select * from registry where key like 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\%\EnforcementMode'

select * from file where path in ('/dev/cuc');

select safari_extensions.* from users join safari_extensions using (uid);

select * from registry where key like 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\%\%\%\SaferFlags'

select * from sandboxes;

select * from file where path in ('/tmp/.uua', '/tmp/.a');

select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;

select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';

select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled'

SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';