--- apiVersion: v1 kind: pack spec: name: mac-pack queries: - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' interval: 3600 name: emond platform: darwin query: emond - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' interval: 28800 name: emond_snapshot platform: darwin query: emond_snapshot snapshot: true - description: Track time/action changes to files specified in configuration data. interval: 300 name: file_events platform: darwin query: file_events removed: false - description: The installed homebrew package database. interval: 28800 name: homebrew_packages_snapshot platform: darwin query: homebrew_packages_snapshot snapshot: true - description: List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple) interval: 3600 name: macosx_kextstat platform: darwin query: macosx_kextstat - description: Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence. interval: 3600 name: rc.common platform: darwin query: rc.common - description: Returns information about installed event taps. Can be used to detect keyloggers interval: 300 name: event_taps platform: darwin query: event_taps - description: LaunchAgents and LaunchDaemons from default search paths. interval: 3600 name: launchd platform: darwin query: launchd - description: Snapshot query for launchd interval: 28800 name: launchd_snapshot platform: darwin query: launchd_snapshot snapshot: true - description: Detect the presence of the LD_PRELOAD environment variable interval: 60 name: ld_preload platform: darwin query: ld_preload removed: false - description: USB devices that are actively plugged into the host system. interval: 300 name: usb_devices platform: darwin query: usb_devices - description: System mounted devices and filesystems (not process specific). interval: 3600 name: mounts platform: darwin query: mounts removed: false - description: Apple NVRAM variable listing. interval: 3600 name: nvram platform: darwin query: nvram removed: false - description: Line parsed values from system and user cron/tab. interval: 3600 name: crontab platform: darwin query: crontab - description: Hardware (PCI/USB/HID) events from UDEV or IOKit. interval: 300 name: hardware_events platform: darwin query: hardware_events removed: false - description: The installed homebrew package database. interval: 3600 name: homebrew_packages platform: darwin query: homebrew_packages - description: OS X applications installed in known search paths (e.g., /Applications). interval: 3600 name: installed_applications platform: darwin query: installed_applications - description: System logins and logouts. interval: 3600 name: last platform: darwin query: last removed: false - description: Snapshot query for macosx_kextstat interval: 28800 name: macosx_kextstat_snapshot platform: darwin query: macosx_kextstat_snapshot snapshot: true - description: Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence. interval: 28800 name: rc.common_snapshot platform: darwin query: rc.common_snapshot snapshot: true - description: Safari browser extension details for all users. interval: 3600 name: safari_extensions platform: darwin query: safari_extensions - description: suid binaries in common locations. interval: 28800 name: suid_bin platform: darwin query: suid_bin removed: false - description: Local system users. interval: 28800 name: users platform: darwin query: users - description: List authorized_keys for each user on the system interval: 28800 name: authorized_keys platform: darwin query: authorized_keys - description: Application, System, and Mobile App crash logs. interval: 3600 name: crashes platform: darwin query: crashes removed: false - description: Displays the percentage of free space available on the primary disk partition interval: 3600 name: disk_free_space_pct platform: darwin query: disk_free_space_pct snapshot: true - description: Retrieve the interface name, IP address, and MAC address for all interfaces on the host. interval: 600 name: network_interfaces_snapshot platform: darwin query: network_interfaces_snapshot snapshot: true - description: Information about EFI/UEFI/ROM and platform/boot. interval: 28800 name: platform_info platform: darwin query: platform_info removed: false - description: System uptime interval: 1800 name: uptime platform: darwin query: uptime snapshot: true - description: MD5 hash of boot.efi interval: 28800 name: boot_efi_hash platform: darwin query: boot_efi_hash - description: Snapshot query for Chrome extensions interval: 28800 name: chrome_extensions_snapshot platform: darwin query: chrome_extensions_snapshot - description: Snapshot query for installed_applications interval: 28800 name: installed_applications_snapshot platform: darwin query: installed_applications_snapshot snapshot: true - description: NFS shares exported by the host. interval: 3600 name: nfs_shares platform: darwin query: nfs_shares removed: false - description: List the version of the resident operating system interval: 28800 name: os_version platform: darwin query: os_version - description: Applications and binaries set as user/login startup items. interval: 3600 name: startup_items platform: darwin query: startup_items - description: All C/NPAPI browser plugin details for all users. interval: 3600 name: browser_plugins platform: darwin query: browser_plugins - description: List installed Firefox addons for all users interval: 3600 name: firefox_addons platform: darwin query: firefox_addons - description: Discover hosts that have IP forwarding enabled interval: 28800 name: ip_forwarding_enabled platform: darwin query: ip_forwarding_enabled removed: false - description: Platform info snapshot query interval: 28800 name: platform_info_snapshot platform: darwin query: platform_info_snapshot - description: Python packages installed in a system. interval: 3600 name: python_packages platform: darwin query: python_packages - description: List installed Chrome Extensions for all users interval: 3600 name: chrome_extensions platform: darwin query: chrome_extensions - description: Disk encryption status and information. interval: 3600 name: disk_encryption platform: darwin query: disk_encryption - description: Local system users. interval: 28800 name: users_snapshot platform: darwin query: users_snapshot - description: OS X known/remembered Wi-Fi networks list. interval: 28800 name: wireless_networks platform: darwin query: wireless_networks removed: false - description: Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) interval: 28800 name: efigy platform: darwin query: efigy snapshot: true - description: List the contents of /etc/hosts interval: 28800 name: etc_hosts platform: darwin query: etc_hosts - description: Operating system version snapshot query interval: 28800 name: os_version_snapshot platform: darwin query: os_version_snapshot snapshot: true - description: Information about the resident osquery process interval: 28800 name: osquery_info platform: darwin query: osquery_info snapshot: true - description: Apple's System Integrity Protection (rootless) status. interval: 3600 name: sip_config platform: darwin query: sip_config - description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. interval: 3600 name: user_ssh_keys platform: darwin query: user_ssh_keys removed: false targets: labels: null --- apiVersion: v1 kind: query spec: description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' name: emond query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); --- apiVersion: v1 kind: query spec: description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' name: emond_snapshot query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); --- apiVersion: v1 kind: query spec: description: Track time/action changes to files specified in configuration data. name: file_events query: SELECT * FROM file_events; --- apiVersion: v1 kind: query spec: description: The installed homebrew package database. name: homebrew_packages_snapshot query: SELECT name, version FROM homebrew_packages; --- apiVersion: v1 kind: query spec: description: List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple) name: macosx_kextstat query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing'; --- apiVersion: v1 kind: query spec: description: Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence. name: rc.common query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!=''; --- apiVersion: v1 kind: query spec: description: Returns information about installed event taps. Can be used to detect keyloggers name: event_taps query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE '%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber' AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd' AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%' AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' AND event_taps.enabled=1; --- apiVersion: v1 kind: query spec: description: LaunchAgents and LaunchDaemons from default search paths. name: launchd query: SELECT * FROM launchd; --- apiVersion: v1 kind: query spec: description: Snapshot query for launchd name: launchd_snapshot query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd WHERE run_at_load=1; --- apiVersion: v1 kind: query spec: description: Detect the presence of the LD_PRELOAD environment variable name: ld_preload query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD'; --- apiVersion: v1 kind: query spec: description: USB devices that are actively plugged into the host system. name: usb_devices query: SELECT * FROM usb_devices; --- apiVersion: v1 kind: query spec: description: System mounted devices and filesystems (not process specific). name: mounts query: SELECT device, device_alias, path, type, blocks_size FROM mounts; --- apiVersion: v1 kind: query spec: description: Apple NVRAM variable listing. name: nvram query: SELECT * FROM nvram; --- apiVersion: v1 kind: query spec: description: Line parsed values from system and user cron/tab. name: crontab query: SELECT * FROM crontab; --- apiVersion: v1 kind: query spec: description: Hardware (PCI/USB/HID) events from UDEV or IOKit. name: hardware_events query: SELECT * FROM hardware_events; --- apiVersion: v1 kind: query spec: description: The installed homebrew package database. name: homebrew_packages query: SELECT * FROM homebrew_packages; --- apiVersion: v1 kind: query spec: description: OS X applications installed in known search paths (e.g., /Applications). name: installed_applications query: SELECT * FROM apps; --- apiVersion: v1 kind: query spec: description: System logins and logouts. name: last query: SELECT * FROM last; --- apiVersion: v1 kind: query spec: description: Snapshot query for macosx_kextstat name: macosx_kextstat_snapshot query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing'; --- apiVersion: v1 kind: query spec: description: Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence. name: rc.common_snapshot query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!=''; --- apiVersion: v1 kind: query spec: description: Safari browser extension details for all users. name: safari_extensions query: SELECT * FROM users JOIN safari_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: suid binaries in common locations. name: suid_bin query: SELECT * FROM suid_bin; --- apiVersion: v1 kind: query spec: description: Local system users. name: users query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: List authorized_keys for each user on the system name: authorized_keys query: SELECT * FROM users JOIN authorized_keys USING (uid); --- apiVersion: v1 kind: query spec: description: Application, System, and Mobile App crash logs. name: crashes query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users JOIN crashes USING (uid); --- apiVersion: v1 kind: query spec: description: Displays the percentage of free space available on the primary disk partition name: disk_free_space_pct query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1'; --- apiVersion: v1 kind: query spec: description: Retrieve the interface name, IP address, and MAC address for all interfaces on the host. name: network_interfaces_snapshot query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface); --- apiVersion: v1 kind: query spec: description: Information about EFI/UEFI/ROM and platform/boot. name: platform_info query: SELECT * FROM platform_info; --- apiVersion: v1 kind: query spec: description: System uptime name: uptime query: SELECT * FROM uptime; --- apiVersion: v1 kind: query spec: description: MD5 hash of boot.efi name: boot_efi_hash query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi'; --- apiVersion: v1 kind: query spec: description: Snapshot query for Chrome extensions name: chrome_extensions_snapshot query: SELECT * FROM users JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: Snapshot query for installed_applications name: installed_applications_snapshot query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM apps; --- apiVersion: v1 kind: query spec: description: NFS shares exported by the host. name: nfs_shares query: SELECT * FROM nfs_shares; --- apiVersion: v1 kind: query spec: description: List the version of the resident operating system name: os_version query: SELECT * FROM os_version; --- apiVersion: v1 kind: query spec: description: Applications and binaries set as user/login startup items. name: startup_items query: SELECT * FROM startup_items; --- apiVersion: v1 kind: query spec: description: All C/NPAPI browser plugin details for all users. name: browser_plugins query: SELECT * FROM users JOIN browser_plugins USING (uid); --- apiVersion: v1 kind: query spec: description: List installed Firefox addons for all users name: firefox_addons query: SELECT * FROM users JOIN firefox_addons USING (uid); --- apiVersion: v1 kind: query spec: description: Discover hosts that have IP forwarding enabled name: ip_forwarding_enabled query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE '%ip%' AND current_value=1; --- apiVersion: v1 kind: query spec: description: Platform info snapshot query name: platform_info_snapshot query: SELECT vendor, version, date, revision from platform_info; --- apiVersion: v1 kind: query spec: description: Python packages installed in a system. name: python_packages query: SELECT * FROM python_packages; --- apiVersion: v1 kind: query spec: description: List installed Chrome Extensions for all users name: chrome_extensions query: SELECT * FROM users JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: Disk encryption status and information. name: disk_encryption query: SELECT * FROM disk_encryption; --- apiVersion: v1 kind: query spec: description: Local system users. name: users_snapshot query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: OS X known/remembered Wi-Fi networks list. name: wireless_networks query: SELECT ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile FROM wifi_networks; --- apiVersion: v1 kind: query spec: description: Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) name: efigy query: SELECT * FROM efigy; --- apiVersion: v1 kind: query spec: description: List the contents of /etc/hosts name: etc_hosts query: SELECT * FROM etc_hosts; --- apiVersion: v1 kind: query spec: description: Operating system version snapshot query name: os_version_snapshot query: SELECT * FROM os_version; --- apiVersion: v1 kind: query spec: description: Information about the resident osquery process name: osquery_info query: SELECT * FROM osquery_info; --- apiVersion: v1 kind: query spec: description: Apple's System Integrity Protection (rootless) status. name: sip_config query: SELECT * FROM sip_config; --- apiVersion: v1 kind: query spec: description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. name: user_ssh_keys query: SELECT * FROM users JOIN user_ssh_keys USING (uid);