Skip to content

Instantly share code, notes, and snippets.

@githubfoam
Last active July 15, 2021 10:18
Show Gist options
  • Save githubfoam/6753b5efad8e5ab8fa2ca29ce7b29988 to your computer and use it in GitHub Desktop.
Save githubfoam/6753b5efad8e5ab8fa2ca29ce7b29988 to your computer and use it in GitHub Desktop.
macos_osquery
#all local user accounts that exist on a machine
SELECT * FROM users WHERE username NOT LIKE '\_%' ESCAPE '\';
# finds all users who have actual login shells
SELECT * FROM users WHERE shell NOT LIKE '%false' AND shell NOT LIKE '%true';
#listening ports
SELECT p.name, address, port, family, protocol,
COALESCE(NULLIF(pos.path,''), p.path) AS path
FROM listening_ports AS pos
INNER JOIN processes AS p ON p.pid = pos.pid
WHERE address <> ""
AND port != 0
AND pos.pid > 0
LIMIT 5;
#information about the specified file on disk
SELECT file.path, users.username AS owner,
groups.groupname AS groups,
datetime(file.btime,'unixepoch') AS created,
datetime(file.mtime,'unixepoch') AS last_mod,
ROUND((file.size * 10e-7),4) AS size_mb
FROM file
JOIN users USING (uid)
JOIN groups USING (gid)
WHERE path LIKE '/Users/%/Downloads/%%'
ORDER BY last_mod DESC;
#shell_history,search for the executed commands on the system.
SELECT uid,
username,
shell,
command
FROM users
JOIN shell_history USING (uid);
#sudo rules present on a system.
SELECT * FROM sudoers;
SELECT * FROM sudoers WHERE rule_details LIKE '%ALL';
#List system information
select cpu_type, cpu_brand, hardware_vendor, hardware_model from system_info;
#Find remaining hard disk storage
select path, type, round((blocks_available * blocks_size *10e-10),2) as gigs_free from mounts where path='/';
#Find apps installed on machine
select display_name, bundle_short_version, bundle_version from apps limit 1;
#Find the process running on port 8080
select pid from listening_ports where port = 8080;
#join it with processes
select p.pid, p.name, p.state,p.uid, lp.port from processes p join listening_ports lp on p.pid = lp.pid and lp.port=8080;
#Find top 5 most CPU intensive processes
SELECT pid, uid, name, ROUND((
(user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)
) * 100, 2) AS percentage
FROM processes, (
SELECT (
SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,
SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb
FROM cpu_time
) AS cpu_time
ORDER BY user_time+system_time DESC
LIMIT 5;
#Find top 5 most memory intensive processes
SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS used FROM processes ORDER BY total_size DESC LIMIT 5;
#who is logged into the system
select * from logged_in_users;
#List Python packages installed in default Python
select name, version from python_packages;
# Find the last docker image installed in my local registry
select id,tags from docker_images order by created desc limit 1;
#find processes that are running whose binary has been deleted from the disk
SELECT name, path, pid FROM processes WHERE on_disk = 0;
# audited socket events
sudo osqueryd -S --disable_events=false --audit_allow_sockets --disable_audit=false
#CTI, DFIR, OSX
Finding specific indicators of compromise (IOCs) in memory or on disk; Facebook has provided the queries which detect Hacking Team’s OSX backdoor by querying for specific persistent mechanisms and file system activity on OSX
select * from file where path = '/dev/ptmx0';
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment