--- apiVersion: v1 kind: pack spec: name: windows-pack queries: - description: System info snapshot query interval: 28800 name: system_info_snapshot platform: windows query: system_info_snapshot snapshot: true - description: List in-use Windows drivers interval: 3600 name: drivers platform: windows query: drivers - description: Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device. interval: 3600 name: shared_resources platform: windows query: shared_resources - description: Lists all the patches applied interval: 3600 name: patches platform: windows query: patches removed: false - description: Pipes snapshot query interval: 28800 name: pipes_snapshot platform: windows query: pipes_snapshot snapshot: true - description: Programs snapshot query interval: 28800 name: programs_snapshot platform: windows query: programs_snapshot snapshot: true - description: Services snapshot query interval: 28800 name: services_snapshot platform: windows query: services_snapshot snapshot: true - description: WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details. interval: 3600 name: wmi_cli_event_consumers platform: windows query: wmi_cli_event_consumers - description: Lists the relationship between event consumers and filters. interval: 3600 name: wmi_filter_consumer_binding platform: windows query: wmi_filter_consumer_binding - description: Snapshot query for Chrome extensions interval: 3600 name: chrome_extensions_snapshot platform: windows query: chrome_extensions_snapshot - description: Retrieve the interface name, IP address, and MAC address for all interfaces on the host. interval: 600 name: network_interfaces_snapshot platform: windows query: network_interfaces_snapshot snapshot: true - description: Local system users. interval: 3600 name: users platform: windows query: users - description: Snapshot query for WMI event consumers. interval: 28800 name: wmi_cli_event_consumers_snapshot platform: windows query: wmi_cli_event_consumers_snapshot snapshot: true - description: List all certificates in the trust store interval: 3600 name: certificates platform: windows query: certificates removed: false - description: Drivers snapshot query interval: 28800 name: drivers_snapshot platform: windows query: drivers_snapshot snapshot: true - description: Lists WMI event filters. interval: 3600 name: wmi_event_filters platform: windows query: wmi_event_filters - description: List installed Internet Explorer extensions interval: 3600 name: ie_extensions platform: windows query: ie_extensions - description: List the kernel path, version, etc. interval: 3600 name: kernel_info platform: windows query: kernel_info - description: List the version of the resident operating system interval: 3600 name: os_version platform: windows query: os_version - description: Patches snapshot query interval: 28800 name: patches_snapshot platform: windows query: patches_snapshot snapshot: true - description: Named and Anonymous pipes. interval: 3600 name: pipes platform: windows query: pipes removed: false - description: Lists installed programs interval: 0 name: programs platform: windows query: programs - description: List all certificates in the trust store (snapshot query) interval: 0 name: certificates_snapshot platform: windows query: certificates_snapshot snapshot: true - description: List the contents of the Windows hosts file interval: 3600 name: etc_hosts platform: windows query: etc_hosts - description: Lists all of the tasks in the Windows task scheduler interval: 3600 name: scheduled_tasks platform: windows query: scheduled_tasks - description: Extracted information from Windows crash logs (Minidumps). interval: 3600 name: windows_crashes platform: windows query: windows_crashes removed: false - description: System uptime interval: 3600 name: uptime platform: windows query: uptime snapshot: true - description: Snapshot query for WMI script event consumers. interval: 3600 name: wmi_script_event_consumers platform: windows query: wmi_script_event_consumers snapshot: true - description: List installed Chocolatey packages interval: 3600 name: chocolatey_packages platform: windows query: chocolatey_packages - description: Shared resources snapshot query interval: 28800 name: shared_resources_snapshot platform: windows query: shared_resources_snapshot snapshot: true - description: Lists all installed services configured to start automatically at boot interval: 3600 name: services platform: windows query: services - description: Users snapshot query interval: 28800 name: users_snapshot platform: windows query: users_snapshot snapshot: true - description: List installed Chrome Extensions for all users interval: 3600 name: chrome_extensions platform: windows query: chrome_extensions - description: Operating system version snapshot query interval: 28800 name: os_version_snapshot platform: windows query: os_version_snapshot snapshot: true - description: System information for identification. interval: 3600 name: system_info platform: windows query: system_info - description: Snapshot query for WMI event filters. interval: 28800 name: wmi_event_filters_snapshot platform: windows query: wmi_event_filters_snapshot snapshot: true - description: Snapshot query for WMI filter consumer bindings. interval: 28800 name: wmi_filter_consumer_binding_snapshot platform: windows query: wmi_filter_consumer_binding_snapshot snapshot: true - description: Information about the resident osquery process interval: 28800 name: osquery_info platform: windows query: osquery_info snapshot: true - description: Scheduled Tasks snapshot query interval: 28800 name: scheduled_tasks_snapshot platform: windows query: scheduled_tasks_snapshot snapshot: true targets: labels: null --- apiVersion: v1 kind: query spec: description: System info snapshot query name: system_info_snapshot query: SELECT * FROM system_info; --- apiVersion: v1 kind: query spec: description: List in-use Windows drivers name: drivers query: SELECT * FROM drivers; --- apiVersion: v1 kind: query spec: description: Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device. name: shared_resources query: SELECT * FROM shared_resources; --- apiVersion: v1 kind: query spec: description: Lists all the patches applied name: patches query: SELECT * FROM patches; --- apiVersion: v1 kind: query spec: description: Pipes snapshot query name: pipes_snapshot query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid); --- apiVersion: v1 kind: query spec: description: Programs snapshot query name: programs_snapshot query: SELECT * FROM programs; --- apiVersion: v1 kind: query spec: description: Services snapshot query name: services_snapshot query: SELECT * FROM services; --- apiVersion: v1 kind: query spec: description: WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details. name: wmi_cli_event_consumers query: SELECT * FROM wmi_cli_event_consumers; --- apiVersion: v1 kind: query spec: description: Lists the relationship between event consumers and filters. name: wmi_filter_consumer_binding query: SELECT * FROM wmi_filter_consumer_binding; --- apiVersion: v1 kind: query spec: description: Snapshot query for Chrome extensions name: chrome_extensions_snapshot query: SELECT * FROM users JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: Retrieve the interface name, IP address, and MAC address for all interfaces on the host. name: network_interfaces_snapshot query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface); --- apiVersion: v1 kind: query spec: description: Local system users. name: users query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: Snapshot query for WMI event consumers. name: wmi_cli_event_consumers_snapshot query: SELECT * FROM wmi_cli_event_consumers; --- apiVersion: v1 kind: query spec: description: List all certificates in the trust store name: certificates query: SELECT * FROM certificates WHERE path != 'Other People'; --- apiVersion: v1 kind: query spec: description: Drivers snapshot query name: drivers_snapshot query: SELECT * FROM drivers; --- apiVersion: v1 kind: query spec: description: Lists WMI event filters. name: wmi_event_filters query: SELECT * FROM wmi_event_filters; --- apiVersion: v1 kind: query spec: description: List installed Internet Explorer extensions name: ie_extensions query: SELECT * FROM ie_extensions; --- apiVersion: v1 kind: query spec: description: List the kernel path, version, etc. name: kernel_info query: SELECT * FROM kernel_info; --- apiVersion: v1 kind: query spec: description: List the version of the resident operating system name: os_version query: SELECT * FROM os_version; --- apiVersion: v1 kind: query spec: description: Patches snapshot query name: patches_snapshot query: SELECT * FROM patches; --- apiVersion: v1 kind: query spec: description: Named and Anonymous pipes. name: pipes query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid); --- apiVersion: v1 kind: query spec: description: Lists installed programs name: programs query: SELECT * FROM programs; --- apiVersion: v1 kind: query spec: description: List all certificates in the trust store (snapshot query) name: certificates_snapshot query: SELECT * FROM certificates WHERE path != 'Other People'; --- apiVersion: v1 kind: query spec: description: List the contents of the Windows hosts file name: etc_hosts query: SELECT * FROM etc_hosts; --- apiVersion: v1 kind: query spec: description: Lists all of the tasks in the Windows task scheduler name: scheduled_tasks query: SELECT * FROM scheduled_tasks; --- apiVersion: v1 kind: query spec: description: Extracted information from Windows crash logs (Minidumps). name: windows_crashes query: SELECT * FROM windows_crashes; --- apiVersion: v1 kind: query spec: description: System uptime name: uptime query: SELECT * FROM uptime; --- apiVersion: v1 kind: query spec: description: Snapshot query for WMI script event consumers. name: wmi_script_event_consumers query: SELECT * FROM wmi_script_event_consumers; --- apiVersion: v1 kind: query spec: description: List installed Chocolatey packages name: chocolatey_packages query: SELECT * FROM chocolatey_packages; --- apiVersion: v1 kind: query spec: description: Shared resources snapshot query name: shared_resources_snapshot query: SELECT * FROM shared_resources; --- apiVersion: v1 kind: query spec: description: Lists all installed services configured to start automatically at boot name: services query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START'; --- apiVersion: v1 kind: query spec: description: Users snapshot query name: users_snapshot query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: List installed Chrome Extensions for all users name: chrome_extensions query: SELECT * FROM users JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: Operating system version snapshot query name: os_version_snapshot query: SELECT * FROM os_version; --- apiVersion: v1 kind: query spec: description: System information for identification. name: system_info query: SELECT * FROM system_info; --- apiVersion: v1 kind: query spec: description: Snapshot query for WMI event filters. name: wmi_event_filters_snapshot query: SELECT * FROM wmi_event_filters; --- apiVersion: v1 kind: query spec: description: Snapshot query for WMI filter consumer bindings. name: wmi_filter_consumer_binding_snapshot query: SELECT * FROM wmi_filter_consumer_binding; --- apiVersion: v1 kind: query spec: description: Information about the resident osquery process name: osquery_info query: SELECT * FROM osquery_info; --- apiVersion: v1 kind: query spec: description: Scheduled Tasks snapshot query name: scheduled_tasks_snapshot query: SELECT * FROM scheduled_tasks;