forked from CycloneDX/cdxgen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathqueries.json
213 lines (213 loc) · 8.39 KB
/
queries.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
{
"os_version": {
"query": "select * from os_version;",
"description": "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
"purlType": "swid",
"componentType": "operating-system"
},
"kernel_info": {
"query": "select * from kernel_info;",
"name": "os-image",
"description": "Retrieves information from the current kernel in the target system.",
"purlType": "swid",
"componentType": "operating-system"
},
"chrome_extensions": {
"query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
"description": "Retrieves the list of extensions for Chrome in the target system.",
"purlType": "swid",
"componentType": "application"
},
"firefox_addons": {
"query": "select firefox_addons.* from users join firefox_addons using (uid);",
"description": "Retrieves the list of addons for Firefox in the target system.",
"purlType": "swid",
"componentType": "application"
},
"deb_packages": {
"query": "select * from deb_packages;",
"description": "Retrieves all the installed DEB packages in the target Linux system.",
"purlType": "deb"
},
"apt_sources": {
"query": "select * from apt_sources;",
"description": "Retrieves all the APT sources to install packages from in the target Linux system.",
"purlType": "deb"
},
"yum_sources": {
"query": "select * from yum_sources;",
"description": "Display yum package manager sources.",
"purlType": "yum"
},
"portage_packages": {
"query": "select * from portage_packages;",
"description": "Retrieves all the installed packages on the target Linux system.",
"purlType": "ebuild"
},
"rpm_packages": {
"query": "select * from rpm_packages;",
"description": "Retrieves all the installed RPM packages in the target Linux system.",
"purlType": "rpm"
},
"python_packages": {
"query": "select * from python_packages;",
"description": "Python packages installed on system.",
"purlType": "pypi"
},
"windows_programs": {
"query": "select * from programs;",
"description": "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
"purlType": "swid",
"componentType": "application"
},
"windows_patches": {
"query": "select * from patches;",
"description": "Retrieves all the information for the current windows drivers in the target Windows system.",
"purlType": "swid",
"componentType": "application"
},
"windows_drivers": {
"query": "select * from drivers;",
"description": "Retrieves all the information for the current windows drivers in the target Windows system.",
"purlType": "swid",
"componentType": "device-driver"
},
"windows_shared_resources": {
"query": "select * from shared_resources;",
"description": "Retrieves the list of shared resources in the target Windows system.",
"purlType": "swid",
"componentType": "data"
},
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"description": "System info snapshot query.",
"purlType": "swid",
"componentType": "data"
},
"pipes_snapshot": {
"query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);",
"description": "Pipes snapshot query.",
"purlType": "swid",
"componentType": "data"
},
"services_snapshot": {
"query": "SELECT * FROM services;",
"description": "Services snapshot query.",
"purlType": "swid",
"componentType": "data"
},
"etc_hosts": {
"query": "SELECT * FROM etc_hosts;",
"description": "List the contents of the Windows hosts file.",
"purlType": "swid",
"componentType": "data"
},
"scheduled_tasks": {
"query": "SELECT * FROM scheduled_tasks;",
"description": "List all scheduled_tasks.",
"purlType": "swid",
"componentType": "data"
},
"homebrew_packages": {
"query": "SELECT * FROM homebrew_packages;",
"description": "List all homebrew_packages.",
"purlType": "swid",
"componentType": "data"
},
"installed_applications": {
"query": "SELECT * FROM apps;",
"description": "List all macos apps.",
"purlType": "swid",
"componentType": "data"
},
"kernel_integrity": {
"query": "SELECT * FROM kernel_integrity;",
"description": "Various Linux kernel integrity checked attributes.",
"purlType": "swid",
"componentType": "data"
},
"crontab_snapshot": {
"query": "SELECT * FROM crontab;",
"description": "Retrieves all the jobs scheduled in crontab in the target system.",
"purlType": "swid",
"componentType": "data"
},
"kernel_modules": {
"query": "SELECT * FROM kernel_modules;",
"description": "Linux kernel modules both loaded and within the load search path.",
"purlType": "swid",
"componentType": "data"
},
"behavioral_reverse_shell": {
"query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
"description": "Find shell processes that have open sockets.",
"purlType": "swid",
"componentType": "data"
},
"process_events": {
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"description": "Process events collected from the audit framework.",
"purlType": "swid",
"componentType": "data"
},
"ld_preload": {
"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
"description": "Any processes that run with an LD_PRELOAD environment variable.",
"purlType": "swid",
"componentType": "data"
},
"certificates": {
"query": "SELECT * FROM certificates WHERE path != 'Other People';",
"description": "List all certificates in the trust store.",
"purlType": "swid",
"componentType": "data"
},
"processes": {
"query": "SELECT * FROM processes;",
"description": "List all processes.",
"purlType": "swid",
"componentType": "data"
},
"startup_items": {
"query": "SELECT * FROM startup_items;",
"description": "List all startup_items.",
"purlType": "swid",
"componentType": "data"
},
"listening_ports": {
"query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
"description": "List all processes and their listening_ports.",
"purlType": "swid",
"componentType": "application"
},
"interface_addresses": {
"query": "SELECT * FROM interface_addresses;",
"description": "List all interface_addresses.",
"purlType": "swid",
"componentType": "data"
},
"docker_container_ports": {
"query": "SELECT * FROM docker_container_ports;",
"description": "List all docker_container_ports.",
"purlType": "swid",
"componentType": "data"
},
"docker_containers": {
"query": "SELECT * FROM docker_containers;",
"description": "List all docker_containers.",
"purlType": "swid",
"componentType": "data"
},
"docker_networks": {
"query": "SELECT * FROM docker_networks;",
"description": "List all docker_networks.",
"purlType": "swid",
"componentType": "data"
},
"docker_volumes": {
"query": "SELECT * FROM docker_volumes;",
"description": "List all docker_volumes.",
"purlType": "swid",
"componentType": "data"
}
}