Mounts
select * from mounts;View Full Query Details
MoveImages
select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\moveImages'View Full Query Details
Nfs Shares
select * from nfs_shares;View Full Query Details
Nvram
select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');View Full Query DetailsOceanLotus Dropped File 1
select * from file, ( \\
select '/Library/Logs/.Logs/corevideosd' ioc union \\
select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union \\
select '/Library/Parallels/.cfg' ioc union \\
select '/Library/Preferences/.fDTYuRs' ioc union \\
select '/Library/Hash/.Hashtag/.hash' ioc union \\
select '/Library/Hash/.hash' ioc \\
) iocs where \\
file.path LIKE '/Users/%/' || ioc OR \\
file.path = iocs.ioc OR \\
file.path LIKE '/tmp/crunzip.temp.%';View Full Query DetailsOceanLotus Launchagent
select * from launchd where name = 'com.google.plugins.plist';View Full Query Details
Old Rootkits
select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');View Full Query DetailsOlyx
select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';View Full Query Details
Omega Worm
select * from file where path in ('/dev/chr');View Full Query DetailsOpen Files
select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');View Full Query Details