printer_sharing='1' OR remote_login='1' OR remote_management='1' OR remote_apple_events='1' OR internet_sharing='1' OR bluetooth_sharing='1' OR disc_sharing='1' OR content_caching='1';\n```"
},
{
"name": "signature",
"examples": "Identify system extensions that are not managed via MDM and see their signature status.\n```\nSELECT se.identifier, se.bundle_path, se.category, se.state, s.signed FROM system_extensions se JOIN signature s on s.path = se.bundle_path WHERE se.mdm_managed='0';\n```"
},
{
"name": "sip_config",
"examples": "View the status of System Integrity Protection.\n```\nSELECT config_flag, enabled FROM sip_config WHERE config_flag='sip';\n```"
},
{
"name": "smc_keys",
"examples": "See if the temperature sensor on an Intel Mac is returning values. SMC values aren't officially documented and as such this table is useful if you are troubleshooting and digging into a specific hardware related issue.\n```\nSELECT * FROM smc_keys WHERE key='TC0P';\n```"
},
{
"name": "startup_items",
"examples": "List commands executed as user/logon startup items.\n```\nSELECT name, type FROM startup_items WHERE status='enabled';\n```"
},
{
"name": "sudoers",
"examples": "Identify systems where sudo is configured in a way to allow users to retain their existing environment variables, which is a security risk.\n```\nSELECT header, source, rule_details FROM sudoers WHERE rule_details='!env_reset';\n```"
},
{
"name": "system_extensions",
"examples": "Identify system extensions that are not managed via MDM and see their signature status.\n```\nSELECT se.identifier, se.bundle_path, se.category, se.state, s.signed FROM system_extensions se JOIN signature s on s.path = se.bundle_path WHERE se.mdm_managed='0';\n```"
},
{
"name": "system_info",
"examples": "See the CPU architecture of a machine as well as who made it and what its serial number is.\n```\nSELECT CPU_type, hardware_vendor, hardware_model, hardware_serial FROM system_info;\n```"
},
{
"name": "temperature_sensors",
"examples": "Identify systems with CPU temperature sensors above or equal to 90c.\n```\nSELECT name, celsius FROM temperature_sensors WHERE name LIKE 'CPU%' AND celsius>='90';\n```"
},
{
"name": "time_machine_backups",
"examples": "See the time of the latest backup. In environments where you want to encourage backups, this can be useful to remind users to perform them, and in environments where you do not allow backups, to detect that they are happening.\n```\nSELECT strftime('%Y-%m-%d %H:%M:%S',backup_date,'unixepoch') AS last_backup FROM time_machine_backups;\n```"
},
{
"name": "time_machine_destinations",
"examples": "If Time Machine is configured, see what destination it is configured to go to. \n```\nSELECT alias FROM time_machine_destinations;\n```"
},
{
"name": "ulimit_info",
"examples": "Check the stack size limit\n```\nSELECT * FROM ulimit_info WHERE type='stack';\n```"
},
{
"name": "uptime",
"examples": "See how long hosts that have been up for more than a month have been up. This could indicate systems that are not ephemeral as expected, or not being patched as frequently as they should be.\n```\nSELECT days FROM uptime WHERE days>='31'\n```"
},
{
"name": "usb_devices",
"examples": "Identify Yubikeys currently connected. The model field contains information about what authentication protocols the keys are configured to support. This table can be used to track any type of USB device.\n```\nSELECT model, vendor, version FROM usb_devices WHERE vendor='Yubico';\n```"
},
{
"name": "virtual_memory_info",
"examples": "Identify systems where memory swapping is occuring. These systems might benefit from more RAM.\n```\nSELECT * FROM virtual_memory_info WHERE swap_ins>'0';\n```"
},
{
"name": "xprotect_entries",
"examples": "Identify the Bundlore variants Xprotect protects the computer from\n```\nSELECT * FROM xprotect_entries WHERE name LIKE 'OSX.Bundlore%';\n```"
},
{
"name": "xprotect_meta",
"examples": "See the minimum version of specific components allowed by Xprotect. This usually means the previous versions have vulnerabilities that are being exploited at scale, or were exploited at scale at some point in time.\n```\nSELECT * FROM xprotect_meta WHERE min_version!='any';\n```"
},
{
"name": "xprotect_reports",
"examples": "See all Xprotect activity reports, if any are present. This indicates potentially malicious software was blocked by Xprotect.\n```\nSELECT * FROM xprotect_reports;\n```"
},
{
"name": "interface_details",
"columns": [
{
"name": "link_speed",
"platforms": ["linux", "darwin"]
},
{
"name": "pci_slot",
"platforms": ["linux"]
},
{
"name": "friendly_name",
"platforms": ["windows"]
},
{
"name": "description",
"platforms": ["windows"]
},
{
"name": "manufacturer",
"platforms": ["windows"]
},
{
"name": "connection_id",
"platforms": ["windows"]
},
{
"name": "connection_status",
"platforms": ["windows"]
},
{
"name": "enabled",
"platforms": ["windows"]
},
{
"name": "physical_adapter",
"platforms": ["windows"]
},
{
"name": "speed",
"platforms": ["windows"]
},
{
"name": "service",
"platforms": ["windows"]
},
{
"name": "dhcp_enabled",
"platforms": ["windows"]
},
{
"name": "dhcp_lease_expires",
"platforms": ["windows"]
},
{
"name": "dhcp_lease_obtained",
"platforms": ["windows"]
},
{
"name": "dhcp_server",
"platforms": ["windows"]
},
{
"name": "dns_domain",
"platforms": ["windows"]
},
{
"name": "dns_domain_suffix_search_order",
"platforms": ["windows"]
},
{
"name": "dns_host_name",
"platforms": ["windows"]
},
{
"name": "dns_server_search_order",
"platforms": ["windows"]
}
]
},
{
"name": "apt_sources",
"examples": "On Ubuntu or other Debian based systems, identify APT repositories that are not maintained by Ubuntu.\n```\nSELECT * FROM apt_sources WHERE maintainer!='Ubuntu';\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "deb_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "rpm_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "yum_sources",
"examples": "Find yum repositories on Linux servers for which cryptographic verification via GPG is disabled. This could allow untrusted packages to be injected into a repository that could then be installed.\n```\nSELECT * FROM yum_sources WHERE gpgcheck='0'; \n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "listening_ports",
"examples": "List executables listening on network ports.\n```\nSELECT l.port, l.pid, p.name, p.path FROM listening_ports l JOIN processes p USING (pid); \n```",
"columns": [
{
"name": "net_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "logged_in_users",
"examples": "See the user currently logged in on the console of the computer.\n```\nSELECT user, type, tty from logged_in_users WHERE tty='console';\n```",
"columns": [
{
"name": "sid",
"platforms": ["windows"]
},
{
"name": "registry_hive",
"platforms": ["windows"]
}
]
},
{
"name": "npm_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "os_version",
"examples": "See the OS version as well as the CPU architecture in use (X86 vs ARM for example)\n```\nSELECT arch, version FROM os_version;\n```",
"columns": [
{
"name": "install_date",
"platforms": ["windows"]
},
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "authorized_keys",
"examples": "List the SSH keys allowed to connect to this host.\n```\nSELECT key FROM authorized_keys;\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "crontab",
"examples": "List commands scheduled for execution as cron jobs\n```\nSELECT * FROM crontab;\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["windows"]
}
]
},
{
"name": "dns_resolvers",
"examples": "Identify computers that are using an external DNS server instead of an internal one. This query also removes null and empty strings that can be returned by this table.\n```\nSELECT address FROM dns_resolvers WHERE type='nameserver' AND address NOT LIKE '192.168%%' AND address NOT LIKE '172.16%%' AND address NOT LIKE '172.17%%' AND address NOT LIKE '172.18%%' AND address NOT LIKE '172.19%%' AND address NOT LIKE '172.20%%' AND address NOT LIKE '172.21%%' AND address NOT LIKE '172.22%%' AND address NOT LIKE '172.23%%' AND address NOT LIKE '10.%%' AND address NOT LIKE '127.%%' AND address IS NOT NULL AND address IS NOT ' ' AND address IS NOT ''; \n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "docker_containers",
"columns": [
{
"name": "cgroup_namespace",
"platforms": ["linux"]
},
{
"name": "ipc_namespace",
"platforms": ["linux"]
},
{
"name": "mnt_namespace",
"platforms": ["linux"]
},
{
"name": "net_namespace",
"platforms": ["linux"]
},
{
"name": "pid_namespace",
"platforms": ["linux"]
},
{
"name": "user_namespace",
"platforms": ["linux"]
},
{
"name": "uts_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "docker_images",
"examples": "See how much storage is used by Docker images. Requires Docker to be running.\n```\nSELECT ROUND(SUM(size_bytes * 10e-10),2) as gigabytes_of_images FROM docker_images; \n```"
},
{
"name": "docker_volumes",
"columns": [
{
"name": "name",
"description": "Volume name from `docker volume ls`"
}
]
},
{
"name": "pci_devices",
"columns": [
{
"name": "pci_class_id",
"platforms": ["linux"]
},
{
"name": "pci_subclass_id",
"platforms": ["linux"]
},
{
"name": "pci_subclass",
"platforms": ["linux"]
},
{
"name": "subsystem_vendor_id",
"platforms": ["linux"]
},
{
"name": "subsystem_vendor",
"platforms": ["linux"]
},
{
"name": "subsystem_model_id",
"platforms": ["linux"]
},
{
"name": "subsystem_model",
"platforms": ["linux"]
}
]
},
{
"name": "process_events",
"columns": [
{
"name": "status",
"platforms": ["darwin"]
},
{
"name": "fsuid",
"platforms": ["linux"]
},
{
"name": "suid",
"platforms": ["linux"]
},
{
"name": "fsgid",
"platforms": ["linux"]
},
{
"name": "sgid",
"platforms": ["linux"]
},
{
"name": "syscall",
"platforms": ["linux"]
}
]
},
{
"name": "suid_bin",
"examples": "Identify unsigned executables with suid privileges.\n```\nSELECT s.path, s.username, s.permissions, sig.signed, sig.team_identifier, sig.authority FROM suid_bin s JOIN signature sig on s.path = sig.path WHERE sig.signed='0';\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "system_controls",
"examples": "See if IP forwarding is enabled (value=1) or not (current_value=0). This table provides access to a large quantity of low-level settings and is ideal to build policies.\n```\nSELECT current_value, name FROM system_controls WHERE name='net.inet.ip.forwarding';\n```",
"columns": [
{
"name": "field_name",
"platforms": ["darwin"]
}
]
},
{
"name": "process_open_sockets",
"columns": [
{
"name": "state",
"platforms": ["windows", "linux", "darwin"]
},
{
"name": "net_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "processes",
"examples": "List executables listening on network ports.\n```\nSELECT l.port, l.pid, p.name, p.path FROM listening_ports l JOIN processes p USING (pid); \n```",
"columns": [
{
"name": "elevated_token",
"platforms": ["windows"]
},
{
"name": "secure_process",
"platforms": ["windows"]
},
{
"name": "protection_type",
"platforms": ["windows"]
},
{
"name": "virtual_process",
"platforms": ["windows"]
},
{
"name": "elapsed_time",
"platforms": ["windows"]
},
{
"name": "handle_count",
"platforms": ["windows"]
},
{
"name": "percent_processor_time",
"platforms": ["windows"]
},
{
"name": "upid",
"platforms": ["darwin"]
},
{
"name": "uppid",
"platforms": ["darwin"]
},
{
"name": "cpu_type",
"platforms": ["darwin"]
},
{
"name": "cpu_subtype",
"platforms": ["darwin"]
},
{
"name": "translated",
"platforms": ["darwin"]
}
]
},
{
"name": "python_packages",
"examples": "List the versions of pip installed.\n```\nSELECT author, name, summary, version FROM python_packages WHERE name='pip';\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "routes",
"examples": "Identify static routes\n```\nSELECT destination, interface, type FROM routes WHERE type='static';\n```",
"columns": [
{
"name": "hopcount",
"platforms": ["linux", "darwin"]
}
]
},
{
"name": "user_ssh_keys",
"examples": "Identify SSH keys stored in clear text in user directories\n```\nSELECT * FROM users JOIN user_ssh_keys USING (uid) WHERE encrypted = 0;,\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "users",
"examples": "List users that have interactive access via a shell that isn't false.\n```\nSELECT * FROM users WHERE shell!='/usr/bin/false';\n```",
"columns": [
{
"name": "type",
"platforms": ["windows"]
},
{
"name": "is_hidden",
"platforms": ["darwin"]
},
{
"name": "pid_with_namespace",
"platforms": ["linux"]
}
]
},
{
"name": "file",
"columns": [
{
"name": "attributes",
"platforms": ["windows"]
},
{
"name": "volume_serial",
"platforms": ["windows"]
},
{
"name": "file_id",
"platforms": ["windows"]
},
{
"name": "file_version",
"platforms": ["windows"]
},
{
"name": "product_version",
"platforms": ["windows"]
},
{
"name": "original_filename",
"platforms": ["windows"]
},
{
"name": "bsd_flags",
"platforms": ["darwin"]
},
{
"name": "pid_with_namespace",
"platforms": ["linux"]
},
{
"name": "mount_namespace_id",
"platforms": ["linux"]
}
]
},
{
"name": "time",
"examples": "View the timezone a system is configured in. \n```\nSELECT local_timezone FROM time;\n```",
"columns": [
{
"name": "win_timestamp",
"platforms": ["windows"]
}
]
},
{
"name": "atom_packages",
"examples": "List installed Atom packages and their version.\n```\nSELECT name, version, description FROM atom_packages;\n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "chrome_extension_content_scripts",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "chrome_extensions",
"examples": "List Chrome extensions by user and profile which have full access to HTTPS browsing.\n```\nSELECT u.username, ce.name, ce.description, ce.version, ce.profile, ce.permissions FROM users u CROSS JOIN chrome_extensions ce USING (uid) WHERE ce.permissions LIKE '%%https://*/*%%';\n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "crashes",
"examples": "See software responsible for crashes. This can be useful to detect what the most problematic software in your environment is.\n```\nSELECT crash_path, identifier, responsible, exception_type FROM crashes;\n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "preferences",
"examples": "This table reads a huge amount of preferences, including on third-party apps. This query will show how many users are enrolled to TouchID.\n```\nSELECT * FROM preferences WHERE subkey='dailyEvents/2/enrolledUserCount';\n```",
"columns": [
{
"name": "username",
"requires_user_context": true
}
]
},
{
"name": "safari_extensions",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "firefox_addons",
"examples": "See Firefox extensions by user as well as information about their creator and automatic update status.\n```\nSELECT u.username, f.identifier, f.creator, f.description, f.version, f.autoupdate FROM users u CROSS JOIN firefox_addons f USING (uid) WHERE f.active='1';\n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "known_hosts",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "shell_history",
"examples": "See command line executions and related timestamps. Useful for threat hunting when a device is suspected of being compromised.\n```\nSELECT u.username, s.command, s.time FROM users u CROSS JOIN shell_history s USING (uid);\n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "ssh_configs",
"examples": "Identify SSH clients configured to send their locales to the server.\n```\nSELECT * FROM ssh_configs WHERE option='sendenv lang lc_*'; \n```",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
}
]