{ "queries": { "launchd": { "query" : "select * from launchd;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the daemons that will run in the start of the target OSX system.", "value" : "Identify malware that uses this persistence mechanism to launch at system boot" }, "startup_items": { "query" : "select * from startup_items;", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieve all the items that will load when the target OSX system starts.", "value" : "Identify malware that uses this persistence mechanism to launch at a given interval" }, "crontab": { "query" : "select * from crontab;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves all the jobs scheduled in crontab in the target system.", "value" : "Identify malware that uses this persistence mechanism to launch at a given interval" }, "loginwindow1": { "query" : "select key, subkey, value from preferences where path = '/Library/Preferences/com.apple.loginwindow.plist';", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the values for the loginwindow process in the target OSX system.", "value" : "Identify malware that uses this persistence mechanism to launch at system boot" }, "loginwindow2": { "query" : "select key, subkey, value from preferences where path = '/Library/Preferences/loginwindow.plist';", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the values for the loginwindow process in the target OSX system.", "value" : "Identify malware that uses this persistence mechanism to launch at system boot" }, "loginwindow3": { "query" : "select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the values for the loginwindow process in the target OSX system.", "value" : "Identify malware that uses this persistence mechanism to launch at system boot" }, "loginwindow4": { "query" : "select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the values for the loginwindow process in the target OSX system.", "value" : "Identify malware that uses this persistence mechanism to launch at system boot" }, "alf": { "query" : "select * from alf;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.", "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "alf_exceptions": { "query" : "select * from alf_exceptions;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.", "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "alf_services": { "query" : "select * from alf_services;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the services for the Application Layer Firewall in OSX.", "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "alf_explicit_auths": { "query" : "select * from alf_explicit_auths;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.", "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "etc_hosts": { "query" : "select * from etc_hosts;", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves all the entries in the target system /etc/hosts file.", "value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled" }, "kextstat": { "query" : "select * from kernel_extensions;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.", "value" : "Identify malware that has a kernel extension component." }, "kernel_modules": { "query" : "select * from kernel_modules;", "interval" : "3600", "platform" : "linux", "version" : "1.4.5", "description" : "Retrieves all the information for the current kernel modules in the target Linux system.", "value" : "Identify malware that has a kernel module component." }, "last": { "query" : "select * from last;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves the list of the latest logins with PID, username and timestamp.", "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise." }, "installed_applications": { "query" : "select * from apps;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves all the currently installed applications in the target OSX system.", "value" : "Identify malware, adware, or vulnerable packages that are installed as an application." }, "open_sockets": { "query" : "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves all the open sockets per process in the target system.", "value" : "Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings" }, "open_files": { "query" : "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves all the open files per process in the target system.", "value" : "Identify processes accessing sensitive files they shouldn't" }, "logged_in_users": { "query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves the list of all the currently logged in users in the target system.", "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise." }, "ip_forwarding": { "query" : "select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves the current status of IP/IPv6 forwarding.", "value" : "Identify if a machine is being used as relay." }, "process_env": { "query" : "select * from process_envs;", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves all the environment variables per process in the target system.", "value" : "Insight into the process data: Where was it started from, was it preloaded..." }, "mounts": { "query" : "select * from mounts;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves the current list of mounted drives in the target system.", "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors." }, "nfs_shares": { "query" : "select * from nfs_shares;", "interval" : "3600", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the current list of Network File System mounted shares.", "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors." }, "shell_history": { "query" : "select * from shell_history;", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves the command history, per user, by parsing the shell history files.", "value" : "Identify actions taken. Useful for compromised hosts." }, "recent_items": { "query" : "select username, key, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';", "interval" : "86400", "platform" : "darwin", "version" : "1.4.5", "description" : "Retrieves the list of recent items opened in OSX by parsing the plist per user.", "value" : "Identify recently accessed items. Useful for compromised hosts." }, "ramdisk": { "query" : "select * from block_devices where type = 'Virtual Interface';", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves all the ramdisk currently mounted in the target system.", "value" : "Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes" }, "listening_ports": { "query" : "select * from listening_ports;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves all the listening ports in the target system.", "value" : "Detect if a listening port iis not mapped to a known process. Find backdoors." }, "suid_bin": { "query" : "select * from suid_bin;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves all the files in the target system that are setuid enabled.", "value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build." }, "process_memory": { "query" : "select * from process_memory_map;", "interval" : "86400", "platform" : "linux", "version" : "1.4.5", "description" : "Retrieves the memory map per process in the target Linux system.", "value" : "Ability to compare with known good. Identify mapped regions corresponding with or containing injected code." }, "arp_cache": { "query" : "select * from arp_cache;", "interval" : "3600", "version" : "1.4.5", "description" : "Retrieves the ARP cache values in the target system.", "value" : "Determine if MITM in progress." }, "wireless_networks": { "query" : "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;", "interval" : "3600", "platform" : "darwin", "version" : "1.6.0", "description" : "Retrieves all the remembered wireless network that the target machine has connected to.", "value" : "Identifies connections to rogue access points." }, "disk_encryption": { "query" : "select * from disk_encryption;", "interval" : "86400", "version" : "1.4.5", "description" : "Retrieves the current disk encryption status for the target system.", "value" : "Identifies a system potentially vulnerable to disk cloning." }, "iptables": { "query" : "select * from iptables;", "interval" : "3600", "platform" : "linux", "version" : "1.4.5", "description" : "Retrieves the current filters and chains per filter in the target system.", "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "app_schemes": { "query" : "select * from app_schemes;", "interval" : "86400", "platform" : "darwin", "version" : "1.4.7", "description" : "Retreives the list of application scheme/protocol-based IPC handlers.", "value" : "Post-priori hijack detection, detect potential sensitive information leakage." }, "sandboxes": { "query" : "select * from sandboxes;", "interval" : "86400", "platform" : "darwin", "version" : "1.4.7", "description" : "Lists the application bundle that owns a sandbox label.", "value" : "Post-priori hijack detection, detect potential sensitive information leakage." } } }