{ "queries": { "launchd": { "query": "select * from launchd;", "interval": "3600", "platform": "darwin", "version": "1.4.5", "description": "Retrieves all the daemons that will run in the start of the target OSX system.", "value": "Identify malware that uses this persistence mechanism to launch at system boot" }, "disk_encryption (posix)": { "query": "select * from disk_encryption;", "interval": "86400", "platform": "posix", "version": "1.4.5", "description": "Retrieves the current disk encryption status for the target system.", "value": "Identifies a system potentially vulnerable to disk cloning." }, "disk_encryption (darwin,linux)": { "query": "select * from disk_encryption;", "interval": "300", "platform": "darwin,linux", "version": "1.4.5", "description": "Retrieves the current disk encryption status for the target system.", "value": "Identifies a system potentially vulnerable to disk cloning." }, "iptables": { "query": "select * from iptables;", "interval": "3600", "platform": "linux", "version": "1.4.5", "description": "Retrieves the current filters and chains per filter in the target system.", "value": "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans" }, "app_schemes": { "query": "select * from app_schemes;", "interval": "86400", "platform": "darwin", "version": "1.4.7", "description": "Retrieves the list of application scheme/protocol-based IPC handlers.", "value": "Post-priori hijack detection, detect potential sensitive information leakage." }, "sandboxes": { "query": "select * from sandboxes;", "interval": "86400", "platform": "darwin", "version": "1.4.7", "description": "Lists the application bundle that owns a sandbox label.", "value": "Post-priori hijack detection, detect potential sensitive information leakage." }, "disk_info": { "query": "select * from disk_info;", "interval": "86400", "platform": "chrome,windows", "version": "1.4.7", "description": "Retrieve basic information about the physical disks of a system.", "value": "Identify scary possibilities with disks." }, "listening_ports (specs)": { "query": "select * from listening_ports;", "interval": "3600", "platform": "specs", "version": "1.4.7", "description": "Retrieves the list of listening ports.", "value": "Identify unwanted open ports." }, "listening_ports (utility)": { "query": "select * from listening_ports;", "interval": "3600", "platform": "utility", "version": "1.4.7", "description": "Retrieves the list of listening ports.", "value": "Identify unwanted open ports." }, "yara (yara)": { "query": "select * from yara;", "interval": "0", "platform": "yara", "version": "1.4.7", "description": "Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.", "value": "TBD" }, "ulimit_info (smart)": { "query": "select * from ulimit_info;", "interval": "300", "platform": "smart", "version": "1.4.7", "description": "System resource usage limits.", "value": "Identify potential resource exhaustion attacks." }, "uptime (kernel)": { "query": "select * from uptime;", "interval": "600", "platform": "kernel", "version": "1.4.7", "description": "System uptime.", "value": "Identify systems that have been rebooted recently." }, "uptime (linwin)": { "query": "select * from uptime;", "interval": "600", "platform": "linwin", "version": "1.4.7", "description": "System uptime.", "value": "Identify systems that have been rebooted recently." }, "uptime (macwin)": { "query": "select * from uptime;", "interval": "600", "platform": "macwin", "version": "1.4.7", "description": "System uptime.", "value": "Identify systems that have been rebooted recently." }, "uptime (sleuthkit)": { "query": "select * from uptime;", "interval": "600", "platform": "sleuthkit", "version": "1.4.7", "description": "System uptime.", "value": "Identify systems that have been rebooted recently." }, "windows crashes": { "query": "select * from windows_crashes;", "interval": "3600", "platform": "windows", "version": "1.4.7", "description": "Extracted information from Windows crash logs (Minidumps).", "value": "Identify systems that have been rebooted recently." }, "user groups (any)": { "query": "select * from user_groups;", "interval": "3600", "platform": "any", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (missing platform)": { "query": "select * from user_groups;", "interval": "3600", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (missing version)": { "query": "select * from user_groups;", "interval": "3600", "platform": "darwin", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (all)": { "query": "select * from user_groups;", "interval": "3600", "platform": "all", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (empty string platform, empty string version)": { "query": "select * from user_groups;", "interval": "3600", "platform": "", "version": "", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (darwin,linux)": { "query": "select * from user_groups;", "interval": "3600", "platform": "darwin,linux", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (linux,darwin)": { "query": "select * from user_groups;", "interval": "3600", "platform": "linux,darwin", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." }, "user groups (windows,chrome)": { "query": "select * from user_groups;", "interval": "3600", "platform": "windows,chrome", "version": "1.4.7", "description": "List of all user groups.", "value": "Identify unwanted user groups." } } }