osquery Templates

A selection of osquery rules to use as guides or templates.
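-- platform: windows
-- description: Controls UAC. A setting of 0 indicates that UAC is disabled.
-- EnableLUA is the master User Account Control switch; this rule fires only on
-- an explicit 0. No row at all means the value was not found, which this query
-- cannot distinguish from "UAC enabled" — pair it with a presence check if that
-- matters to you.
-- The SELECT list was missing from this listing; it is restored from the two
-- columns the predicate already references.
-- `data` is compared to the bare integer 0 as in the original; SQLite applies
-- the column's TEXT affinity to the literal, so '0' matches.
SELECT
    path,
    data
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
    AND data = 0;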
Windows Update history
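-- platform: windows
-- description: List Windows Update history.
-- `date` is a unix epoch; it is rendered in the host's local time zone as in
-- the original. Drop the 'localtime' modifier when results are shipped to a
-- central log where UTC is expected.
-- `result_code` is included so a reviewer can separate updates that actually
-- installed from ones that failed; the rendered date gets an alias so it is a
-- usable key in the result set instead of the raw expression text.
SELECT
    title,
    result_code,
    datetime(date, 'unixepoch', 'localtime') AS date_local
FROM windows_update_history;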
Registry Run entries
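-- platform: windows
-- description: List startup entries under Run keys.
-- Run and RunOnce are a classic persistence location, so every value found
-- here deserves a look.
-- The first LIKE pattern had been lost from this listing; the HKEY_USERS\...\Run
-- pattern below is a reconstruction of it (the per-user counterpart of the
-- RunOnce pattern that survived).
-- The HKEY_LOCAL_MACHINE keys are matched exactly. The original pattern
-- 'CurrentVersion\Run%\%' appears to require a further subkey component after
-- Run*, so values written directly under Run/RunOnce would not be listed —
-- confirm against your osquery version before relying on the old form.
-- The WOW6432Node keys are included because 32-bit software on 64-bit Windows
-- registers its Run entries there.
-- `select *` is replaced by an explicit column list so the result keys are
-- stable across osquery schema changes.
SELECT
    key,
    name,
    type,
    data,
    mtime
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce';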
Services that start automatically
-- platform: windows
-- description: List installed services that start automatically
-- Services hosted by the stock svchost.exe under system32 are filtered out to
-- cut noise. Only that exact prefix is excluded: a service whose binary is an
-- svchost.exe anywhere else still appears, which is the masquerading case a
-- reviewer wants to see.
SELECT
    name,
    display_name,
    user_account,
    path
FROM services
WHERE start_type = 'AUTO_START'
    AND path NOT LIKE 'C:\Windows\system32\svchost.exe -k %';
Unusual Cron entries
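-- Unexpected crontab entries
-- references:
-- * (Scheduled Task/Job: Cron)
-- *
-- false positives:
-- * crontab entries added by the user
-- tags: persistent filesystem state
-- platform: posix
-- The SELECT/FROM/WHERE head of this query was missing from the listing; it is
-- restored here from the crontab table, whose `command` column the predicates
-- already use. `path` names the crontab file the entry was read from, which is
-- where a responder needs to look next.
-- The NOT LIKE list is an allowlist of distribution-shipped maintenance jobs.
-- Each entry hides anything whose command merely contains that substring, so
-- keep the patterns as specific as possible. A NULL command never satisfies
-- NOT LIKE and is therefore not reported.
SELECT
    path,
    command
FROM crontab
WHERE command NOT LIKE 'root%run-parts%'
    AND command NOT LIKE '%freshclam%'
    AND command NOT LIKE '%clamscan%'
    AND command NOT LIKE '%e2scrub%'
    AND command NOT LIKE '%zfs-linux%'
    AND command NOT LIKE '%anacron start%'
    AND command NOT LIKE '%/usr/lib/php/sessionclean%'
    AND command NOT LIKE 'root command -v debian-sa1%';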
Launched items not signed by Apple
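-- description: Find launchd entries which purport to be by Apple, but point to binaries that are not signed by Apple.
-- references:
-- * (Create or Modify System Process: Launch Daemon)
-- *
-- *
-- false positives:
-- * none have been observed
-- platform: darwin
-- tags: persistent launchd state
-- NOTE: the SELECT list, the FROM launchd clause and the first WHERE predicate
-- are missing from this listing; the surviving fragment is kept as found.
-- The signature join uses the whole `program_arguments` string as the path,
-- so an entry that passes arguments to its binary is unlikely to match —
-- presumably `launchd.program` should be joined as well; confirm how this
-- table formats program_arguments before changing it.
LEFT JOIN file ON launchd.path = file.path
LEFT JOIN signature ON launchd.program_arguments = signature.path
-- Optimization, assumes SIP
AND launchd.run_at_load = 1
-- `!=` evaluates to NULL when `authority` is NULL — an unsigned binary, or a
-- LEFT JOIN that found no signature row — and WHERE drops such rows, which is
-- exactly the case this rule exists to surface. IS NOT treats NULL as a
-- mismatch and keeps them.
AND signature.authority IS NOT 'Software Signing'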
Processes running no binary on the disk
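-- description: Find processes that are running whose binary has been deleted from the disk.
-- A running process whose executable is gone is worth a look: it can be a
-- package upgrade that replaced the file while the old copy kept running, or
-- a binary removed to hinder analysis. `parent` and `cmdline` are added so the
-- row can be triaged without a second query.
-- The predicate is kept as `on_disk = 0`; processes whose on-disk status the
-- table could not determine are not reported (osquery documents a separate
-- "unknown" value for that case — confirm for your version).
SELECT
    name,
    path,
    pid,
    parent,
    cmdline
FROM processes
WHERE on_disk = 0;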
Scheduled Task with Temp path reference
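-- description: List scheduled tasks where Temp directory is contained in Action path.
-- platform: windows
-- Matches an action whose path passes through a \Temp\ directory; SQLite's LIKE
-- is case-insensitive for ASCII, so \temp\ and \TEMP\ match too.
-- Unexpanded environment references (%TEMP%, %TMP%) are matched as well, using
-- ESCAPE so the literal percent signs are not read as wildcards. Whether the
-- table returns such references unexpanded is not shown here — verify.
-- `path`, `enabled` and `hidden` are added so a hit can be located and its
-- state judged without a second query.
SELECT
    name,
    path,
    action,
    enabled,
    hidden
FROM scheduled_tasks
WHERE action LIKE '%\Temp\%'
    OR action LIKE '%!%TEMP!%%' ESCAPE '!'
    OR action LIKE '%!%TMP!%%' ESCAPE '!';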
List all local Users
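-- description: List all local Users on the system.
-- The `type` column of the users table is Windows-specific (TODO confirm on
-- your build), so this rule is effectively platform: windows.
-- `select *` is replaced by an explicit column list so the result keys are
-- stable across osquery schema changes.
SELECT
    uid,
    gid,
    username,
    description,
    directory,
    shell,
    uuid,
    type
FROM users
WHERE type = 'local';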
List logged users
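-- description: List logged users.
-- `time` is a unix epoch; a UTC rendering is added alongside it so the row is
-- readable without post-processing. `select *` is replaced by an explicit
-- column list so the result keys are stable across osquery schema changes.
SELECT
    type,
    user,
    tty,
    host,
    time,
    datetime(time, 'unixepoch') AS time_utc,
    pid
FROM logged_in_users;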
List users with Administrative privileges
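-- description: List all the users with Administrative privileges.
-- platform: windows — 544 is the RID of the built-in Administrators group, and
-- osquery exposes local group RIDs through user_groups.gid (confirm on your
-- build).
-- The original had a stray comma before FROM, which is a syntax error.
-- users.gid is the account's primary group; membership in Administrators is
-- established through the user_groups join, not through that column.
SELECT
    users.uid,
    users.gid,
    users.username
FROM users
INNER JOIN user_groups ON users.uid = user_groups.uid
WHERE user_groups.gid = 544;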
Check the security status of the system
-- description: Check the security status of the system.
-- platform: windows
-- Two snapshots, returned as two result sets: the overall Security Center
-- status first, then the individual security products it reports on.
SELECT * FROM windows_security_center;
SELECT * FROM windows_security_products;
List processes running from CMD (with hash value)
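-- description: List processes running from cmd (with a hash value)
-- The listing had lost two column names and the second join's ON clause. The
-- columns are restored as p.pid and p.name (constructed; adjust to taste) and
-- the join is on parent pid, the only relationship that makes `p.parent` and
-- `pp.path AS parentpath` meaningful.
-- hash is LEFT JOINed so a child whose binary cannot be hashed (for example
-- because it was deleted from disk) is still reported with a NULL md5 instead
-- of silently dropped; the join condition still supplies the path constraint
-- the hash table needs.
-- The parent match is narrowed from '%cmd%' to a path ending in \cmd.exe so
-- unrelated binaries whose name merely contains "cmd" are not reported.
SELECT
    p.pid,
    p.name,
    p.path,
    p.parent,
    h.md5,
    pp.path AS parentpath
FROM processes AS p
LEFT JOIN hash AS h ON p.path = h.path
INNER JOIN processes AS pp ON pp.pid = p.parent
WHERE pp.path LIKE '%\cmd.exe';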