
Query Exchange

QUERIES

Find potential reverse shell or TTY abuse

Approved 1 Comment Submitted by gallen 2 weeks ago

Description:
This query searches for socat or scripting connections to TTYs as non-root users. T...

Carbon Black Incident Response Linux

1 Vote

CVE-2019-18634: sudo 1.7.1 <= version < 1.8.26 vulnerable when pwfeedback set (query for RHEL/CENTOS)

Approved 1 Comment Submitted by gallen 2 weeks ago

Description: This query looks for vulnerable versions of SUDO on rpm-based systems that also have th...

Carbon Black Linux Vulnerability Management

0 Votes

Firefox 72 Vulnerability

Under Review 1 Comment Submitted by stympanick a month ago

Source: https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/
Description: This query l...

Carbon Black Vulnerability Management Windows

0 Votes

macOS mail.app spawning reverse shells

Approved 1 Comment Submitted by stympanick 01-09-2020

Source: https://holdmybeersecurity.com/2020/01/03/poc-mail-app-the-boomerang-of-reverse-shells-on-mac...

Carbon Black Incident Response Mac

1 Vote

Windows services associated with most common remote control tools

Approved 3 Comments Submitted by jaydelcic 01-08-2020

Description: This query looks for service names associated with the most common remote control tools...

Community Incident Response IT Hygiene Windows

1 Vote

DB_Rep Size query

Approved 3 Comments Submitted by ryan_manni 01-06-2020

Description: This query looks for the DB_rep file for CB Defense and pulls back the size
What Th...

Community IT Hygiene Windows

0 Votes

Check if auth using blank password is possible via Network

Approved 1 Comment Submitted by jaydelcic 12-22-2019

Description: Checks for the value of 'LimitBlankPasswordUse' registry key. Recommendation is for the...

Community Incident Response IT Hygiene Windows

0 Votes

HKEY_USERS (NTUSER.DAT) Registry Query

Approved 6 Comments Submitted by creams 12-13-2019

Description: Looking for any PsExec Registry keys in an organization.
What The Data Shows: We're t...

Community Incident Response Windows

2 Votes

macOS LaunchDaemon's that keep running

Approved 1 Comment Submitted by stympanick 10-31-2019

Description: macOS LaunchDaemon's
What The Data Shows: Find every macOS LaunchDaemon that launche...

Carbon Black IT Hygiene Mac

5 Votes

All versions of Powershell Core

Approved 3 Comments Submitted by ksnihur 10-09-2019

Description: This query looks for all versions (6,7, preview versions) of PowerShell Core installed ...

Community Compliance IT Hygiene Linux Windows

1 Vote

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.