QUERIES
Finding specific indicators of compromise (IOCs) for Mac in memory or on disk
Approved 4 Comments Submitted by alpopov 2 weeks agoDescription: Finding specific indicators of compromise (IOCs) in memory or on diskWhat The Data...
0Votes
List all inactive security products
Approved 1 Comment Submitted by jaydelcic 3 weeks agoDescription: Threat actors disable AV to evade detection. The proposed query probes the state of reg...
0Votes
macOS Disk Encryption
Approved 1 Comment Submitted by stympanick 09-17-2020Source:https://www.uptycs.com/blog/osquery-tutorial-how-to-check-disk-encryption-on-mac-linux-and-wi...
2Votes
Audit docker TCP API sockets (re Doki malware)
Approved 1 Comment Submitted by gallen 07-30-2020Description: This query looks for listening docker daemon TCP sockets. These sockets are vulnerable ...
Carbon Black Compliance IT Hygiene Linux Vulnerability Management
0Votes
Determine CVE-2020-0594 Vulnerability Status
Approved 1 Comment Submitted by DPennyDell 07-02-2020Description: This query discovers the Intel Management Engine (IME) version, and cross-references it...
Carbon Black Compliance IT Hygiene Vulnerability Management Windows
3Votes
SMBleed CVE-2020-1206 Vulnerability
Approved 1 Comment Submitted by JRoosa 06-11-2020Description:Lists endpoints that are either vulnerable or not vulnerable to the SMBleed vulnerabilit...
2Votes
query salt-master rpm/deb versions with remote-code-execution vulnerabilities: CVE-2020-11651 and CVE-2020-116...
Approved 1 Comment Submitted by gallen 05-08-2020Description: This query looks for versions of the salt-master package vulnerable toCVE-2020-11651 an...
1Vote
SMB named pipe based C2/LM activity indicator
Approved 4 Comments Submitted by jaydelcic 05-06-2020Description: This query looks for the default named pipes used by the most common C2/LM tools.What T...
1Vote
Open sockets from Endpoints
Approved 1 Comment Submitted by gstrandberg 04-07-2020Description:This Query get the currently open sockets from the Endpoints - useful in Incident Respon...
2Votes
Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796)
Approved 1 Comment Submitted by gallen 03-16-2020Description:Discover SMB servers potentially vulnerable to CVE-2020-0796. Indicates vulnerability wh...
3Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
