{ "options": { "schedule_splay_percent": 10 }, "platform": "windows", "schedule": { "chocolatey_packages": { "query": "SELECT * FROM chocolatey_packages;", "interval": 3600, "description": "List installed Chocolatey packages" }, "chrome_extensions": { "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);", "interval": 3600, "description": "List installed Chrome Extensions for all users" }, "drivers": { "query": "SELECT * FROM drivers;", "interval": 3600, "description": "List in-use Windows drivers" }, "drivers_snapshot": { "query": "SELECT * FROM drivers;", "interval": 28800, "description": "Drivers snapshot query", "snapshot": true }, "etc_hosts": { "query": "SELECT * FROM etc_hosts;", "interval": 3600, "description": "List the contents of the Windows hosts file" }, "ie_extensions": { "query": "SELECT * FROM ie_extensions;", "interval": 3600, "description": "List installed Internet Explorer extensions" }, "kernel_info": { "query": "SELECT * FROM kernel_info;", "interval": 3600, "description": "List the kernel path, version, etc." }, "os_version": { "query": "SELECT * FROM os_version;", "interval": 3600, "description": "List the version of the resident operating system" }, "os_version_snapshot": { "query": "SELECT * FROM os_version;", "interval": 28800, "description": "Operating system version snapshot query", "snapshot": true }, "osquery_info": { "query": "SELECT * FROM osquery_info;", "interval": 28800, "description": "Information about the resident osquery process", "snapshot": true }, "patches": { "query": "SELECT * FROM patches;", "interval": 3600, "description": "Lists all the patches applied" }, "patches_snapshot": { "query": "SELECT * FROM patches;", "interval": 28800, "description": "Patches snapshot query", "snapshot": true }, "programs": { "query": "SELECT * FROM programs;", "interval": 3600, "description": "Lists installed programs" }, "programs_snapshot": { "query": "SELECT * FROM programs;", "interval": 28800, "description": "Programs snapshot query", "snapshot": true }, "scheduled_tasks": { "query": "SELECT * FROM scheduled_tasks;", "interval": 3600, "description": "Lists all of the tasks in the Windows task scheduler" }, "services": { "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';", "interval": 3600, "description": "Lists all installed services configured to start automatically at boot" }, "services_snapshot": { "query": "SELECT * FROM services;", "interval": 28800, "description": "Services snapshot query", "snapshot": true }, "shared_resources": { "query": "SELECT * FROM shared_resources;", "interval": 28800, "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device." }, "system_info": { "query": "SELECT * FROM system_info;", "interval": 3600, "description": "System information for identification." }, "system_info_snapshot": { "query": "SELECT * FROM system_info;", "interval": 28800, "description": "System info snapshot query", "snapshot": true }, "uptime": { "query": "SELECT * FROM uptime;", "interval": 3600, "description": "System uptime" }, "users": { "query": "SELECT * FROM users;", "interval": 3600, "description": "Local system users." }, "users_snapshot": { "query": "SELECT * FROM users;", "interval": 28800, "description": "Users snapshot query", "snapshot": true }, "wmi_cli_event_consumers": { "query": "SELECT * FROM wmi_cli_event_consumers;", "interval": 3600, "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." }, "wmi_event_filters": { "query": "SELECT * FROM wmi_event_filters;", "interval": 3600, "description": "Lists WMI event filters." }, "wmi_filter_consumer_binding": { "query": "SELECT * FROM wmi_filter_consumer_binding;", "interval": 3600, "description": "Lists the relationship between event consumers and filters." }, "wmi_script_event_consumers": { "query": "SELECT * FROM wmi_script_event_consumers;", "interval": 3600, "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." } } }