osquery-1/packs/incident-response.conf

{
  "queries": {
    "launchd": {
      "query" : "select * from launchd;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the daemons that will run in the start of the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "startup_items": {
      "query" : "select * from startup_items;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieve all the items that will load when the target OSX system starts.",
      "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
    },
    "crontab": {
      "query" : "select * from crontab;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves all the jobs scheduled in crontab in the target system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
    },
    "loginwindow1": {
      "query" : "select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow2": {
      "query" : "select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow3": {
      "query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow4": {
      "query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "alf": {
      "query" : "select * from alf;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_exceptions": {
      "query" : "select * from alf_exceptions;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_services": {
      "query" : "select * from alf_services;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the services for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_explicit_auths": {
      "query" : "select * from alf_explicit_auths;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "etc_hosts": {
      "query" : "select * from etc_hosts;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves all the entries in the target system /etc/hosts file.",
      "value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled"
    },
    "kextstat": {
      "query" : "select * from kernel_extensions;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
      "value" : "Identify malware that has a kernel extension component."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "3600",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
      "value" : "Identify malware that has a kernel module component."
    },
    "last": {
      "query" : "select * from last;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the list of the latest logins with PID, username and timestamp.",
      "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "Identify malware, adware, or vulnerable packages that are installed as an application."
    },
    "open_sockets": {
      "query" : "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves all the open sockets per process in the target system.",
      "value" : "Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings"
    },
    "open_files": {
      "query" : "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves all the open files per process in the target system.",
      "value" : "Identify processes accessing sensitive files they shouldn't"
    },
    "logged_in_users": {
      "query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the list of all the currently logged in users in the target system.",
      "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
    },
    "ip_forwarding": {
      "query" : "select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the current status of IP/IPv6 forwarding.",
      "value" : "Identify if a machine is being used as relay."
    },
    "process_env": {
      "query" : "select * from process_envs;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves all the environment variables per process in the target system.",
      "value" : "Insight into the process data: Where was it started from, was it preloaded..."
    },
    "mounts": {
      "query" : "select * from mounts;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of mounted drives in the target system.",
      "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
    },
    "nfs_shares": {
      "query" : "select * from nfs_shares;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of Network File System mounted shares.",
      "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
    },
    "shell_history": {
      "query" : "select * from users join shell_history using (uid);",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the command history, per user, by parsing the shell history files.",
      "value" : "Identify actions taken. Useful for compromised hosts."
    },
    "recent_items": {
      "query" : "select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of recent items opened in OSX by parsing the plist per user.",
      "value" : "Identify recently accessed items. Useful for compromised hosts."
    },
    "ramdisk": {
      "query" : "select * from block_devices where type = 'Virtual Interface';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves all the ramdisk currently mounted in the target system.",
      "value" : "Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes"
    },
    "listening_ports": {
      "query" : "select * from listening_ports;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves all the listening ports in the target system.",
      "value" : "Detect if a listening port iis not mapped to a known process. Find backdoors."
    },
    "suid_bin": {
      "query" : "select * from suid_bin;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves all the files in the target system that are setuid enabled.",
      "value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build."
    },
    "process_memory": {
      "query" : "select * from process_memory_map;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the memory map per process in the target Linux system.",
      "value" : "Ability to compare with known good. Identify mapped regions corresponding with or containing injected code."
    },
    "arp_cache": {
      "query" : "select * from arp_cache;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the ARP cache values in the target system.",
      "value" : "Determine if MITM in progress."
    },
    "wireless_networks": {
      "query" : "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.6.0",
      "description" : "Retrieves all the remembered wireless network that the target machine has connected to.",
      "value" : "Identifies connections to rogue access points."
    },
    "disk_encryption": {
      "query" : "select * from disk_encryption;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current disk encryption status for the target system.",
      "value" : "Identifies a system potentially vulnerable to disk cloning."
    },
    "iptables": {
      "query" : "select * from iptables;",
      "interval" : "3600",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the current filters and chains per filter in the target system.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "app_schemes": {
      "query" : "select * from app_schemes;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.7",
      "description" : "Retreives the list of application scheme/protocol-based IPC handlers.",
      "value" : "Post-priori hijack detection, detect potential sensitive information leakage."
    },
    "sandboxes": {
      "query" : "select * from sandboxes;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.7",
      "description" : "Lists the application bundle that owns a sandbox label.",
      "value" : "Post-priori hijack detection, detect potential sensitive information leakage."
    }
  }
}
Query packs files 2015-07-17 21:42:05 +00:00			`{`
			`"queries": {`
			`"launchd": {`
			`"query" : "select * from launchd;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the daemons that will run in the start of the target OSX system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at system boot"`
			`},`
			`"startup_items": {`
			`"query" : "select * from startup_items;",`
			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieve all the items that will load when the target OSX system starts.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at a given interval"`
			`},`
			`"crontab": {`
			`"query" : "select * from crontab;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the jobs scheduled in crontab in the target system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at a given interval"`
			`},`
			`"loginwindow1": {`
packs: Update darwin's preferences table to plist (#3471) 2017-07-17 21:13:34 +00:00			`"query" : "select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at system boot"`
			`},`
			`"loginwindow2": {`
packs: Update darwin's preferences table to plist (#3471) 2017-07-17 21:13:34 +00:00			`"query" : "select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at system boot"`
			`},`
			`"loginwindow3": {`
packs: Update darwin's preferences table to plist (#3471) 2017-07-17 21:13:34 +00:00			`"query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory \|\| '/Library/Preferences/com.apple.loginwindow.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at system boot"`
			`},`
			`"loginwindow4": {`
packs: Update darwin's preferences table to plist (#3471) 2017-07-17 21:13:34 +00:00			`"query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory \|\| '/Library/Preferences/loginwindow.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the values for the loginwindow process in the target OSX system.",`
			`"value" : "Identify malware that uses this persistence mechanism to launch at system boot"`
			`},`
			`"alf": {`
			`"query" : "select * from alf;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",`
			`"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"`
			`},`
			`"alf_exceptions": {`
			`"query" : "select * from alf_exceptions;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",`
			`"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"`
			`},`
			`"alf_services": {`
			`"query" : "select * from alf_services;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the services for the Application Layer Firewall in OSX.",`
			`"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"`
			`},`
			`"alf_explicit_auths": {`
			`"query" : "select * from alf_explicit_auths;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",`
			`"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"`
			`},`
			`"etc_hosts": {`
			`"query" : "select * from etc_hosts;",`
			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the entries in the target system /etc/hosts file.",`
			`"value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled"`
			`},`
			`"kextstat": {`
			`"query" : "select * from kernel_extensions;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",`
			`"value" : "Identify malware that has a kernel extension component."`
			`},`
			`"kernel_modules": {`
			`"query" : "select * from kernel_modules;",`
			`"interval" : "3600",`
			`"platform" : "linux",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the information for the current kernel modules in the target Linux system.",`
			`"value" : "Identify malware that has a kernel module component."`
			`},`
			`"last": {`
			`"query" : "select * from last;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the list of the latest logins with PID, username and timestamp.",`
			`"value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."`
			`},`
			`"installed_applications": {`
			`"query" : "select * from apps;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the currently installed applications in the target OSX system.",`
			`"value" : "Identify malware, adware, or vulnerable packages that are installed as an application."`
			`},`
			`"open_sockets": {`
[Fix #1369] Limit IOKit HID events 2015-07-23 16:54:38 +00:00			`"query" : "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the open sockets per process in the target system.",`
			`"value" : "Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings"`
			`},`
			`"open_files": {`
[Fix #1369] Limit IOKit HID events 2015-07-23 16:54:38 +00:00			`"query" : "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the open files per process in the target system.",`
			`"value" : "Identify processes accessing sensitive files they shouldn't"`
			`},`
			`"logged_in_users": {`
Update an error in the incident response pack #1398 2015-07-27 18:38:51 +00:00			`"query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the list of all the currently logged in users in the target system.",`
			`"value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."`
			`},`
			`"ip_forwarding": {`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`"query" : "select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "3600",`
			`"version" : "1.4.5",`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`"description" : "Retrieves the current status of IP/IPv6 forwarding.",`
			`"value" : "Identify if a machine is being used as relay."`
Query packs files 2015-07-17 21:42:05 +00:00			`},`
			`"process_env": {`
			`"query" : "select * from process_envs;",`
			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the environment variables per process in the target system.",`
			`"value" : "Insight into the process data: Where was it started from, was it preloaded..."`
			`},`
			`"mounts": {`
			`"query" : "select * from mounts;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the current list of mounted drives in the target system.",`
			`"value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."`
			`},`
			`"nfs_shares": {`
			`"query" : "select * from nfs_shares;",`
			`"interval" : "3600",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the current list of Network File System mounted shares.",`
			`"value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."`
			`},`
			`"shell_history": {`
Updating shell_history in IR pack (#3549) 2017-08-09 22:57:23 +00:00			`"query" : "select * from users join shell_history using (uid);",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the command history, per user, by parsing the shell history files.",`
			`"value" : "Identify actions taken. Useful for compromised hosts."`
			`},`
			`"recent_items": {`
packs: Update darwin's preferences table to plist (#3471) 2017-07-17 21:13:34 +00:00			`"query" : "select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory \|\| '/Library/Preferences/com.apple.recentitems.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the list of recent items opened in OSX by parsing the plist per user.",`
			`"value" : "Identify recently accessed items. Useful for compromised hosts."`
			`},`
			`"ramdisk": {`
			`"query" : "select * from block_devices where type = 'Virtual Interface';",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the ramdisk currently mounted in the target system.",`
			`"value" : "Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes"`
			`},`
			`"listening_ports": {`
			`"query" : "select * from listening_ports;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the listening ports in the target system.",`
			`"value" : "Detect if a listening port iis not mapped to a known process. Find backdoors."`
			`},`
			`"suid_bin": {`
			`"query" : "select * from suid_bin;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves all the files in the target system that are setuid enabled.",`
			`"value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build."`
			`},`
			`"process_memory": {`
			`"query" : "select * from process_memory_map;",`
			`"interval" : "86400",`
			`"platform" : "linux",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the memory map per process in the target Linux system.",`
			`"value" : "Ability to compare with known good. Identify mapped regions corresponding with or containing injected code."`
			`},`
			`"arp_cache": {`
			`"query" : "select * from arp_cache;",`
			`"interval" : "3600",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the ARP cache values in the target system.",`
			`"value" : "Determine if MITM in progress."`
			`},`
			`"wireless_networks": {`
Update wireless_networks in IR pack to use wifi_networks table 2015-11-22 08:44:06 +00:00			`"query" : "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "3600",`
			`"platform" : "darwin",`
Update wireless_networks in IR pack to use wifi_networks table 2015-11-22 08:44:06 +00:00			`"version" : "1.6.0",`
Query packs files 2015-07-17 21:42:05 +00:00			`"description" : "Retrieves all the remembered wireless network that the target machine has connected to.",`
			`"value" : "Identifies connections to rogue access points."`
			`},`
			`"disk_encryption": {`
			`"query" : "select * from disk_encryption;",`
			`"interval" : "86400",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the current disk encryption status for the target system.",`
			`"value" : "Identifies a system potentially vulnerable to disk cloning."`
			`},`
			`"iptables": {`
			`"query" : "select * from iptables;",`
			`"interval" : "3600",`
			`"platform" : "linux",`
			`"version" : "1.4.5",`
			`"description" : "Retrieves the current filters and chains per filter in the target system.",`
			`"value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"`
			`},`
			`"app_schemes": {`
			`"query" : "select * from app_schemes;",`
			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.7",`
			`"description" : "Retreives the list of application scheme/protocol-based IPC handlers.",`
			`"value" : "Post-priori hijack detection, detect potential sensitive information leakage."`
			`},`
			`"sandboxes": {`
			`"query" : "select * from sandboxes;",`
			`"interval" : "86400",`
			`"platform" : "darwin",`
			`"version" : "1.4.7",`
			`"description" : "Lists the application bundle that owns a sandbox label.",`
			`"value" : "Post-priori hijack detection, detect potential sensitive information leakage."`
			`}`
			`}`
			`}`