defenderdb: osquery db
Account_policy_data Macos
Retrieves account policy data, such as creation time
Jan 29, 2025
Chainguard
Alf
Retrieves the configuration values for the Application Layer Firewall for OSX.
Jan 29, 2025
Chainguard
Alf_exceptions_macos
Retrieves the exceptions for the Application Layer Firewall in OSX.
Jan 29, 2025
Chainguard
Alf_explicit_auths_macos
Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
Jan 29, 2025
Chainguard
Alf_services
Retrieves the services for the Application Layer Firewall in OSX.
Jan 29, 2025
Chainguard
App_schemes
Retrieves the list of application scheme/protocol-based IPC handlers.
Jan 29, 2025
Chainguard
Apps
Retrieves all the currently installed applications in the target OSX system.
Jan 29, 2025
Chainguard
Authorization_mechanisms Macos
Retrieves entries from the macOS authorization mechanisms db
Jan 29, 2025
Chainguard
Authorizations Macos
Retrieves entries from the macOS authorization rights db
Jan 29, 2025
Chainguard
Authorized_keys
Retrieves all the currently installed authorized keys on a system
Jan 29, 2025
Chainguard
Block_devices
Retrieves all block devices known to the system
Jan 29, 2025
Chainguard
Certificates
Retrieves all the currently installed certificates on a system
Jan 29, 2025
Chainguard
Chrome_extension_content_scripts
Retrieves chrome extension content scripts that execute on a broad set of URLs.
Jan 29, 2025
Chainguard
Chrome_extensions
Retrieves chrome extensions that execute on a broad set of URLs.
Jan 29, 2025
Chainguard
Crashes Macos
Retrieves crash log info per user
Jan 29, 2025
Chainguard
Crontab
Crontab entries
Jan 29, 2025
Chainguard
Deb_packages
Retrieves a list of debian packages
Jan 29, 2025
Chainguard
Disk_encryption
Retrieves the current disk encryption status for the target system.
Jan 29, 2025
Chainguard
Disk_events_macos
Retrieves disk image (DMG) events
Jan 29, 2025
Chainguard
Dns_resolvers
Return the list of configured DNS servers on this system
Jan 29, 2025
Chainguard
Docker Container Mounting Root
Detect a running Docker container that mounts the host root filesystem
Jan 29, 2025
Chainguard
Docker_container_mounts
Return the list of mounts for Docker containers
Jan 29, 2025
Chainguard
Docker_container_ports
Return the list of ports for Docker containers
Jan 29, 2025
Chainguard
Docker_container_processes
Return the list of processes for Docker containers
Jan 29, 2025
Chainguard
Docker_containers
Return the list of running Docker containers on this machine
Jan 29, 2025
Chainguard
Docker_image_history
Return the Docker image history on a machine
Jan 29, 2025
Chainguard
Docker_images
Return the list of Docker images
Jan 29, 2025
Chainguard
Empty_root_environ_linux
Find programs which spawn root children without propagating environment variables
Jan 29, 2025
Chainguard
Empty_root_environ_macos
Find programs which spawn root children without propagating environment variables
Jan 29, 2025
Chainguard
Es_process_events
Dump a list of process execution events from EndpointSecurity
Jan 29, 2025
Chainguard
Etc_hosts
Retrieves all the entries in the target system /etc/hosts file.
Jan 29, 2025
Chainguard
Evenly Timestomped
Files where the timestamp falls along 12-hour boundaries - probably caused by ‘touch 0000’
Jan 29, 2025
Chainguard
Event_taps_macos
Retrieves software packages with access to listening in on keyboard/mouse events
Jan 29, 2025
Chainguard
Excess Google Drive Downloads Macos
Surface when a machine has downloaded an unusual number of files from Google Drive
Jan 29, 2025
Chainguard
Excess Google Drive Folder Exports Macos
Surface when a machine has downloaded an unusual number of zip exports from Google Drive
Jan 29, 2025
Chainguard
Exec Failed Launch Constraint Violation
Catch programs that failed to run due to a launch constraint violation, such as a signing issue.
Jan 29, 2025
Chainguard
Executables From The Future
Programs which claim to be from the future, based on (btime,ctime,mtime)
Jan 29, 2025
Chainguard
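One way to express the two timestamp checks above ("Evenly Timestomped" and "Executables From The Future") in osquery SQL. This is an added example, not the kit's own query: the watched directories, the one-day slack for "future" and the execute-bit test are assumptions to tune per fleet.

```sql
-- Added example (not the osquery-defense-kit query): executables under a few
-- watched directories whose timestamps either claim a future date or sit
-- exactly on a 12-hour boundary in local time, as 'touch -t ...0000' leaves them.
-- Watched paths, the 86400s slack and the mode test are assumptions.
SELECT
  path,
  mode,
  datetime(btime, 'unixepoch') AS btime_utc,
  datetime(ctime, 'unixepoch') AS ctime_utc,
  datetime(mtime, 'unixepoch') AS mtime_utc,
  CASE
    WHEN btime > strftime('%s', 'now') + 86400 THEN 'btime in future'
    WHEN ctime > strftime('%s', 'now') + 86400 THEN 'ctime in future'
    WHEN mtime > strftime('%s', 'now') + 86400 THEN 'mtime in future'
    ELSE 'mtime on 12h boundary'
  END AS reason
FROM file
WHERE (path LIKE '/usr/local/bin/%'
       OR path LIKE '/tmp/%'
       OR path LIKE '/var/tmp/%')
  AND type = 'regular'
  -- any execute bit set: last three digits of the octal mode string are odd
  AND (substr(mode, -1, 1) IN ('1', '3', '5', '7')
       OR substr(mode, -2, 1) IN ('1', '3', '5', '7')
       OR substr(mode, -3, 1) IN ('1', '3', '5', '7'))
  AND (
    btime > strftime('%s', 'now') + 86400
    OR ctime > strftime('%s', 'now') + 86400
    OR mtime > strftime('%s', 'now') + 86400
    OR strftime('%H:%M:%S', mtime, 'unixepoch', 'localtime') IN ('00:00:00', '12:00:00')
  );
```

The boundary test uses the host's local time zone on purpose: `touch 0000` sets local midnight, so a UTC modulo check would miss it anywhere but UTC. On Linux `btime` is reported as 0 when the filesystem does not expose birth time, which never trips the future check. Package managers that preserve upstream mtimes can also land on exact midnight, so expect some benign hits from distro-managed paths.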
Exotic Command Events Linux
Pick out exotic processes based on their command-line (events-based)
Jan 29, 2025
Chainguard
Exotic Command Events Macos
Pick out exotic processes based on their command-line (events-based)
Jan 29, 2025
Chainguard
Exotic Commands Linux
Pick out exotic processes based on their command-line (state-based)
Jan 29, 2025
Chainguard
Exotic Commands Macos
Pick out exotic processes based on their command-line (state-based)
Jan 29, 2025
Chainguard
Fake Apple Launchd
Find launchd entries which purport to be by Apple, but point to binaries that are not signed by Apple.
Jan 29, 2025
Chainguard
File_events
Return the list of watched file events (must be configured)
Jan 29, 2025
Chainguard
Files Dev
Returns a list of file information from /dev (non-hidden only)
Jan 29, 2025
Chainguard
Files Downloads
Returns a list of file information from Downloads directories
Jan 29, 2025
Chainguard
Files Etc
Returns a list of file information from /etc (non-hidden only)
Jan 29, 2025
Chainguard
Files Recently Written
Returns a list of recently written files
Jan 29, 2025
Chainguard
Firefox_addons
Return the list of installed Firefox addons
Jan 29, 2025
Chainguard
Gatekeeper_approved_apps_macos
Retrieves all the gatekeeper exceptions on a macOS host
Jan 29, 2025
Chainguard
Gcp Service Account Keys
Indicative of stored GCP service account keys just sitting around unencrypted
Jan 29, 2025
Chainguard
Gcp Service Account Keys Mdfind
Indicative of stored GCP service account keys just sitting around unencrypted
Jan 29, 2025
Chainguard
Groups
Return the list of POSIX groups on the system
Jan 29, 2025
Chainguard
Hardware_events
Return hardware events
Jan 29, 2025
Chainguard
Hidden Cwd
Programs running with a hidden current working directory (state-based)
Jan 29, 2025
Chainguard
Hidden Cwd Events Linux
Programs running with a hidden current working directory (event-based)
Jan 29, 2025
Chainguard
Hidden Executable
Programs running with a hidden file path or process name
Jan 29, 2025
Chainguard
Hidden Home Config Dir
Find unexpected hidden files in a users config directory
Jan 29, 2025
Chainguard
Hidden Home Libappsupport
Find unexpected hidden files in a users Application Support directory
Jan 29, 2025
Chainguard
Hidden Home Library Dir
Find unexpected hidden files in a users Library directory
Jan 29, 2025
Chainguard
Hidden Launchd Files Macos
Reveal launchd services which are located in a hidden directory.
Jan 29, 2025
Chainguard
High Disk Bytes Written
Programs which are writing an unusually large amount of data
Jan 29, 2025
Chainguard
High_disk_bytes_read
Programs which are reading an unusually large amount of data
Jan 29, 2025
Chainguard
Homebrew Packages Macos
Dump a list of homebrew packages
Jan 29, 2025
Chainguard
Interface_addresses
Return the list of interface addresses
Jan 29, 2025
Chainguard
Interface_details
Return stats on network interfaces
Jan 29, 2025
Chainguard
Interface_ipv6.Sql
Return the list of interface addresses (IPv6)
Jan 29, 2025
Chainguard
Iokit Registry Macos
Retrieves IOKit registry
Jan 29, 2025
Chainguard
Ip_forwarding
Retrieves the current status of IP/IPv6 forwarding.
Jan 29, 2025
Chainguard
Iptables
Retrieves the current filters and chains per filter in the target system.
Jan 29, 2025
Chainguard
Kernel_info
Return basic kernel information
Jan 29, 2025
Chainguard
Kernel_modules_linux
Retrieves all the information for the current kernel modules in the target Linux system.
Jan 29, 2025
Chainguard
Kernel_panics Macos
Retrieves entries from the macOS kernel panic logs
Jan 29, 2025
Chainguard
Kextstat_macos
Retrieves all the information about the current kernel extensions for the target OSX system.
Jan 29, 2025
Chainguard
Known_hosts
Retrieves SSH known_hosts entries per user
Jan 29, 2025
Chainguard
Last
Retrieves the list of the latest logins with PID, username and timestamp.
Jan 29, 2025
Chainguard
Launchd_macos
macOS launchd entries
Jan 29, 2025
Chainguard
Launchd_overrides_macos
Retrieves launchd override keys per user
Jan 29, 2025
Chainguard
Listening From Unusual Location
Unexpected programs listening from /tmp or other weird directories
Jan 29, 2025
Chainguard
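One way to write the "Listening From Unusual Location" check in osquery SQL. This is an added example rather than the kit's query; the scratch-directory list, the hidden-path pattern and the loopback exclusion are assumptions to tune for your fleet.

```sql
-- Added example (not the osquery-defense-kit query): processes bound to a
-- non-loopback port whose executable or working directory is in a scratch
-- or hidden location. Directory list and loopback exclusion are assumptions.
SELECT
  lp.port,
  lp.protocol,      -- 6 = TCP, 17 = UDP
  lp.address,
  p.pid,
  p.uid,
  p.name,
  p.path,
  p.cwd,
  p.cmdline
FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid
WHERE lp.port > 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
  AND (
    p.path LIKE '/tmp/%'
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/dev/shm/%'
    OR p.path LIKE '/dev/%'
    OR p.path LIKE '%/.%'          -- any hidden path component
    OR p.cwd LIKE '/tmp/%'
  )
ORDER BY lp.port;
```

Joining through `processes` matters: a process that was deleted from disk after starting still appears in `listening_ports` by pid, and its `path` then reflects the original location (the "Missing From Disk" entries below cover that case separately). Language runtimes launched from a developer's `~/.cache` or `~/.local` will match the hidden-path pattern and need an allowlist.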
Listening_ports
Retrieves all the listening ports in the target system.
Jan 29, 2025
Chainguard
Logged_in_users
Retrieves the list of all the currently logged in users in the target system.
Jan 29, 2025
Chainguard
Loginwindow1.Sql
Retrieves all the values for the loginwindow process in the target OSX system.
Jan 29, 2025
Chainguard
Loginwindow2.Sql
Retrieves all the values for the loginwindow process in the target OSX system.
Jan 29, 2025
Chainguard
Loginwindow3.Sql
Retrieves all the values for the loginwindow process in the target OSX system.
Jan 29, 2025
Chainguard
Loginwindow4.Sql
Retrieves all the values for the loginwindow process in the target OSX system.
Jan 29, 2025
Chainguard
Low Fd Socket
Find programs where fd0 (stdin), fd1 (stdout), or fd2 (stderr) are connected to a socket
Jan 29, 2025
Chainguard
Macos_keyboard_sniffer
Find programs that are sniffing keyboard events on macOS
Jan 29, 2025
Chainguard
Memory_map
Returns the OS memory region map.
Jan 29, 2025
Chainguard
Minimal Socket Client Linux
Slow query to find root programs with an open socket and few shared libraries
Jan 29, 2025
Chainguard
Minimal Socket Client Macos
Slow query to find root programs with an open socket and few shared libraries
Jan 29, 2025
Chainguard
Missing From Disk Linux
Processes that do not exist on disk, running in osquery’s namespace
Jan 29, 2025
Chainguard
Missing From Disk Macos
Processes that do not exist on disk
Jan 29, 2025
Chainguard
Mounts
Retrieves the current list of mounted drives in the target system.
Jan 29, 2025
Chainguard
Name_path_mismatch
Processes whose name in the process tree does not match the program on disk.
Jan 29, 2025
Chainguard
Npm_packages
Return the list of npm packages
Jan 29, 2025
Chainguard
Nvram Macos
Retrieves entries from the macOS nvram database
Jan 29, 2025
Chainguard
Old Binaries Running
Alert on programs running that are unusually old
Jan 29, 2025
Chainguard
Open_files
Retrieves all the open files per process in the target system.
Jan 29, 2025
Chainguard
Open_sockets
Retrieves all the open sockets per process in the target system.
Jan 29, 2025
Chainguard
Os_version
Return the OS version including patch level
Jan 29, 2025
Chainguard
Overwritten Memory Map Ddexec Linux
Processes with a memory map that suggests they might be code smuggling.
Jan 29, 2025
Chainguard
Package_install_history_macos
Return macOS package install history
Jan 29, 2025
Chainguard
Package_receipts_macos
Return macOS package receipts
Jan 29, 2025
Chainguard
Parent Missing From Disk Linux
A program where the parent PID is not on disk
Jan 29, 2025
Chainguard
Parent Missing From Disk Macos
A program where the parent PID is not on disk
Jan 29, 2025
Chainguard
Parent Pid Missing From Procfs
Find a process which has a parent that is not listed in the process table
Jan 29, 2025
Chainguard
Pid Hidden By Rootkit
Finds processes that are apparently hidden by a rootkit
Jan 29, 2025
Chainguard
Platform_info
Return hardware platform info (UEFI)
Jan 29, 2025
Chainguard
Preferences_macos
Retrieves entries from the macOS preferences database
Jan 29, 2025
Chainguard
Process_env
Retrieves all the environment variables per process in the target system.
Jan 29, 2025
Chainguard
Process_event_parents
Canonical example of including process parents from process_events
Jan 29, 2025
Chainguard
Process_event_parents_macos
Canonical example of including process parents from process_events
Jan 29, 2025
Chainguard
Process_events
Recently executed programs
Jan 29, 2025
Chainguard
Process_memory_map
Retrieves the memory map per process
Jan 29, 2025
Chainguard
Process_open_files
Return the list of open files by process
Jan 29, 2025
Chainguard
Process_open_pipes
Return the list of open pipes per process
Jan 29, 2025
Chainguard
Process_open_sockets
Return the list of open sockets per process
Jan 29, 2025
Chainguard
Process_parents
Canonical example of information to include for processes
Jan 29, 2025
Chainguard
Process_parents_macos
Canonical example of information to include for processes (macOS)
Jan 29, 2025
Chainguard
Processes
Currently running programs, only the columns that are not constantly changing
Jan 29, 2025
Chainguard
Recent_items_macos
Retrieves the list of recent items opened in OSX by parsing the plist per user.
Jan 29, 2025
Chainguard
Recently Created Executables Long Lived Linux
Long-running programs who were recently added to disk, based on btime/ctime
Jan 29, 2025
Chainguard
Recently Created Executables Long Lived Macos
Long-running programs who were started around when they were written to disk
Jan 29, 2025
Chainguard
Relative Exec Low Uid
Programs running as root with a relative path
Jan 29, 2025
Chainguard
Relative Exec Low Uid Events
Programs running as root with a relative path (event-based)
Jan 29, 2025
Chainguard
Reverse Shell Socket
Uncover reverse-shell processes
Jan 29, 2025
Chainguard
Rpm_packages
Retrieves a list of RPM packages
Jan 29, 2025
Chainguard
Running_apps_macos
Retrieves currently running applications
Jan 29, 2025
Chainguard
Safari_extensions_macos
Return the list of installed Safari extensions
Jan 29, 2025
Chainguard
Sandboxes_macos
Lists the application bundle that owns a sandbox label.
Jan 29, 2025
Chainguard
Seccomp_events
Return the list of seccomp events
Jan 29, 2025
Chainguard
Selinux_events
Return the list of SELinux events
Jan 29, 2025
Chainguard
Setxid Cmdline Overflow Attempt
Find setuid events with large cmdlines
Jan 29, 2025
Chainguard
Setxid Env Overflow Attempt
Find setuid process events with large environment sizes
Jan 29, 2025
Chainguard
Shadow
Return user data from /etc/shadow
Jan 29, 2025
Chainguard
Shady Chrome Extension Author
Highlight potentially shady chrome extensions from documented spam authors
Jan 29, 2025
Chainguard
Shared_memory
Return shared memory info
Jan 29, 2025
Chainguard
Shell_history
Retrieves the command history, per user, by parsing the shell history files.
Jan 29, 2025
Chainguard
Sip_config
Retrieves System Integrity Protection Settings data
Jan 29, 2025
Chainguard
Sketchy Docker Image Creator
Surface Docker images with a sketchy creator
Jan 29, 2025
Chainguard
Sketchy Download Name
Look for sketchy download files based on keywords
Jan 29, 2025
Chainguard
Sketchy Fetcher
Suspicious URL requests by built-in fetching tools (state-based)
Jan 29, 2025
Chainguard
Sketchy Fetcher Events
Suspicious URL requests by built-in fetching tools (event-based)
Jan 29, 2025
Chainguard
Sketchy Mounted Diskimage
Look for sketchy mounted disk images, inspired by Shlayer
Jan 29, 2025
Chainguard
Socket_events
Return the list of socket events
Jan 29, 2025
Chainguard
Spotlight Database Export Macos
Find database exports. Will need tuning based on your table names.
Jan 29, 2025
Chainguard
Ssh Notty
Find ssh sessions that are hiding from ‘w’/‘who’
Jan 29, 2025
Chainguard
Ssh_configs
Retrieves the ssh configs per user
Jan 29, 2025
Chainguard
Startup_items
Retrieve most programs that are part of a systems startup (multi-platform)
Jan 29, 2025
Chainguard
Suid_bin
Retrieves setuid-enabled executables in well-known paths
Jan 29, 2025
Chainguard
Suspicious Systemd Unit
Funky systemd units, may be evidence of persistence
Jan 29, 2025
Chainguard
Suspicious Udev Runner Linux
Look for sketchy udev entries, inspired by sedexp
Jan 29, 2025
Chainguard
Syslog_events
Return the list of syslog events
Jan 29, 2025
Chainguard
System_controls
Return the list of sysctl values
Jan 29, 2025
Chainguard
Systemd_units
Returns a list of systemd units
Jan 29, 2025
Chainguard
Tiny Executable
Unusually small programs (state-based)
Jan 29, 2025
Chainguard
Tiny Executable Events
Unusually small programs (events-based)
Jan 29, 2025
Chainguard
Touched Executable Linux
Programs which were spawned by an executable containing a matching ctime & mtime, which
Jan 29, 2025
Chainguard
Touched Executable Macos
Programs which appear to have been touched on macOS
Jan 29, 2025
Chainguard
Unexpected Active Systemd Units
Unexpected systemd units, may be evidence of persistence
Jan 29, 2025
Chainguard
Unexpected Alf Exceptions Macos
macOS application layer firewall (ALF) service exceptions.
Jan 29, 2025
Chainguard
Unexpected Bpf User
Find root-run processes which link against libbpf
Jan 29, 2025
Chainguard
Unexpected Chmod Exec Event Linux
Things that call chmod to set executable permissions
Jan 29, 2025
Chainguard
Unexpected Chmod Exec Event Macos
Things that call chmod to set executable permissions
Jan 29, 2025
Chainguard
Unexpected Chrome Extensions
Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist
Jan 29, 2025
Chainguard
Unexpected Cron Entries
Unexpected crontab entries
Jan 29, 2025
Chainguard
Unexpected Dev Entries
Find unexpected files in /dev
Jan 29, 2025
Chainguard
Unexpected Dev Executables Linux
Find unexpected executables in /dev
Jan 29, 2025
Chainguard
Unexpected Dev Opener Linux
Detects unexpected programs opening files in /dev on Linux
Jan 29, 2025
Chainguard
Unexpected Dev Opener Macos
Detects unexpected programs opening files in /dev on macOS
Jan 29, 2025
Chainguard
Unexpected Device
Finds unexpected device names, sometimes used for communication to a rootkit
Dec 6, 2023
Chainguard
Unexpected Device Linux
Finds unexpected device names, sometimes used for communication to a rootkit
Jan 29, 2025
Chainguard
Unexpected Diskimage Name Macos
Surface ISO/DMG disk images that have suspicious names
Jan 29, 2025
Chainguard
Unexpected Diskimage Source Macos
Surface ISO/DMG disk images that were downloaded from unexpected places
Jan 29, 2025
Chainguard
Unexpected Dns Traffic
Catch DNS traffic going to machines other than the host-configured DNS server (state-based)
Jan 29, 2025
Chainguard
Unexpected Dns Traffic Events
Catch DNS traffic going to machines other than the host-configured DNS server (event-based)
Jan 29, 2025
Chainguard
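One way to write the state-based "Unexpected Dns Traffic" check in osquery SQL, comparing live sockets against the resolvers the OS is actually configured with. This is an added example, not the kit's query; the loopback stub-resolver list is an assumption, and any corporate resolver ranges not present in the host configuration would need adding.

```sql
-- Added example (not the osquery-defense-kit query): processes with a
-- TCP/UDP socket to port 53 on a host that is not one of the configured
-- nameservers. The loopback stub-resolver addresses are an assumption.
SELECT
  p.pid,
  p.uid,
  p.name,
  p.path,
  p.cmdline,
  pos.protocol,         -- 6 = TCP, 17 = UDP
  pos.remote_address,
  pos.remote_port
FROM process_open_sockets pos
JOIN processes p ON p.pid = pos.pid
WHERE pos.remote_port = 53
  AND pos.family IN (2, 10)          -- AF_INET, AF_INET6
  AND pos.remote_address NOT IN (
    SELECT address FROM dns_resolvers WHERE type = 'nameserver'
  )
  AND pos.remote_address NOT IN ('127.0.0.1', '127.0.0.53', '::1')
ORDER BY p.name;
```

Two caveats a practitioner should keep in mind. UDP lookups are short-lived, so a state-based snapshot catches mostly long-lived or repeated talkers (tunnelling tools, resolvers embedded in malware); the event-based variant listed next covers the transient ones. And DNS over HTTPS or TLS goes to 443/853 rather than 53, so this query says nothing about it.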
Unexpected Elevated Children Events_linux
Find processes that run with a lower effective UID than their parent (event-based)
Jan 29, 2025
Chainguard
Unexpected Elevated Children Events_macos
Find processes that run with a lower effective UID than their parent (event-based)
Jan 29, 2025
Chainguard
Unexpected Env Values Linux
Applications setting environment variables to bypass security protections
Jan 29, 2025
Chainguard
Unexpected Env Values Macos
Applications setting environment variables to bypass security protections
Jan 29, 2025
Chainguard
Unexpected Etc Executables
Find unexpected executables in /etc
Jan 29, 2025
Chainguard
Unexpected Etc Hosts
Unexpected /etc/hosts entries
Jan 29, 2025
Chainguard
Unexpected Execdir Events Linux
Catch applications running from unusual directories, such as /tmp (event-based)
Jan 29, 2025
Chainguard
Unexpected Execdir Events Macos
Catch applications running from unusual directories, such as /tmp
Jan 29, 2025
Chainguard
Unexpected Execdir Linux
Programs running out of unexpected directories, such as /tmp (state-based)
Jan 29, 2025
Chainguard
Unexpected Execdir Macos
Find programs running from strange directories on macOS
Jan 29, 2025
Chainguard
Unexpected Executable Permissions
Find processes running that are tied to binaries with unusual permissions. Namely, 0777.
Jan 29, 2025
Chainguard
Unexpected Fetcher Parent Events
Suspicious parenting of fetch tools (event-based)
Jan 29, 2025
Chainguard
Unexpected Fetcher Parents
Suspicious parenting of fetch tools (state-based)
Jan 29, 2025
Chainguard
Unexpected File Made Executable
Detect commands used to bless a file as executable
Dec 6, 2023
Chainguard
Unexpected Gatekeeper Approvals Macos
Gatekeeper exceptions are exceptions for downloaded binaries
Jan 29, 2025
Chainguard
Unexpected Global Lock
Find unexpected world readable run locks
Jan 29, 2025
Chainguard
Unexpected Hidden System Paths
Find unexpected hidden directories in operating-system folders
Jan 29, 2025
Chainguard
Unexpected Https Linux
Unexpected programs communicating over HTTPS (state-based)
Jan 29, 2025
Chainguard
Unexpected Https Macos
Unexpected programs communicating over HTTPS (state-based)
Jan 29, 2025
Chainguard
Unexpected Icmp Socket
Unexpected programs speaking over ICMP (state-based)
Jan 29, 2025
Chainguard
Unexpected Icmp Socket Events
Unexpected programs speaking over ICMP (event-based)
Jan 29, 2025
Chainguard
Unexpected Kernel Extensions Macos
Find unexpected 3rd-party kernel extensions
Jan 29, 2025
Chainguard
Unexpected Kernel Modules Linux
Find kernel modules that are not part of the expected list
Jan 29, 2025
Chainguard
Unexpected Launchd Program Arguments
Unexpected launchd scripts that use the ‘program_arguments’ field
Jan 29, 2025
Chainguard
Unexpected Launchd Program Macos
Unexpected launchd scripts that use the ‘program’ field
Jan 29, 2025
Chainguard
Unexpected Ld So Files Linux
Find unexpected ld.so.conf files
Jan 29, 2025
Chainguard
Unexpected Libcurl User Linux
Find processes which link against libcurl, common among cross-platform malware
Dec 6, 2023
Chainguard
Unexpected Libcurl User Macos
Find processes which link against libcurl, common among cross-platform malware
Dec 6, 2023
Chainguard
Unexpected Library Entries Macos
Find unexpected files in /Library
Jan 29, 2025
Chainguard
Unexpected Listening Port Linux
Unexpected programs listening on a TCP port (state-based).
Jan 29, 2025
Chainguard
Unexpected Listening Port Macos
Unexpected programs listening on a TCP port.
Jan 29, 2025
Chainguard
Unexpected Lock Opener
Find unexpected programs with open lock files
Jan 29, 2025
Chainguard
Unexpected Long Running Security Framework Macos
Find programs that use the Security Framework on macOS - popular among malware authors
Jan 29, 2025
Chainguard
Unexpected Mounts
Detect weird mounts, like mounting the EFI partition
Jan 29, 2025
Chainguard
Unexpected Netutil Calls Linux
Suspicious parenting of network utilities (event-based)
Jan 29, 2025
Chainguard
Unexpected Netutil Calls Macos
Suspicious parenting of network utilities (event-based)
Jan 29, 2025
Chainguard
Unexpected Osascript Calls
Detect unusual calls to osascript
Jan 29, 2025
Chainguard
Unexpected Packet Sniffer
Find unexpected use of raw sockets in executables, sometimes used for C&C communications
Jan 29, 2025
Chainguard
Unexpected Pcap User Linux
Find root-run processes which link against libpcap
Jan 29, 2025
Chainguard
Unexpected Pcap User Macos
Find root-run processes which link against libpcap
Jan 29, 2025
Chainguard
Unexpected Privilege Escalation_linux
Find processes that run with a lower effective UID than their parent (state-based)
Jan 29, 2025
Chainguard
Unexpected Privilege Escalation_macos
Find processes that run with a lower effective UID than their parent (state-based)
Jan 29, 2025
Chainguard
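The "Unexpected Privilege Escalation" entries (and their event-based siblings "Unexpected Elevated Children Events") all reduce to one comparison: a child whose effective UID is numerically lower, and therefore more privileged, than its parent's. The self-join below is an added example, not the kit's query; the allowlist of setuid helpers that are expected to elevate is an assumption.

```sql
-- Added example (not the osquery-defense-kit query): child processes whose
-- effective UID is lower than their parent's, found by self-joining
-- processes on the parent pid. The setuid-helper allowlist is an assumption.
SELECT
  c.pid,
  c.name,
  c.path,
  c.cmdline,
  c.uid    AS child_uid,
  c.euid   AS child_euid,
  par.pid  AS parent_pid,
  par.name AS parent_name,
  par.path AS parent_path,
  par.euid AS parent_euid
FROM processes c
JOIN processes par ON par.pid = c.parent
WHERE c.euid < par.euid
  AND c.path NOT IN (
    '/usr/bin/sudo', '/usr/bin/su', '/usr/bin/doas',
    '/usr/bin/passwd', '/usr/bin/newgrp', '/usr/bin/pkexec',
    '/usr/libexec/openssh/ssh-keysign'
  )
ORDER BY par.euid DESC, c.pid;
```

Comparing `euid` rather than `uid` is deliberate: a setuid binary keeps the invoking user's real UID and only raises the effective one, so `uid` alone misses the transition. Because the join is on the current process table, a parent that has already exited (the usual case for a successful local exploit that double-forks) will not match; the event-based variants pair `process_events` rows with their recorded parent for that reason.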
Unexpected Privileged Containers
Detect the execution of privileged Docker containers which can be used to escape to the host.
Jan 29, 2025
Chainguard
Unexpected Process Extension Linux
Processes that have an unusual extension
Jan 29, 2025
Chainguard
Unexpected Public Files_macos
Find unexpected files in ~/Public
Jan 29, 2025
Chainguard
Unexpected Root Libcurl Proc Linux
Find root-run processes which link against libcurl, common among cross-platform malware
Jan 29, 2025
Chainguard
Unexpected Root Libcurl Proc Macos
Find root-run processes which link against libcurl, common among cross-platform malware
Jan 29, 2025
Chainguard
Unexpected Root Signer Events Macos
Programs running as root from unusual signers on macOS
Jan 29, 2025
Chainguard
Unexpected Root Signer Macos
Programs running as root from unusual signers on macOS
Dec 6, 2023
Chainguard
Unexpected Rsa Keys
Indicative of stored RSA keys just sitting around unencrypted
Jan 29, 2025
Chainguard
Unexpected Rsa Keys Mdfind
Indicative of stored RSA keys just sitting around unencrypted
Jan 29, 2025
Chainguard
Unexpected Security Framework Program Macos
Find programs that use the Security Framework on macOS - popular among malware authors
Dec 6, 2023
Chainguard
Unexpected Sensitive File Access Linux
Unexpected programs accessing sensitive data stores (state-based)
Jan 29, 2025
Chainguard
Unexpected Sensitive File Access Macos
Unexpected programs accessing sensitive data stores (state-based)
Jan 29, 2025
Chainguard
Unexpected Setuid Binaries
Find unexpected setuid binaries on disk
Jan 29, 2025
Chainguard
Unexpected Setxid Process
Processes running that originate from setuid/setgid programs
Jan 29, 2025
Chainguard
Unexpected Shell Parent Events
Unexpected process that spawns shell processes (event-based)
Jan 29, 2025
Chainguard
Unexpected Shell Parents
Unexpected process that spawns shell processes (state-based)
Jan 29, 2025
Chainguard
Unexpected Small Udev Entry Linux
Unexpected small udev rule entries
Dec 6, 2023
Chainguard
Unexpected Ssh Authorized Keys
Find unexpected SSH authorized keys
Jan 29, 2025
Chainguard
Unexpected Systemctl Calls Linux
Suspicious calls to systemctl (event-based)
Jan 29, 2025
Chainguard
Unexpected Sysutils Linux
Unexpected calls to system utilities (event-based)
Jan 29, 2025
Chainguard
Unexpected Sysutils Macos
Unexpected calls to macOS system utilities (event-based)
Jan 29, 2025
Chainguard
Unexpected Talker Events
Unexpected socket events
Jan 29, 2025
Chainguard
Unexpected Talkers Linux
Unexpected programs communicating over non-HTTPS protocols (state-based)
Jan 29, 2025
Chainguard
Unexpected Talkers Macos
Unexpected programs communicating over non-HTTPS running from weird locations
Jan 29, 2025
Chainguard
Unexpected Tmp Executables Linux
Find unexpected executables in temp directories, often used by malware droppers
Jan 29, 2025
Chainguard
Unexpected Tmp Executables Macos
Find unexpected executables in temp directories, often used by malware droppers
Jan 29, 2025
Chainguard
Unexpected Uid0 Daemon Linux
Unexpected long-running processes running as root
Jan 29, 2025
Chainguard
Unexpected Uid0 Daemon Macos
Unexpected long-running processes running as root
Jan 29, 2025
Chainguard
Unexpected User Executables Macos
Find unexpected executables in unexpected places under /Users
Jan 29, 2025
Chainguard
Unexpected User Shared Entries
Find unexpected files in /Users/Shared
Jan 29, 2025
Chainguard
Unexpected Var Executables Linux
Find unexpected executables in /var
Jan 29, 2025
Chainguard
Unexpected Var Executables Macos
Find unexpected executables in /var
Jan 29, 2025
Chainguard
Unexpected Var Run Linux
Find unexpected regular files in /var/run
Jan 29, 2025
Chainguard
Unexpected Var Run Macos
Find unexpected regular files in /var/run
Jan 29, 2025
Chainguard
Unexpected Volume Contents
Scan removable volumes for sketchy files
Jan 29, 2025
Chainguard
Unexpected Webmail Downloads
Surface webmail downloads of an unexpected sort
Jan 29, 2025
Chainguard
Unexpected Xattr Calls Macos
Detect unusual calls to xattr, used to remove filesystem attributes
Jan 29, 2025
Chainguard
Unified_log_macos
Retrieves recent entries from the macOS unified log
Jan 29, 2025
Chainguard
Unusual Executable Name Linux
Processes with executable names that feel weird
Jan 29, 2025
Chainguard
Unusual Executable Name Macos
Processes with executable names that feel weird
Jan 29, 2025
Chainguard
Unusual Process Name Linux
Processes with executable names that feel weird
Jan 29, 2025
Chainguard
Unusual Process Name Macos
Processes with executable names that feel weird
Jan 29, 2025
Chainguard
Unusually Long Uptime Likely Missing Patches
Indicative of a machine that probably needs a reboot for operating-system patches
Jan 29, 2025
Chainguard
Unusually Tainted Kernel Linux
Unusually tainted kernel - via a loaded kernel module
Jan 29, 2025
Chainguard
Usb_devices
Return the list of USB devices
Jan 29, 2025
Chainguard
User_events
Return the list of audit user events
Jan 29, 2025
Chainguard
User_ssh_keys
Retrieves the ssh keys per user
Jan 29, 2025
Chainguard
Users
Returns a list of users
Jan 29, 2025
Chainguard
Vulnerable Acrobat Reader
Vulnerable version of Adobe Acrobat Reader is installed
Jan 29, 2025
Chainguard
Xprotect_reports
Returns a list of malware matches from macOS XProtect
Jan 29, 2025
Chainguard
Yara Exec Connect Process Linux
Currently running program with Linux red flags
Jan 29, 2025
Chainguard
Yara Libtomcrypt Process
Linux program uses LibTomCrypt (rare)
Jan 29, 2025
Chainguard
Yara Mounted Stealer
Look for sketchy mounted disk images, inspired by Shlayer
Jan 29, 2025
Chainguard
Yara Recently Downloaded Go Crypt Exec
Recently downloaded cryptexec program
Dec 6, 2023
Chainguard
Yara Recently Downloaded Miner
Flag recently downloaded files that match YARA rules for cryptocurrency miners (tags: volume filesystem seldom)
Jan 29, 2025
Chainguard
Yara Recently Downloaded Packed
Flag packed binaries that have recently been downloaded
Jan 29, 2025
Chainguard
Yara Recently Downloaded Ransom
Flag recently downloaded files that match YARA rules for ransomware (tags: volume filesystem seldom)
Jan 29, 2025
Chainguard
Yara Recently Downloaded Rust Http Exec
Recently downloaded Rust program that uses both HTTP and Exec
Dec 6, 2023
Chainguard
Yara Recently Downloaded Stealer
Flag recently downloaded files that match YARA rules for infostealers (tags: volume filesystem seldom extra)
Jan 29, 2025
Chainguard
Yara Recently Downloaded Upx
Recently downloaded UPX file
Dec 6, 2023
Chainguard
Yara Suspicious Strings Process Linux
Currently running program with Linux red flags
Jan 29, 2025
Chainguard
Yara Unexpected Go Crypt Exec Process
Currently running Go cryptexec program
Dec 6, 2023
Chainguard
Yara Unexpected Miner Process
Currently running CryptoCoin miner
Jan 29, 2025
Chainguard
Yara Unexpected Rust Http Exec Process
Rust Program that uses both HTTP and Exec
Jan 29, 2025
Chainguard
Yara Unexpected Upx Process
Currently running UPX executable
Jan 29, 2025
Chainguard