DetectionLab/Vagrant/resources/osquery/osquery.conf

{
  "options": {
    "schedule_splay_percent": 10
  },
  "platform": "windows",
  "schedule": {
    "chocolatey_packages": {
      "query": "SELECT * FROM chocolatey_packages;",
      "interval": 3600,
      "description": "List installed Chocolatey packages"
    },
    "chrome_extensions": {
      "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);",
      "interval": 3600,
      "description": "List installed Chrome Extensions for all users"
    },
    "drivers": {
      "query": "SELECT * FROM drivers;",
      "interval": 3600,
      "description": "List in-use Windows drivers"
    },
    "drivers_snapshot": {
      "query": "SELECT * FROM drivers;",
      "interval": 28800,
      "description": "Drivers snapshot query",
      "snapshot": true
    },
    "etc_hosts": {
      "query": "SELECT * FROM etc_hosts;",
      "interval": 3600,
      "description": "List the contents of the Windows hosts file"
    },
    "ie_extensions": {
      "query": "SELECT * FROM ie_extensions;",
      "interval": 3600,
      "description": "List installed Internet Explorer extensions"
    },
    "kernel_info": {
      "query": "SELECT * FROM kernel_info;",
      "interval": 3600,
      "description": "List the kernel path, version, etc."
    },
    "os_version": {
      "query": "SELECT * FROM os_version;",
      "interval": 3600,
      "description": "List the version of the resident operating system"
    },
    "os_version_snapshot": {
      "query": "SELECT * FROM os_version;",
      "interval": 28800,
      "description": "Operating system version snapshot query",
      "snapshot": true
    },
    "osquery_info": {
      "query": "SELECT * FROM osquery_info;",
      "interval": 28800,
      "description": "Information about the resident osquery process",
      "snapshot": true
    },
    "patches": {
      "query": "SELECT * FROM patches;",
      "interval": 3600,
      "description": "Lists all the patches applied"
    },
    "patches_snapshot": {
      "query": "SELECT * FROM patches;",
      "interval": 28800,
      "description": "Patches snapshot query",
      "snapshot": true
    },
    "programs": {
      "query": "SELECT * FROM programs;",
      "interval": 3600,
      "description": "Lists installed programs"
    },
    "programs_snapshot": {
      "query": "SELECT * FROM programs;",
      "interval": 28800,
      "description": "Programs snapshot query",
      "snapshot": true
    },
    "scheduled_tasks": {
      "query": "SELECT * FROM scheduled_tasks;",
      "interval": 3600,
      "description": "Lists all of the tasks in the Windows task scheduler"
    },
    "services": {
      "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';",
      "interval": 3600,
      "description": "Lists all installed services configured to start automatically at boot"
    },
    "services_snapshot": {
      "query": "SELECT * FROM services;",
      "interval": 28800,
      "description": "Services snapshot query",
      "snapshot": true
    },
    "shared_resources": {
      "query": "SELECT * FROM shared_resources;",
      "interval": 28800,
      "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."
    },
    "system_info": {
      "query": "SELECT * FROM system_info;",
      "interval": 3600,
      "description": "System information for identification."
    },
    "system_info_snapshot": {
      "query": "SELECT * FROM system_info;",
      "interval": 28800,
      "description": "System info snapshot query",
      "snapshot": true
    },
    "uptime": {
      "query": "SELECT * FROM uptime;",
      "interval": 3600,
      "description": "System uptime"
    },
    "users": {
      "query": "SELECT * FROM users;",
      "interval": 3600,
      "description": "Local system users."
    },
    "users_snapshot": {
      "query": "SELECT * FROM users;",
      "interval": 28800,
      "description": "Users snapshot query",
      "snapshot": true
    },
    "wmi_cli_event_consumers": {
      "query": "SELECT * FROM wmi_cli_event_consumers;",
      "interval": 3600,
      "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
    },
    "wmi_event_filters": {
      "query": "SELECT * FROM wmi_event_filters;",
      "interval": 3600,
      "description": "Lists WMI event filters."
    },
    "wmi_filter_consumer_binding": {
      "query": "SELECT * FROM wmi_filter_consumer_binding;",
      "interval": 3600,
      "description": "Lists the relationship between event consumers and filters."
    },
    "wmi_script_event_consumers": {
      "query": "SELECT * FROM wmi_script_event_consumers;",
      "interval": 3600,
      "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
    }
  }
}