Open Sockets
select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';View Full Query Details
OpenType Font Driver Vulnerability
select * from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\%' AND name = 'DisableATMFD' AND data != '1';View Full Query Details
Opera Extensions
select opera_extensions.* from users join opera_extensions using (uid);View Full Query Details
Optickit
select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');View Full Query DetailsOS Version
select * from os_version;View Full Query Details
Osquery Info
select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;View Full Query Details
OSX Backdoor Mokes
select * from file where \\
path LIKE '/Users/%/Library/App Store/storeuserd' OR \\
path LIKE '/Users/%/Library/com.apple.spotlight/SpotlightHelper' OR \\
path LIKE '/Users/%/Library/Dock/com.apple.dock.cache' OR \\
path LIKE '/Users/%/Library/Dropbox/DropboxCache' OR \\
path LIKE '/Users/%/Library/Skype/SkypeHelper' OR \\
path LIKE '/Users/%/Library/Google/Chrome/nacld' OR \\
path LIKE '/Users/%/Library/Firefox/Profiles/profiled';View Full Query DetailsOSX ColdRoot RAT Files
select * from file \\
where path in ('/private/var/tmp/com.apple.audio.driver.app/', \\
'/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/conx.wol');View Full Query DetailsOSX ColdRoot RAT Launchd
select * from launchd where name = 'com.apple.audio.driver.plist';View Full Query Details
OSX DOK 1
select * from launchd where name = 'com.apple.Safari.proxy.plist' or name = 'com.apple.Safari.proxy.pac';View Full Query Details