QUERIES
Using YARA rules to detect webshell
Under Review 1 Comment Submitted by GerAbm01 06-18-2023Description:Attempts to find PHP webshell type malware in the systemWhat The Data Shows: report if t...
1Vote
Status of Fast Startup
Approved 1 Comment Submitted by dvollendorf 06-12-2023Description: This query checks a registry key to see if Fast Startup is enabled or disabled on the c...
2Votes
Telnet Client Enabled, Disabled or Absent
Approved 1 Comment Submitted by Tom-Houpt 06-09-2023Description: Whether theTelnet Client Enabled, Disabled or AbsentWhat The Data Shows: Telnet is...
Carbon Black Compliance Help Desk Operations IT Hygiene Windows
2Votes
Trivial File Transfer Protocol (TFTP) On, Off or Absent
Approved 1 Comment Submitted by Tom-Houpt 06-08-2023Description:Shows if you have TFTP enabled, disabled or absent in your windows environment.What...
Carbon Black Compliance Help Desk Operations IT Hygiene Windows
1Vote
CVE-2022-32168 Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking
Approved 1 Comment Submitted by marc_gamet 03-31-2023Description: Creates a report of endpoints with Notepad++ installed, including application version, ...
2Votes
Detect Static IP
Approved 1 Comment Submitted by rsotomayor 12-22-2022Description: This query looks for any system that has a static IP set.What The Data Shows: The ...
Carbon Black Compliance Help Desk Operations IT Hygiene Linux Windows
2Votes
Webshells on Microsoft Exchange Servers
Approved 2 Comments Submitted by TAR2 11-17-2022Description: This query looks for suspected webshells in the locations they are commonly located, wh...
3Votes
Search/Hunt for malicious chrome extensions (w/ Identifiers)
Approved 4 Comments Submitted by M_Kiran_Kumar 09-02-2022Description: This query looks for extensions using known extension identifiers.Replace the extension...
Carbon Black Compliance Incident Response IT Hygiene Windows
6Votes
Search Download Folders for ISO downloads
Approved 2 Comments Submitted by craken-da-ship 08-03-2022Description: This query searches the downloads folder of all computers looking for .iso files. Can b...
3Votes
Powershell Execution Policy inquiry (user)
Approved 1 Comment Submitted by jnelson 06-01-2022Description: This query looks for the 'ExecutionPolicy' registry key under HKEY_USERS hive to provid...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Vulnerability Management Windows
6Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
