{
"options": {
"logger_snapshot_event_type": "true",
"schedule_splay_percent": 10
},
"platform": "windows",
"schedule": {
"certificates": {
"query": "SELECT * FROM certificates WHERE path != 'Other People';",
"interval": 3600,
"description": "List certificates in the Windows certificate stores, excluding the 'Other People' store; differential, and with removed=false only newly added certificates are logged, not removals",
"removed": false
},
"certificates_snapshot": {
"query": "SELECT * FROM certificates WHERE path != 'Other People';",
"interval": 28800,
"description": "List certificates in the Windows certificate stores, excluding the 'Other People' store (full snapshot every 8 hours)",
"snapshot": true
},
"chocolatey_packages": {
"query": "SELECT * FROM chocolatey_packages;",
"interval": 3600,
"description": "List installed Chocolatey packages"
},
"chrome_extensions": {
"query": "SELECT * FROM users JOIN chrome_extensions USING (uid);",
"interval": 3600,
"description": "List installed Chrome Extensions for all users"
},
"drivers": {
"query": "SELECT * FROM drivers;",
"interval": 3600,
"description": "List in-use Windows drivers"
},
"drivers_snapshot": {
"query": "SELECT * FROM drivers;",
"interval": 28800,
"description": "Drivers snapshot query",
"snapshot": true
},
"etc_hosts": {
"query": "SELECT * FROM etc_hosts;",
"interval": 3600,
"description": "List the contents of the Windows hosts file"
},
"ie_extensions": {
"query": "SELECT * FROM ie_extensions;",
"interval": 3600,
"description": "List installed Internet Explorer extensions"
},
"kernel_info": {
"query": "SELECT * FROM kernel_info;",
"interval": 3600,
"description": "List the kernel path, version, etc."
},
"os_version": {
"query": "SELECT * FROM os_version;",
"interval": 3600,
"description": "List the version of the resident operating system"
},
"os_version_snapshot": {
"query": "SELECT * FROM os_version;",
"interval": 28800,
"description": "Operating system version snapshot query",
"snapshot": true
},
"osquery_info": {
"query": "SELECT * FROM osquery_info;",
"interval": 28800,
"description": "Information about the resident osquery process",
"snapshot": true
},
"patches": {
"query": "SELECT * FROM patches;",
"interval": 3600,
"description": "Lists all the patches applied"
},
"patches_snapshot": {
"query": "SELECT * FROM patches;",
"interval": 28800,
"description": "Patches snapshot query",
"snapshot": true
},
"programs": {
"query": "SELECT * FROM programs;",
"interval": 3600,
"description": "Lists installed programs"
},
"programs_snapshot": {
"query": "SELECT * FROM programs;",
"interval": 28800,
"description": "Programs snapshot query",
"snapshot": true
},
"scheduled_tasks": {
"query": "SELECT * FROM scheduled_tasks;",
"interval": 3600,
"description": "Lists all of the tasks in the Windows task scheduler"
},
"services": {
"query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';",
"interval": 3600,
"description": "Lists installed services whose start_type is AUTO_START (started at boot) or DEMAND_START (started on demand); disabled and boot/system-driver start types are excluded"
},
"services_snapshot": {
"query": "SELECT * FROM services;",
"interval": 28800,
"description": "Services snapshot query",
"snapshot": true
},
"shared_resources": {
"query": "SELECT * FROM shared_resources;",
"interval": 28800,
"description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."
},
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 3600,
"description": "System information for identification."
},
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 28800,
"description": "System info snapshot query",
"snapshot": true
},
"uptime": {
"query": "SELECT * FROM uptime;",
"interval": 3600,
"description": "System uptime",
"snapshot": true
},
"users": {
"query": "SELECT * FROM users;",
"interval": 3600,
"description": "Local system users."
},
"users_snapshot": {
"query": "SELECT * FROM users;",
"interval": 28800,
"description": "Users snapshot query",
"snapshot": true
},
"wmi_cli_event_consumers": {
"query": "SELECT * FROM wmi_cli_event_consumers;",
"interval": 3600,
"description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
},
"wmi_event_filters": {
"query": "SELECT * FROM wmi_event_filters;",
"interval": 3600,
"description": "Lists WMI event filters, the trigger half of a WMI permanent event subscription; review together with wmi_filter_consumer_binding and the consumer tables."
},
"wmi_filter_consumer_binding": {
"query": "SELECT * FROM wmi_filter_consumer_binding;",
"interval": 3600,
"description": "Lists the bindings between WMI event filters and event consumers. A binding is what completes a WMI persistence chain, so new rows here deserve review."
},
"wmi_script_event_consumers": {
"query": "SELECT * FROM wmi_script_event_consumers;",
"interval": 3600,
"description": "WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
}
},
"packs": {
"performance-metrics": "packs/performance-metrics.conf",
"security-tooling-checks": "packs/security-tooling-checks.conf",
"unwanted-chrome-extensions": "packs/unwanted-chrome-extensions.conf",
"windows-application-security": "packs/windows-application-security.conf",
"windows-compliance": "packs/windows-compliance.conf",
"windows-registry-monitoring": "packs/windows-registry-monitoring.conf",
"windows-attacks": "packs/windows-attacks.conf"
}
}