Initial commit

Vagrant/resources/osquery/osquery.conf

@@ -0,0 +1,151 @@
+{
+  "options": {
+    "schedule_splay_percent": 10
+  },
+  "platform": "windows",
+  "schedule": {
+    "chocolatey_packages": {
+      "query": "SELECT * FROM chocolatey_packages;",
+      "interval": 3600,
+      "description": "List installed Chocolatey packages"
+    },
+    "chrome_extensions": {
+      "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);",
+      "interval": 3600,
+      "description": "List installed Chrome Extensions for all users"
+    },
+    "drivers": {
+      "query": "SELECT * FROM drivers;",
+      "interval": 3600,
+      "description": "List in-use Windows drivers"
+    },
+    "drivers_snapshot": {
+      "query": "SELECT * FROM drivers;",
+      "interval": 28800,
+      "description": "Drivers snapshot query",
+      "snapshot": true
+    },
+    "etc_hosts": {
+      "query": "SELECT * FROM etc_hosts;",
+      "interval": 3600,
+      "description": "List the contents of the Windows hosts file"
+    },
+    "ie_extensions": {
+      "query": "SELECT * FROM ie_extensions;",
+      "interval": 3600,
+      "description": "List installed Internet Explorer extensions"
+    },
+    "kernel_info": {
+      "query": "SELECT * FROM kernel_info;",
+      "interval": 3600,
+      "description": "List the kernel path, version, etc."
+    },
+    "os_version": {
+      "query": "SELECT * FROM os_version;",
+      "interval": 3600,
+      "description": "List the version of the resident operating system"
+    },
+    "os_version_snapshot": {
+      "query": "SELECT * FROM os_version;",
+      "interval": 28800,
+      "description": "Operating system version snapshot query",
+      "snapshot": true
+    },
+    "osquery_info": {
+      "query": "SELECT * FROM osquery_info;",
+      "interval": 28800,
+      "description": "Information about the resident osquery process",
+      "snapshot": true
+    },
+    "patches": {
+      "query": "SELECT * FROM patches;",
+      "interval": 3600,
+      "description": "Lists all the patches applied"
+    },
+    "patches_snapshot": {
+      "query": "SELECT * FROM patches;",
+      "interval": 28800,
+      "description": "Patches snapshot query",
+      "snapshot": true
+    },
+    "programs": {
+      "query": "SELECT * FROM programs;",
+      "interval": 3600,
+      "description": "Lists installed programs"
+    },
+    "programs_snapshot": {
+      "query": "SELECT * FROM programs;",
+      "interval": 28800,
+      "description": "Programs snapshot query",
+      "snapshot": true
+    },
+    "scheduled_tasks": {
+      "query": "SELECT * FROM scheduled_tasks;",
+      "interval": 3600,
+      "description": "Lists all of the tasks in the Windows task scheduler"
+    },
+    "services": {
+      "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';",
+      "interval": 3600,
+      "description": "Lists all installed services configured to start automatically at boot"
+    },
+    "services_snapshot": {
+      "query": "SELECT * FROM services;",
+      "interval": 28800,
+      "description": "Services snapshot query",
+      "snapshot": true
+    },
+    "shared_resources": {
+      "query": "SELECT * FROM shared_resources;",
+      "interval": 28800,
+      "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."
+    },
+    "system_info": {
+      "query": "SELECT * FROM system_info;",
+      "interval": 3600,
+      "description": "System information for identification."
+    },
+    "system_info_snapshot": {
+      "query": "SELECT * FROM system_info;",
+      "interval": 28800,
+      "description": "System info snapshot query",
+      "snapshot": true
+    },
+    "uptime": {
+      "query": "SELECT * FROM uptime;",
+      "interval": 3600,
+      "description": "System uptime"
+    },
+    "users": {
+      "query": "SELECT * FROM users;",
+      "interval": 3600,
+      "description": "Local system users."
+    },
+    "users_snapshot": {
+      "query": "SELECT * FROM users;",
+      "interval": 28800,
+      "description": "Users snapshot query",
+      "snapshot": true
+    },
+    "wmi_cli_event_consumers": {
+      "query": "SELECT * FROM wmi_cli_event_consumers;",
+      "interval": 3600,
+      "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
+    },
+    "wmi_event_filters": {
+      "query": "SELECT * FROM wmi_event_filters;",
+      "interval": 3600,
+      "description": "Lists WMI event filters."
+    },
+    "wmi_filter_consumer_binding": {
+      "query": "SELECT * FROM wmi_filter_consumer_binding;",
+      "interval": 3600,
+      "description": "Lists the relationship between event consumers and filters."
+    },
+    "wmi_script_event_consumers": {
+      "query": "SELECT * FROM wmi_script_event_consumers;",
+      "interval": 3600,
+      "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
+    }
+  }
+}

Vagrant/resources/osquery/osquery.flags

@@ -0,0 +1,3 @@
+--config_path=c:\programdata\osquery\osquery.conf
+--disable_events=true
+--disable_tables=windows_events