A collection of optional queries you can run anytime. Contributions welcome over on GitHub.
The presence of authorized SSH keys may be unusual on laptops. It can be completely normal on servers, but is still worth auditing for unusual keys and/or changes.
List the authorized_keys entries for each user on the system.
Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
Retrieves the list of installed Safari Extensions for all users in the target system.
Lists all laptops with under-performing or failing batteries.
Get current users with an active shell/console on the system and the associated process.
Identify SSH private keys created without a passphrase, which can be used for Lateral Movement (MITRE ATT&CK TA0008).
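The two SSH checks above, written out as osquery SQL. These are added examples, not the queries from Fleet's library; they use only the standard osquery tables `users`, `authorized_keys` and `user_ssh_keys`, where `encrypted = 0` is how osquery reports a private key file that is not passphrase-protected.

```sql
-- Added example (not from the Fleet query library).
-- Authorized public keys per local user: on a laptop, review every row.
SELECT u.username, a.key_file, a.algorithm, a.key
FROM users u
JOIN authorized_keys a USING (uid);

-- Private keys in home directories stored without a passphrase (encrypted = 0).
-- A copied unencrypted key can be used directly for lateral movement over SSH.
SELECT u.username, k.path, k.encrypted
FROM users u
JOIN user_ssh_keys k USING (uid)
WHERE k.encrypted = 0;
```

Both queries walk every user's home directory, so run them on a schedule measured in hours rather than minutes on fleets with many local accounts.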
Detect any processes running with the DYLD_INSERT_LIBRARIES environment variable set.
Local user accounts, including (on Windows) domain accounts that have logged on locally.
Get Nmap scanner process, as well as its user, parent, and process details.
Processes running inside Docker containers; can be used on normal systems or on a Kubernetes node.
Collects the local user accounts and their respective user group.
Looks for a specific file hash in the Users/ directories, limited to files smaller than 50 MB (osquery's file-hashing size limit).
The query allows you to check macOS systems for local administrator accounts.
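One way to write the local-administrator check for macOS, as an added example rather than the library's own query. It assumes the macOS convention that local admins are the members of the `admin` group (gid 80), and joins the standard `users`, `user_groups` and `groups` tables so the group is matched by name instead of a hard-coded gid.

```sql
-- Added example (not from the Fleet query library).
-- Members of the local "admin" group can sudo and approve privileged
-- operations; on macOS this group has gid 80.
SELECT u.uid, u.username, u.description
FROM users u
JOIN user_groups ug USING (uid)
JOIN groups g USING (gid)
WHERE g.groupname = 'admin'
ORDER BY u.uid;
```

Compare the result against the expected admin set for the device (typically the IT-managed account plus, where policy allows it, the primary user); any extra uid is worth investigating.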
Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
Returns the top 10 applications or processes consuming the most memory.
Returns servers with root login in the last 24 hours and the time the users were logged in.
Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.
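An added example of the Log4j process check that takes the resource warning above into account; it is not the library's query. It joins the standard `processes` and `process_open_files` tables, but restricts to Java processes first so that open-file enumeration, which is the expensive part, only runs for those pids. The process names `java` and `java.exe` are assumptions; add your JVM launcher names if they differ.

```sql
-- Added example (not from the Fleet query library).
-- Filter to JVM processes first; osquery then only has to enumerate the
-- open files of those pids rather than of every process on the host.
SELECT p.pid, p.name, p.path AS java_binary, f.path AS jar
FROM processes p
JOIN process_open_files f USING (pid)
WHERE p.name IN ('java', 'java.exe')   -- assumed JVM process names
  AND f.path LIKE '%log4j%.jar';
```

The version number is still read from the jar filename, so a shaded or renamed jar will not be caught; treat the result as a fast triage list, not a complete inventory.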
Returns applications that were opened within the last 24 hours starting with the last opened application.
Returns applications that are not in the `/Applications` directory
Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.
Returns the operating system name and version on the device.
Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists
Lists the currently enabled applications configured to handle mailto, http and ftp schemes.
Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier.
Geolocate a host using the [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery).
Get the status of the Crowdstrike Falcon network content filter (as in "System Settings" > "Network" > "Filters").
Get a list of installed VS Code extensions (requires osquery > 5.11.0).
List all table names in the schema of the currently installed version of osquery
Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
Detect any processes running with the LD_PRELOAD environment variable set.
In domain-joined environments, local accounts are normally limited to root and service accounts, and users SSH in with their domain accounts, so a local interactive login account is worth investigating.
Lists all processes whose binary no longer exists on disk. Attackers often delete the file after launching a process to hide their presence.
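One query that covers both library-injection checks on this page (LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS). It is an added example, not the library's own query, and uses the standard `processes` and `process_envs` tables.

```sql
-- Added example (not from the Fleet query library).
-- process_envs exposes the environment of every running process; either
-- variable being set is a strong signal of shared-library injection.
SELECT p.pid, p.name, p.path, p.cmdline, e.key, e.value
FROM processes p
JOIN process_envs e USING (pid)
WHERE e.key IN ('LD_PRELOAD', 'DYLD_INSERT_LIBRARIES');
```

LD_PRELOAD has legitimate uses (allocator replacements such as jemalloc are common), so tune by excluding known `e.value` paths rather than by excluding process names. Reading another user's process environment requires root, so run this with osquery's usual privileges.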
List ports that are listening on all interfaces, along with the process to which they are attached.
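The two process checks above as osquery SQL, added here as examples rather than taken from the library. In the `processes` table `on_disk` is 1 when the executable still exists, 0 when it has been unlinked and -1 when osquery could not tell; `listening_ports` gives the bound address, so the wildcard addresses `0.0.0.0` and `::` select sockets exposed on every interface.

```sql
-- Added example (not from the Fleet query library).
-- Processes whose executable has been deleted from disk.
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE on_disk = 0;

-- Ports bound to all interfaces, with the owning process.
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path
FROM listening_ports lp
JOIN processes p USING (pid)
WHERE lp.address IN ('0.0.0.0', '::');
```

On Linux, package upgrades also leave processes with `on_disk = 0` until they are restarted, so correlate hits with recent package installs before escalating; `protocol` is numeric (6 for TCP, 17 for UDP).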
Selects the clamd and freshclam processes to ensure AV and its updater are running
Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.
Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.
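An added example of the spooler check, not the library's query; it reads the standard `services` table, where a disabled service reports `start_type = 'DISABLED'`.

```sql
-- Added example (not from the Fleet query library).
-- A host is only exposed to the spooler bug while the service can start,
-- so anything other than DISABLED is reported.
SELECT name, display_name, start_type, status, path
FROM services
WHERE name = 'Spooler' AND start_type != 'DISABLED';
```

Pair this with patch-level data before treating a hit as vulnerable: a fully patched host that still runs the spooler (print servers, for instance) will also match.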
Looks for the TeamViewer service running on machines. Attackers who gain access to a machine often run TeamViewer to keep remote access to it.
Checks for artifacts from the Floxif trojan on Windows machines.
Returns forensic evidence of likely file execution, including each file's last modified timestamp, its full path, and the order in which the files were executed.
Selects the antivirus and signatures status from Windows Security Center.
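An added example of the Security Center check, not the library's own query. It uses the standard `windows_security_products` table, which lists every product registered with Windows Security Center together with its state and whether its signatures are current.

```sql
-- Added example (not from the Fleet query library).
-- One row per registered product; signatures_up_to_date is 0 when the
-- product reports stale definitions.
SELECT type, name, state, state_timestamp, signatures_up_to_date
FROM windows_security_products
ORDER BY type, name;
```

Filter on `signatures_up_to_date = 0` or on a `state` other than "On" when turning this into a policy; the presence of more than one antivirus row usually means a second product is installed and may be interfering with the first.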