Last active
July 15, 2021 10:18
-
-
Save githubfoam/6753b5efad8e5ab8fa2ca29ce7b29988 to your computer and use it in GitHub Desktop.
macos_osquery
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#all local user accounts that exist on a machine | |
SELECT * FROM users WHERE username NOT LIKE '\_%' ESCAPE '\'; | |
# finds all users who have actual login shells | |
SELECT * FROM users WHERE shell NOT LIKE '%false' AND shell NOT LIKE '%true'; | |
#listening ports | |
SELECT p.name, address, port, family, protocol, | |
COALESCE(NULLIF(pos.path,''), p.path) AS path | |
FROM listening_ports AS pos | |
INNER JOIN processes AS p ON p.pid = pos.pid | |
WHERE address <> "" | |
AND port != 0 | |
AND pos.pid > 0 | |
LIMIT 5; | |
#information about the specified file on disk | |
SELECT file.path, users.username AS owner, | |
groups.groupname AS groups, | |
datetime(file.btime,'unixepoch') AS created, | |
datetime(file.mtime,'unixepoch') AS last_mod, | |
ROUND((file.size * 10e-7),4) AS size_mb | |
FROM file | |
JOIN users USING (uid) | |
JOIN groups USING (gid) | |
WHERE path LIKE '/Users/%/Downloads/%%' | |
ORDER BY last_mod DESC; | |
#shell_history,search for the executed commands on the system. | |
SELECT uid, | |
username, | |
shell, | |
command | |
FROM users | |
JOIN shell_history USING (uid); | |
#sudo rules present on a system. | |
SELECT * FROM sudoers; | |
SELECT * FROM sudoers WHERE rule_details LIKE '%ALL'; | |
#List system information | |
select cpu_type, cpu_brand, hardware_vendor, hardware_model from system_info; | |
#Find remaining hard disk storage | |
select path, type, round((blocks_available * blocks_size *10e-10),2) as gigs_free from mounts where path='/'; | |
#Find apps installed on machine | |
select display_name, bundle_short_version, bundle_version from apps limit 1; | |
#Find the process running on port 8080 | |
select pid from listening_ports where port = 8080; | |
#join it with processes | |
select p.pid, p.name, p.state,p.uid, lp.port from processes p join listening_ports lp on p.pid = lp.pid and lp.port=8080; | |
#Find top 5 most CPU intensive processes | |
SELECT pid, uid, name, ROUND(( | |
(user_time + system_time) / (cpu_time.tsb - cpu_time.itsb) | |
) * 100, 2) AS percentage | |
FROM processes, ( | |
SELECT ( | |
SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb, | |
SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb | |
FROM cpu_time | |
) AS cpu_time | |
ORDER BY user_time+system_time DESC | |
LIMIT 5; | |
#Find top 5 most memory intensive processes | |
SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS used FROM processes ORDER BY total_size DESC LIMIT 5; | |
#who is logged into the system | |
select * from logged_in_users; | |
#List Python packages installed in default Python | |
select name, version from python_packages; | |
# Find the last docker image installed in my local registry | |
select id,tags from docker_images order by created desc limit 1; | |
#find processes that are running whose binary has been deleted from the disk | |
SELECT name, path, pid FROM processes WHERE on_disk = 0; | |
# audited socket events | |
sudo osqueryd -S --disable_events=false --audit_allow_sockets --disable_audit=false | |
#CTI, DFIR, OSX | |
Finding specific indicators of compromise (IOCs) in memory or on disk; Facebook has provided the queries which detect Hacking Team’s OSX backdoor by querying for specific persistent mechanisms and file system activity on OSX | |
select * from file where path = '/dev/ptmx0'; | |
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX'; | |
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist'; | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment