Queries

A collection of optional queries you can run anytime. Contributions welcome over on GitHub.

Detect if Apple Intelligence is enabled

Detects if Apple Intelligence has been enabled. Value = 1 is on, 0 is off.

Get authorized SSH keys

The presence of authorized SSH keys may be unusual on laptops. It could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.

Get authorized keys for Domain Joined Accounts

List authorized_keys for each user on the system.

Get crashes

Retrieve application, system, and mobile app crash logs.

Get installed Chrome Extensions

List installed Chrome Extensions for all users.

Get installed macOS software

Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.

Get installed Safari extensions

Retrieves the list of installed Safari Extensions for all users in the target system.

Get laptops with failing batteries

Lists all laptops with under-performing or failing batteries.

Get current users with active shell/console on the system

Gets current users with an active shell/console on the system and the associated process.

Get unencrypted SSH keys for local accounts

Identifies SSH keys created without a passphrase, which can be used in lateral movement (MITRE TA0008).

Get unencrypted SSH keys for domain-joined accounts

Identifies SSH keys created without a passphrase, which can be used in lateral movement (MITRE TA0008).

Get dynamic linker hijacking on macOS (MITRE T1574.006)

Detects any processes that run with the DYLD_INSERT_LIBRARIES environment variable.

Get etc hosts entries

Line-parsed /etc/hosts

Get network interfaces

MAC addresses of network interfaces.

Get local user accounts

Local user accounts (including domain accounts that have logged on locally (Windows)).

Get Nmap scanner

Get Nmap scanner process, as well as its user, parent, and process details.

Get Docker contained processes on a system

Docker container processes; can be used on normal systems or a kubenode.

Get local users and their privileges

Collects the local user accounts and their respective user group.

Get user files matching a specific hash

Looks for a specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation).

Get local administrator accounts on macOS

The query allows you to check macOS systems for local administrator accounts.

Get malicious Python backdoors

Watches for backdoored Python packages installed on the system. See http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html

Get running docker containers

Returns the running Docker containers

Get applications hogging memory

Returns the top 10 applications or processes using the most memory.

Get servers with root login in the last 24 hours

Returns servers with root login in the last 24 hours and the time the users were logged in.

Detect active processes with Log4j running

Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.

Get applications that were opened within the last 24 hours

Returns applications that were opened within the last 24 hours starting with the last opened application.

Get applications that are not in the Applications directory

Returns applications that are not in the `/Applications` directory

Get subscription-based applications that have not been opened for the last 30 days

Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.

Get operating system information

Returns the operating system name and version on the device.

Get built-in antivirus status on macOS

Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists

Identify the default mail, http and ftp applications

Lists the currently enabled applications configured to handle mailto, http and ftp schemes.

Identify Apple development secrets

Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier.

Geolocate via ipapi.co

Geolocate a host using [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery).

Get CrowdStrike Falcon network content filter status

Get the status of the CrowdStrike Falcon network content filter (as in "System Settings" > "Network" > "Filters").

Get a list of Visual Studio Code extensions

Get a list of installed VS Code extensions (requires osquery > 5.11.0).

List osquery table names

List all table names in the schema of the currently installed version of osquery

Get OpenSSL versions

Retrieves the OpenSSL version.

Get installed Linux software

Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.

Get dynamic linker hijacking on Linux (MITRE T1574.006)

Detects any processes that run with the LD_PRELOAD environment variable.

Get active user accounts on servers

Domain-joined environments normally have root or other service-only accounts, and users SSH in using their domain accounts.

Get processes that no longer exist on disk

Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.

Get all listening ports, by process

List ports that are listening on all interfaces, along with the process to which they are attached.

Get antivirus (ClamAV/clamd) and updater (freshclam) process status

Selects the clamd and freshclam processes to ensure AV and its updater are running

Discover TLS certificates

Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.

Discover Python Packages from Running Python Interpreters

Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.

Get installed Windows software

Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.

Get Windows print spooler remote code execution vulnerability

Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.

Get whether TeamViewer is installed/running

Looks for the TeamViewer service running on machines. Attackers who gain access to a machine often run TeamViewer to allow them to access it.

Check for artifacts of the Floxif trojan

Checks for artifacts from the Floxif trojan on Windows machines.

Get Shimcache table

Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, the full file path, and the order in which files were executed.

Get antivirus status from the Windows Security Center

Selects the antivirus and signatures status from Windows Security Center.
