osquery db

Account_policy_data Macos

Retrieves account policy data, such as creation time

Alf

Retrieves the configuration values for the Application Layer Firewall for OSX.

Alf_exceptions_macos

Retrieves the exceptions for the Application Layer Firewall in OSX.

Alf_explicit_auths_macos

Retrieves the list of processes with explicit authorization for the Application Layer Firewall.

Alf_services

Retrieves the services for the Application Layer Firewall in OSX.

App_schemes

Retrieves the list of application scheme/protocol-based IPC handlers.

Apps

Retrieves all the currently installed applications in the target OSX system.

Authorization_mechanisms Macos

Retrieves entries from the macOS authorization mechanisms db

Authorizations Macos

Retrieves entries from the macOS authorization rights db

Authorized_keys

Retrieves all the currently installed authorized keys on a system

Block_devices

Retrieves all block devices known to the system

Certificates

Retrieves all the currently installed certificates on a system

Chrome_extension_content_scripts

Retrieves chrome extension cotent scripts that execute on a broad set of URLs.

Chrome_extensions

Retrieves chrome extensions that execute on a broad set of URLs.

Crashes Macos

Retrieves crash log info per user

Crontab

Crontab entries

Deb_packages

Retrieves a list of debian packages

Disk_encryption

Retrieves the current disk encryption status for the target system.

Disk_events_macos

Retrieves disk image (DMG) events

Dns_resolvers

Return the list of configured DNS servers on this system

Docker Container Mounting Root

Detect the execution of a Docker containing mounting the root filesystem

Docker_container_mounts

Return the list of mounts for Docker containers

Docker_container_ports

Return the list of ports for Docker containers

Docker_container_processes

Return the list of processes for Docker containers

Docker_containers

Return the list of running Docker containers on this machine

Docker_image_history

Return the Docker image history on a machine

Docker_images

Return the list of Docker images

Empty_root_environ_linux

Find programs which spawn root children without propagating environment variables

Empty_root_environ_macos

Find programs which spawn root children without propagating environment variables

Es_process_events

Dump a list of process execution events from EndpointSecurity

Etc_hosts

Retrieves all the entries in the target system /etc/hosts file.

Evenly Timestomped

Files where the timestamp falls along 12-hour boundaries - probably caused by ‘touch 0000’

Event_taps_macos

Retrieves software packages with access to listening in on keyboard/mouse events

Excess Google Drive Downloads Macos

Surface when a machine has downloaded an unusual number of files from Google Drive

Excess Google Drive Folder Exports Macos

Surface when a machine has downloaded an unusual number of zip exports from Google Drive

Exec Failed Launch Constraint Violation

Catch programs that failed to run due to a launch constraint violation, such as a signing issue.

Executables From The Future

Programs which claim to be from the future, based on (btime,ctime,mtime)

Exotic Command Events Linux

Pick out exotic processes based on their command-line (events-based)

Exotic Command Events Macos

Pick out exotic processes based on their command-line (events-based)

Exotic Commands Linux

Pick out exotic processes based on their command-line (state-based)

Exotic Commands Macos

Pick out exotic processes based on their command-line (state-based)

Fake Apple Launchd

Find launchd entries which purport to be by Apple, but point to binaries that are not signed by Apple.

File_events

Return the list of watched file events (must be configured)

Files Dev

Returns a list of file information from /dev (non-hidden only)

Files Downloads

Returns a list of file information from Downloads directories

Files Etc

Returns a list of file information from /etc (non-hidden only)

Files Recently Written

Returns a list of recently written files

Firefox_addons

Return the list of installed Firefox addons

Gatekeeper_approved_apps_macos

Retrieves all the gatekeeper exceptions on a macOS host

Gcp Service Account Keys

Indicative of stored GCP service account keys just sitting around unencrypted

Gcp Service Account Keys Mdfind

Indicative of stored GCP service account keys just sitting around unencrypted

Groups

Return the list of POSIX groups on the system

Hardware_events

Return hardware events

Hidden Cwd

Programs running with a hidden current working directory (state-based)

Hidden Cwd Events Linux

Programs running with a hidden current working directory (event-based)

Hidden Executable

Programs running with a hidden file path or process name

Hidden Home Config Dir

Find unexpected hidden files in a users config directory

Hidden Home Libappsupport

Find unexpected hidden files in a users Application Support directory

Hidden Home Library Dir

Find unexpected hidden files in a users Library directory

Hidden Launchd Files Macos

Reveal launchd services which are located in a hidden directory.

High Disk Bytes Written

Programs which are writing an unusually large amount of data

High_disk_bytes_read

Programs which are reading an unusually large amount of data

Homebrew Packages Macos

Dump a list of homebrew packages

Interface_addresses

Return the list of interface addresses

Interface_details

Return stats on network interfaces

Interface_ipv6.Sql

Return the list of interface addresses (IPv6)

Iokit Registry Macos

Retrieves IOKit registry

Ip_forwarding

Retrieves the current status of IP/IPv6 forwarding.

Iptables

Retrieves the current filters and chains per filter in the target system.

Kernel_info

Return basic kernel information

Kernel_modules_linux

Retrieves all the information for the current kernel modules in the target Linux system.

Kernel_panics Macos

Retrieves entries from the macOS kernel panic logs

Kextstat_macos

Retrieves all the information about the current kernel extensions for the target OSX system.

Known_hosts

Retrieves chrome extensions that execute on a broad set of URLs.

Last

Retrieves the list of the latest logins with PID, username and timestamp.

Launchd_macos

macOS launchd entries

Launchd_overrides_macos

Retrieves launchd override keys per user

Listening From Unusual Location

Unexpected programs listening from /tmp or other weird directories

Listening_ports

Retrieves all the listening ports in the target system.

Logged_in_users

Retrieves the list of all the currently logged in users in the target system.

Loginwindow1.Sql

Retrieves all the values for the loginwindow process in the target OSX system.

Loginwindow2.Sql

Retrieves all the values for the loginwindow process in the target OSX system.

Loginwindow3.Sql

Retrieves all the values for the loginwindow process in the target OSX system.

Loginwindow4.Sql

Retrieves all the values for the loginwindow process in the target OSX system.

Low Fd Socket

Find programs where fd0 (stdin), fd1 (stdout), or fd2 (stderr) are connected to a socket

Macos_keyboard_sniffer

Find programs that are sniffing keyboard events on macOS

Memory_map

Returns the OS memory region map.

Minimal Socket Client Linux

Slow query to find root programs with an open socket and few shared libraries

Minimal Socket Client Macos

Slow query to find root programs with an open socket and few shared libraries

Missing From Disk Linux

Processes that do not exist on disk, running in osquery’s namespace

Missing From Disk Macos

Processes that do not exist on disk

Mounts

Retrieves the current list of mounted drives in the target system.

Name_path_mismatch

Processes that have an unrelated name in the process tree than the program on disk.

Npm_packages

Return the list of npm packages

Nvram Macos

Retrieves entries from the macOS nvram database

Old Binaries Running

Alert on programs running that are unusually old

Open_files

Retrieves all the open files per process in the target system.

Open_sockets

Retrieves all the open sockets per process in the target system.

Os_version

Return the OS version including patch level

Overwritten Memory Map Ddexec Linux

Processes with a memory map that suggests they might be code smuggling.

Package_install_history_macos

Return macOS package install history

Package_receipts_macos

Return macOS package receipts

Parent Missing From Disk Linux

A program where the parent PID is not on disk

Parent Missing From Disk Macos

A program where the parent PID is not on disk

Parent Pid Missing From Procfs

Find a process which has a parent that is not listed in the process table

Pid Hidden By Rootkit

Finds processes that are apparently hidden by a rootkit

Platform_info

Return hardware platform info (UEFI)

Preferences_macos

Retrieves entries from the macOS preferences database

Process_env

Retrieves all the environment variables per process in the target system.

Process_event_parents

Canonical example of including process parents from process_events

Process_event_parents_macos

Canonical example of including process parents from process_events

Process_events

Recently executed programs

Process_memory_map

Retrieves the memory map per process

Process_open_files

Return the list of open files by process

Process_open_pipes

Return the list of open pipes per process

Process_open_sockets

Return the list of open sockets per process

Process_parents

Canonical example of information to include for processes

Process_parents_macos

Processes

Currently running programs, only the columns that are not constantly changing

Recent_items_macos

Retrieves the list of recent items opened in OSX by parsing the plist per user.

Recently Created Executables Long Lived Linux

Long-running programs who were recently added to disk, based on btime/ctime

Recently Created Executables Long Lived Macos

Long-running programs who were started around when they were written to disk

Relative Exec Low Uid

Programs running as root with a relative path

Relative Exec Low Uid Events

Programs running as root with a relative path (event-based)

Reverse Shell Socket

Uncover reverse-shell processes

Rpm_packages

Retrieves a list of RPM packages

Running_apps_macos

Retrieves currently running applications

Safari_extensions_macos

Return the list of installed Safari extensions

Sandboxes_macos

Lists the application bundle that owns a sandbox label.

Seccomp_events

Return the list of seccomp events

Selinux_events

Return the list of SELinux events

Setxid Cmdline Overflow Attempt

Find setuid events with large cmdlines

Setxid Env Overflow Attempt

Find setuid process events with large environment sizes

Shadow

Return user data from /etc/shadow

Shady Chrome Extension Author

Highlight potentially shady chrome extensions from documented spam authors

Shared_memory

Return shared memory info

Shell_history

Retrieves the command history, per user, by parsing the shell history files.

Sip_config

Retrieves System Integrity Protection Settings data

Sketchy Docker Image Creator

Detect the execution of a Docker containing mounting the root filesystem

Sketchy Download Name

Look for sketchy download files based on keywords

Sketchy Fetcher

Suspicious URL requests by built-in fetching tools (state-based)

Sketchy Fetcher Events

Suspicious URL requests by built-in fetching tools (event-based)

Sketchy Mounted Diskimage

Look for sketchy mounted disk images, inspired by Shlayer

Socket_events

Return the list of socket events

Spotlight Database Export Macos

Find database exports. Will need tuning based on your table names.

Ssh Notty

Find ssh sessions that are hiding from ‘w’/‘who’

Ssh_configs

Retrieves the ssh configs per user

Startup_items

Retrieve most programs that are part of a systems startup (multi-platform)

Suid_bin

Retrieves setuid-enabled executables in well-known paths

Suspicious Systemd Unit

Funky systemd units, may be evidence of persistence

Suspicious Udev Runner Linux

Look for sketchy udev entries, inspired by sedexp

Syslog_events

Return the list of syslog events

System_controls

Return the list of sysctl values

Systemd_units

Returns a list of systemd units

Tiny Executable

Unusually small programs (state-based)

Tiny Executable Events

Unusually small programs (events-based)

Touched Executable Linux

Programs which were spawned by an executable containing a matching ctime & mtime, which

Touched Executable Macos

Programs which appear to have been touched on macOS

Unexpected Active Systemd Units

Unexpected systemd units, may be evidence of persistence

Unexpected Alf Exceptions Macos

macOS application layer firewall (ALF) service exceptions.

Unexpected Bpf User

Find root-run processes which link against libpf

Unexpected Chmod Exec Event Linux

Things that call chmod to set executable permissions

Unexpected Chmod Exec Event Macos

Things that call chmod to set executable permissions

Unexpected Chrome Extensions

Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist

Unexpected Cron Entries

Unexpected crontab entries

Unexpected Dev Entries

Find unexpected files in /dev

Unexpected Dev Executables Linux

Find unexpected executables in /dev

Unexpected Dev Opener Linux

Detects unexpected programs opening files in /dev on Linux

Unexpected Dev Opener Macos

Detects unexpected programs opening files in /dev on Linux

Unexpected Device

Finds unexpected device names, sometimes used for communication to a rootkit

Unexpected Device Linux

Finds unexpected device names, sometimes used for communication to a rootkit

Unexpected Diskimage Name Macos

Surface ISO/DMG disk images that have suspicious names

Unexpected Diskimage Source Macos

Surface ISO/DMG disk images that were downloaded from unexpected places

Unexpected Dns Traffic

Catch DNS traffic going to machines other than the host-configured DNS server (state-based)

Unexpected Dns Traffic Events

Catch DNS traffic going to machines other than the host-configured DNS server (event-based)

Unexpected Elevated Children Events_linux

Find processes that run with a lower effective UID than their parent (event-based)

Unexpected Elevated Children Events_macos

Find processes that run with a lower effective UID than their parent (event-based)

Unexpected Env Values Linux

Applications setting environment variables to bypass security protections

Unexpected Env Values Macos

Applications setting environment variables to bypass security protections

Unexpected Etc Executables

Find unexpected executables in /etc

Unexpected Etc Hosts

Unexpected /etc/hosts entries

Unexpected Execdir Events Linux

Catch applications running from unusual directories, such as /tmp (event-based)

Unexpected Execdir Events Macos

Catch applications running from unusual directories, such as /tmp

Unexpected Execdir Linux

Programs running out of unexpected directories, such as /tmp (state-based)

Unexpected Execdir Macos

Find programs running from strange directories on macOS

Unexpected Executable Permissions

Find processes running that are tied to binaries with unsual permissions. Namely, 0777.

Unexpected Fetcher Parent Events

Suspicious parenting of fetch tools (event-based)

Unexpected Fetcher Parents

Suspicious parenting of fetch tools (state-based)

Unexpected File Made Executable

Detect commands used to bless a file as executable

Unexpected Gatekeeper Approvals Macos

Gatekeeper exceptions are exceptions for downloaded binaries

Unexpected Global Lock

Find unexpected world readable run locks

Unexpected Hidden System Paths

Find unexpected hidden directories in operating-system folders

Unexpected Https Linux

Unexpected programs communicating over HTTPS (state-based)

Unexpected Https Macos

Unexpected programs communicating over HTTPS (state-based)

Unexpected Icmp Socket

Unexpected programs speaking over ICMP (state-based)

Unexpected Icmp Socket Events

Unexpected programs speaking over ICMP (event-based)

Unexpected Kernel Extensions Macos

Find unexpected 3rd-party kernel extensions

Unexpected Kernel Modules Linux

Find kernel modules that are not part of the expected list

Unexpected Launchd Program Arguments

Unexpected launchd scripts that use the ‘program_arguments’ field

Unexpected Launchd Program Macos

Unexpected launchd scripts that use the ‘program’ field

Unexpected Ld So Files Linux

Find unexpected ld.so.conf files

Unexpected Libcurl User Linux

Find programs processes which link against libcurl, common among cross-platform malware

Unexpected Libcurl User Macos

Find programs processes which link against libcurl, common among cross-platform malware

Unexpected Library Entries Macos

Find unexpected files in /Library

Unexpected Listening Port Linux

Unexpected programs listening on a TCP port (state-based).

Unexpected Listening Port Macos

Unexpected programs listening on a TCP port.

Unexpected Lock Opener

Find unexpected programs with open lock files

Unexpected Long Running Security Framework Macos

Find programs that use the Security Framework on macOS - popular among malware authors

Unexpected Mounts

Detect weird mounts, like mounting the EFI partition

Unexpected Netutil Calls Linux

Suspicious parenting of network utilities (event-based)

Unexpected Netutil Calls Macos

Suspicious parenting of fetch tools (event-based)

Unexpected Osascript Calls

Detect unusual calls to osascript

Unexpected Packet Sniffer

Find unexpected use of raw sockets in executables, sometimes used for C&C communications

Unexpected Pcap User Linux

Find root-run processes which link against libpcap

Unexpected Pcap User Macos

Find root-run processes which link against libpcap

Unexpected Privilege Escalation_linux

Find processes that run with a lower effective UID than their parent (state-based)

Unexpected Privilege Escalation_macos

Find processes that run with a lower effective UID than their parent (state-based)

Unexpected Privileged Containers

Detect the execution of privileged Docker containers which can be used to escape to the host.

Unexpected Process Extension Linux

Processes that have an unusual extension

Unexpected Public Files_macos

Find unexpected files in ~/Public

Unexpected Root Libcurl Proc Linux

Find programs processes which link against libcurl, common among cross-platform malware

Unexpected Root Libcurl Proc Macos

Find programs processes which link against libcurl, common among cross-platform malware

Unexpected Root Signer Events Macos

Programs running as root from unusual signers on macOS

Unexpected Root Signer Macos

Programs running as root from unusual signers on macOS

Unexpected Rsa Keys

Indicative of stored RSA keys just sitting around unencrypted

Unexpected Rsa Keys Mdfind

Indicative of stored RSA keys just sitting around unencrypted

Unexpected Security Framework Program Macos

Find programs that use the Security Framework on macOS - popular among malware authors

Unexpected Sensitive File Access Linux

Unexpected programs accessing sensitive data stores (state-based)

Unexpected Sensitive File Access Macos

Unexpected programs accessing sensitive data stores (state-based)

Unexpected Setuid Binaries

Find unexpected setuid binaries on disk

Unexpected Setxid Process

Processes running that originate from setuid/setgid programs

Unexpected Shell Parent Events

Unexpected process that spawns shell processes (event-based)

Unexpected Shell Parents

Unexpected process that spawns shell processes (event based)

Unexpected Small Udev Entry Linux

Unexpected small udev rule entries

Unexpected Ssh Authorized Keys

Find unexpected SSH authorized keys

Unexpected Systemctl Calls Linux

Suspicious calls to systemctl(event-based)

Unexpected Sysutils Linux

Unexpected calls to system utilities (event-based)

Unexpected Sysutils Macos

Unexpected calls to macOS system utilities (event-based)

Unexpected Talker Events

Unexpected socket events

Unexpected Talkers Linux

Unexpected programs communicating over non-HTTPS protocols (state-based)

Unexpected Talkers Macos

Unexpected programs communicating over non-HTTPS running from weird locations

Unexpected Tmp Executables Linux

Find unexpected executables in temp directories, often used by malware droppers

Unexpected Tmp Executables Macos

Find unexpected executables in temp directories, often used by malware droppers

Unexpected Uid0 Daemon Linux

Unexpected long-running processes running as root

Unexpected Uid0 Daemon Macos

Unexpected long-running processes running as root

Unexpected User Executables Macos

Find unexpected in unexpected places under /Users

Unexpected User Shared Entries

Find unexpected files in /Users/Shared

Unexpected Var Executables Linux

Find unexpected executables in /var

Unexpected Var Executables Macos

Find unexpected executables in /var

Unexpected Var Run Linux

Find unexpected regular files in /var/run

Unexpected Var Run Macos

Find unexpected regular files in /var/run

Unexpected Volume Contents

Scan removable volumes for sketchy files

Unexpected Webmail Downloads

Surface webmail downloads of an unexpected sort

Unexpected Xattr Calls Macos

Detect unusual calls to xattr, used to remove filesystem attributes

Unified_log_macos

Retrieves recent entries from the macOS unified log

Unusual Executable Name Linux

Processes with executable names that feel weird

Unusual Executable Name Macos

Processes with executable names that feel weird

Unusual Process Name Linux

Processes with executable names that feel weird

Unusual Process Name Macos

Processes with executable names that feel weird

Unusually Long Uptime Likely Missing Patches

Indicative of a machine that probably needs a reboot for operating-system patches

Unusually Tainted Kernel Linux

Unusually tainted kernel - via a loaded kernel module

Usb_devices

Return the list of USB devices

User_events

Return the list of audit user events

User_ssh_keys

Retrieves the ssh keys per user

Users

Returns a list of users

Vulnerable Acrobat Reader

Vulnerable version of Adobe Acrobat Reader is installed

Xprotect_reports

Returns a list of malware matches from macOS XProtect

Yara Exec Connect Process Linux

Currently running program with Linux red flags

Yara Libtomcrypt Process

Linux program uses LibTomCrypt (rare)

Yara Mounted Stealer

Look for sketchy mounted disk images, inspired by Shlayer

Yara Recently Downloaded Go Crypt Exec

Recently downloaded cryptexec program

Yara Recently Downloaded Miner

tags: volume filesystem seldom

Yara Recently Downloaded Packed

Flag packed binaries that have recently been downloaded

Yara Recently Downloaded Ransom

tags: volume filesystem seldom

Yara Recently Downloaded Rust Http Exec

Recently downloaded cryptexec program

Yara Recently Downloaded Stealer

tags: volume filesystem seldom extra

Yara Recently Downloaded Upx

Recently downloaded UPX file

Yara Suspicious Strings Process Linux

Currently running program with Linux red flags

Yara Unexpected Go Crypt Exec Process

Currently running CryptoCoin miner

Yara Unexpected Miner Process

Currently running CryptoCoin miner

Yara Unexpected Rust Http Exec Process

Rust Program that uses both HTTP and Exec

Yara Unexpected Upx Process

Currently running UPX executable