trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
87ef15ade9e114941c9027f695fb93d9e4cb86d2
DetectionLab/Vagrant/resources/osquery/osquery.conf
Chris Long 1577341ce9 Initial commit
2017-12-11 08:49:25 -08:00

152 lines
5.3 KiB
Plaintext
Raw Blame History

{
"options": {
"schedule_splay_percent": 10
},
"platform": "windows",
"schedule": {
"chocolatey_packages": {
"query": "SELECT * FROM chocolatey_packages;",
"interval": 3600,
"description": "List installed Chocolatey packages"
},
"chrome_extensions": {
"query": "SELECT * FROM users JOIN chrome_extensions USING (uid);",
"interval": 3600,
"description": "List installed Chrome Extensions for all users"
},
"drivers": {
"query": "SELECT * FROM drivers;",
"interval": 3600,
"description": "List in-use Windows drivers"
},
"drivers_snapshot": {
"query": "SELECT * FROM drivers;",
"interval": 28800,
"description": "Drivers snapshot query",
"snapshot": true
},
"etc_hosts": {
"query": "SELECT * FROM etc_hosts;",
"interval": 3600,
"description": "List the contents of the Windows hosts file"
},
"ie_extensions": {
"query": "SELECT * FROM ie_extensions;",
"interval": 3600,
"description": "List installed Internet Explorer extensions"
},
"kernel_info": {
"query": "SELECT * FROM kernel_info;",
"interval": 3600,
"description": "List the kernel path, version, etc."
},
"os_version": {
"query": "SELECT * FROM os_version;",
"interval": 3600,
"description": "List the version of the resident operating system"
},
"os_version_snapshot": {
"query": "SELECT * FROM os_version;",
"interval": 28800,
"description": "Operating system version snapshot query",
"snapshot": true
},
"osquery_info": {
"query": "SELECT * FROM osquery_info;",
"interval": 28800,
"description": "Information about the resident osquery process",
"snapshot": true
},
"patches": {
"query": "SELECT * FROM patches;",
"interval": 3600,
"description": "Lists all the patches applied"
},
"patches_snapshot": {
"query": "SELECT * FROM patches;",
"interval": 28800,
"description": "Patches snapshot query",
"snapshot": true
},
"programs": {
"query": "SELECT * FROM programs;",
"interval": 3600,
"description": "Lists installed programs"
},
"programs_snapshot": {
"query": "SELECT * FROM programs;",
"interval": 28800,
"description": "Programs snapshot query",
"snapshot": true
},
"scheduled_tasks": {
"query": "SELECT * FROM scheduled_tasks;",
"interval": 3600,
"description": "Lists all of the tasks in the Windows task scheduler"
},
"services": {
"query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';",
"interval": 3600,
"description": "Lists all installed services configured to start automatically at boot"
},
"services_snapshot": {
"query": "SELECT * FROM services;",
"interval": 28800,
"description": "Services snapshot query",
"snapshot": true
},
"shared_resources": {
"query": "SELECT * FROM shared_resources;",
"interval": 28800,
"description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."
},
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 3600,
"description": "System information for identification."
},
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 28800,
"description": "System info snapshot query",
"snapshot": true
},
"uptime": {
"query": "SELECT * FROM uptime;",
"interval": 3600,
"description": "System uptime"
},
"users": {
"query": "SELECT * FROM users;",
"interval": 3600,
"description": "Local system users."
},
"users_snapshot": {
"query": "SELECT * FROM users;",
"interval": 28800,
"description": "Users snapshot query",
"snapshot": true
},
"wmi_cli_event_consumers": {
"query": "SELECT * FROM wmi_cli_event_consumers;",
"interval": 3600,
"description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
},
"wmi_event_filters": {
"query": "SELECT * FROM wmi_event_filters;",
"interval": 3600,
"description": "Lists WMI event filters."
},
"wmi_filter_consumer_binding": {
"query": "SELECT * FROM wmi_filter_consumer_binding;",
"interval": 3600,
"description": "Lists the relationship between event consumers and filters."
},
"wmi_script_event_consumers": {
"query": "SELECT * FROM wmi_script_event_consumers;",
"interval": 3600,
"description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
}
}
}
Reference in New Issue View Git Blame Copy Permalink