Downloads:

373,785

Downloads of v 4.5.1:

3,695

Last Update:

09 Nov 2020

Package Maintainer(s):

Software Author(s):

  • osquery

Tags:

infosec tools security

osquery

4.5.1 | Updated: 09 Nov 2020

Downloads:

373,785

Downloads of v 4.5.1:

3,695

Maintainer(s):

Software Author(s):

  • osquery

osquery 4.5.1

All Checks are Passing

2 Passing Test


Validation Testing Passed


Verification Testing Passed

Details

To install osquery, run the following command from the command line or from PowerShell:

>

To upgrade osquery, run the following command from the command line or from PowerShell:

>

To uninstall osquery, run the following command from the command line or from PowerShell:

>

NOTE: This applies to both open source and commercial editions of Chocolatey.

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://chocolatey.org/api/v2. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Enter your internal repository url

(this should look similar to https://chocolatey.org/api/v2)

4. Choose your deployment method:


choco upgrade osquery -y --source="'STEP 3 URL'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade osquery -y --source="'STEP 3 URL'"
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode

- name: Ensure osquery installed
  win_chocolatey:
    name: osquery
    state: present
    version: 4.5.1
    source: STEP 3 URL

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.

Coming early 2020! Central Managment Reporting available now! More information...


chocolatey_package 'osquery' do
  action    :install
  version  '4.5.1'
  source   'STEP 3 URL'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


Chocolatey::Ensure-Package
(
    Name: osquery,
    Version: 4.5.1,
    Source: STEP 3 URL
);

Requires Otter Chocolatey Extension. See docs at https://inedo.com/den/otter/chocolatey.


cChocoPackageInstaller osquery
{
   Name     = 'osquery'
   Ensure   = 'Present'
   Version  = '4.5.1'
   Source   = 'STEP 3 URL'
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'osquery':
  provider => 'chocolatey',
  ensure   => '4.5.1',
  source   => 'STEP 3 URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.


salt '*' chocolatey.install osquery version="4.5.1" source="STEP 3 URL"

See docs at https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.chocolatey.html.

5. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

This package was approved as a trusted package on 09 Nov 2020.

Description

osquery allows you to easily ask questions about your Linux, macOS, and
Windows infrastructure. Whether your goal is intrusion detection,
infrastructure reliability, or compliance, osquery gives you the ability
to empower and inform a broad set of organizations within your company.

### Package Parameters
* /InstallService - This creates a new windows service that will
auto-start the daemon.

These parameters can be passed to the installer with the use of
--params. For example: --params='/InstallService'.


certs\certs.pem
 
LICENSE.txt
# License

By contributing to osquery you agree that your contributions will be licensed
under the terms of both the [LICENSE-Apache-2.0](LICENSE-Apache-2.0) and the
[LICENSE-GPL-2.0](LICENSE-GPL-2.0) files in the root of this source tree.

If you're using osquery you are free to choose one of the provided licenses.

`SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-only`
manage-osqueryd.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

param(
  [string] $startupArgs = "",
  [switch] $install = $false,
  [switch] $uninstall = $false,
  
  [switch] $start = $false,
  [switch] $stop = $false,
  
  [switch] $help = $false,
  [switch] $debug = $false,

  [switch] $installWelManifest = $false,
  [switch] $uninstallWelManifest = $false,
  [string] $welManifestPath = (Join-Path $PSScriptRoot "osquery.man")
)

$kServiceName = "osqueryd"
$kServiceDescription = "osquery daemon service"
$kServiceBinaryPath = Resolve-Path ([System.IO.Path]::Combine($PSScriptRoot, '..', 'osquery', 'osqueryd', 'osqueryd.exe'))

# Adapted from http://www.jonathanmedd.net/2014/01/testing-for-admin-privileges-in-powershell.html
function Test-IsAdmin {
  return ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole] "Administrator"
  )
}

function Do-Help {
  $programName = (Get-Item $PSCommandPath ).Name
  
  Write-Host "Usage: $programName (-install|-uninstall|-start|-stop|-help)" -foregroundcolor Yellow
  Write-Host ""
  Write-Host "  Only one of the following options can be used. Using multiple will result in "
  Write-Host "  options being ignored."
  Write-Host "    -install                  Install the osqueryd service"
  Write-Host "    -startupArgs              Specifies additional arguments for the service (only used with -install)"
  Write-Host "    -uninstall                Uninstall the osqueryd service"
  Write-Host "    -start                    Start the osqueryd service"
  Write-Host "    -stop                     Stop the osqueryd service"
  Write-Host "    -installWelManifest       Installs the Windows Event Log manifest"
  Write-Host "    -uninstallWelManifest     Uninstalls the Windows Event Log manifest"
  Write-Host "    -welManifestPath <path>   The Windows Event Log manifest path"
  Write-Host ""
  Write-Host "    -help                     Shows this help screen"
  
  Exit 1
}

function Do-Service {
  if (-not (Test-Path $kServiceBinaryPath)) {
    Write-Host "'$kServiceBinaryPath' is not a valid file. Did you build the osquery daemon?" -foregroundcolor Red
    Exit -1
  }
  
  $osquerydService = Get-WmiObject -Class Win32_Service -Filter "Name='$kServiceName'"
  
  if ($install) {
    if ($osquerydService) {
      Write-Host "'$kServiceName' is already installed." -foregroundcolor Yellow
      Exit 1
    } else {
      New-Service -BinaryPathName "$kServiceBinaryPath $startupArgs" `
                  -Name $kServiceName `
                  -DisplayName $kServiceName `
                  -Description $kServiceDescription `
                  -StartupType Automatic
      Write-Host "Installed '$kServiceName' system service." -foregroundcolor Cyan
      Exit 0
    }
  } elseif ($uninstall) {
    if ($osquerydService) {
      Stop-Service $kServiceName
      
      Write-Host "Found '$kServiceName', stopping the system service..."
      
      Start-Sleep -s 5
      
      Write-Host "System service should be stopped."
      
      $osquerydService.Delete()
      Write-Host "System service '$kServiceName' uninstalled." -foregroundcolor Cyan
      
      Exit 0
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1
    }
  } elseif ($start) {
    if ($osquerydService) {
      Start-Service $kServiceName
      Write-Host "'$kServiceName' system service is started." -foregroundcolor Cyan
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1
    }
  } elseif ($stop) {
    if ($osquerydService) {
      Stop-Service $kServiceName
      Write-Host "'$kServiceName' system service is stopped." -foregroundcolor Cyan
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1      
    }
  } elseif ($installWelManifest) {
    if (-not (Test-Path $welManifestPath)) {
      Write-Host "[-] Failed to find the osquery Event Log manifest file! ($welManifestPath)" -ForegroundColor Red
      Exit 1
    }

    wevtutil im $welManifestPath
    if ($?) {
      Write-Host "The Windows Event Log manifest has been successfully installed." -foregroundcolor Cyan
    } else {
      Write-Host "Failed to install the Windows Event Log manifest." -foregroundcolor Yellow
    }
  } elseif ($uninstallWelManifest) {
    if (-not (Test-Path $welManifestPath)) {
      Write-Host "[-] Failed to find the osquery Event Log manifest file! ($welManifestPath)" -ForegroundColor Red
      Exit 1
    }

    wevtutil um $welManifestPath
    if ($?) {
      Write-Host "The Windows Event Log manifest has been successfully uninstalled." -foregroundcolor Cyan
    } else {
      Write-Host "Failed to uninstall the Windows Event Log manifest." -foregroundcolor Yellow
    }
  } else {
    Write-Host "Invalid state: this should not exist!" -foregroundcolor Red
    Exit -1
  }
}

function Main {
  if (-not (Test-IsAdmin)) {
    Write-Host "Please run this script with Admin privileges!" -foregroundcolor Red
    Exit -1
  }
  
  if ($help) {
    Do-Help
  } elseif ($debug) {
    $osquerydExists = Test-Path $kServiceBinaryPath
    
    Write-Host "Service Information" -foregroundcolor Cyan
    Write-Host "  kServiceName       = '$kServiceName'" -foregroundcolor Cyan
    Write-Host "  kServiceBinaryPath = '$kServiceBinaryPath'" -foregroundcolor Cyan
    Write-Host "             +exists = $osquerydExists" -foregroundcolor Cyan
    
    Exit 0
  } elseif (($install.ToBool() + $uninstall.ToBool() + $start.ToBool() + $stop.ToBool() + $installWelManifest.ToBool() + $uninstallWelManifest.ToBool()) -Eq 1) {
    # The above is a dirty method of determining if only one of the following booleans are true.
    Do-Service
  } else {
    Write-Host "Invalid option selected: please see -help for usage details." -foregroundcolor Red
    Exit -1
  }
}

$null = Main
osquery.conf
{
  // Configure the daemon below:
  "options": {
    // Select the osquery config plugin.
    "config_plugin": "filesystem",

    // Select the osquery logging plugin.
    "logger_plugin": "filesystem",

    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir
    // will also contain the query results.
    //"logger_path": "/var/log/osquery",

    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // logs. If a logging plugin is selected it will still write query results.
    //"disable_logging": "false",

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run a smaller or similar intervals.
    //"schedule_splay_percent": "10",

    // A filesystem path for disk-based backing storage used for events and
    // query results differentials. See also 'use_in_memory_database'.
    //"database_path": "/var/osquery/osquery.db",

    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.
    //"disable_tables": "foo_bar,time",

    // Comma-delimited list of table names to be enabled.
    // This allows osquery to be launched with certain tables only.
    //"enable_tables": "foo_bar,time",

    "utc": "true"
  },

  // Define a schedule of queries:
  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      // The exact query to run.
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    }
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // packages and/or Homebrew.
  //
  // Linux:        /usr/share/osquery/packs
  // OS X:         /var/osquery/packs
  // Homebrew:     /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    // "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
    // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
    // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
  },

  // Provides feature vectors for osquery to leverage in simple statistical 
  // analysis of results data. 
  //
  // Currently this configuration is only used by Windows in the Powershell
  // Events table, wherein character_frequencies is a list of doubles 
  // representing the aggregate occurrence of character values in Powershell 
  // Scripts. A default configuration is provided which was adapated from 
  // Lee Holmes cobbr project: 
  // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
  // 
  "feature_vectors": {
    "character_frequencies": [
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.00045,  0.01798,
      0.0,      0.03111,  0.00063,  0.00027,   0.0,      0.01336,  0.0133,
      0.00128,  0.0027,   0.00655,  0.01932,   0.01917,  0.00432,  0.0045,
      0.00316,  0.00245,  0.00133,  0.001029,  0.00114,  0.000869, 0.00067,
      0.000759, 0.00061,  0.00483,  0.0023,    0.00185,  0.01342,  0.00196,
      0.00035,  0.00092,  0.027875, 0.007465,  0.016265, 0.013995, 0.0490895,
      0.00848,  0.00771,  0.00737,  0.025615,  0.001725, 0.002265, 0.017875,
      0.016005, 0.02533,  0.025295, 0.014375,  0.00109,  0.02732,  0.02658,
      0.037355, 0.011575, 0.00451,  0.005865,  0.003255, 0.005965, 0.00077,
      0.00621,  0.00222,  0.0062,   0.0,       0.00538,  0.00122,  0.027875,
      0.007465, 0.016265, 0.013995, 0.0490895, 0.00848,  0.00771,  0.00737,
      0.025615, 0.001725, 0.002265, 0.017875,  0.016005, 0.02533,  0.025295,
      0.014375, 0.00109,  0.02732,  0.02658,   0.037355, 0.011575, 0.00451,
      0.005865, 0.003255, 0.005965, 0.00077,   0.00771,  0.002379, 0.00766,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0
    ]
  }    
}
osquery.flags
 
osquery.man
 
osqueryd\osqueryd.exe
md5: 174D06DDEAF5FF8E7ED09A71849948F3 | sha1: AD3E2139BE255487A5625C4AC393195299D7D7F2 | sha256: 4A0A3D39C4581DBAAD1B4EF0D93055FCDA92800F358723B152A510E09D3ADCE9 | sha512: DF410E145AFC4955D54A26DB6014555B6E2124663F2F1AAD84BA1EF6580105A375C011DED55C09410443B56F641350C4899A0BD0465B0CD3E6EE968CA80F4AA5
osqueryi.exe
md5: 174D06DDEAF5FF8E7ED09A71849948F3 | sha1: AD3E2139BE255487A5625C4AC393195299D7D7F2 | sha256: 4A0A3D39C4581DBAAD1B4EF0D93055FCDA92800F358723B152A510E09D3ADCE9 | sha512: DF410E145AFC4955D54A26DB6014555B6E2124663F2F1AAD84BA1EF6580105A375C011DED55C09410443B56F641350C4899A0BD0465B0CD3E6EE968CA80F4AA5
osquery_utils.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# Force Powershell to use TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# The osquery installation happens in Program Files
$progFiles =  [System.Environment]::GetEnvironmentVariable('ProgramFiles')
$targetFolder = Join-Path $progFiles 'osquery'

# Maintain the daemon and extension folders for "safe" permissions management
$daemonFolder = Join-Path $targetFolder 'osqueryd'
$extensionsFolder = Join-Path $targetFolder 'extensions'
$logFolder = Join-Path $targetFolder 'log'

# Maintain the binary paths for creating the system service and extraction
$targetDaemonBin = Join-Path $targetFolder "osqueryd.exe"
$destDaemonBin = Join-Path $daemonFolder "osqueryd.exe"

# Meta data for the system service installation
$serviceName = 'osqueryd'
$serviceDescription = 'osquery daemon service'

# Track the old installation paths for removal
$progData = [System.Environment]::GetEnvironmentVariable('ProgramData')
$legacyInstall = Join-Path $progData "osquery"

# Helper function to add an explicit Deny-Write ACE for the Everyone group
function Set-DenyWriteAcl {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $targetDir = '',
    [string] $action = ''
  )
  if (($action -ine 'Add') -and ($action -ine 'Remove')) {
    Write-Debug '[-] Invalid action in Set-DenyWriteAcl.'
    return $false
  }
  if ($PSCmdlet.ShouldProcess($targetDir)) {
    $acl = Get-Acl $targetDir
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Deny

    $worldSIDObj = New-Object System.Security.Principal.SecurityIdentifier ('S-1-1-0')
    $worldUser = $worldSIDObj.Translate([System.Security.Principal.NTAccount])
    $permission = $worldUser.Value, "write", $inheritanceFlag, $propagationFlag, $permType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    # We only support adding or removing the ACL
    if ($action -ieq 'add') {
      $acl.SetAccessRule($accessRule)
    } else {
      $acl.RemoveAccessRule($accessRule)
    }
    Set-Acl $targetDir $acl
    return $true
  }
  return $false
}

# A helper function to set "safe" permissions for osquery binaries
function Set-SafePermissions {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $target = ''
  )
  if ($PSCmdlet.ShouldProcess($target)) {
    $acl = Get-Acl $target

    # First, to ensure success, we remove the entirety of the ACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($access in $acl.Access) {
      $acl.RemoveAccessRule($access)
    }
    Set-Acl $target $acl

    $acl = Get-Acl $target
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Allow

    # "Safe" permissions in osquery entail the containing folder and binary both
    # are owned by the Administrators group, as well as no account has Write
    # permissions except for the Administrators group and SYSTEM account
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $systemUser = $systemSid.Translate([System.Security.Principal.NTAccount])

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount])

    $usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $usersGroup = $usersSid.Translate([System.Security.Principal.NTAccount])

    $permGroups = @($systemUser, $adminsGroup, $usersGroup)
    foreach ($accnt in $permGroups) {
      $grantedPerm = ''
      if ($accnt -eq $usersGroup) {
        $grantedPerm = 'ReadAndExecute'
      } else {
        $grantedPerm = 'FullControl'
      }
      $permission = $accnt.Value, $grantedPerm, $inheritanceFlag, $propagationFlag, $permType
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $acl.SetAccessRule($accessRule)
    }
    $acl.SetOwner($adminsGroup)
    Set-Acl $target $acl

    # Finally set the Administrators group as the owner for all items
    $items = Get-ChildItem -Recurse -Path $target
    foreach ($item in $items) {
      $acl = Get-Acl -Path $item.FullName
      $acl.SetOwner($adminsGroup)
      Set-Acl $item.FullName $acl
    }

    return $true
  }
  return $false
}

# Helper function for running a .bat file from powershell
function Invoke-BatchFile {
  param(
    [string]$path,
    [string]$parameters
  )
  $tempFile = [IO.Path]::GetTempFileName()
  cmd.exe /c " `"$path`" $parameters && set > `"$tempFile`" "
  Get-Content $tempFile | Foreach-Object {
    if ($_ -match '^(.*?)=(.*)$') {
      Set-Content "env:\$($matches[1])" $matches[2]
    }
  }
  Remove-Item $tempFile
}

# Constructs a chocolatey .nuspec file in the current directory
function Write-NuSpec {
  param(
    [string] $packageName,
    [string] $version,
    [string] $authors,
    [string] $owners,
    [string] $projectSource,
    [string] $packageSourceUrl,
    [string] $copyright,
    [string] $license
  )
  $nuspec = @"
<?xml version="1.0" encoding="utf-8"?>
<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>$packageName</id>
    <title>$packageName</title>
    <version>$version</version>
    <authors>$authors</authors>
    <owners>$owners</owners>
    <summary>$packageName</summary>
    <description>$packageName</description>
    <projectUrl>$projectSource</projectUrl>
    <packageSourceUrl>$packageSourceUrl</packageSourceUrl>
    <tags>$packageName</tags>
    <copyright>$copyright</copyright>
    <licenseUrl>$license</licenseUrl>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
  </metadata>
  <files>
    <file src="local\**" target="local" />
  </files>
</package>
"@
  Out-File -Encoding "UTF8" -FilePath "$packageName.nuspec" -InputObject $nuspec
}

# Derive the location of the osquery build location
function Get-OsqueryBuildPath {
  [OutputType('System.String')]
  param()
  $loc = Get-Location
  $toks = $loc -Split '\\'
  $ret = ''
  0..$toks.length | ForEach-Object {
    if (Test-Path "$($toks[0..$_] -Join '\')\tools\provision.ps1") {
      $ret = "$($toks[0..$_] -Join '\')\build"
    }
  }
  return $ret
}

# Helper function to add to the SYSTEM path
function Add-ToSystemPath {
  param(
    [string] $targetFolder = ''
  )

  $oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
  if (-not ($oldPath -imatch [regex]::escape($targetFolder))) {
    $newPath = $oldPath
    if ($oldPath[-1] -eq ';') {
      $newPath = $newPath + $targetFolder
    } else {
      $newPath = $newPath + ';' + $targetFolder
    }
    [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
  }
}

# A helper function for starting and waiting on processes in powershell
function Start-OsqueryProcess {
  param(
    [string] $binaryPath = '',
    [array] $binaryArgs = @(),
    [bool] $redirectOutput = $true
  )
  $pinfo = New-Object System.Diagnostics.ProcessStartInfo
  $pinfo.FileName = $binaryPath
  $pinfo.RedirectStandardError = $redirectOutput
  $pinfo.RedirectStandardOutput = $redirectOutput
  $pinfo.UseShellExecute = $false
  $pinfo.Arguments = $binaryArgs
  $pinfo.WorkingDirectory = Get-Location
  $p = New-Object System.Diagnostics.Process
  $p.StartInfo = $pinfo
  $p.Start()
  $p.WaitForExit()

  if ($redirectOutput) {
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $exit = $p.ExitCode
    [PSCustomObject] @{
      stdout = $stdout
      stderr = $stderr
      exitcode = $exit
    }
  } else {
    $exit = $p.ExitCode
    [PSCustomObject] @{
      exitcode = $exit
    }
  }
}

# A helper function to derive the latest VS install
function Get-VSInfo {

  # Attempt to make use of vswhere to derive the build tools scripts
  $vswhere = (Get-Command 'vswhere').Source
  $vswhereArgs = @('-latest', '-legacy')
  $vswhereOut = (Start-OsqueryProcess $vswhere $vswhereArgs).stdout
  $vsinfo = New-Object -TypeName psobject
  $vsinfo | Add-Member -MemberType NoteProperty -Name version -Value ''
  $vsinfo | Add-Member -MemberType NoteProperty -Name location -Value ''
  foreach ($l in $vswhereOut.split([environment]::NewLine)) {
    $toks = $l.split(":")
    if ($toks.Length -lt 2) {
      continue
    }
    if ($toks[0].trim() -like 'installationVersion') {
      $vsinfo.version = $toks[1].Split(".")[0]
    }
    if ($toks[0].trim() -like 'installationPath') {
      $vsinfo.location = [System.String]::Join(":", $toks[1..$toks.Length])
    }
  }
  $vsinfo.location = $vsinfo.location.trim()
  $vsinfo.version = $vsinfo.version.trim()
  return $vsinfo
}

# A helper function to derive the latest VS install and call vcvarsall.bat
function Invoke-VcVarsAll {
  $vsinfo = Get-VSInfo
  $vsLoc = $vsinfo.location
  $vsVersion = $vsinfo.version

  if ($vsLoc -ne '') {
    $vcvarsall = Join-Path $vsLoc 'VC'
    if ($vsVersion -eq '15') {
      $vcvarsall = Join-Path $vcvarsall '\Auxiliary\Build\vcvarsall.bat'
    } else {
      $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
    }

    # Lastly invoke the environment provisioning script
    $null = Invoke-BatchFile "$vcvarsall" "amd64"
    return $true
  }

  # As a last ditch effort, attempt to find the env variables set by VS2015
  # in order to derive the location of vcvarsall
  $vsComnTools = [environment]::GetEnvironmentVariable("VS140COMNTOOLS")
  if ($vsComnTools -eq '') {
    return $false
  }
  $vcvarsall = Resolve-Path $(Join-Path "$vsComnTools" "..\..\VC")
  $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
  $null = Invoke-BatchFile "$vcvarsall" "amd64"
  return $true
}
packs\hardware-monitoring.conf
{
  "queries": {
    "acpi_tables": {
      "query": "select * from acpi_tables;",
      "interval": 86400,
      "platform": "posix",
      "version": "1.3.0",
      "description": "General reporting and heuristics monitoring."
    },
    "cpuid": {
      "query": "select feature, value, output_register, output_bit, input_eax from cpuid;",
      "interval": 86400,
      "version": "1.0.4",
      "description": "General reporting and heuristics monitoring."
    },
    "smbios_tables": {
      "query": "select * from smbios_tables;",
      "interval": 86400,
      "platform": "posix",
      "version": "1.3.0",
      "description": "General reporting and heuristics monitoring."
    },
    "nvram": {
      "query": "select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.0.2",
      "description": "Report on crashes, alternate boots, and boot arguments."
    },
    "kernel_info": {
      "query": "select * from kernel_info join hash using (path);",
      "interval": 7200,
      "version": "1.4.0",
      "description": "Report the booted kernel, potential arguments, and the device."
    },
    "pci_devices": {
      "query": "select * from pci_devices;",
      "interval": 7200,
      "platform": "posix",
      "version": "1.0.4",
      "description": "Report an inventory of PCI devices. Attaches and detaches will show up in hardware_events."
    },
    "fan_speeds": {
      "query": "select * from fan_speed_sensors;",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.7.1",
      "description": "Report current fan speeds in the target OSX system."
    },
    "temperatures": {
      "query": "select * from temperature_sensors;",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.7.1",
      "description": "Report current machine temperatures in the target OSX system."
    },
    "usb_devices": {
      "query": "select * from usb_devices;",
      "interval": 7200,
      "platform": "posix",
      "version": "1.2.0",
      "description": "Report an inventory of USB devices. Attaches and detaches will show up in hardware_events."
    },
    "hardware_events": {
      "query" : "select * from hardware_events where path <> '' or model <> '';",
      "interval" : 7200,
      "platform": "posix",
      "removed": false,
      "version" : "1.4.5",
      "description" : "Retrieves all the hardware related events in the target OSX system.",
      "value" : "Determine if a third party device was attached to the system."
    },
    "darwin_kernel_system_controls": {
      "query": "select * from system_controls where subsystem = 'kern' and (name like '%boot%' or name like '%secure%' or name like '%single%');",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.4.3",
      "description": "Double check the information reported in kernel_info and report the kernel signature."
    },
    "iokit_devicetree": {
      "query": "select * from iokit_devicetree;",
      "interval": 86400,
      "platform": "darwin",
      "version": "1.3.0",
      "description": "General inventory of IOKit's devices on OS X."
    },
    "efi_file_hashes": {
      "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, md5, sha1, sha256 from (select * from file where path like '/System/Library/CoreServices/%.efi' union select * from file where path like '/System/Library/LaunchDaemons/com.apple%efi%') file join hash using (path);",
      "interval": 7200,
      "removed": false,
      "version": "1.6.1",
      "platform": "darwin",
      "description": "Hash files related to EFI platform updates and EFI bootloaders on primary boot partition. This does not hash bootloaders on the EFI/boot partition."
    },
    "kernel_extensions": {
      "query" : "select * from kernel_extensions;",
      "interval" : "7200",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "7200",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system."
    },
    "windows_drivers": {
      "query" : "select * from drivers;",
      "interval" : "7200",
      "platform" : "windows",
      "version" : "2.2.0",
      "description" : "Retrieves all the information for the current windows drivers in the target Windows system."
    },
    "device_nodes": {
      "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, block_size, type from file where directory = '/dev/';",
      "interval": "7200",
      "platform": "posix",
      "version": "1.6.0",
      "description": "Inventory all 'device' nodes in /dev/."
    }
  }
}
packs\incident-response.conf
{
  "queries": {
    "launchd": {
      "query" : "select * from launchd;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the daemons that will run in the start of the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "startup_items": {
      "query" : "select * from startup_items;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieve all the items that will load when the target OSX system starts.",
      "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
    },
    "crontab": {
      "query" : "select * from crontab;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the jobs scheduled in crontab in the target system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
    },
    "loginwindow1": {
      "query" : "select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow2": {
      "query" : "select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow3": {
      "query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "loginwindow4": {
      "query" : "select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the values for the loginwindow process in the target OSX system.",
      "value" : "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "alf": {
      "query" : "select * from alf;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_exceptions": {
      "query" : "select * from alf_exceptions;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_services": {
      "query" : "select * from alf_services;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the services for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "alf_explicit_auths": {
      "query" : "select * from alf_explicit_auths;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "etc_hosts": {
      "query" : "select * from etc_hosts;",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the entries in the target system /etc/hosts file.",
      "value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled"
    },
    "kextstat": {
      "query" : "select * from kernel_extensions;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
      "value" : "Identify malware that has a kernel extension component."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "3600",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
      "value" : "Identify malware that has a kernel module component."
    },
    "last": {
      "query" : "select * from last;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the list of the latest logins with PID, username and timestamp.",
      "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "Identify malware, adware, or vulnerable packages that are installed as an application."
    },
    "open_sockets": {
      "query" : "select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the open sockets per process in the target system.",
      "value" : "Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings"
    },
    "open_files": {
      "query" : "select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the open files per process in the target system.",
      "value" : "Identify processes accessing sensitive files they shouldn't"
    },
    "logged_in_users": {
      "query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the list of all the currently logged in users in the target system.",
      "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
    },
    "ip_forwarding": {
      "query" : "select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the current status of IP/IPv6 forwarding.",
      "value" : "Identify if a machine is being used as relay."
    },
    "process_env": {
      "query" : "select * from process_envs;",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the environment variables per process in the target system.",
      "value" : "Insight into the process data: Where was it started from, was it preloaded..."
    },
    "mounts": {
      "query" : "select * from mounts;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of mounted drives in the target system.",
      "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
    },
    "nfs_shares": {
      "query" : "select * from nfs_shares;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of Network File System mounted shares.",
      "value" : "Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors."
    },
    "shell_history": {
      "query" : "select * from users join shell_history using (uid);",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the command history, per user, by parsing the shell history files.",
      "value" : "Identify actions taken. Useful for compromised hosts."
    },
    "recent_items": {
      "query" : "select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of recent items opened in OSX by parsing the plist per user.",
      "value" : "Identify recently accessed items. Useful for compromised hosts."
    },
    "ramdisk": {
      "query" : "select * from block_devices where type = 'Virtual Interface';",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the ramdisk currently mounted in the target system.",
      "value" : "Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes"
    },
    "listening_ports": {
      "query" : "select * from listening_ports;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the listening ports in the target system.",
      "value" : "Detect if a listening port iis not mapped to a known process. Find backdoors."
    },
    "suid_bin": {
      "query" : "select * from suid_bin;",
      "interval" : "3600",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves all the files in the target system that are setuid enabled.",
      "value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build."
    },
    "process_memory": {
      "query" : "select * from process_memory_map;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the memory map per process in the target Linux system.",
      "value" : "Ability to compare with known good. Identify mapped regions corresponding with or containing injected code."
    },
    "arp_cache": {
      "query" : "select * from arp_cache;",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Retrieves the ARP cache values in the target system.",
      "value" : "Determine if MITM in progress."
    },
    "wireless_networks": {
      "query" : "select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;",
      "interval" : "3600",
      "platform" : "darwin",
      "version" : "1.6.0",
      "description" : "Retrieves all the remembered wireless network that the target machine has connected to.",
      "value" : "Identifies connections to rogue access points."
    },
    "disk_encryption": {
      "query" : "select * from disk_encryption;",
      "interval" : "86400",
      "platform": "posix",
      "version" : "1.4.5",
      "description" : "Retrieves the current disk encryption status for the target system.",
      "value" : "Identifies a system potentially vulnerable to disk cloning."
    },
    "iptables": {
      "query" : "select * from iptables;",
      "interval" : "3600",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the current filters and chains per filter in the target system.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "app_schemes": {
      "query" : "select * from app_schemes;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.7",
      "description" : "Retrieves the list of application scheme/protocol-based IPC handlers.",
      "value" : "Post-priori hijack detection, detect potential sensitive information leakage."
    },
    "sandboxes": {
      "query" : "select * from sandboxes;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.7",
      "description" : "Lists the application bundle that owns a sandbox label.",
      "value" : "Post-priori hijack detection, detect potential sensitive information leakage."
    }
  }
}
packs\it-compliance.conf
{
  "queries": {
    "osquery_info": {
      "query" : "select * from time, osquery_info;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
      "value" : "Identify if your infrastructure is running the correct osquery version and which hosts may have drifted"
    },
    "ad_config": {
      "query" : "select * from ad_config;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the Active Directory configuration for the target machine, attached to the domain (requires sudo).",
      "value" : "Helps you debug domain binding / Active Directory issues in your environment."
    },
    "kernel_info": {
      "query" : "select * from kernel_info;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves information from the current kernel in the target system.",
      "value" : "Identify out of date kernels or version drift across your infrastructure"
    },
    "os_version": {
      "query" : "select * from os_version;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves information from the Operative System where osquery is currently running.",
      "value" : "Identify out of date operating systems or version drift across your infrastructure"
    },
    "alf": {
      "query" : "select * from alf;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
      "value" : "Verify firewall settings are as expected"
    },
    "alf_exceptions": {
      "query" : "select * from alf_exceptions;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as expected"
    },
    "alf_services": {
      "query" : "select * from alf_services;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the services for the Application Layer Firewall in OSX.",
      "value" : "Verify firewall settings are as expected"
    },
    "alf_explicit_auths": {
      "query" : "select * from alf_explicit_auths;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",
      "value" : "Verify firewall settings are as expected"
    },
    "mounts": {
      "query" : "select * from mounts;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of mounted drives in the target system.",
      "value" : "Verify if mounts are accessible to those who need it"
    },
    "nfs_shares": {
      "query" : "select * from nfs_shares;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of Network File System mounted shares.",
      "value" : "Verify if shares are accessible to those who need it"
    },
    "windows_shared_resources": {
      "query" : "select * from shared_resources;",
      "interval" : "86400",
      "platform" : "windows",
      "version" : "2.0.0",
      "description" : "Retrieves the list of shared resources in the target Windows system.",
      "value" : "General security posture."
    },
    "browser_plugins": {
      "query" : "select * from users join browser_plugins using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
      "value" : "General security posture."
    },
    "safari_extensions": {
      "query" : "select * from users join safari_extensions using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of extensions for Safari in the target system.",
      "value" : "General security posture."
    },
    "chrome_extensions": {
      "query" : "select * from users join chrome_extensions using (uid);",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the list of extensions for Chrome in the target system.",
      "value" : "General security posture."
    },
    "firefox_addons": {
      "query" : "select * from users join firefox_addons using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of addons for Firefox in the target system.",
      "value" : "General security posture."
    },
    "homebrew_packages": {
      "query" : "select * from homebrew_packages;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of brew packages installed in the target OSX system.",
      "value" : "General security posture."
    },
    "windows_programs": {
      "query" : "select * from programs;",
      "interval" : "86400",
      "platform" : "windows",
      "version" : "2.0.0",
      "description" : "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
      "value" : "General security posture."
    },
    "windows_patches": {
      "query" : "select * from patches;",
      "interval" : "86400",
      "platform" : "windows",
      "version" : "2.2.0",
      "description" : "Retrieves all the information for the current windows drivers in the target Windows system."
    },
    "package_receipts": {
      "query" : "select * from package_receipts;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the PKG related information stored in OSX.",
      "value" : "General security posture."
    },
    "usb_devices": {
      "query" : "select * from usb_devices;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of USB devices in the target system.",
      "value" : "General security posture."
    },
    "keychain_items": {
      "query" : "select * from keychain_items;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the items contained in the keychain in the target OSX system.",
      "value" : "General security posture."
    },
    "deb_packages": {
      "query" : "select * from deb_packages;",
      "interval" : "86400",
      "platform" : "ubuntu",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed DEB packages in the target Linux system.",
      "value" : "General security posture."
    },
    "apt_sources": {
      "query" : "select * from apt_sources;",
      "interval" : "86400",
      "platform" : "ubuntu",
      "version" : "1.4.5",
      "description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
      "value" : "General security posture."
    },
    "portage_packages": {
      "query" : "select * from portage_use;",
      "interval" : "86400",
      "platform" : "gentoo",
      "version" : "2.0.0",
      "description" : "Retrieves all the packages installed with portage from the target Linux system.",
      "value" : "General security posture."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the current list of loaded kernel modules in the target Linux system.",
      "value" : "General security posture."
    },
    "windows_drivers": {
      "query" : "select * from drivers;",
      "interval" : "86400",
      "platform" : "windows",
      "version" : "2.2.0",
      "description" : "Retrieves all the information for the current windows drivers in the target Windows system."
    },
    "rpm_packages": {
      "query" : "select * from rpm_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed RPM packages in the target Linux system.",
      "value" : "General security posture."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "Find currently installed applications and versions of each."
    },
    "disk_encryption": {
      "query" : "select * from disk_encryption;",
      "interval" : "86400",
      "version" : "1.4.5",
      "platform" : "posix",
      "description" : "Retrieves the current disk encryption status for the target system.",
      "value" : "Identifies a system potentially vulnerable to disk cloning."
    },
    "launchd": {
      "query" : "select * from launchd;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the daemons that will run in the start of the target OSX system.",
      "value" : "Visibility on what starts in the system."
    },
    "iptables": {
      "query" : "select * from iptables;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves the current filters and chains per filter in the target system.",
      "value" : "General security posture."
    },
    "sip_config": {
      "query" : "select * from sip_config;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.7.0",
      "description" : "Retrieves the current System Integrity Protection configuration in the target system.",
      "value" : "General security posture."
    }
  }
}
packs\osquery-monitoring.conf
{
  "queries": {
    "schedule": {
      "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed, denylisted from osquery_schedule;",
      "interval": 7200,
      "removed": false,
      "denylist": false,
      "version": "2.11.0",
      "description": "Report performance for every query within packs and the general schedule."
    },
    "events": {
      "query": "select name, publisher, type, subscriptions, events, active from osquery_events;",
      "interval": 86400,
      "removed": false,
      "denylist": false,
      "version": "1.5.3",
      "description": "Report event publisher health and track event counters."
    },
    "osquery_info": {
      "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
      "interval": 600,
      "removed": false,
      "denylist": false,
      "version": "1.2.2",
      "description": "A heartbeat counter that reports general performance (CPU, memory) and version."
    }
  }
}
packs\ossec-rootkit.conf
{
  "platform": "linux", 
  "version": "1.4.5", 
  "queries": {
    "bash_door": {
      "query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');", 
      "interval": "3600", 
      "description": "bash_door", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "slapper_installed": {
      "query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');", 
      "interval": "3600", 
      "description": "slapper_installed", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "mithra`s_rootkit": {
      "query": "select * from file where path in ('/usr/lib/locale/uboot');", 
      "interval": "3600", 
      "description": "mithra`s_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "omega_worm": {
      "query": "select * from file where path in ('/dev/chr');", 
      "interval": "3600", 
      "description": "omega_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "kenga3_rootkit": {
      "query": "select * from file where path in ('/usr/include/. .');", 
      "interval": "3600", 
      "description": "kenga3_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "sadmind/iis_worm": {
      "query": "select * from file where path in ('/dev/cuc');", 
      "interval": "3600", 
      "description": "sadmind/iis_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "rsha": {
      "query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');", 
      "interval": "3600", 
      "description": "rsha", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "old_rootkits": {
      "query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');", 
      "interval": "3600", 
      "description": "old_rootkits", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "telekit_trojan": {
      "query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');", 
      "interval": "3600", 
      "description": "telekit_trojan", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "tc2_worm": {
      "query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');", 
      "interval": "3600", 
      "description": "tc2_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "shitc": {
      "query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');", 
      "interval": "3600", 
      "description": "shitc", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "rh_sharpe": {
      "query": "select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');", 
      "interval": "3600", 
      "description": "rh_sharpe", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "showtee_/_romanian_rootkit": {
      "query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');", 
      "interval": "3600", 
      "description": "showtee_/_romanian_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "lrk_rootkit": {
      "query": "select * from file where path in ('/dev/ida/.inet');", 
      "interval": "3600", 
      "description": "lrk_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "zk_rootkit": {
      "query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');", 
      "interval": "3600", 
      "description": "zk_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "ramen_worm": {
      "query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');", 
      "interval": "3600", 
      "description": "ramen_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "maniac_rk": {
      "query": "select * from file where path in ('/usr/bin/mailrc');", 
      "interval": "3600", 
      "description": "maniac_rk", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "bmbl_rootkit": {
      "query": "select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');", 
      "interval": "3600", 
      "description": "bmbl_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "suckit_rootkit": {
      "query": "select * from file where path in ('/lib/.x', '/lib/sk');", 
      "interval": "3600", 
      "description": "suckit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "adore_rootkit": {
      "query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');", 
      "interval": "3600", 
      "description": "adore_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "ldp_worm": {
      "query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');", 
      "interval": "3600", 
      "description": "ldp_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "romanian_rootkit": {
      "query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');", 
      "interval": "3600", 
      "description": "romanian_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "illogic_rootkit": {
      "query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', '/etc/ld.so.hash');", 
      "interval": "3600", 
      "description": "illogic_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "bobkit_rootkit": {
      "query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');", 
      "interval": "3600", 
      "description": "bobkit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "monkit": {
      "query": "select * from file where path in ('/lib/defs');", 
      "interval": "3600", 
      "description": "monkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "override_rootkit": {
      "query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');", 
      "interval": "3600", 
      "description": "override_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "madalin_rootkit": {
      "query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');", 
      "interval": "3600", 
      "description": "madalin_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "solaris_worm": {
      "query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');", 
      "interval": "3600", 
      "description": "solaris_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "phalanx_rootkit": {
      "query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');", 
      "interval": "3600", 
      "description": "phalanx_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "ark_rootkit": {
      "query": "select * from file where path in ('/dev/ptyxx');", 
      "interval": "3600", 
      "description": "ark_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "tribe_bot": {
      "query": "select * from file where path in ('/dev/wd4');", 
      "interval": "3600", 
      "description": "tribe_bot", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "cback_worm": {
      "query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');", 
      "interval": "3600", 
      "description": "cback_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "optickit": {
      "query": "select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');", 
      "interval": "3600", 
      "description": "optickit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "anonoiyng_rootkit": {
      "query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');", 
      "interval": "3600", 
      "description": "anonoiyng_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "loc_rookit": {
      "query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');", 
      "interval": "3600", 
      "description": "loc_rookit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "showtee": {
      "query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');", 
      "interval": "3600", 
      "description": "showtee", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "zarwt_rootkit": {
      "query": "select * from file where path in ('/bin/imin', '/bin/imout');", 
      "interval": "3600", 
      "description": "zarwt_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "lion_worm": {
      "query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');", 
      "interval": "3600", 
      "description": "lion_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "suspicious_file": {
      "query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', '/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');", 
      "interval": "3600", 
      "description": "suspicious_file", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "apa_kit": {
      "query": "select * from file where path in ('/usr/share/.aPa');", 
      "interval": "3600", 
      "description": "apa_kit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "enye_sec_rootkit": {
      "query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');", 
      "interval": "3600", 
      "description": "enye_sec_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "rk17": {
      "query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');", 
      "interval": "3600", 
      "description": "rk17", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "trk_rootkit": {
      "query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');", 
      "interval": "3600", 
      "description": "trk_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "scalper_installed": {
      "query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');", 
      "interval": "3600", 
      "description": "scalper_installed", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "hidr00tkit": {
      "query": "select * from file where path in ('/var/lib/games/.k');", 
      "interval": "3600", 
      "description": "hidr00tkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "beastkit_rootkit": {
      "query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');", 
      "interval": "3600", 
      "description": "beastkit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "shv5_rootkit": {
      "query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');", 
      "interval": "3600", 
      "description": "shv5_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "esrk_rootkit": {
      "query": "select * from file where path in ('/usr/lib/tcl5.3');", 
      "interval": "3600", 
      "description": "esrk_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "shkit_rootkit": {
      "query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');", 
      "interval": "3600", 
      "description": "shkit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "knark_installed": {
      "query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');", 
      "interval": "3600", 
      "description": "knark_installed", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "volc_rootkit": {
      "query": "select * from file where path in ('/usr/lib/volc', '/usr/bin/volc');", 
      "interval": "3600", 
      "description": "volc_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "fu_rootkit": {
      "query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');", 
      "interval": "3600", 
      "description": "fu_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "ajakit_rootkit": {
      "query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');", 
      "interval": "3600", 
      "description": "ajakit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "monkit_found": {
      "query": "select * from file where path in ('/usr/lib/libpikapp.a');", 
      "interval": "3600", 
      "description": "monkit_found", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "t0rn_rootkit": {
      "query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');", 
      "interval": "3600", 
      "description": "t0rn_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "adore_worm": {
      "query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');", 
      "interval": "3600", 
      "description": "adore_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "55808.a_worm": {
      "query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');", 
      "interval": "3600", 
      "description": "55808.a_worm", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }, 
    "tuxkit_rootkit": {
      "query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');", 
      "interval": "3600", 
      "description": "tuxkit_rootkit", 
      "value": "Artifacts used by this malware", 
      "platform": "linux"
    }
  }
}
packs\osx-attacks.conf
{
  "platform": "darwin",
  "queries": {
    "WireLurker": {
      "query" : "select * from launchd where \
        name = 'com.apple.machook_damon.plist' OR \
        name = 'com.apple.globalupdate.plist' OR \
        name = 'com.apple.appstore.plughelper.plist' OR \
        name = 'com.apple.MailServiceAgentHelper.plist' OR \
        name = 'com.apple.systemkeychain-helper.plist' OR \
        name = 'com.apple.periodic-dd-mm-yy.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_1": {
      "query" : "select * from launchd where path like '%UserEvent.System.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_2": {
      "query" : "select * from file where path = '/Users/Shared/UserEvent.app';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_3": {
      "query" : "select * from launchd where name = 'com.GetFlashPlayer.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/)",
      "value" : "Artifact used by this malware"
    },
    "Tibet.D": {
      "query" : "select * from launchd where path like '%com.apple.AudioService.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)",
      "value" : "Artifact used by this malware"
    },
    "DevilRobber": {
      "query" : "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "XSLCmd": {
      "query" : "select * from launchd where name = 'com.apple.service.clipboardd.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)",
      "value" : "Artifact used by this malware"
    },
    "Olyx": {
      "query" : "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Imuler": {
      "query" : "select * from launchd where name = 'checkflr.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "iWorkServ": {
      "query" : "select * from startup_items where path like '%iWorkServices%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Morcut": {
      "query" : "select * from launchd where name = 'com.apple.mdworker.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)",
      "value" : "Artifact used by this malware"
    },
    "BlazingKeylogger": {
      "query" : "select * from launchd where name = 'com.BT.BPK.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.blazingtools.com/mac_keylogger.html)",
      "value" : "Artifact used by this malware"
    },
    "Icefog": {
      "query" : "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)",
      "value" : "Artifact used by this malware"
    },
    "Careto": {
      "query" : "select * from launchd where path like '%com.apple.launchport.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)",
      "value" : "Artifact used by this malware"
    },
    "Inqtana": {
      "query" : "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/inqtana_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "MacKontrol": {
      "query" : "select * from launchd where name = 'com.apple.FolderActionsxl.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "PubSab": {
      "query" : "select * from launchd where name = 'com.apple.PubSabAgent.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Dockster": {
      "query" : "select * from launchd where name = 'mac.Dockset.deman.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)",
      "value" : "Artifact used by this malware"
    },
    "CallMe": {
      "query" : "select * from launchd where name = 'realPlayerUpdate.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.f-secure.com/weblog/archives/00002546.html)",
      "value" : "Artifact used by this malware"
    },
    "Whitesmoke": {
      "query" : "select * from launchd where name = 'com.whitesmoke.uploader.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/ )",
      "value" : "Artifact used by this malware"
    },
    "Codecm": {
      "query" : "select * from launchd where name = 'com.codecm.uploader.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/)",
      "value" : "Artifact used by this malware"
    },
    "iWorm": {
      "query" : "select * from launchd where name = 'com.JavaW.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
      "value" : "Artifact used by this malware"
    },
    "iWorm_1": {
      "query" : "select * from file where path like '/Library/Application Support/JavaW%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
      "value" : "Artifact used by this malware"
    },
    "SniperSpy": {
      "query" : "select * from launchd where name = 'com.rxs.syslogagent.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)",
      "value" : "Artifact used by this malware"
    },
    "Vsearch": {
      "query" : "select * from launchd where \
        name = 'com.vsearch.agent.plist' OR \
        name = 'com.vsearch.daemon.plist' OR \
        name = 'com.vsearch.helper.plist' OR \
        name = 'Jack.plist' OR \
        program_arguments = '/etc/run_upd.sh' OR \
        program_arguments LIKE '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/arg-downlite/)",
      "value" : "Artifact used by this malware"
    },
    "Buca": {
      "query" : "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/arg-buca-apps/)",
      "value" : "Artifact used by this malware"
    },
    "Conduit": {
      "query" : "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/arg-conduit/)",
      "value" : "Artifact used by this malware"
    },
    "Genieo": {
      "query" : "select * from launchd where \
        name = 'com.genieo.completer.download.plist' OR \
        name = 'com.genieo.completer.update.plist' OR \
        name = 'com.genieo.completer.ltvbit.plist' OR \
        name = 'com.installer.completer.download.plist' OR \
        name = 'com.installer.completer.update.plist' OR \
        name = 'com.installer.completer.ltvbit.plist' OR \
        name = 'com.genieoinnovation.macextension.plist' OR \
        name = 'com.genieoinnovation.macextension.client.plist' OR \
        name = 'com.genieo.engine.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "(http://www.thesafemac.com/arg-genieo/)",
      "value" : "Artifact used by this malware"
    },
    "GenieoPart2": {
      "query" : "select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "New version of Genieo",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT1": {
      "query" : "select * from file where path = '/dev/ptmx0';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT2": {
      "query" : "select * from apps where bundle_identifier = 'com.ht.RCSMac';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT3": {
      "query" : "select * from launchd where \
        label = 'com.ht.RCSMac' OR \
        name = 'com.apple.loginStoreagent.plist' OR \
        name = 'com.apple.mdworker.plist' OR \
        name = 'com.apple.UIServerLogin.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_Persistence": {
      "query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "Detection persistency by Hacking Team",
      "value": "Artifact used by Hacking Team"
    },
    "xprotect_reports": {
      "query": "select * from xprotect_reports;",
      "interval": 1200,
      "removed": false,
      "version": "1.4.5",
      "description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",
      "value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."
    },
    "Keranger_1": {
      "query": "select * from processes where name = 'kernel_service';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
      "value": "Artifact used by this malware"
    },
    "Keranger_2": {
      "query": "select * from file where \
        path LIKE '/Users/%/Library/.kernel_%' OR \
        path LIKE '/Users/%/Library/kernel_service';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
      "value": "Artifact used by this malware"
    },
    "PremierOpinion": {
      "query": "select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://www.thesafemac.com/arg-premier-opinion/)",
      "value": "Artifact used by this malware"
    },
    "Bundlore": {
      "query": "select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://www.thesafemac.com/arg-bundlore/)",
      "value": "Artifact used by this malware"
    },
    "Spigot": {
      "query": "select * from launchd where name like 'com.spigot.%.plist';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://www.thesafemac.com/arg-spigot/)",
      "value": "Artifact used by this malware"
    },
    "SearchInstUpdater": {
      "query": "select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://www.virustotal.com/en/file/9530d481f7bb07aac98a46357bfcff96e2936a90571b4629ae865a2ce63e5c8e/analysis/)",
      "value": "Artifact used by this malware"
    },
    "OSX_Pirrit": {
      "query": "select * from plist where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/)",
      "value": "Artifact used by this malware"
    },
    "Backdoor_MAC_Eleanor": {
      "query": "SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)",
      "value": "Artifact used by this malware"
    },
    "EliteKeylogger": {
      "query": "select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://www.elitekeyloggers.com/elite-keylogger-mac)",
      "value": "Artifact used by this malware"
    },
    "Aobo_Keylogger": {
      "query": "select * from launchd where name like 'com.ab.kl%.plist';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://aobo.cc/aobo-mac-os-x-keylogger.html)",
      "value": "Artifact used by this malware"
    },
    "OSX_Keydnap": {
      "query": "select * from launchd where name IN ('com.apple.iCloud.sync.daemon', 'com.geticloud.icloud.photo');",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials)",
      "value": "Artifact used by this malware"
    },
    "Java_Adwind_Trojan": {
      "query": "select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/)",
      "value": "Artifact used by this malware"
    },
    "OSX_Backdoor_Mokes": {
      "query": "select * from file where \
        path LIKE '/Users/%/Library/App Store/storeuserd' OR \
        path LIKE '/Users/%/Library/com.apple.spotlight/SpotlightHelper' OR \
        path LIKE '/Users/%/Library/Dock/com.apple.dock.cache' OR \
        path LIKE '/Users/%/Library/Dropbox/DropboxCache' OR \
        path LIKE '/Users/%/Library/Skype/SkypeHelper' OR \
        path LIKE '/Users/%/Library/Google/Chrome/nacld' OR \
        path LIKE '/Users/%/Library/Firefox/Profiles/profiled';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/)",
      "value": "Artifact used by this malware"
    },
    "OSX_Komplex": {
      "query": "select * from file where path = '/Users/Shared/.local/kext' or path = '/Users/Shared/com.apple.updates.plist' or path = '/Users/Shared/start.sh';",
      "interval": "3600",
      "version": "1.4.5",
      "description": "(http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/)",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_launchagent": {
      "query" : "select * from launchd where name = 'com.google.plugins.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OceanLotus Launch Agent (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
      "value" : "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_1": {
      "query" : "select * from file, ( \
        select '/Library/Logs/.Logs/corevideosd' ioc union \
        select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union \
        select '/Library/Parallels/.cfg' ioc union \
        select '/Library/Preferences/.fDTYuRs' ioc union \
        select '/Library/Hash/.Hashtag/.hash' ioc union \
        select '/Library/Hash/.hash' ioc \
      ) iocs where \
        file.path LIKE '/Users/%/' || ioc OR \
        file.path = iocs.ioc OR \
        file.path LIKE '/tmp/crunzip.temp.%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OceanLotus dropped file (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
      "value" : "Artifact used by this malware"
    },
    "XcodeGhost": {
      "query" : "select * from ( \
        select apps.bundle_short_version as xcode_version, \
          apps.path as xcode_path, \
          file.path, \
          file.type as file_type \
        from apps, file \
        where apps.bundle_name='Xcode' and \
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') \
      ) join hash using (path) where file_type = 'regular';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)",
      "value" : "Artifact used by this malware"
    },
    "Quimitchin_Backdoor": {
      "query" : "select * from launchd where name = 'com.client.client.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "Quimitchin Launch Agent (https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/)",
      "value" : "Artifact used by this malware"
    },
    "Pronto": {
      "query" : "select * from launchd where name = 'pronto.notification.plist' or name = 'pronto.update.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "ProntoApp Launch Agents (https://malwarefixes.com/remove-pronto-video-converter/)",
      "value" : "Artifact used by this malware"
    },
    "OSX_DOK_1": {
      "query" : "select * from launchd where name = 'com.apple.Safari.proxy.plist' or name = 'com.apple.Safari.proxy.pac';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "DOK Launch Agents (http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/)",
      "value" : "Artifact used by this malware"
    },
    "OSX_DOK_2": {
      "query" : "select common_name, sha1, subject_key_id from certificates where subject_key_id = 'e637d656f9f088ddca3b3b55c4fe698d8c97a552';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "DOK certificate (http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/)",
      "value" : "Artifact used by this malware"
    },
    "OSX_DOK_3": {
      "query" : "select * from file where path = '/Users/Shared/AppStore.app';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "DOK dropped file (http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/)",
      "value" : "Artifact used by this malware"
    },
    "OSX_DOK_4": {
      "query" : "select * from apps where bundle_name = 'Truesteer.AppStore';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "DOK malicious app (http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/)",
      "value" : "Artifact used by this malware"
    },
    "OSX_Snake": {
      "query" : "select * from file \
         where path = '/Library/LaunchDaemons/com.adobe.update.plist' OR \
           path = '/Library/Scripts/installd.sh' OR \
           path = '/Library/Scripts/queue' OR \
           path = '/tmp/.gdm-socket' OR \
           path = '/tmp/.gdm-selinux' OR \
           path LIKE '/var/tmp/.ur-%%';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OS X port of Snake malware discovered by Fox-IT (https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_Proton_Files": {
      "query" : "select * from file \
        where path like '/Users/%/Library/RenderFiles/activity_agent.app/' OR \
        path like '/Users/%/Library/LaunchAgents/fr.handbrake.activity_agent.plist' OR \
        path='/tmp/Updater.app' OR path='/Library/.rand/updateragent.app' OR \
        path='/Library/LaunchAgents/com.apple.xpcd.plist' OR \
        path='/Library/.cachedir' OR \
        path='/Library/.random';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_Proton_Launchd": {
      "query" : "select * from launchd where name='com.Eltima.UpdaterAgent.plist' OR name='com.apple.xpcd.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OSX/Proton bundled with a tampered version of Elmedia Player or Fake Symantec Blog: (https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/) and (https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_Proton_Process": {
      "query" : "select * from processes \
        where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent' OR \
        path='/Library/.rand/updateragent.app/Contents/MacOS/updateragent' OR \
        path='/Library/.random/xpcd.app/Contents/MacOS/xpcd';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)",
      "value" : "Artifacts created by this malware"
    },
    "EmPyre_Agent": {
      "query" : "select * from launchd where name = 'com.proxy.initialize.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description" : "EmPyre post exploitation agent (https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/persistence/osx/launchdaemonexecutable.py)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_FruitFly": {
      "query" : "select * from launchd where name = 'com.client.client.plist';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "FruitFly OSX Malware (https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_Mughthesec": {
      "query" : "select * from launchd where name = 'com.Mughthesec.plist';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Mughthesec OSX Malware (https://objective-see.com/blog/blog_0x20.html)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_HiddenLotus": {
      "query" : "select * from launchd where name = 'com.apple.hidd.shared.plist';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "Apple added XProtect rules for this sample: (https://www.virustotal.com/en/file/f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179/analysis/1509567775/)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_MaMi_DNS_Servers": {
      "query" : "select * from dns_resolvers where type = 'nameserver' and address in ('82.163.143.135', '82.163.142.137');",
      "interval" : "3600",
      "version" : "2.8.0",
      "description" : "MaMi OSX Malware 2017-01-12 (https://objective-see.com/blog/blog_0x26.html)",
      "value" : "DNS Servers set by this malware"
    },
    "OSX_MaMi_Certificate": {
      "query" : "select * from certificates where common_name like '%cloudguard.me%' and not_valid_after = '2352216315';",
      "interval" : "3600",
      "version" : "2.8.0",
      "description" : "MaMi OSX Malware 2017-01-12 (https://objective-see.com/blog/blog_0x26.html)",
      "value" : "bogus certificate added to key store by this malware"
    },
    "Behavioral_Reverse_Shell": {
      "query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, \
        processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, \
        processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, \
        (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline \
        FROM processes JOIN process_open_sockets USING (pid) \
        LEFT OUTER JOIN process_open_files \
        ON processes.pid = process_open_files.pid \
        WHERE (name='sh' OR name='bash') \
        AND process_open_files.pid IS NULL;",
      "interval" : "3600",
      "version" : "2.8.0",
      "description" : "Find shell processes that have open sockets and no open files or TTY (https://clo.ng/blog/osquery_reverse_shell/)",
      "value" : "Behavioral detection for potential reverse shells"
    },
    "OSX_ColdRoot_RAT_Launchd": {
      "query" : "select * from launchd where name = 'com.apple.audio.driver.plist';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "ColdRoot OSX Malware (https://objective-see.com/blog/blog_0x2A.html)",
      "value" : "Artifacts created by this malware"
    },
    "OSX_ColdRoot_RAT_Files": {
      "query" : "select * from file \
        where path in ('/private/var/tmp/com.apple.audio.driver.app/', \
        '/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/conx.wol');",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "ColdRoot OSX Malware (https://objective-see.com/blog/blog_0x2A.html)",
      "value" : "Artifacts created by this malware"
    },
    "MacSearch_Adware": {
      "query": "SELECT * FROM launchd WHERE path='/Library/LaunchAgents/tapufind.plist';",
      "interval" : "3600",
      "version" : "1.4.5",
      "description" : "MacSearch OSX Adware (https://www.virustotal.com/latest-scan/15966224C4E25C9787A4A8C984A863E9)",
      "value" : "Artifacts created by this adware"
    },
    "OSX_Dummy_Launchd": {
      "query": "SELECT * FROM launchd WHERE name = 'com.startup.plist';",
      "interval" : "3600",
      "version": "1.4.5",
      "description": "OSX Dummy Malware (https://objective-see.com/blog/blog_0x32.html and https://isc.sans.edu/diary/23816)",
      "value": "Artifacts created by this malware"
    },
    "OSX_Dummy_Files": {
      "query" : "SELECT * FROM file \
         WHERE path = '/Library/LaunchDaemons/com.startup.plist' OR \
           path = '/var/root/script.sh' OR \
           path = '/Users/Shared/dumpdummy' OR \
           path = '/tmp/script.sh' OR \
           path = '/tmp/com.startup.plist' OR \
           path = '/tmp/dumpdummy';",
      "interval" : "3600",
      "version": "1.4.5",
      "description": "OSX Dummy Malware (https://objective-see.com/blog/blog_0x32.html and https://isc.sans.edu/diary/23816)",
      "value": "Artifacts created by this malware"
    },
    "Keyboard_Event_Taps": {
      "query": "SELECT * FROM processes JOIN event_taps ON processes.pid = event_taps.tapping_process where event_taps.enabled = 1;",
      "interval" : "3600",
      "version": "3.3.0",
      "description": "Finds processes that have active keyboard event taps, typically used by RATs and other malicious software for keylogging",
      "value": "Process with keyboard event taps"
    },
    "OSX_SearchAwesome": {
      "query" : "SELECT * FROM file \
         WHERE path = '/Applications/spi.app' OR \
           path = '/Users/%/Library/LaunchAgents/spid-uninstall.plist' OR \
           path = '/Users/%/Library/LaunchAgents/spid.plist' OR \
           path = '/Users/%/Library/SPI';",
      "interval" : "3600",
      "version": "1.4.5",
      "description": "OSX SearchAwesome Malware (https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/)",
      "value": "Artifacts created by this malware"
    }
  }
}
packs\unwanted-chrome-extensions.conf
{
  "platform": "windows,darwin",
  "queries": {
    "BetternetVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gjknjjomckknofjidppipffbpoekiipm';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "Chrometana": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='kaicbfmipfpfpjmlbpejaoaflfdnabnc';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "CopyFish": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='eenjdnjldapjajjofmldgmkjaienebbj';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/copyfish-chrome-extension-hijacked-to-show-adware/)"
    },
    "HolaVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gkojfkhlekighikafcpjkiklfbnlmeio';",
      "interval": 3600,
      "description": "(http://adios-hola.org)"
    },
    "InfinityNewTab": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='dbfmnekepjoapopniengjbcpnbljalfg';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "SocialFixer": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='ifmhoabcaeehkljcfclfiieohkohdgbb';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "TouchVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bihmplhobchoageeokmgbdihknkjbknd';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "WebDeveloper": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bfbameneiokkgbdmiekhjnmfkcnldhhm';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/chrome-extension-with-over-one-million-users-hijacked-to-serve-adware/)"
    },
    "WebPaint": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='emeokgokialpjadjaoeiplmnkjoaegng';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "MacOSInstallCore": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='hinehnlkkmckjblijjpbpamhljokoohh';",
      "interval": 3600,
      "description": "(https://www.virustotal.com/#/file/5cab0821f597100dc1170bfef704d8cebaf67743e9d509e83b0b208eb630d992/detection)"
    }
  }
}
packs\vuln-management.conf
{
  "queries": {
    "kernel_info": {
      "query" : "select * from kernel_info;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves information from the current kernel in the target system.",
      "value" : "Kernel version can tell you vulnerabilities based on the version"
    },
    "os_version": {
      "query" : "select * from os_version;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
      "value" : "OS version will tell which distribution the OS is running on, allowing to detect the main distribution"
    },
    "kextstat": {
      "query" : "select * from kernel_extensions;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
      "value" : "Only for OS X.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
      "value" : "Only for Linux.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "browser_plugins": {
      "query" : "select browser_plugins.* from users join browser_plugins using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.6.1",
      "description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
      "value" : "General security posture."
    },
    "safari_extensions": {
      "query" : "select safari_extensions.* from users join safari_extensions using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Safari in the target system.",
      "value" : "General security posture."
    },
    "opera_extensions": {
      "query" : "select opera_extensions.* from users join opera_extensions using (uid);",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Opera in the target system.",
      "value" : "General security posture."
    },
    "chrome_extensions": {
      "query" : "select chrome_extensions.* from users join chrome_extensions using (uid);",
      "interval" : "86400",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Chrome in the target system.",
      "value" : "General security posture."
    },
    "firefox_addons": {
      "query" : "select firefox_addons.* from users join firefox_addons using (uid);",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.6.1",
      "description" : "Retrieves the list of addons for Firefox in the target system.",
      "value" : "General security posture."
    },
    "homebrew_packages": {
      "query" : "select * from homebrew_packages;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of brew packages installed in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "package_receipts": {
      "query" : "select * from package_receipts;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the PKG related information stored in OSX.",
      "value" : "It could give you a trail of installed/deleted packages"
    },
    "deb_packages": {
      "query" : "select * from deb_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed DEB packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "apt_sources": {
      "query" : "select * from apt_sources;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
      "value" : "In the future this may not have a lot of value as we expect to have installed only signed packages"
    },
    "portage_packages": {
      "query" : "select * from portage_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "2.0.0",
      "description" : "Retrieves all the installed packages on the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "rpm_packages": {
      "query" : "select * from rpm_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed RPM packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "unauthenticated_sparkle_feeds": {
      "query" : "select feeds.*, p2.value as sparkle_version from (select a.name as app_name, a.path as app_path, a.bundle_identifier as bundle_id, p.value as feed_url from (select name, path, bundle_identifier from apps) a, plist p where p.path = a.path || '/Contents/Info.plist' and p.key = 'SUFeedURL' and feed_url like 'http://%') feeds left outer join plist p2 on p2.path = app_path || '/Contents/Frameworks/Sparkle.framework/Resources/Info.plist' where (p2.key = 'CFBundleShortVersionString' OR coalesce(p2.key, '') = '');",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all application bundles using unauthenticated Sparkle update feeds. See (https://vulnsec.com/2016/osx-apps-vulnerabilities/) for details.",
      "value" : "Tracking vulnerable applications updates may allow blocking of DNS or removal by BundleID."
    },
    "backdoored_python_packages": {
      "query" : "select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.4.5",
      "description" : "Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)",
      "value" : "Gives some assurances that no bad Python packages are installed on the system."
    }
  }
}
packs\windows-attacks.conf
{
  "platform": "windows",
  "queries": {
    "CCleaner_Trojan.Floxif": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",
      "value" : "Artifact used by this malware"
    },
    "CCleaner_Trojan_stage2.Floxif": {
      "query": "select h.md5, h.sha1, h.sha256, s.name, s.service_type, s.display_name, s.module_path, s.user_account from services s, hash h where h.path = s.module_path and ((s.module_path like '%GeeSetup_x86%' and h.sha256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83') or (s.module_path like '%EFACli64%' and h.sha256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f') or (s.module_path like '%TSMSISrv%' and h.sha256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'));",
      "interval" : "3600",
      "version": "2.1.0",
      "description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",
      "value" : "Artifact used by this malware"
    },
    "Winsecurity_info_1": {
      "query" : "select * from programs where name = 'Winsecurity.info';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",
      "value" : "Artifact used by this malware"
    },
    "Winsecurity_info_2": {
      "query" : "select * from chrome_extensions join users using (uid) where name = 'Winsecurity.info';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",
      "value" : "Artifact used by this malware"
    },
    "unTabs_1": {
      "query" : "select * from programs where name like 'unTabs%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",
      "value" : "Artifact used by this malware"
    },
    "unTabs_2": {
      "query" : "select * from chrome_extensions join users using (uid) where name like 'unTabs%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",
      "value" : "Artifact used by this malware"
    },
    "StickyKeys_File_Replace_Backdoor": {
      "query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: (https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1)"
    },
    "StickyKeys_Registry_Backdoor": {
      "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)"
    },
    "conhost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "dllhost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "lsass.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "services.exe_incorrect_parent_process": {
      "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "svchost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "svchost.exe_incorrect_parent_process": {
      "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe') AND LOWER(name)!='services.exe';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    }
  }
}
packs\windows-hardening.conf
{
  "platform": "windows",
  "queries": {
    "OpenType_Font_Driver_Vulnerability": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)"
    },
    "Protecting_Against_Weak_Crypto_Algo": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
      "value" : "Artifact used by this malware"
    },
    "UAC_Disabled": {
      "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Controls UAC. A setting of 0 indicates that UAC is disabled."
    },
    "SecureBoot": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Whether Secureboot is enabled"
    },
    "FontBlocking": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions\\MitigationOptions_FontBlocking'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Whether FontBlocking is enabled"
    },
    "DepPolicy": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemStartOptions'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Whether DEP is enabled"
    },
    "MitigationOptions": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Whether DEP is enabled with application mitigation options"
    },
    "MoveImages": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\moveImages'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check ASLR configuration"
    },
    "KernelSehopEnabled": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\KernelSEHOPEnabled'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Whether SEHOP is enabled"
    },
    "EnableCertPaddingCheck": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)"
    },
    "EnableCertPaddingCheck_wow64": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)"
    },
    "CwdIllegalInDllSearch": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\CWDIllegalInDllSearch'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Secure Search Path state (https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the)"
    },
    "DisabledExceptionChainValidation": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\DisableExceptionChainValidation'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check SEHOP state: DisabledExceptionChainValidation"
    },
    "EnableLowVaAccess": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableLowVaAccess'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Kernel Null page state"
    },
    "ControlFlowGuard": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableCfg'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Control Flow Guard state"
    },
    "App_ExecuteOptions": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\executeOptions'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applications opted in for DEP"
    },
    "App_MitigationOptions": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\MitigationOptions'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applications opted in for DEP"
    },
    "AppCompat": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applications opted in for DEP"
    },
    "App_disabledExceptionChainValidation": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\DisableExceptionChainValidation'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applications not supporting SEHOP"
    },
    "DefaultLevelMachine": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "DefaultLevelUser": {
      "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "PolicyScopeMachine": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "PolicyScopeUser": {
      "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "ExecutableTryMachine": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "ExecutableTryUser": {
      "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "TransparentEnabledMachine": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "TransparentEnabledUser": {
      "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state"
    },
    "Unrestricted": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: No SRP allow list rules"
    },
    "Unrestricted_Paths": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: No SRP path rules"
    },
    "Unrestricted_Paths_ItemData": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths\\%\\ItemData'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: SRP allow list rules is missing"
    },
    "Disallowed": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: No SRP deny list rules"
    },
    "Disallowed_Paths": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: No SRP path rules"
    },
    "Disallowed_Paths_ItemData": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\%\\ItemData'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: SRP deny list rule is missing"
    },
    "SaferFlags": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\%\\%\\%\\SaferFlags'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Software Restriction Policies state: SRP rule is not enforcing"
    },
    "RuleSetEnforcementMode": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\EnforcementMode'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applocker rule set configuration"
    },
    "Rule": {
      "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\%\\Value'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Applocker rule set"
    },
    "AuditSpecialGroups": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Special Logon Audit configuration - https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/"
    },
    "SysmonConfig": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Microsoft Sysinternals Sysmon config"
    },
    "DeveloperMode": {
      "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'",
      "interval": "86400",
      "snapshot": true,
      "description" : "Check Developer Mode state"
    }
  }
}
tools\chocolateyBeforeModify.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

# Ensure the service is stopped and processes are not running if exists.
if ((Get-Service $serviceName -ErrorAction SilentlyContinue) -and `
  (Get-Service $serviceName).Status -eq 'Running') {
  Stop-Service $serviceName
  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }
}

# Lastly, ensure that the Deny Write ACLs have been removed before modifying
if (Test-Path $daemonFolder) {
  Set-DenyWriteAcl $daemonFolder 'Remove'
}
if (Test-Path $extensionsFolder) {
  Set-DenyWriteAcl $extensionsFolder 'Remove'
}
tools\chocolateyinstall.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

$packageParameters = $env:chocolateyPackageParameters
$arguments = @{}

# Ensure the service is stopped and processes are not running if exists.
$svc = Get-WmiObject -ClassName Win32_Service -Filter "Name='osqueryd'"
if ($svc -and $svc.State -eq 'Running') {
  Stop-Service $serviceName
  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }
  
  # If the service was installed using the legacy path in ProgramData, remove
  # it and allow the service creation below to fix it up.
  if ([regex]::escape($svc.PathName) -like [regex]::escape("${legacyInstall}*")) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'" |
    Invoke-CimMethod -MethodName Delete
  }
}

# Lastly, ensure that the Deny Write ACLs have been removed before modifying
if (Test-Path $daemonFolder) {
  Set-DenyWriteAcl $daemonFolder 'Remove'
}
if (Test-Path $extensionsFolder) {
  Set-DenyWriteAcl $extensionsFolder 'Remove'
}

# Now parse the packageParameters using good old regular expression
if ($packageParameters) {
  $match_pattern = "\/(?<option>([a-zA-Z]+)):(?<value>([`"'])?([a-zA-Z0-9- _\\:\.]+)([`"'])?)|\/(?<option>([a-zA-Z]+))"
  $option_name = 'option'
  $value_name = 'value'

  if ($packageParameters -match $match_pattern ) {
    $results = $packageParameters | Select-String $match_pattern -AllMatches
    $results.matches | ForEach-Object {
      $arguments.Add(
        $_.Groups[$option_name].Value.Trim(),
        $_.Groups[$value_name].Value.Trim())
    }
  } else {
    Throw "Package Parameters were found but were invalid (REGEX Failure)"
  }
  if ($arguments.ContainsKey("InstallService")) {
    $installService = $true
  }
} else {
  Write-Debug "No Package Parameters Passed in"
}

# Install the package

# Create a log directory in case one doesn't already exist
New-Item -Force -Type directory -Path $logFolder

# Grab the primary folders
$packageRoot = (Join-Path "$PSScriptRoot" "..")
Copy-Item -Force -Recurse (Join-Path "$packageRoot" "certs") $targetFolder
Copy-Item -Force -Recurse (Join-Path "$packageRoot" "osqueryd") $targetFolder
Copy-Item -Force -Recurse (Join-Path "$packageRoot" "packs") $targetFolder

# Grab the individual files
Copy-Item -Force (Join-Path "$packageRoot" "manage-osqueryd.ps1") $targetFolder
Copy-Item -Force (Join-Path "$packageRoot" "osquery.man") $targetFolder
Copy-Item -Force (Join-Path "$PSScriptRoot" "osquery_utils.ps1") $targetFolder
Copy-Item -Force (Join-Path "$packageRoot" "osqueryi.exe") $targetFolder

# We intentionally do not replace configuration and flags files from previous
# installations, as these often dictate the osquery configuration and may not
# change through upgrades.
$currConf = (Join-Path "$targetFolder" "osquery.conf")
if (-not (Test-Path $currConf)) {
  Copy-Item -Force (Join-Path "$packageRoot" "osquery.conf") $targetFolder
}
$currFlags = (Join-Path "$targetFolder" "osquery.flags")
if (-not (Test-Path $currFlags)) {
  Copy-Item -Force (Join-Path "$packageRoot" "osquery.flags") $targetFolder
}

# The osquery daemon requires no low privileged users have write access to run
Set-SafePermissions $daemonFolder

if ($installService) {
  if (-not (Get-Service $serviceName -ErrorAction SilentlyContinue)) {
    Write-Debug 'Installing osquery daemon service.'
    # If the 'install' parameter is passed, we create a Windows service with
    # the flag file in the default location, 'C:\Program Files\osquery'
    $cmd = '"{0}" --flagfile="{1}\osquery.flags"' -f $destDaemonBin, $targetFolder

    $svcArgs = @{
      Name = $serviceName
      BinaryPathName = $cmd
      DisplayName = $serviceName
      Description = $serviceDescription
      StartupType = "Automatic"
    }
    New-Service @svcArgs

    # If the osquery.flags file doesn't exist, we create a blank one.
    if (-not (Test-Path "$targetFolder\osquery.flags")) {
      Add-Content "$targetFolder\osquery.flags" $null
    }
  }
  Start-Service $serviceName
}

# Add osquery binary path to machines path for ease of use.
Install-ChocolateyPath $targetFolder -PathType 'Machine'
tools\chocolateyuninstall.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

# Remove the osquery path from the System PATH variable. Note: Here
# we don't make use of our local vars, as Regex requires escaping the '\'
$oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
if ($oldPath -imatch [regex]::escape($targetFolder)) {
  $newPath = $oldPath -replace [regex]::escape($targetFolder), $NULL
  [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
}

if ((Get-Service $serviceName -ErrorAction SilentlyContinue)) {
  Stop-Service $serviceName

  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }

  Set-Service $serviceName -startuptype 'manual'
  Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'" | Invoke-CimMethod -methodName Delete
}

if (Test-Path $targetFolder) {
  Remove-Item -Force -Recurse $targetFolder
} else {
  Write-Debug 'osquery was not found on the system. Nothing to do.'
}
tools\osquery_utils.ps1
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# Force Powershell to use TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# The osquery installation happens in Program Files
$progFiles =  [System.Environment]::GetEnvironmentVariable('ProgramFiles')
$targetFolder = Join-Path $progFiles 'osquery'

# Maintain the daemon and extension folders for "safe" permissions management
$daemonFolder = Join-Path $targetFolder 'osqueryd'
$extensionsFolder = Join-Path $targetFolder 'extensions'
$logFolder = Join-Path $targetFolder 'log'

# Maintain the binary paths for creating the system service and extraction
$targetDaemonBin = Join-Path $targetFolder "osqueryd.exe"
$destDaemonBin = Join-Path $daemonFolder "osqueryd.exe"

# Meta data for the system service installation
$serviceName = 'osqueryd'
$serviceDescription = 'osquery daemon service'

# Track the old installation paths for removal
$progData = [System.Environment]::GetEnvironmentVariable('ProgramData')
$legacyInstall = Join-Path $progData "osquery"

# Helper function to add an explicit Deny-Write ACE for the Everyone group
function Set-DenyWriteAcl {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $targetDir = '',
    [string] $action = ''
  )
  if (($action -ine 'Add') -and ($action -ine 'Remove')) {
    Write-Debug '[-] Invalid action in Set-DenyWriteAcl.'
    return $false
  }
  if ($PSCmdlet.ShouldProcess($targetDir)) {
    $acl = Get-Acl $targetDir
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Deny

    $worldSIDObj = New-Object System.Security.Principal.SecurityIdentifier ('S-1-1-0')
    $worldUser = $worldSIDObj.Translate([System.Security.Principal.NTAccount])
    $permission = $worldUser.Value, "write", $inheritanceFlag, $propagationFlag, $permType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    # We only support adding or removing the ACL
    if ($action -ieq 'add') {
      $acl.SetAccessRule($accessRule)
    } else {
      $acl.RemoveAccessRule($accessRule)
    }
    Set-Acl $targetDir $acl
    return $true
  }
  return $false
}

# A helper function to set "safe" permissions for osquery binaries
function Set-SafePermissions {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $target = ''
  )
  if ($PSCmdlet.ShouldProcess($target)) {
    $acl = Get-Acl $target

    # First, to ensure success, we remove the entirety of the ACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($access in $acl.Access) {
      $acl.RemoveAccessRule($access)
    }
    Set-Acl $target $acl

    $acl = Get-Acl $target
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Allow

    # "Safe" permissions in osquery entail the containing folder and binary both
    # are owned by the Administrators group, as well as no account has Write
    # permissions except for the Administrators group and SYSTEM account
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $systemUser = $systemSid.Translate([System.Security.Principal.NTAccount])

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount])

    $usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $usersGroup = $usersSid.Translate([System.Security.Principal.NTAccount])

    $permGroups = @($systemUser, $adminsGroup, $usersGroup)
    foreach ($accnt in $permGroups) {
      $grantedPerm = ''
      if ($accnt -eq $usersGroup) {
        $grantedPerm = 'ReadAndExecute'
      } else {
        $grantedPerm = 'FullControl'
      }
      $permission = $accnt.Value, $grantedPerm, $inheritanceFlag, $propagationFlag, $permType
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $acl.SetAccessRule($accessRule)
    }
    $acl.SetOwner($adminsGroup)
    Set-Acl $target $acl

    # Finally set the Administrators group as the owner for all items
    $items = Get-ChildItem -Recurse -Path $target
    foreach ($item in $items) {
      $acl = Get-Acl -Path $item.FullName
      $acl.SetOwner($adminsGroup)
      Set-Acl $item.FullName $acl
    }

    return $true
  }
  return $false
}

# Helper function for running a .bat file from powershell
function Invoke-BatchFile {
  param(
    [string]$path,
    [string]$parameters
  )
  $tempFile = [IO.Path]::GetTempFileName()
  cmd.exe /c " `"$path`" $parameters && set > `"$tempFile`" "
  Get-Content $tempFile | Foreach-Object {
    if ($_ -match '^(.*?)=(.*)$') {
      Set-Content "env:\$($matches[1])" $matches[2]
    }
  }
  Remove-Item $tempFile
}

# Constructs a chocolatey .nuspec file in the current directory
function Write-NuSpec {
  param(
    [string] $packageName,
    [string] $version,
    [string] $authors,
    [string] $owners,
    [string] $projectSource,
    [string] $packageSourceUrl,
    [string] $copyright,
    [string] $license
  )
  $nuspec = @"
<?xml version="1.0" encoding="utf-8"?>
<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>$packageName</id>
    <title>$packageName</title>
    <version>$version</version>
    <authors>$authors</authors>
    <owners>$owners</owners>
    <summary>$packageName</summary>
    <description>$packageName</description>
    <projectUrl>$projectSource</projectUrl>
    <packageSourceUrl>$packageSourceUrl</packageSourceUrl>
    <tags>$packageName</tags>
    <copyright>$copyright</copyright>
    <licenseUrl>$license</licenseUrl>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
  </metadata>
  <files>
    <file src="local\**" target="local" />
  </files>
</package>
"@
  Out-File -Encoding "UTF8" -FilePath "$packageName.nuspec" -InputObject $nuspec
}

# Derive the location of the osquery build location
function Get-OsqueryBuildPath {
  [OutputType('System.String')]
  param()
  $loc = Get-Location
  $toks = $loc -Split '\\'
  $ret = ''
  0..$toks.length | ForEach-Object {
    if (Test-Path "$($toks[0..$_] -Join '\')\tools\provision.ps1") {
      $ret = "$($toks[0..$_] -Join '\')\build"
    }
  }
  return $ret
}

# Helper function to add to the SYSTEM path
function Add-ToSystemPath {
  param(
    [string] $targetFolder = ''
  )

  $oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
  if (-not ($oldPath -imatch [regex]::escape($targetFolder))) {
    $newPath = $oldPath
    if ($oldPath[-1] -eq ';') {
      $newPath = $newPath + $targetFolder
    } else {
      $newPath = $newPath + ';' + $targetFolder
    }
    [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
  }
}

# A helper function for starting and waiting on processes in powershell
function Start-OsqueryProcess {
  param(
    [string] $binaryPath = '',
    [array] $binaryArgs = @(),
    [bool] $redirectOutput = $true
  )
  $pinfo = New-Object System.Diagnostics.ProcessStartInfo
  $pinfo.FileName = $binaryPath
  $pinfo.RedirectStandardError = $redirectOutput
  $pinfo.RedirectStandardOutput = $redirectOutput
  $pinfo.UseShellExecute = $false
  $pinfo.Arguments = $binaryArgs
  $pinfo.WorkingDirectory = Get-Location
  $p = New-Object System.Diagnostics.Process
  $p.StartInfo = $pinfo
  $p.Start()
  $p.WaitForExit()

  if ($redirectOutput) {
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $exit = $p.ExitCode
    [PSCustomObject] @{
      stdout = $stdout
      stderr = $stderr
      exitcode = $exit
    }
  } else {
    $exit = $p.ExitCode
    [PSCustomObject] @{
      exitcode = $exit
    }
  }
}

# A helper function to derive the latest VS install
function Get-VSInfo {

  # Attempt to make use of vswhere to derive the build tools scripts
  $vswhere = (Get-Command 'vswhere').Source
  $vswhereArgs = @('-latest', '-legacy')
  $vswhereOut = (Start-OsqueryProcess $vswhere $vswhereArgs).stdout
  $vsinfo = New-Object -TypeName psobject
  $vsinfo | Add-Member -MemberType NoteProperty -Name version -Value ''
  $vsinfo | Add-Member -MemberType NoteProperty -Name location -Value ''
  foreach ($l in $vswhereOut.split([environment]::NewLine)) {
    $toks = $l.split(":")
    if ($toks.Length -lt 2) {
      continue
    }
    if ($toks[0].trim() -like 'installationVersion') {
      $vsinfo.version = $toks[1].Split(".")[0]
    }
    if ($toks[0].trim() -like 'installationPath') {
      $vsinfo.location = [System.String]::Join(":", $toks[1..$toks.Length])
    }
  }
  $vsinfo.location = $vsinfo.location.trim()
  $vsinfo.version = $vsinfo.version.trim()
  return $vsinfo
}

# A helper function to derive the latest VS install and call vcvarsall.bat
function Invoke-VcVarsAll {
  $vsinfo = Get-VSInfo
  $vsLoc = $vsinfo.location
  $vsVersion = $vsinfo.version

  if ($vsLoc -ne '') {
    $vcvarsall = Join-Path $vsLoc 'VC'
    if ($vsVersion -eq '15') {
      $vcvarsall = Join-Path $vcvarsall '\Auxiliary\Build\vcvarsall.bat'
    } else {
      $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
    }

    # Lastly invoke the environment provisioning script
    $null = Invoke-BatchFile "$vcvarsall" "amd64"
    return $true
  }

  # As a last ditch effort, attempt to find the env variables set by VS2015
  # in order to derive the location of vcvarsall
  $vsComnTools = [environment]::GetEnvironmentVariable("VS140COMNTOOLS")
  if ($vsComnTools -eq '') {
    return $false
  }
  $vcvarsall = Resolve-Path $(Join-Path "$vsComnTools" "..\..\VC")
  $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
  $null = Invoke-BatchFile "$vcvarsall" "amd64"
  return $true
}
VERIFICATION.txt
VERIFICATION

Verification is intended to assist the Chocolatey moderators and community
in verifying that this package's contents are trustworthy.

Package can be verified like this:

  - Check that the file signing certificate is valid:
  ```
  PS C:\\Users\\thor> Get-AuthenticodeSignature 'C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe'
    Directory: C:\\Program Files\\osquery\\osqueryd

    SignerCertificate                         Status          Path
    -----------------                         ------          ----
    EEA3330A4F0FAC86A3FE01F1E7D72E7A9808AC86  Valid           osqueryd.exe
  ```

  - Check that the file hash of the osqueryd.exe binary is correct:
  ```
  PS C:\\Users\\thor> (Get-FileHash -Algorithm sha256 'C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe').Hash
  ```

  - Alternatively pull the MSI package from https://osquery.io and verify the osqueryd.exe hashes match

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Version Downloads Last Updated Status
osquery 4.5.0 9335 Thursday, October 1, 2020 Approved
osquery 4.4.0 12883 Friday, July 31, 2020 Approved
osquery 4.3.0 19368 Saturday, May 9, 2020 Approved
osquery 4.2.0 28693 Tuesday, February 25, 2020 Approved
osquery 4.0.2 58321 Friday, September 13, 2019 Approved
osquery 4.0.1 480 Wednesday, September 11, 2019 Approved
osquery 3.4.0 9438 Thursday, May 23, 2019 Approved
osquery 3.3.2 27104 Monday, January 28, 2019 Approved

This package has no dependencies.

Discussion for the osquery Package

Ground Rules:

  • This discussion is only about osquery and the osquery package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or osquery, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus