
Query Exchange

QUERIES

Query to check for vulnerable versions of Google Chrome (CVE-2023-6345)

Approved 1 Comment Submitted by DK 11-29-2023

Description: Edit: The query has been updated to report on specific versions of Chrome that are vuln...

Carbon Black Vulnerability Management Windows

0 Votes

Sensor Host IP&MAC (auto -dhcp- or manual)

Approved 1 Comment Submitted by roromarti 11-10-2023

Description: Show a list of host sensor's IP and MAC address auto-assigned by <dhcp> or manually...

Community IT Hygiene Linux Mac Windows

0 Votes

Sensor Host IP (auto -dhcp- or manual)

Approved 1 Comment Submitted by roromarti 11-07-2023

Description: Show a list of host sensor's IP auto-assigned by <dhcp> or manually assigned labele...

Community Help Desk Operations IT Hygiene Linux Mac Windows

0 Votes

Using YARA rules to detect webshell

Under Review 1 Comment Submitted by GerAbm01 06-18-2023

Description: Attempts to find PHP webshell-type malware in the system.
What The Data Shows: report if t...

Community IT Hygiene Windows

1 Vote

Status of Fast Startup

Approved 1 Comment Submitted by dvollendorf 06-12-2023

Description: This query checks a registry key to see if Fast Startup is enabled or disabled on the c...

Carbon Black Compliance Windows

2 Votes

Telnet Client Enabled, Disabled or Absent

Approved 1 Comment Submitted by Tom-Houpt 06-09-2023

Description: Whether the Telnet Client is Enabled, Disabled or Absent
What The Data Shows: Telnet is...

Carbon Black Compliance Help Desk Operations IT Hygiene Windows

2 Votes

Trivial File Transfer Protocol (TFTP) On, Off or Absent

Approved 1 Comment Submitted by Tom-Houpt 06-08-2023

Description: Shows if you have TFTP enabled, disabled or absent in your Windows environment.
What...

Carbon Black Compliance Help Desk Operations IT Hygiene Windows

1 Vote

CVE-2022-32168 Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking

Approved 1 Comment Submitted by marc_gamet 03-31-2023

Description: Creates a report of endpoints with Notepad++ installed, including application version, ...

Community Compliance Vulnerability Management Windows

2 Votes

Detect Static IP

Approved 1 Comment Submitted by rsotomayor 12-22-2022

Description: This query looks for any system that has a static IP set.
What The Data Shows: The ...

Carbon Black Compliance Help Desk Operations IT Hygiene Linux Windows

2 Votes

Webshells on Microsoft Exchange Servers

Approved 2 Comments Submitted by TAR2 11-17-2022

Description: This query looks for suspected webshells in the locations they are commonly located, wh...

Community Incident Response IT Hygiene Windows

3 Votes

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built on the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, their status is updated to “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.