QUERIES
macOS LaunchDaemon's that keep running
Approved 1 Comment Submitted by stympanick 2 weeks agoDescription:macOS LaunchDaemon'sWhat The Data Shows: Find every macOS LaunchDaemon that launche...
3Votes
All versions of Powershell Core
Under Review 2 Comments Submitted by ksnihur 10-09-2019Description: This query looks for all versions (6,7, preview versions) of PowerShell Core installed ...
1Vote
Libssh vulnerability - CVE-2018-10933
Approved 1 Comment Submitted by ksnihur 09-20-2019Description: Query checks for the libssh vulnerability where clients create channels before authenti...
3Votes
Check Devices for BlueKeep Vulnerability
Approved 1 Comment Submitted by mjomha 09-13-2019Description: Query looks for Devices that are vulnerable to the BlueKeep Windows vulnerability (CVE-...
Community Incident Response Vulnerability Management Windows
1Vote
Find Active Wireless Interfaces
Approved 6 Comments Submitted by ksnihur 09-09-2019Description: Looks for active wireless interfacesWhat The Data Shows:Shows all active wireless ...
0Votes
Find specific installed application and version
Approved 1 Comment Submitted by ksnihur 09-09-2019Description: This query can be customized to specify the application to be queried. (replace the VLC...
0Votes
Rogue DHCP Servers
Approved 1 Comment Submitted by ksnihur 09-09-2019Description: This query looks for DHCP servers that are not in a permitted list.What The Data S...
0Votes
Executable in Suspicious Locations
Approved 1 Comment Submitted by ksnihur 09-09-2019Description: This query looks for suspicious executables which are in unusual locations.What Th...
2Votes
Stealthier persistence using new services purposely vulnerable to path interception
Approved 1 Comment Submitted by stympanick 09-05-2019Description:Identify all services running on your machinesWhat The Data Shows: Unquoted Service...
0Votes
Check if LLMNR is enabled
Approved 3 Comments Submitted by ksnihur 08-12-2019Description: This query looks to see if LLMNR is enabled. Part 2 of 2 for stopping Responder.What Th...
0Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
