
Query Exchange

QUERIES

macOS Disk Encryption

Approved 1 Comment Submitted by stympanick a week ago

Source: https://www.uptycs.com/blog/osquery-tutorial-how-to-check-disk-encryption-on-mac-linux-and-wi...

Community IT Hygiene Mac

1 Vote

Audit docker TCP API sockets (re Doki malware)

Approved 1 Comment Submitted by gallen 07-30-2020

Description: This query looks for listening docker daemon TCP sockets. These sockets are vulnerable ...

Carbon Black Compliance IT Hygiene Linux Vulnerability Management

0 Votes

Determine CVE-2020-0594 Vulnerability Status

Approved 1 Comment Submitted by DPennyDell 07-02-2020

Description: This query discovers the Intel Management Engine (IME) version, and cross-references it...

Carbon Black Compliance IT Hygiene Vulnerability Management Windows

3 Votes

SMBleed CVE-2020-1206 Vulnerability

Approved 1 Comment Submitted by JRoosa 06-11-2020

Description: Lists endpoints that are either vulnerable or not vulnerable to the SMBleed vulnerabilit...

Carbon Black Vulnerability Management Windows

2 Votes

query salt-master rpm/deb versions with remote-code-execution vulnerabilities: CVE-2020-11651 and CVE-2020-116...

Approved 1 Comment Submitted by gallen 05-08-2020

Description: This query looks for versions of the salt-master package vulnerable to CVE-2020-11651 an...

Carbon Black Linux Vulnerability Management

1 Vote

SMB named pipe based C2/LM activity indicator

Approved 4 Comments Submitted by jaydelcic 05-06-2020

Description: This query looks for the default named pipes used by the most common C2/LM tools. What T...

Community Incident Response Windows

1 Vote

Open sockets from Endpoints

Approved 1 Comment Submitted by gstrandberg 04-07-2020

Description: This query gets the currently open sockets from the endpoints - useful in Incident Respon...

Community Incident Response Linux Mac Windows

2 Votes

Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796)

Approved 1 Comment Submitted by gallen 03-16-2020

Description: Discover SMB servers potentially vulnerable to CVE-2020-0796. Indicates vulnerability wh...

Carbon Black Vulnerability Management Windows

3 Votes

CVE-2020-0796 | Windows SMBv3 RCE

Approved 1 Comment Submitted by s-shimizu 03-13-2020

Description: Query checks for CVE-2020-0796 Windows SMBv3 Client/Server Remote Code Execution Vulnerabi...

Community IT Hygiene Windows

4 Votes

Linux and macOS X login information

Approved 3 Comments Submitted by stympanick 02-27-2020

Description: Linux and macOS X login information
Source: https://medium.com/@zercurity/building-at...

Carbon Black Help Desk Operations Incident Response IT Hygiene Linux Mac

2 Votes

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built on the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once a submission has been vetted by Carbon Black, it is updated to reflect “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.