osquery query packs are groups of queries to be added to the osquery schedule. Here is an example:

{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "example_query": {
      "query": "select * from processes;",
      "interval": "86400",
      "description": "Description of what this query does",
      "value": "Why is this query relevant"
    }
  }
}

The location of each pack is specified in the main osquery configuration. Learn more about how to format your query packs here.
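As an added example (not osquery's own code and not part of the original page), the pack format described above worked through in Python: a resolver that lints each entry and decides which of a pack's queries a host with a given platform and osquery version would schedule. The sample pack is constructed here, modelled on the page's example and table entries; treating `version` as a minimum osquery version, `platform` as a comma-separated list (as in the `redhat,centos` entry on this page) and pack-level plus query-level gating as both having to hold are assumptions about osquery's behaviour.

```python
"""Resolve which queries from an osquery pack a given host would schedule.

Added example, not osquery's own code. Assumptions (labelled as such): the
pack-level "platform" and "version" gate the whole pack, each query's own
"platform"/"version" gate that query, "version" is the minimum osquery
version, and "platform" may be "all" or a comma-separated list.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample pack, modelled on the page's example and table entries.
SAMPLE_PACK = json.dumps({
    "platform": "all",
    "version": "1.4.5",
    "queries": {
        "kernel_modules": {
            "query": "select * from kernel_modules;",
            "interval": "3600",
            "platform": "linux",
            "description": "Loaded kernel modules.",
            "value": "Identify malware that has a kernel module component.",
        },
        "rpm_packages": {
            "query": "select * from rpm_packages;",
            "interval": "86400",
            "platform": "redhat,centos",
            "description": "Installed RPM packages.",
            "value": "General security posture.",
        },
        "sip_config": {
            "query": "select * from sip_config;",
            "interval": "86400",
            "platform": "darwin",
            "version": "1.7.0",
            "description": "System Integrity Protection configuration.",
            "value": "General security posture.",
        },
        "bad_interval": {
            "query": "select * from processes",
            "interval": "0",
            "description": "Deliberately malformed entry for the linter.",
        },
    },
})

# Distribution names the "linux" family keyword covers (assumption).
LINUX_DISTROS = {"ubuntu", "centos", "redhat", "gentoo", "linux"}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '1.4.5' into (1, 4, 5); an empty string means 'no constraint'."""
    return tuple(int(p) for p in v.split(".")) if v else ()


def platform_matches(spec: str, host_platform: str) -> bool:
    """True if a comma-separated platform spec covers host_platform."""
    wanted = {p.strip() for p in spec.split(",") if p.strip()}
    if not wanted or wanted & {"all", "any"}:
        return True
    if host_platform in wanted:
        return True
    is_linux = host_platform in LINUX_DISTROS
    if "linux" in wanted and is_linux:
        return True
    return "posix" in wanted and (is_linux or host_platform == "darwin")


def lint_query(name: str, q: Dict[str, str]) -> List[str]:
    """Return the problems with one pack entry (empty list if it is clean)."""
    problems = []
    sql = q.get("query", "").strip()
    if not sql:
        problems.append(f"{name}: missing query")
    elif not sql.endswith(";"):
        problems.append(f"{name}: query should end with ';'")
    try:
        if int(q.get("interval", "0")) <= 0:
            problems.append(f"{name}: interval must be a positive number of seconds")
    except ValueError:
        problems.append(f"{name}: interval is not an integer")
    for key in ("description", "value"):
        if not q.get(key):
            problems.append(f"{name}: missing {key}")
    return problems


def lint_pack(pack_json: str) -> List[str]:
    pack = json.loads(pack_json)
    return [p for name, q in pack["queries"].items() for p in lint_query(name, q)]


def scheduled_queries(pack_json: str, host_platform: str, osquery_version: str) -> List[str]:
    """Names of the pack's queries that would be scheduled on this host."""
    pack = json.loads(pack_json)
    host_v = version_tuple(osquery_version)
    # Pack-level gate: a non-matching pack contributes nothing (assumption).
    if not platform_matches(pack.get("platform", "all"), host_platform):
        return []
    if host_v < version_tuple(pack.get("version", "")):
        return []
    chosen = []
    for name, q in pack["queries"].items():
        # Query-level gate, applied on top of the pack-level one.
        if platform_matches(q.get("platform", "all"), host_platform) \
                and host_v >= version_tuple(q.get("version", "")):
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    for host, ver in (("centos", "1.6.0"), ("darwin", "1.6.0"), ("darwin", "1.7.0")):
        print(host, ver, "->", scheduled_queries(SAMPLE_PACK, host, ver))
    for problem in lint_pack(SAMPLE_PACK):
        print("lint:", problem)
```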

osquery already provides the following query packs:

hardware-monitoring

acpi_tables

General reporting and heuristics monitoring.
Query select * from acpi_tables;
Interval 86400
Platform all
Version
Value

cpuid

General reporting and heuristics monitoring.
Query select feature, value, output_register, output_bit, input_eax from cpuid;
Interval 86400
Platform all
Version
Value

darwin_kernel_system_controls

Double-check the information reported in kernel_info and report the kernel signature.
Query select * from system_controls where subsystem = 'kern' and (name like '%boot%' or name like '%secure%' or name like '%single%');
Interval 7200
Platform darwin
Version
Value

device_nodes

Inventory all 'device' nodes in /dev/.
Query select file.path, uid, gid, mode, 0 as atime, mtime, ctime, block_size, mode, type from file where directory = '/dev/';
Interval 600
Platform all
Version 1.6.0
Value

efi_file_hashes

Hash files related to EFI platform updates and EFI bootloaders on primary boot partition. This does not hash bootloaders on the EFI/boot partition.
Query select file.path, uid, gid, mode, 0 as atime, mtime, ctime, md5, sha1, sha256 from (select * from file where path like '/System/Library/CoreServices/%.efi' union select * from file where path like '/System/Library/LaunchDaemons/com.apple%efi%') file join hash using (path);
Interval 7200
Platform darwin
Version 1.6.1
Value

hardware_events

Retrieves all the hardware-related events in the target OSX system.
Query select * from hardware_events where path <> '' or model <> '';
Interval 7200
Platform all
Version 1.4.5
Value Determine if a third party device was attached to the system.

iokit_devicetree

Query select * from iokit_devicetree;
Interval 86400
Platform darwin
Version
Value

kernel_extensions

Retrieves all the information about the current kernel extensions for the target OSX system.
Query select * from kernel_extensions;
Interval 3600
Platform darwin
Version 1.4.5
Value

kernel_info

Report the booted kernel, potential arguments, and the device.
Query select * from kernel_info join hash using (path);
Interval 7200
Platform all
Version
Value

kernel_modules

Retrieves all the information for the current kernel modules in the target Linux system.
Query select * from kernel_modules;
Interval 3600
Platform linux
Version 1.4.5
Value

nvram

Report on crashes, alternate boots, and boot arguments.
Query select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');
Interval 1200
Platform darwin
Version
Value

pci_devices

Report an inventory of PCI devices. Attaches and detaches will show up in hardware_events.
Query select * from pci_devices;
Interval 7200
Platform all
Version
Value

smbios_tables

General reporting and heuristics monitoring.
Query select * from smbios_tables;
Interval 86400
Platform all
Version
Value

usb_devices

Report an inventory of USB devices. Attaches and detaches will show up in hardware_events.
Query select * from usb_devices;
Interval 7200
Platform all
Version
Value

incident-response

alf

Retrieves the configuration values for the Application Layer Firewall for OSX.
Query select * from alf;
Interval 3600
Platform darwin
Version 1.4.5
Value Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans

alf_exceptions

Retrieves the exceptions for the Application Layer Firewall in OSX.
Query select * from alf_exceptions;
Interval 3600
Platform darwin
Version 1.4.5
Value Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans

alf_explicit_auths

Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
Query select * from alf_explicit_auths;
Interval 3600
Platform darwin
Version 1.4.5
Value Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans

alf_services

Retrieves the services for the Application Layer Firewall in OSX.
Query select * from alf_services;
Interval 3600
Platform darwin
Version 1.4.5
Value Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans

app_schemes

Retrieves the list of application scheme/protocol-based IPC handlers.
Query select * from app_schemes;
Interval 86400
Platform darwin
Version 1.4.7
Value After-the-fact hijack detection; detect potential sensitive information leakage.

arp_cache

Retrieves the ARP cache values in the target system.
Query select * from arp_cache;
Interval 3600
Platform all
Version 1.4.5
Value Determine if MITM in progress.

crontab

Retrieves all the jobs scheduled in crontab in the target system.
Query select * from crontab;
Interval 3600
Platform all
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at a given interval

disk_encryption

Retrieves the current disk encryption status for the target system.
Query select * from disk_encryption;
Interval 86400
Platform all
Version 1.4.5
Value Identifies a system potentially vulnerable to disk cloning.

etc_hosts

Retrieves all the entries in the target system /etc/hosts file.
Query select * from etc_hosts;
Interval 86400
Platform all
Version 1.4.5
Value Identify network communications that are being redirected. Example: identify if security logging has been disabled

installed_applications

Retrieves all the currently installed applications in the target OSX system.
Query select * from apps;
Interval 3600
Platform darwin
Version 1.4.5
Value Identify malware, adware, or vulnerable packages that are installed as an application.

ip_forwarding

Retrieves the current status of IP/IPv6 forwarding.
Query select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';
Interval 3600
Platform all
Version 1.4.5
Value Identify if a machine is being used as a relay.

iptables

Retrieves the current filters and chains per filter in the target system.
Query select * from iptables;
Interval 3600
Platform linux
Version 1.4.5
Value Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans

kernel_modules

Retrieves all the information for the current kernel modules in the target Linux system.
Query select * from kernel_modules;
Interval 3600
Platform linux
Version 1.4.5
Value Identify malware that has a kernel module component.

kextstat

Retrieves all the information about the current kernel extensions for the target OSX system.
Query select * from kernel_extensions;
Interval 3600
Platform darwin
Version 1.4.5
Value Identify malware that has a kernel extension component.

last

Retrieves the list of the latest logins with PID, username and timestamp.
Query select * from last;
Interval 3600
Platform all
Version 1.4.5
Value Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.

launchd

Retrieves all the daemons that will run at startup of the target OSX system.
Query select * from launchd;
Interval 3600
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at system boot

listening_ports

Retrieves all the listening ports in the target system.
Query select * from listening_ports;
Interval 3600
Platform all
Version 1.4.5
Value Detect if a listening port is not mapped to a known process. Find backdoors.

logged_in_users

Retrieves the list of all the currently logged in users in the target system.
Query select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;
Interval 3600
Platform all
Version 1.4.5
Value Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.

loginwindow1

Retrieves all the values for the loginwindow process in the target OSX system.
Query select key, subkey, value from preferences where path = '/Library/Preferences/com.apple.loginwindow.plist';
Interval 86400
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at system boot

loginwindow2

Retrieves all the values for the loginwindow process in the target OSX system.
Query select key, subkey, value from preferences where path = '/Library/Preferences/loginwindow.plist';
Interval 86400
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at system boot

loginwindow3

Retrieves all the values for the loginwindow process in the target OSX system.
Query select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';
Interval 86400
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at system boot

loginwindow4

Retrieves all the values for the loginwindow process in the target OSX system.
Query select username, key, subkey, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';
Interval 86400
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at system boot

mounts

Retrieves the current list of mounted drives in the target system.
Query select * from mounts;
Interval 3600
Platform all
Version 1.4.5
Value Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.

nfs_shares

Retrieves the current list of Network File System mounted shares.
Query select * from nfs_shares;
Interval 3600
Platform darwin
Version 1.4.5
Value Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.

open_files

Retrieves all the open files per process in the target system.
Query select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');
Interval 86400
Platform all
Version 1.4.5
Value Identify processes accessing sensitive files they shouldn't

open_sockets

Retrieves all the open sockets per process in the target system.
Query select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';
Interval 86400
Platform all
Version 1.4.5
Value Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings

process_env

Retrieves all the environment variables per process in the target system.
Query select * from process_envs;
Interval 86400
Platform all
Version 1.4.5
Value Insight into the process data: Where was it started from, was it preloaded...

process_memory

Retrieves the memory map per process in the target Linux system.
Query select * from process_memory_map;
Interval 86400
Platform linux
Version 1.4.5
Value Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.

ramdisk

Retrieves all the ramdisks currently mounted in the target system.
Query select * from block_devices where type = 'Virtual Interface';
Interval 3600
Platform all
Version 1.4.5
Value Identify if an attacker is using temporary in-memory storage to avoid touching disk, for anti-forensics purposes.

recent_items

Retrieves the list of recent items opened in OSX by parsing the plist per user.
Query select username, key, value from preferences p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';
Interval 86400
Platform darwin
Version 1.4.5
Value Identify recently accessed items. Useful for compromised hosts.

sandboxes

Lists the application bundle that owns a sandbox label.
Query select * from sandboxes;
Interval 86400
Platform darwin
Version 1.4.7
Value After-the-fact hijack detection; detect potential sensitive information leakage.

shell_history

Retrieves the command history, per user, by parsing the shell history files.
Query select * from shell_history;
Interval 86400
Platform all
Version 1.4.5
Value Identify actions taken. Useful for compromised hosts.

startup_items

Retrieves all the items that will load when the target OSX system starts.
Query select * from startup_items;
Interval 86400
Platform darwin
Version 1.4.5
Value Identify malware that uses this persistence mechanism to launch at a given interval

suid_bin

Retrieves all the files in the target system that are setuid enabled.
Query select * from suid_bin;
Interval 3600
Platform all
Version 1.4.5
Value Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.

wireless_networks

Retrieves all the remembered wireless networks that the target machine has connected to.
Query select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;
Interval 3600
Platform darwin
Version 1.6.0
Value Identifies connections to rogue access points.

it-compliance

ad_config

Retrieves the Active Directory configuration for the target machine, attached to the domain (requires sudo).
Query select * from ad_config;
Interval 86400
Platform darwin
Version 1.4.5
Value Helps you debug domain binding / Active Directory issues in your environment.

alf

Retrieves the configuration values for the Application Layer Firewall for OSX.
Query select * from alf;
Interval 86400
Platform darwin
Version 1.4.5
Value Verify firewall settings are as expected

alf_exceptions

Retrieves the exceptions for the Application Layer Firewall in OSX.
Query select * from alf_exceptions;
Interval 86400
Platform darwin
Version 1.4.5
Value Verify firewall settings are as expected

alf_explicit_auths

Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
Query select * from alf_explicit_auths;
Interval 86400
Platform darwin
Version 1.4.5
Value Verify firewall settings are as expected

alf_services

Retrieves the services for the Application Layer Firewall in OSX.
Query select * from alf_services;
Interval 86400
Platform darwin
Version 1.4.5
Value Verify firewall settings are as expected

apt_sources

Retrieves all the APT sources to install packages from in the target Linux system.
Query select * from apt_sources;
Interval 86400
Platform ubuntu
Version 1.4.5
Value General security posture.

browser_plugins

Retrieves the list of C/NPAPI browser plugins in the target system.
Query select * from browser_plugins;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

chrome_extensions

Retrieves the list of extensions for Chrome in the target system.
Query select * from chrome_extensions;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

deb_packages

Retrieves all the installed DEB packages in the target Linux system.
Query select * from deb_packages;
Interval 86400
Platform ubuntu
Version 1.4.5
Value General security posture.

disk_encryption

Retrieves the current disk encryption status for the target system.
Query select * from disk_encryption;
Interval 86400
Platform all
Version 1.4.5
Value Identifies a system potentially vulnerable to disk cloning.

firefox_addons

Retrieves the list of addons for Firefox in the target system.
Query select * from firefox_addons;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

homebrew_packages

Retrieves the list of brew packages installed in the target OSX system.
Query select * from homebrew_packages;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

installed_applications

Retrieves all the currently installed applications in the target OSX system.
Query select * from apps;
Interval 86400
Platform darwin
Version 1.4.5
Value Find currently installed applications and versions of each.

iptables

Retrieves the current filters and chains per filter in the target system.
Query select * from iptables;
Interval 86400
Platform linux
Version 1.4.5
Value General security posture.

kernel_info

Retrieves information from the current kernel in the target system.
Query select * from kernel_info;
Interval 86400
Platform all
Version 1.4.5
Value Identify out-of-date kernels or version drift across your infrastructure

kernel_modules

Retrieves the current list of loaded kernel modules in the target Linux system.
Query select * from kernel_modules;
Interval 86400
Platform linux
Version 1.4.5
Value General security posture.

keychain_items

Retrieves all the items contained in the keychain in the target OSX system.
Query select * from keychain_items;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

launchd

Retrieves all the daemons that will run at startup of the target OSX system.
Query select * from launchd;
Interval 86400
Platform darwin
Version 1.4.5
Value Visibility on what starts in the system.

mounts

Retrieves the current list of mounted drives in the target system.
Query select * from mounts;
Interval 86400
Platform all
Version 1.4.5
Value Verify if mounts are accessible to those who need it

nfs_shares

Retrieves the current list of Network File System mounted shares.
Query select * from nfs_shares;
Interval 86400
Platform darwin
Version 1.4.5
Value Verify if shares are accessible to those who need it

os_version

Retrieves information about the operating system on which osquery is currently running.
Query select * from os_version;
Interval 86400
Platform all
Version 1.4.5
Value Identify out-of-date operating systems or version drift across your infrastructure

osquery_info

Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.
Query select * from time, osquery_info;
Interval 86400
Platform all
Version 1.4.5
Value Identify if your infrastructure is running the correct osquery version and which hosts may have drifted

package_receipts

Retrieves all the PKG related information stored in OSX.
Query select * from package_receipts;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

portage_packages

Retrieves all the packages installed with portage from the target Linux system.
Query select * from portage_use;
Interval 86400
Platform gentoo
Version 2.0.0
Value General security posture.

rpm_packages

Retrieves all the installed RPM packages in the target Linux system.
Query select * from rpm_packages;
Interval 86400
Platform redhat,centos
Version 1.4.5
Value General security posture.

safari_extensions

Retrieves the list of extensions for Safari in the target system.
Query select * from safari_extensions;
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

sip_config

Retrieves the current System Integrity Protection configuration in the target system.
Query select * from sip_config;
Interval 86400
Platform darwin
Version 1.7.0
Value General security posture.

usb_devices

Retrieves the current list of USB devices in the target system.
Query select * from usb_devices;
Interval 86400
Platform all
Version 1.4.5
Value General security posture.

osquery-monitoring

events

Report event publisher health and track event counters.
Query select name, publisher, type, subscriptions, events, active from osquery_events;
Interval 86400
Platform all
Version
Value

osquery_info

A heartbeat counter that reports general performance (CPU, memory) and version.
Query select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
Interval 600
Platform all
Version
Value

schedule

Report performance for every query within packs and the general schedule.
Query select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;
Interval 7200
Platform all
Version 1.6.0
Value

osx-attacks

Aobo_Keylogger

(http://aobo.cc/aobo-mac-os-x-keylogger.html)
Query select * from launchd where name like 'com.ab.kl%.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Backdoor_MAC_Eleanor

(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)
Query SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

BlazingKeylogger

(http://www.blazingtools.com/mac_keylogger.html)
Query select * from launchd where name = 'com.BT.BPK.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Buca

(http://www.thesafemac.com/arg-buca-apps/)
Query select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Bundlore

(http://www.thesafemac.com/arg-bundlore/)
Query select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

CallMe

(https://www.f-secure.com/weblog/archives/00002546.html)
Query select * from launchd where name = 'realPlayerUpdate.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Careto

(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)
Query select * from launchd where path like '%com.apple.launchport.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Codecm

(http://www.thesafemac.com/osxfkcodec-a-in-action/)
Query select * from launchd where name = 'com.codecm.uploader.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Conduit

(http://www.thesafemac.com/arg-conduit/)
Query select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

DevilRobber

(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)
Query select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Dockster

(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)
Query select * from launchd where name = 'mac.Dockset.deman.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

EliteKeylogger

(https://www.elitekeyloggers.com/elite-keylogger-mac)
Query select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Genieo

(http://www.thesafemac.com/arg-genieo/)
Query select * from launchd where name = 'com.genieo.completer.download.plist' OR name = 'com.genieo.completer.update.plist' OR name = 'com.genieo.completer.ltvbit.plist' OR name = 'com.installer.completer.download.plist' OR name = 'com.installer.completer.update.plist' OR name = 'com.installer.completer.ltvbit.plist' OR name = 'com.genieoinnovation.macextension.plist' OR name = 'com.genieoinnovation.macextension.client.plist' OR name = 'com.genieo.engine.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

GenieoPart2

New version of Genieo
Query select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

HackingTeam_Mac_Persistence

Detects the persistence mechanism used by Hacking Team
Query select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by Hacking Team

HackingTeam_Mac_RAT1

Detects the RAT used by Hacking Team
Query select * from file where path = '/dev/ptmx0';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

HackingTeam_Mac_RAT2

Detects the RAT used by Hacking Team
Query select * from apps where bundle_identifier = 'com.ht.RCSMac';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

HackingTeam_Mac_RAT3

Detects the RAT used by Hacking Team
Query select * from launchd where label = 'com.ht.RCSMac' OR name = 'com.apple.loginStoreagent.plist' OR name = 'com.apple.mdworker.plist' OR name = 'com.apple.UIServerLogin.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Icefog

(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)
Query select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Imuler

(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)
Query select * from launchd where name = 'checkflr.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Inqtana

(https://www.f-secure.com/v-descs/inqtana_a.shtml)
Query select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Java_Adwind_Trojan

(https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/)
Query select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Keranger_1

(http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)
Query select * from processes where name = 'kernel_service';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Keranger_2

(http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)
Query select * from file where path LIKE '/Users/%/Library/.kernel_%' OR path LIKE '/Users/%/Library/kernel_service';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Leverage-A_1

(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)
Query select * from launchd where path like '%UserEvent.System.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Leverage-A_2

(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)
Query select * from file where path = '/Users/Shared/UserEvent.app';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

MacKontrol

(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)
Query select * from launchd where name = 'com.apple.FolderActionsxl.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Morcut

(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)
Query select * from launchd where name = 'com.apple.mdworker.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OSX_Backdoor_Mokes

(https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/)
Query select * from file where path LIKE '/Users/%/Library/App Store/storeuserd' OR path LIKE '/Users/%/Library/com.apple.spotlight/SpotlightHelper' OR path LIKE '/Users/%/Library/Dock/com.apple.dock.cache' OR path LIKE '/Users/%/Library/Dropbox/DropboxCache' OR path LIKE '/Users/%/Library/Skype/SkypeHelper' OR path LIKE '/Users/%/Library/Google/Chrome/nacld' OR path LIKE '/Users/%/Library/Firefox/Profiles/profiled';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OSX_Keydnap

(http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials)
Query select * from launchd where name IN ('com.apple.iCloud.sync.daemon', 'com.geticloud.icloud.photo');
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OSX_Komplex

(http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/)
Query select * from file where path = '/Users/Shared/.local/kext' or path = '/Users/Shared/com.apple.updates.plist' or path = '/Users/Shared/start.sh';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OSX_Pirrit

(https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/)
Query select * from preferences where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OceanLotus_dropped_file_1

OceanLotus dropped file (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)
Query select * from file, ( select '/Library/Logs/.Logs/corevideosd' ioc union select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union select '/Library/Parallels/.cfg' ioc union select '/Library/Preferences/.fDTYuRs' ioc union select '/Library/Hash/.Hashtag/.hash' ioc union select '/Library/Hash/.hash' ioc ) iocs where file.path LIKE '/Users/%/' || ioc OR file.path = iocs.ioc OR file.path LIKE '/tmp/crunzip.temp.%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

OceanLotus_launchagent

OceanLotus Launch Agent (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)
Query select * from launchd where name = 'com.google.plugins.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Olyx

(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)
Query select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

PremierOpinion

(http://www.thesafemac.com/arg-premier-opinion/)
Query select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

PubSab

(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)
Query select * from launchd where name = 'com.apple.PubSabAgent.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Quimitchin_Backdoor

Quimitchin Launch Agent (https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/)
Query select * from launchd where name = 'com.client.client.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

SearchInstUpdater

(https://www.virustotal.com/en/file/9530d481f7bb07aac98a46357bfcff96e2936a90571b4629ae865a2ce63e5c8e/analysis/1458973247/)
Query select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

SniperSpy

(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)
Query select * from launchd where name = 'com.rxs.syslogagent.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Spigot

(http://www.thesafemac.com/arg-spigot/)
Query select * from launchd where name like 'com.spigot.%.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Tibet.D

(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)
Query select * from launchd where path like '%com.apple.AudioService.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Vsearch

(http://www.thesafemac.com/arg-downlite/)
Query select * from launchd where name = 'com.vsearch.agent.plist' OR name = 'com.vsearch.daemon.plist' OR name = 'com.vsearch.helper.plist' OR name = 'Jack.plist' OR program_arguments = '/etc/run_upd.sh' OR program_arguments LIKE '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

Whitesmoke

(http://www.thesafemac.com/osxfkcodec-a-in-action/)
Query select * from launchd where name = 'com.whitesmoke.uploader.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

WireLurker

(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)
Query select * from launchd where name = 'com.apple.machook_damon.plist' OR name = 'com.apple.globalupdate.plist' OR name = 'com.apple.appstore.plughelper.plist' OR name = 'com.apple.MailServiceAgentHelper.plist' OR name = 'com.apple.systemkeychain-helper.plist' OR name = 'com.apple.periodic-dd-mm-yy.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

XSLCmd

(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)
Query select * from launchd where name = 'com.apple.service.clipboardd.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

XcodeGhost

Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)
Query select * from ( select apps.bundle_short_version as xcode_version, apps.path as xcode_path, file.path, file.type as file_type from apps, file where apps.bundle_name='Xcode' and file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') ) join hash using (path) where file_type = 'regular';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

iWorkServ

(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)
Query select * from startup_items where path like '%iWorkServices%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

iWorm

(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)
Query select * from launchd where name = 'com.JavaW.plist';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

iWorm_1

(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)
Query select * from file where path like '/Library/Application Support/JavaW%';
Interval 3600
Platform darwin
Version 1.4.5
Value Artifact used by this malware

xprotect_reports

Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.
Query select * from xprotect_reports;
Interval 1200
Platform darwin
Version 1.4.5
Value Although XProtect reports are rare, they may be worth collecting and aggregating internally.

vuln-management

apt_sources

Retrieves all the APT sources to install packages from in the target Linux system.
Query select * from apt_sources;
Interval 86400
Platform ubuntu
Version 1.4.5
Value In the future this may not have much value, as we expect only signed packages to be installed.

browser_plugins

Retrieves the list of C/NPAPI browser plugins in the target system.
Query select browser_plugins.* from users join browser_plugins using (uid);
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

chrome_extensions

Retrieves the list of extensions for Chrome in the target system.
Query select chrome_extensions.* from users join chrome_extensions using (uid);
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

deb_packages

Retrieves all the installed DEB packages in the target Linux system.
Query select * from deb_packages;
Interval 86400
Platform ubuntu
Version 1.4.5
Value This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed.

firefox_addons

Retrieves the list of addons for Firefox in the target system.
Query select firefox_addons.* from users join firefox_addons using (uid);
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

homebrew_packages

Retrieves the list of brew packages installed in the target OSX system.
Query select * from homebrew_packages;
Interval 86400
Platform darwin
Version 1.4.5
Value This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed.

installed_applications

Retrieves all the currently installed applications in the target OSX system.
Query select * from apps;
Interval 86400
Platform darwin
Version 1.4.5
Value This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed.

kernel_info

Retrieves information from the current kernel in the target system.
Query select * from kernel_info;
Interval 86400
Platform all
Version 1.4.5
Value The kernel version can be matched against known vulnerabilities for that version.

kernel_modules

Retrieves all the information for the current kernel modules in the target Linux system.
Query select * from kernel_modules;
Interval 86400
Platform linux
Version 1.4.5
Value Only for Linux. It may pinpoint inserted modules that can carry malicious payloads.

kextstat

Retrieves all the information about the current kernel extensions for the target OSX system.
Query select * from kernel_extensions;
Interval 86400
Platform darwin
Version 1.4.5
Value Only for OS X. It may pinpoint inserted modules that can carry malicious payloads.

os_version

Retrieves the version of the operating system running on the target system.
Query select * from os_version;
Interval 86400
Platform all
Version 1.4.5
Value The OS version tells which distribution and release the host is running, allowing the main distribution to be detected.

package_receipts

Retrieves all the PKG related information stored in OSX.
Query select * from package_receipts;
Interval 86400
Platform darwin
Version 1.4.5
Value It could give you a trail of installed/deleted packages

portage_packages

Retrieves all the installed packages on the target Linux system.
Query select * from portage_packages;
Interval 86400
Platform gentoo
Version 2.0.0
Value This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed.

rpm_packages

Retrieves all the installed RPM packages in the target Linux system.
Query select * from rpm_packages;
Interval 86400
Platform redhat,centos
Version 1.4.5
Value This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed.

safari_extensions

Retrieves the list of extensions for Safari in the target system.
Query select safari_extensions.* from users join safari_extensions using (uid);
Interval 86400
Platform darwin
Version 1.4.5
Value General security posture.

unauthenticated_sparkle_feeds

Retrieves all application bundles using unauthenticated Sparkle update feeds. See https://vulnsec.com/2016/osx-apps-vulnerabilities/ for details.
Query select feeds.*, p2.value as sparkle_version from (select a.name as app_name, a.path as app_path, a.bundle_identifier as bundle_id, p.value as feed_url from (select name, path, bundle_identifier from apps) a, preferences p where p.path = a.path || '/Contents/Info.plist' and p.key = 'SUFeedURL' and feed_url like 'http://%') feeds left outer join preferences p2 on p2.path = app_path || '/Contents/Frameworks/Sparkle.framework/Resources/Info.plist' where (p2.key = 'CFBundleShortVersionString' OR coalesce(p2.key, '') = '');
Interval 86400
Platform darwin
Version 1.4.5
Value Tracking vulnerable application updates may allow blocking of the feed at the DNS level or removal of the application by bundle ID.