├── Artefacts ├── Appcompat │ └── Program Compatibility Assistant.sql ├── BAM │ └── Background Activity Moderator - file execution from BAM.sql ├── Browser │ ├── browser.01.0 - Chrome browsing history.sql │ ├── browser.02.0 - Firefox browser extensions installed.sql │ ├── browser.03.0 - Chromium based browser extensions installed.sql │ ├── browser.04.0 - High risk Chrome browser extensions.sql │ ├── browser.05.0 - typed URL IE-Edge.sql │ └── browser.06.0 - Internet Explorer browser extensions installed.sql ├── Detection │ ├── detection.01.0 - Antivirus detections.sql │ ├── detection.02.0 - Defender detections.sql │ ├── detection.03.0 - Kaspersky detections.sql │ ├── detection.04.0 - Sophos detection events.sql │ ├── detection.05.0 - Windows runtime indicators of compromise events.sql │ ├── detection.06.0 - Antimalware scan interface (AMSI) events.sql │ └── detection.07.0 - Investigating Creds_4h (T1003.002) events.sql ├── Device │ ├── Device.01.0 - Identify Domain Controllers.sql │ ├── Device.03.0 - Drives and shared folders.sql │ ├── Device.09.0 - Shodan API Lookup.sql │ ├── device.02.0 - Device last restart time.sql │ ├── device.04.0 - Installed programs.sql │ ├── device.05.0 - Device details (hostname, OS version, and timezone).sql │ ├── device.06.0 - NT Domain information.sql │ ├── device.07.0 - Devices with Active Directory PowerShell module.sql │ └── device.08.0 - Installed MacOS applications.sql ├── EVTX │ ├── evtx.01.0 - Event log string search.sql │ ├── evtx.02.0 -Windows event log cleared.sql │ ├── evtx.03.0 - Potential dcsync attack.sql │ ├── evtx.04.0 - Potential LSASS shtinkering.sql │ ├── evtx.05.0 - New ntds.dit database created.sql │ ├── evtx.06.0 - Metasploit authentications events.sql │ ├── evtx.07.0 - Potential pass-the-hash events.sql │ ├── evtx.08.0 - Files transfered via screenconnect.sql │ ├── evtx.09.0 - Kerberos service ticket request using rc4.sql │ ├── evtx.10.0 - Kerberos RelayUp events.sql │ ├── evtx.11.0 - Virtual disk mount events.sql │ ├── evtx.12.0 - Bits job start events.sql │ ├── evtx.13.0 - Application crashes events.sql │ ├── evtx.14.0 - MSI package installs on device.sql │ ├── evtx.15.0 - Remote execution with PsExec.sql │ └── evtx.16.0 - Blocking events by Software Restriction Policy.sql ├── Exfiltration │ ├── MASV.01.0 - installed_application_masv.sql │ ├── MASV.02.0 - masv_artifacts_on_disk.sql │ └── MASV.03.0 - masv_upload.sql ├── File │ ├── File.05.0 - Check file interactions.sql │ ├── File.06.0 - File access history.sql │ ├── File.07.0 - Shortcut files.sql │ ├── File.08.0 - Ransom note and encrypted file search.sql │ ├── file.01.0 - Files on disk (path).sql │ ├── file.01.1 - Files on disk (path-timestamp).sql │ ├── file.01.2 - Files on disk (path-size).sql │ ├── file.01.3 - Files on disk (path-filename).sql │ ├── file.01.4 - Files on disk (path-hash).sql │ ├── file.02.0 - File certificate information.sql │ ├── file.03.0 - File hash lookup (SHA-256).sql │ ├── file.04.0 - Common malware locations (excluding windows directories).sql │ ├── file.04.1 - Common malware locations (windows directories only).sql │ ├── file.09.0 - File change events in file journals.sql │ ├── file.09.1 - File events activity in file journals.sql │ ├── file.10.0 - File details of deleted file.sql │ ├── file.11.0 - Hidden files and directories on linux unix.sql │ ├── file.12.0 - PsExec key file on disk.sql │ └── file.13.0 - NTFS alternate data streams.sql ├── GPO │ └── GPO.01.0 - List Group Policy Objects.sql ├── Grep │ └── Grep.01.0 - Search file content using grep.sql ├── Logins │ ├── Logins.01.4 - RDP Logins from External IPs.sql │ ├── Logins.02.0 - Authentications in time range.sql │ ├── Logins.04.0 - Logins with explicit credentials.sql │ ├── Logins.07.0 - RDP time bias.sql │ ├── logins.01.0 - RDP login events from Terminal Services.sql │ ├── logins.01.1 - Login events 4624 4625 from Security event log.sql │ ├── logins.01.2 - RDP login events from Local Session.sql │ ├── logins.01.3 - All logins events.sql │ ├── logins.03.0 - Currently logged in users.sql │ ├── logins.05.0 - Authentications from RDP gateway.sql │ ├── logins.06.0 - User account locked events.sql │ ├── logins.08.0 - RDP connections from NTUSER.sql │ └── logins.09.0 - RDP connections from remote desktop application.sql ├── Network │ ├── Network.04.0 - All Traffic Sent.sql │ ├── Network.05.0 - URL activity.sql │ ├── Network.06.0 - Network Traffic to IP.sql │ ├── Network.07.0 - High volume data sent to external IP.sql │ ├── network.01.0 - Network traffic from network, IP, DNS, and HTTP journals.sql │ ├── network.02.0 - IOC search in the network, IP, DNS, and HTTP journals.sql │ ├── network.03.0 - Network interactions for a SophosPID.sql │ ├── network.08.0 - SSH tools and port proxies detection.sql │ └── network.09.0 - URL and user agent search.sql ├── Office │ ├── office.01.0 - Recently opened MS Office documents.sql │ ├── office.02.0 - MS Office diagnostic logs.sql │ └── office.03.0 - MS Office server cache.sql ├── PowerShell │ ├── powershell.01.0 - PowerShell commands and scripts.sql │ ├── powershell.01.1 - PowerShell commands and scripts.sql │ └── powershell.02.0 - PowerShell consolehost history.sql ├── Prefetch │ └── prefetch.01.0 - File execution metadata from Prefetch.sql ├── Process │ ├── Process.01.0 - List running processes.sql │ ├── Process.02.0 - Process tree.sql │ ├── Process.02.1 - Process tree for a Sophos PID.sql │ ├── Process.03.0 - Processes listening on ports.sql │ ├── Process.05.0 - All Process Journal data.sql │ ├── Process.08.0 - Processes with Open Sockets.sql │ ├── Process.09.0 - Suspicious named pipe.sql │ ├── Process.10.0 - Process execution in audit logs.sql │ ├── Process.11.0 - Possible Impacket commands.sql │ ├── Process.12.0 - Possible Rclone commands.sql │ ├── process.01.1 - List running processes with parent details.sql │ ├── process.01.2 - List running processes with certificate details.sql │ ├── process.04.0 - Processes spawned from Word, Excel or PowerShell.sql │ ├── process.06.0 - IOC search in Process Journals.sql │ ├── process.07.0 - Specific time Process Journal data.sql │ └── process.13.0 - Possible webshell activity.sql ├── RMM Tools │ ├── rmm-tools.01.0 - Installed remote access software.sql │ ├── rmm-tools.02.0 - Splashtop logs.sql │ ├── rmm-tools.03.0 - Atera integrator login.sql │ └── rmm-tools.04.0 - Details for commonly abused rmm tools.sql ├── Registry │ ├── Registry.01.0 - Look at registry keys.sql │ ├── Registry.03.0 - Executed commands in run dialog box.sql │ ├── registry.02.0 - Compressed archives.sql │ ├── registry.04.0 - Folders accessed via file explorer.sql │ ├── registry.05.0 - Muicache.sql │ ├── registry.06.0 - Taskbar feature usage.sql │ ├── registry.07.0 - wdigest.sql │ ├── registry.08.0 - wordwheel.sql │ ├── registry.09.0 - reg keys using powershell.sql │ └── registry.10.0 - Safe mode boot.sql ├── Running │ └── running.01.0 - List anything running or attempting to run on a device.sql ├── Services │ ├── Services.01.0 - List Services.sql │ ├── Services.02.0 - Services being installed 7045.sql │ ├── Services.02.1 - Suspicious Services being installed 7045.sql │ ├── Services.03.0 - Services Events.sql │ └── services.02.2 - Services being installed 7045.sql ├── Shell History │ ├── shell-history.01.0 - Bash history.sql │ └── shell-history.02.0 - Bash history for WSL.sql ├── Shellbags │ └── Shellbags.01.0 - List shellbags information.sql ├── Shimcache │ └── shimcache.01.0 - List-executions-recorded-in-shimcache.sql ├── Sophos │ ├── Sophos.01.0 - Check Tamper Protection.sql │ ├── Sophos.02.0 - Journals first created.sql │ ├── Sophos.03.0 - Earliest Journals.sql │ ├── Sophos.04.0 - Sophos Forensic Snapshots.sql │ ├── Sophos.05.0 - sophos_scan_status.sql │ └── Sophos.06.0 - Data Lake events first created.sql ├── Startup │ ├── Autostart Execution.sql │ └── Startup.01.0 - Startup items.sql ├── Tasks │ ├── Tasks.01.0 - Scheduled Tasks.sql │ ├── Tasks.02.0 - Scheduled Tasks Events.sql │ └── Tasks.03.0 - Crontab.sql ├── User │ ├── User.01.0 - Collect user details.sql │ ├── User.02.0 - User and Group changes.sql │ ├── User.03.0 - Account in special groups.sql │ └── User.04.0 - User Account Profile.sql ├── UserAssist │ └── UserAssist.01.0 - UserAssist information.sql ├── WMI │ ├── WMI.01.0 - List WMI Entries.sql │ ├── WMI.02.0 - Permanent Event Consumer.sql │ └── WMI.03.0 - Suspicious WMI event.sql └── Yara │ └── yara.01.0 - rclone, ngrok and tor in the filesystem.sql ├── NDR └── Devices without InterceptX.sql ├── README.md ├── Testing ├── Browser │ ├── RR - Browser Addons.txt │ └── RR - Chrome browsing history.txt ├── MITRE │ ├── Execution │ │ └── RR - Process Journal.txt │ ├── Exfiltration │ │ ├── RR - Common command line strings.txt │ │ └── RR - DNS Exfiltration to common services.txt │ └── Lateral Movement │ │ └── RR - All logins.txt ├── Odin │ ├── IOC-Filename-Background_Activity_Moderator.txt │ ├── IOC-Filename-Files_On_Disk1.txt │ ├── IOC-Filename-Files_On_Disk2.txt │ ├── IOC-Filename-Files_On_Disk3.txt │ ├── IOC-Filename-Files_On_Disk4.txt │ ├── IOC-Filename-Files_On_Disk5.txt │ ├── IOC-Filename-Files_On_Disk6.txt │ ├── IOC-Filename-Files_On_Disk7.txt │ ├── IOC-Filename-Running_Processes.txt │ ├── IOC-Filename-Scheduled_Tasks.txt │ ├── IOC-Filename-Shimcache.txt │ ├── IOC-Filename_File-Journal_not working.txt │ └── IOC-Filename_Services.txt ├── PowerShell │ └── RR - PowerShell Console logs.txt ├── Quick Wins │ ├── RR - Encoded PowerShell.txt │ ├── RR - Red team hunting.txt │ ├── RR - Suspicious services.txt │ └── RR - User details.txt ├── TTPs │ ├── Hafnium │ │ ├── RR - ASPX Files.txt │ │ └── RR - Patched or not.txt │ └── REvil │ │ ├── files_iocs.csv │ │ ├── iocs.csv │ │ └── test.txt ├── Testing area.txt ├── test.txt └── test.yara └── Vulnerabilities ├── 3CX ├── 3CX DesktopApp - Execution and Network Traffic.sql ├── 3CX DesktopApp - Files on Disk.sql ├── 3CXDesktopApp - Run Keys.sql ├── Devices Connecting to 3CX Beacons - DATALAKE.sql ├── Devices Connecting to 3CX Beacons.sql └── Installed 3CX Destopt APP.sql ├── Exchange ├── exchange.01.0 - Suspicious file download on Exchange servers.sql ├── exchange.02.0 - SSRF Autodiscover PowerShell.sql ├── exchange.03.0 - Exchange server OAB VirtualDirectory exploitation.sql └── exchange.03.1 - Exchange server VirtualDirectory attributes in evtx.sql ├── Follina └── Follina - Suspicious command line execution.sql ├── MOVEit └── MOVEit.01.0 - MOVEit logs in EVTX.sql ├── MonikerLink └── Possible MonikerLink exploitation.sql ├── Papercut └── PaperCut_0.1_ CVE-2023-27350 MF-NG Vulnerability.sql ├── ProxyShell ├── ProxyShell.05.0 - HealthMailbox logins.sql ├── ProxyShell.06.0 - New HealthMailbox accounts.sql ├── proxyshell.01.0 - Check exchange server version.sql ├── proxyshell.02.0 - Check for new mailboxes and web shells on exchange server.sql ├── proxyshell.03.0 - Check for autodiscover json abuse.sql └── proxyshell.04.0 - Look for potential aspx web shells.sql ├── REvil_Kaseya └── Kaseya.01.0 - REvil Kaseya Files on disk.sql ├── ScreenConnect ├── ScreenConnect.01.0 - Check version of ScreenConnect Server.sql ├── ScreenConnect.01.1 - Check version of ScreenConnect Server.sql ├── ScreenConnect.02.0 - ScreenConnect Relay IP.sql ├── ScreenConnect.03.0 - SetupWizard.aspx in IIS logs.sql ├── ScreenConnect.04.0 - Checks user.xml file for new users created.sql ├── ScreenConnect.05.0 - Evidence of temporary User File creation.sql ├── ScreenConnect.06.0 - Check for .ASPX .ASHX files in App_Extensions folder.sql ├── ScreenConnect.07.0 - Identify shells being spawned from ScreenConnect.sql └── ScreenConnect.08.0 - Static detection of user.xml exploitation.sql ├── ServiceDesk └── ServiceDesk msiexec vulnerability.sql ├── TeamCity ├── TeamCity.01.0 - team-city-access-token-creation.sql ├── TeamCity.02.0 - team-city-disabled-plugins.sql ├── TeamCity.03.0 - team-city-malicious-plugin-upload-disk-artifacts.sql ├── TeamCity.04.0 - team-city-malicious-plugin-upload.sql ├── TeamCity.05.0 - team-city-token-deleted.sql └── TeamCity.06.0 - team-city-user-account-creation.sql ├── WSO2 ├── WSO2.01.0 - Webserver logs.sql ├── WSO2.02.0 - Webshells in the filesystem.sql └── WSO2.03.0 - Service.sql ├── XZ_Utils └── XZ-Utils.sql └── Zerologon └── Possible Zerologon exploitation.sql /Artefacts/Appcompat/Program Compatibility Assistant.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Appcompat/Program Compatibility Assistant.sql -------------------------------------------------------------------------------- /Artefacts/BAM/Background Activity Moderator - file execution from BAM.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/BAM/Background Activity Moderator - file execution from BAM.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.01.0 - Chrome browsing history.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.01.0 - Chrome browsing history.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.02.0 - Firefox browser extensions installed.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.02.0 - Firefox browser extensions installed.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.03.0 - Chromium based browser extensions installed.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.03.0 - Chromium based browser extensions installed.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.04.0 - High risk Chrome browser extensions.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.04.0 - High risk Chrome browser extensions.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.05.0 - typed URL IE-Edge.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.05.0 - typed URL IE-Edge.sql -------------------------------------------------------------------------------- /Artefacts/Browser/browser.06.0 - Internet Explorer browser extensions installed.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Browser/browser.06.0 - Internet Explorer browser extensions installed.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.01.0 - Antivirus detections.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.01.0 - Antivirus detections.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.02.0 - Defender detections.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.02.0 - Defender detections.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.03.0 - Kaspersky detections.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.03.0 - Kaspersky detections.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.04.0 - Sophos detection events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.04.0 - Sophos detection events.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.05.0 - Windows runtime indicators of compromise events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.05.0 - Windows runtime indicators of compromise events.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.06.0 - Antimalware scan interface (AMSI) events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.06.0 - Antimalware scan interface (AMSI) events.sql -------------------------------------------------------------------------------- /Artefacts/Detection/detection.07.0 - Investigating Creds_4h (T1003.002) events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Detection/detection.07.0 - Investigating Creds_4h (T1003.002) events.sql -------------------------------------------------------------------------------- /Artefacts/Device/Device.01.0 - Identify Domain Controllers.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/Device.01.0 - Identify Domain Controllers.sql -------------------------------------------------------------------------------- /Artefacts/Device/Device.03.0 - Drives and shared folders.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/Device.03.0 - Drives and shared folders.sql -------------------------------------------------------------------------------- /Artefacts/Device/Device.09.0 - Shodan API Lookup.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/Device.09.0 - Shodan API Lookup.sql -------------------------------------------------------------------------------- /Artefacts/Device/device.02.0 - Device last restart time.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.02.0 - Device last restart time.sql -------------------------------------------------------------------------------- /Artefacts/Device/device.04.0 - Installed programs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.04.0 - Installed programs.sql -------------------------------------------------------------------------------- /Artefacts/Device/device.05.0 - Device details (hostname, OS version, and timezone).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.05.0 - Device details (hostname, OS version, and timezone).sql -------------------------------------------------------------------------------- /Artefacts/Device/device.06.0 - NT Domain information.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.06.0 - NT Domain information.sql -------------------------------------------------------------------------------- /Artefacts/Device/device.07.0 - Devices with Active Directory PowerShell module.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.07.0 - Devices with Active Directory PowerShell module.sql -------------------------------------------------------------------------------- /Artefacts/Device/device.08.0 - Installed MacOS applications.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Device/device.08.0 - Installed MacOS applications.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.01.0 - Event log string search.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.01.0 - Event log string search.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.02.0 -Windows event log cleared.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.02.0 -Windows event log cleared.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.03.0 - Potential dcsync attack.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.03.0 - Potential dcsync attack.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.04.0 - Potential LSASS shtinkering.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.04.0 - Potential LSASS shtinkering.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.05.0 - New ntds.dit database created.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.05.0 - New ntds.dit database created.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.06.0 - Metasploit authentications events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.06.0 - Metasploit authentications events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.07.0 - Potential pass-the-hash events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.07.0 - Potential pass-the-hash events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.08.0 - Files transfered via screenconnect.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.08.0 - Files transfered via screenconnect.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.09.0 - Kerberos service ticket request using rc4.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.09.0 - Kerberos service ticket request using rc4.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.10.0 - Kerberos RelayUp events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.10.0 - Kerberos RelayUp events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.11.0 - Virtual disk mount events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.11.0 - Virtual disk mount events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.12.0 - Bits job start events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.12.0 - Bits job start events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.13.0 - Application crashes events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.13.0 - Application crashes events.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.14.0 - MSI package installs on device.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.14.0 - MSI package installs on device.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.15.0 - Remote execution with PsExec.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.15.0 - Remote execution with PsExec.sql -------------------------------------------------------------------------------- /Artefacts/EVTX/evtx.16.0 - Blocking events by Software Restriction Policy.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/EVTX/evtx.16.0 - Blocking events by Software Restriction Policy.sql -------------------------------------------------------------------------------- /Artefacts/Exfiltration/MASV.01.0 - installed_application_masv.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Exfiltration/MASV.01.0 - installed_application_masv.sql -------------------------------------------------------------------------------- /Artefacts/Exfiltration/MASV.02.0 - masv_artifacts_on_disk.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Exfiltration/MASV.02.0 - masv_artifacts_on_disk.sql -------------------------------------------------------------------------------- /Artefacts/Exfiltration/MASV.03.0 - masv_upload.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Exfiltration/MASV.03.0 - masv_upload.sql -------------------------------------------------------------------------------- /Artefacts/File/File.05.0 - Check file interactions.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/File.05.0 - Check file interactions.sql -------------------------------------------------------------------------------- /Artefacts/File/File.06.0 - File access history.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/File.06.0 - File access history.sql -------------------------------------------------------------------------------- /Artefacts/File/File.07.0 - Shortcut files.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/File.07.0 - Shortcut files.sql -------------------------------------------------------------------------------- /Artefacts/File/File.08.0 - Ransom note and encrypted file search.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/File.08.0 - Ransom note and encrypted file search.sql -------------------------------------------------------------------------------- /Artefacts/File/file.01.0 - Files on disk (path).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.01.0 - Files on disk (path).sql -------------------------------------------------------------------------------- /Artefacts/File/file.01.1 - Files on disk (path-timestamp).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.01.1 - Files on disk (path-timestamp).sql -------------------------------------------------------------------------------- /Artefacts/File/file.01.2 - Files on disk (path-size).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.01.2 - Files on disk (path-size).sql -------------------------------------------------------------------------------- /Artefacts/File/file.01.3 - Files on disk (path-filename).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.01.3 - Files on disk (path-filename).sql -------------------------------------------------------------------------------- /Artefacts/File/file.01.4 - Files on disk (path-hash).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.01.4 - Files on disk (path-hash).sql -------------------------------------------------------------------------------- /Artefacts/File/file.02.0 - File certificate information.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.02.0 - File certificate information.sql -------------------------------------------------------------------------------- /Artefacts/File/file.03.0 - File hash lookup (SHA-256).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.03.0 - File hash lookup (SHA-256).sql -------------------------------------------------------------------------------- /Artefacts/File/file.04.0 - Common malware locations (excluding windows directories).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.04.0 - Common malware locations (excluding windows directories).sql -------------------------------------------------------------------------------- /Artefacts/File/file.04.1 - Common malware locations (windows directories only).sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.04.1 - Common malware locations (windows directories only).sql -------------------------------------------------------------------------------- /Artefacts/File/file.09.0 - File change events in file journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.09.0 - File change events in file journals.sql -------------------------------------------------------------------------------- /Artefacts/File/file.09.1 - File events activity in file journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.09.1 - File events activity in file journals.sql -------------------------------------------------------------------------------- /Artefacts/File/file.10.0 - File details of deleted file.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.10.0 - File details of deleted file.sql -------------------------------------------------------------------------------- /Artefacts/File/file.11.0 - Hidden files and directories on linux unix.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.11.0 - Hidden files and directories on linux unix.sql -------------------------------------------------------------------------------- /Artefacts/File/file.12.0 - PsExec key file on disk.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.12.0 - PsExec key file on disk.sql -------------------------------------------------------------------------------- /Artefacts/File/file.13.0 - NTFS alternate data streams.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/File/file.13.0 - NTFS alternate data streams.sql -------------------------------------------------------------------------------- /Artefacts/GPO/GPO.01.0 - List Group Policy Objects.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/GPO/GPO.01.0 - List Group Policy Objects.sql -------------------------------------------------------------------------------- /Artefacts/Grep/Grep.01.0 - Search file content using grep.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Grep/Grep.01.0 - Search file content using grep.sql -------------------------------------------------------------------------------- /Artefacts/Logins/Logins.01.4 - RDP Logins from External IPs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/Logins.01.4 - RDP Logins from External IPs.sql -------------------------------------------------------------------------------- /Artefacts/Logins/Logins.02.0 - Authentications in time range.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/Logins.02.0 - Authentications in time range.sql -------------------------------------------------------------------------------- /Artefacts/Logins/Logins.04.0 - Logins with explicit credentials.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/Logins.04.0 - Logins with explicit credentials.sql -------------------------------------------------------------------------------- /Artefacts/Logins/Logins.07.0 - RDP time bias.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/Logins.07.0 - RDP time bias.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.01.0 - RDP login events from Terminal Services.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.01.0 - RDP login events from Terminal Services.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.01.1 - Login events 4624 4625 from Security event log.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.01.1 - Login events 4624 4625 from Security event log.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.01.2 - RDP login events from Local Session.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.01.2 - RDP login events from Local Session.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.01.3 - All logins events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.01.3 - All logins events.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.03.0 - Currently logged in users.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.03.0 - Currently logged in users.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.05.0 - Authentications from RDP gateway.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.05.0 - Authentications from RDP gateway.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.06.0 - User account locked events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.06.0 - User account locked events.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.08.0 - RDP connections from NTUSER.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.08.0 - RDP connections from NTUSER.sql -------------------------------------------------------------------------------- /Artefacts/Logins/logins.09.0 - RDP connections from remote desktop application.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Logins/logins.09.0 - RDP connections from remote desktop application.sql -------------------------------------------------------------------------------- /Artefacts/Network/Network.04.0 - All Traffic Sent.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/Network.04.0 - All Traffic Sent.sql -------------------------------------------------------------------------------- /Artefacts/Network/Network.05.0 - URL activity.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/Network.05.0 - URL activity.sql -------------------------------------------------------------------------------- /Artefacts/Network/Network.06.0 - Network Traffic to IP.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/Network.06.0 - Network Traffic to IP.sql -------------------------------------------------------------------------------- /Artefacts/Network/Network.07.0 - High volume data sent to external IP.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/Network.07.0 - High volume data sent to external IP.sql -------------------------------------------------------------------------------- /Artefacts/Network/network.01.0 - Network traffic from network, IP, DNS, and HTTP journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/network.01.0 - Network traffic from network, IP, DNS, and HTTP journals.sql -------------------------------------------------------------------------------- /Artefacts/Network/network.02.0 - IOC search in the network, IP, DNS, and HTTP journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/network.02.0 - IOC search in the network, IP, DNS, and HTTP journals.sql -------------------------------------------------------------------------------- /Artefacts/Network/network.03.0 - Network interactions for a SophosPID.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/network.03.0 - Network interactions for a SophosPID.sql -------------------------------------------------------------------------------- /Artefacts/Network/network.08.0 - SSH tools and port proxies detection.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/network.08.0 - SSH tools and port proxies detection.sql -------------------------------------------------------------------------------- /Artefacts/Network/network.09.0 - URL and user agent search.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Network/network.09.0 - URL and user agent search.sql -------------------------------------------------------------------------------- /Artefacts/Office/office.01.0 - Recently opened MS Office documents.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Office/office.01.0 - Recently opened MS Office documents.sql -------------------------------------------------------------------------------- /Artefacts/Office/office.02.0 - MS Office diagnostic logs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Office/office.02.0 - MS Office diagnostic logs.sql -------------------------------------------------------------------------------- /Artefacts/Office/office.03.0 - MS Office server cache.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Office/office.03.0 - MS Office server cache.sql -------------------------------------------------------------------------------- /Artefacts/PowerShell/powershell.01.0 - PowerShell commands and scripts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/PowerShell/powershell.01.0 - PowerShell commands and scripts.sql -------------------------------------------------------------------------------- /Artefacts/PowerShell/powershell.01.1 - PowerShell commands and scripts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/PowerShell/powershell.01.1 - PowerShell commands and scripts.sql -------------------------------------------------------------------------------- /Artefacts/PowerShell/powershell.02.0 - PowerShell consolehost history.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/PowerShell/powershell.02.0 - PowerShell consolehost history.sql -------------------------------------------------------------------------------- /Artefacts/Prefetch/prefetch.01.0 - File execution metadata from Prefetch.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Prefetch/prefetch.01.0 - File execution metadata from Prefetch.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.01.0 - List running processes.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.01.0 - List running processes.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.02.0 - Process tree.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.02.0 - Process tree.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.02.1 - Process tree for a Sophos PID.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.02.1 - Process tree for a Sophos PID.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.03.0 - Processes listening on ports.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.03.0 - Processes listening on ports.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.05.0 - All Process Journal data.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.05.0 - All Process Journal data.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.08.0 - Processes with Open Sockets.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.08.0 - Processes with Open Sockets.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.09.0 - Suspicious named pipe.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.09.0 - Suspicious named pipe.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.10.0 - Process execution in audit logs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.10.0 - Process execution in audit logs.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.11.0 - Possible Impacket commands.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.11.0 - Possible Impacket commands.sql -------------------------------------------------------------------------------- /Artefacts/Process/Process.12.0 - Possible Rclone commands.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/Process.12.0 - Possible Rclone commands.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.01.1 - List running processes with parent details.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.01.1 - List running processes with parent details.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.01.2 - List running processes with certificate details.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.01.2 - List running processes with certificate details.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.04.0 - Processes spawned from Word, Excel or PowerShell.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.04.0 - Processes spawned from Word, Excel or PowerShell.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.06.0 - IOC search in Process Journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.06.0 - IOC search in Process Journals.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.07.0 - Specific time Process Journal data.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.07.0 - Specific time Process Journal data.sql -------------------------------------------------------------------------------- /Artefacts/Process/process.13.0 - Possible webshell activity.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Process/process.13.0 - Possible webshell activity.sql -------------------------------------------------------------------------------- /Artefacts/RMM Tools/rmm-tools.01.0 - Installed remote access software.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/RMM Tools/rmm-tools.01.0 - Installed remote access software.sql -------------------------------------------------------------------------------- /Artefacts/RMM Tools/rmm-tools.02.0 - Splashtop logs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/RMM Tools/rmm-tools.02.0 - Splashtop logs.sql -------------------------------------------------------------------------------- /Artefacts/RMM Tools/rmm-tools.03.0 - Atera integrator login.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/RMM Tools/rmm-tools.03.0 - Atera integrator login.sql -------------------------------------------------------------------------------- /Artefacts/RMM Tools/rmm-tools.04.0 - Details for commonly abused rmm tools.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/RMM Tools/rmm-tools.04.0 - Details for commonly abused rmm tools.sql -------------------------------------------------------------------------------- /Artefacts/Registry/Registry.01.0 - Look at registry keys.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/Registry.01.0 - Look at registry keys.sql -------------------------------------------------------------------------------- /Artefacts/Registry/Registry.03.0 - Executed commands in run dialog box.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/Registry.03.0 - Executed commands in run dialog box.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.02.0 - Compressed archives.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.02.0 - Compressed archives.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.04.0 - Folders accessed via file explorer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.04.0 - Folders accessed via file explorer.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.05.0 - Muicache.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.05.0 - Muicache.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.06.0 - Taskbar feature usage.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.06.0 - Taskbar feature usage.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.07.0 - wdigest.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.07.0 - wdigest.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.08.0 - wordwheel.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.08.0 - wordwheel.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.09.0 - reg keys using powershell.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.09.0 - reg keys using powershell.sql -------------------------------------------------------------------------------- /Artefacts/Registry/registry.10.0 - Safe mode boot.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Registry/registry.10.0 - Safe mode boot.sql -------------------------------------------------------------------------------- /Artefacts/Running/running.01.0 - List anything running or attempting to run on a device.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Running/running.01.0 - List anything running or attempting to run on a device.sql -------------------------------------------------------------------------------- /Artefacts/Services/Services.01.0 - List Services.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Services/Services.01.0 - List Services.sql -------------------------------------------------------------------------------- /Artefacts/Services/Services.02.0 - Services being installed 7045.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Services/Services.02.0 - Services being installed 7045.sql -------------------------------------------------------------------------------- /Artefacts/Services/Services.02.1 - Suspicious Services being installed 7045.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Services/Services.02.1 - Suspicious Services being installed 7045.sql -------------------------------------------------------------------------------- /Artefacts/Services/Services.03.0 - Services Events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Services/Services.03.0 - Services Events.sql -------------------------------------------------------------------------------- /Artefacts/Services/services.02.2 - Services being installed 7045.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Services/services.02.2 - Services being installed 7045.sql -------------------------------------------------------------------------------- /Artefacts/Shell History/shell-history.01.0 - Bash history.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Shell History/shell-history.01.0 - Bash history.sql -------------------------------------------------------------------------------- /Artefacts/Shell History/shell-history.02.0 - Bash history for WSL.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Shell History/shell-history.02.0 - Bash history for WSL.sql -------------------------------------------------------------------------------- /Artefacts/Shellbags/Shellbags.01.0 - List shellbags information.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Shellbags/Shellbags.01.0 - List shellbags information.sql -------------------------------------------------------------------------------- /Artefacts/Shimcache/shimcache.01.0 - List-executions-recorded-in-shimcache.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Shimcache/shimcache.01.0 - List-executions-recorded-in-shimcache.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.01.0 - Check Tamper Protection.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.01.0 - Check Tamper Protection.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.02.0 - Journals first created.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.02.0 - Journals first created.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.03.0 - Earliest Journals.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.03.0 - Earliest Journals.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.04.0 - Sophos Forensic Snapshots.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.04.0 - Sophos Forensic Snapshots.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.05.0 - sophos_scan_status.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.05.0 - sophos_scan_status.sql -------------------------------------------------------------------------------- /Artefacts/Sophos/Sophos.06.0 - Data Lake events first created.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Sophos/Sophos.06.0 - Data Lake events first created.sql -------------------------------------------------------------------------------- /Artefacts/Startup/Autostart Execution.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Startup/Autostart Execution.sql -------------------------------------------------------------------------------- /Artefacts/Startup/Startup.01.0 - Startup items.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Startup/Startup.01.0 - Startup items.sql -------------------------------------------------------------------------------- /Artefacts/Tasks/Tasks.01.0 - Scheduled Tasks.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Tasks/Tasks.01.0 - Scheduled Tasks.sql -------------------------------------------------------------------------------- /Artefacts/Tasks/Tasks.02.0 - Scheduled Tasks Events.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Tasks/Tasks.02.0 - Scheduled Tasks Events.sql -------------------------------------------------------------------------------- /Artefacts/Tasks/Tasks.03.0 - Crontab.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Tasks/Tasks.03.0 - Crontab.sql -------------------------------------------------------------------------------- /Artefacts/User/User.01.0 - Collect user details.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/User/User.01.0 - Collect user details.sql -------------------------------------------------------------------------------- /Artefacts/User/User.02.0 - User and Group changes.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/User/User.02.0 - User and Group changes.sql -------------------------------------------------------------------------------- /Artefacts/User/User.03.0 - Account in special groups.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/User/User.03.0 - Account in special groups.sql -------------------------------------------------------------------------------- /Artefacts/User/User.04.0 - User Account Profile.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/User/User.04.0 - User Account Profile.sql -------------------------------------------------------------------------------- /Artefacts/UserAssist/UserAssist.01.0 - UserAssist information.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/UserAssist/UserAssist.01.0 - UserAssist information.sql -------------------------------------------------------------------------------- /Artefacts/WMI/WMI.01.0 - List WMI Entries.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/WMI/WMI.01.0 - List WMI Entries.sql -------------------------------------------------------------------------------- /Artefacts/WMI/WMI.02.0 - Permanent Event Consumer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/WMI/WMI.02.0 - Permanent Event Consumer.sql -------------------------------------------------------------------------------- /Artefacts/WMI/WMI.03.0 - Suspicious WMI event.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/WMI/WMI.03.0 - Suspicious WMI event.sql -------------------------------------------------------------------------------- /Artefacts/Yara/yara.01.0 - rclone, ngrok and tor in the filesystem.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Artefacts/Yara/yara.01.0 - rclone, ngrok and tor in the filesystem.sql -------------------------------------------------------------------------------- /NDR/Devices without InterceptX.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/NDR/Devices without InterceptX.sql -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/README.md -------------------------------------------------------------------------------- /Testing/Browser/RR - Browser Addons.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Browser/RR - Browser Addons.txt -------------------------------------------------------------------------------- /Testing/Browser/RR - Chrome browsing history.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Browser/RR - Chrome browsing history.txt -------------------------------------------------------------------------------- /Testing/MITRE/Execution/RR - Process Journal.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/MITRE/Execution/RR - Process Journal.txt -------------------------------------------------------------------------------- /Testing/MITRE/Exfiltration/RR - Common command line strings.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/MITRE/Exfiltration/RR - Common command line strings.txt -------------------------------------------------------------------------------- /Testing/MITRE/Exfiltration/RR - DNS Exfiltration to common services.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/MITRE/Exfiltration/RR - DNS Exfiltration to common services.txt -------------------------------------------------------------------------------- /Testing/MITRE/Lateral Movement/RR - All logins.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/MITRE/Lateral Movement/RR - All logins.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Background_Activity_Moderator.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Background_Activity_Moderator.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk1.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk2.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk3.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk3.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk4.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk4.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk5.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk5.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk6.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk6.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Files_On_Disk7.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Files_On_Disk7.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Running_Processes.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Running_Processes.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Scheduled_Tasks.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Scheduled_Tasks.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename-Shimcache.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename-Shimcache.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename_File-Journal_not working.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename_File-Journal_not working.txt -------------------------------------------------------------------------------- /Testing/Odin/IOC-Filename_Services.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Odin/IOC-Filename_Services.txt -------------------------------------------------------------------------------- /Testing/PowerShell/RR - PowerShell Console logs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/PowerShell/RR - PowerShell Console logs.txt -------------------------------------------------------------------------------- /Testing/Quick Wins/RR - Encoded PowerShell.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Quick Wins/RR - Encoded PowerShell.txt -------------------------------------------------------------------------------- /Testing/Quick Wins/RR - Red team hunting.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Quick Wins/RR - Red team hunting.txt -------------------------------------------------------------------------------- /Testing/Quick Wins/RR - Suspicious services.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Quick Wins/RR - Suspicious services.txt -------------------------------------------------------------------------------- /Testing/Quick Wins/RR - User details.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/Quick Wins/RR - User details.txt -------------------------------------------------------------------------------- /Testing/TTPs/Hafnium/RR - ASPX Files.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/TTPs/Hafnium/RR - ASPX Files.txt -------------------------------------------------------------------------------- /Testing/TTPs/Hafnium/RR - Patched or not.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/TTPs/Hafnium/RR - Patched or not.txt -------------------------------------------------------------------------------- /Testing/TTPs/REvil/files_iocs.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/TTPs/REvil/files_iocs.csv -------------------------------------------------------------------------------- /Testing/TTPs/REvil/iocs.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/TTPs/REvil/iocs.csv -------------------------------------------------------------------------------- /Testing/TTPs/REvil/test.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/TTPs/REvil/test.txt -------------------------------------------------------------------------------- /Testing/Testing area.txt: -------------------------------------------------------------------------------- 1 | Hello World! -------------------------------------------------------------------------------- /Testing/test.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/test.txt -------------------------------------------------------------------------------- /Testing/test.yara: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Testing/test.yara -------------------------------------------------------------------------------- /Vulnerabilities/3CX/3CX DesktopApp - Execution and Network Traffic.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/3CX DesktopApp - Execution and Network Traffic.sql -------------------------------------------------------------------------------- /Vulnerabilities/3CX/3CX DesktopApp - Files on Disk.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/3CX DesktopApp - Files on Disk.sql -------------------------------------------------------------------------------- /Vulnerabilities/3CX/3CXDesktopApp - Run Keys.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/3CXDesktopApp - Run Keys.sql -------------------------------------------------------------------------------- /Vulnerabilities/3CX/Devices Connecting to 3CX Beacons - DATALAKE.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/Devices Connecting to 3CX Beacons - DATALAKE.sql -------------------------------------------------------------------------------- /Vulnerabilities/3CX/Devices Connecting to 3CX Beacons.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/Devices Connecting to 3CX Beacons.sql -------------------------------------------------------------------------------- /Vulnerabilities/3CX/Installed 3CX Destopt APP.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/3CX/Installed 3CX Destopt APP.sql -------------------------------------------------------------------------------- /Vulnerabilities/Exchange/exchange.01.0 - Suspicious file download on Exchange servers.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Exchange/exchange.01.0 - Suspicious file download on Exchange servers.sql -------------------------------------------------------------------------------- /Vulnerabilities/Exchange/exchange.02.0 - SSRF Autodiscover PowerShell.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Exchange/exchange.02.0 - SSRF Autodiscover PowerShell.sql -------------------------------------------------------------------------------- /Vulnerabilities/Exchange/exchange.03.0 - Exchange server OAB VirtualDirectory exploitation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Exchange/exchange.03.0 - Exchange server OAB VirtualDirectory exploitation.sql -------------------------------------------------------------------------------- /Vulnerabilities/Exchange/exchange.03.1 - Exchange server VirtualDirectory attributes in evtx.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Exchange/exchange.03.1 - Exchange server VirtualDirectory attributes in evtx.sql -------------------------------------------------------------------------------- /Vulnerabilities/Follina/Follina - Suspicious command line execution.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Follina/Follina - Suspicious command line execution.sql -------------------------------------------------------------------------------- /Vulnerabilities/MOVEit/MOVEit.01.0 - MOVEit logs in EVTX.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/MOVEit/MOVEit.01.0 - MOVEit logs in EVTX.sql -------------------------------------------------------------------------------- /Vulnerabilities/MonikerLink/Possible MonikerLink exploitation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/MonikerLink/Possible MonikerLink exploitation.sql -------------------------------------------------------------------------------- /Vulnerabilities/Papercut/PaperCut_0.1_ CVE-2023-27350 MF-NG Vulnerability.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Papercut/PaperCut_0.1_ CVE-2023-27350 MF-NG Vulnerability.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/ProxyShell.05.0 - HealthMailbox logins.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/ProxyShell.05.0 - HealthMailbox logins.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/ProxyShell.06.0 - New HealthMailbox accounts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/ProxyShell.06.0 - New HealthMailbox accounts.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/proxyshell.01.0 - Check exchange server version.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/proxyshell.01.0 - Check exchange server version.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/proxyshell.02.0 - Check for new mailboxes and web shells on exchange server.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/proxyshell.02.0 - Check for new mailboxes and web shells on exchange server.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/proxyshell.03.0 - Check for autodiscover json abuse.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/proxyshell.03.0 - Check for autodiscover json abuse.sql -------------------------------------------------------------------------------- /Vulnerabilities/ProxyShell/proxyshell.04.0 - Look for potential aspx web shells.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ProxyShell/proxyshell.04.0 - Look for potential aspx web shells.sql -------------------------------------------------------------------------------- /Vulnerabilities/REvil_Kaseya/Kaseya.01.0 - REvil Kaseya Files on disk.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/REvil_Kaseya/Kaseya.01.0 - REvil Kaseya Files on disk.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.01.0 - Check version of ScreenConnect Server.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.01.0 - Check version of ScreenConnect Server.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.01.1 - Check version of ScreenConnect Server.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.01.1 - Check version of ScreenConnect Server.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.02.0 - ScreenConnect Relay IP.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.02.0 - ScreenConnect Relay IP.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.03.0 - SetupWizard.aspx in IIS logs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.03.0 - SetupWizard.aspx in IIS logs.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.04.0 - Checks user.xml file for new users created.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.04.0 - Checks user.xml file for new users created.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.05.0 - Evidence of temporary User File creation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.05.0 - Evidence of temporary User File creation.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.06.0 - Check for .ASPX .ASHX files in App_Extensions folder.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.06.0 - Check for .ASPX .ASHX files in App_Extensions folder.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.07.0 - Identify shells being spawned from ScreenConnect.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.07.0 - Identify shells being spawned from ScreenConnect.sql -------------------------------------------------------------------------------- /Vulnerabilities/ScreenConnect/ScreenConnect.08.0 - Static detection of user.xml exploitation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ScreenConnect/ScreenConnect.08.0 - Static detection of user.xml exploitation.sql -------------------------------------------------------------------------------- /Vulnerabilities/ServiceDesk/ServiceDesk msiexec vulnerability.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/ServiceDesk/ServiceDesk msiexec vulnerability.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.01.0 - team-city-access-token-creation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.01.0 - team-city-access-token-creation.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.02.0 - team-city-disabled-plugins.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.02.0 - team-city-disabled-plugins.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.03.0 - team-city-malicious-plugin-upload-disk-artifacts.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.03.0 - team-city-malicious-plugin-upload-disk-artifacts.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.04.0 - team-city-malicious-plugin-upload.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.04.0 - team-city-malicious-plugin-upload.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.05.0 - team-city-token-deleted.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.05.0 - team-city-token-deleted.sql -------------------------------------------------------------------------------- /Vulnerabilities/TeamCity/TeamCity.06.0 - team-city-user-account-creation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/TeamCity/TeamCity.06.0 - team-city-user-account-creation.sql -------------------------------------------------------------------------------- /Vulnerabilities/WSO2/WSO2.01.0 - Webserver logs.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/WSO2/WSO2.01.0 - Webserver logs.sql -------------------------------------------------------------------------------- /Vulnerabilities/WSO2/WSO2.02.0 - Webshells in the filesystem.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/WSO2/WSO2.02.0 - Webshells in the filesystem.sql -------------------------------------------------------------------------------- /Vulnerabilities/WSO2/WSO2.03.0 - Service.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/WSO2/WSO2.03.0 - Service.sql -------------------------------------------------------------------------------- /Vulnerabilities/XZ_Utils/XZ-Utils.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/XZ_Utils/XZ-Utils.sql -------------------------------------------------------------------------------- /Vulnerabilities/Zerologon/Possible Zerologon exploitation.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SophosRapidResponse/OSQuery/HEAD/Vulnerabilities/Zerologon/Possible Zerologon exploitation.sql --------------------------------------------------------------------------------