├── .github
    ├── mergify.yml
    └── workflows
    │   └── ci.yml
├── .gitignore
├── LICENSE.txt
├── Makefile
├── README.md
├── detection
    ├── c2
    │   ├── 1-unexpected-dns-traffic-events.sql
    │   ├── 1-unexpected-dns-traffic.sql
    │   ├── 1-unexpected-https-linux.sql
    │   ├── 1-unexpected-https-macos.sql
    │   ├── 1-unexpected-talker-events.sql
    │   ├── 1-unexpected-talkers-linux.sql
    │   ├── 1-unexpected-talkers-macos.sql
    │   ├── 2-unexpected-icmp-socket-events.sql
    │   ├── 2-unexpected-icmp-socket.sql
    │   ├── 2-unexpected-root-libcurl-proc-linux.sql
    │   └── 3-unexpected-root-libcurl-proc-macos.sql
    ├── collection
    │   ├── 1-high-disk-bytes-written.sql
    │   ├── 2-excess-google-drive-downloads-macos.sql
    │   ├── 2-excess-google-drive-folder-exports-macos.sql
    │   └── 2-spotlight-database-export-macos.sql
    ├── credentials
    │   ├── 1-unexpected-dev-opener-linux.sql
    │   ├── 1-unexpected-dev-opener-macos.sql
    │   ├── 2-macos_keyboard_sniffer.sql
    │   ├── 2-unexpected-sensitive-file-access-linux.sql
    │   ├── 2-unexpected-sensitive-file-access-macos.sql
    │   └── 3-yara-mounted-stealer.sql
    ├── discovery
    │   ├── 1-unexpected-netutil-calls-linux.sql
    │   ├── 1-unexpected-netutil-calls-macos.sql
    │   ├── 2-unexpected-bpf-user.sql
    │   ├── 2-unexpected-pcap-user-linux.sql
    │   └── 2-unexpected-pcap-user-macos.sql
    ├── evasion
    │   ├── 0-touched-executable-linux.sql
    │   ├── 1-empty_root_environ_linux.sql
    │   ├── 1-empty_root_environ_macos.sql
    │   ├── 1-hidden-cwd.sql
    │   ├── 1-hidden-home-libappsupport.sql
    │   ├── 1-missing-from-disk-linux.sql
    │   ├── 1-missing-from-disk-macos.sql
    │   ├── 1-old-binaries-running.sql
    │   ├── 1-touched-executable-macos.sql
    │   ├── 1-unexpected-alf-exceptions-macos.sql
    │   ├── 1-unexpected-etc-executables.sql
    │   ├── 1-unexpected-ld-so-files-linux.sql
    │   ├── 1-unexpected-process-extension-linux.sql
    │   ├── 1-unexpected-tmp-executables-linux.sql
    │   ├── 1-unexpected-tmp-executables-macos.sql
    │   ├── 1-unexpected-var-run-linux.sql
    │   ├── 1-unusual-executable-name-linux.sql
    │   ├── 1-unusual-executable-name-macos.sql
    │   ├── 1-unusual-process-name-linux.sql
    │   ├── 1-unusual-process-name-macos.sql
    │   ├── 2-executables-from-the-future.sql
    │   ├── 2-hidden-cwd-events-linux.sql
    │   ├── 2-hidden-executable.sql
    │   ├── 2-hidden-home-config-dir.sql
    │   ├── 2-hidden-home-library-dir.sql
    │   ├── 2-name_path_mismatch.sql
    │   ├── 2-parent-missing-from-disk-linux.sql
    │   ├── 2-parent-missing-from-disk-macos.sql
    │   ├── 2-ssh-notty.sql
    │   ├── 2-unexpected-dev-entries.sql
    │   ├── 2-unexpected-hidden-system-paths.sql
    │   ├── 2-unexpected-kernel-extensions-macos.sql
    │   ├── 2-unexpected-kernel-modules-linux.sql
    │   ├── 2-unexpected-library-entries-macos.sql
    │   ├── 2-unexpected-public-files_macos.sql
    │   ├── 2-unexpected-user-executables-macos.sql
    │   ├── 2-unexpected-user-shared-entries.sql
    │   ├── 2-unexpected-var-executables-linux.sql
    │   ├── 2-unexpected-var-run-macos.sql
    │   ├── 2-unusually-tainted-kernel-linux.sql
    │   ├── 3-hidden-launchd-files-macos.sql
    │   ├── 3-overwritten-memory-map-ddexec-linux.sql
    │   ├── 3-parent-pid-missing-from-procfs.sql
    │   ├── 3-pid-hidden-by-rootkit.sql
    │   ├── 3-unexpected-dev-executables-linux.sql
    │   └── 3-unexpected-var-executables-macos.sql
    ├── execution
    │   ├── 1-exotic-command-events-linux.sql
    │   ├── 1-exotic-command-events-macos.sql
    │   ├── 1-exotic-commands-linux.sql
    │   ├── 1-exotic-commands-macos.sql
    │   ├── 1-recently-created-executables-long-lived-linux.sql
    │   ├── 1-recently-created-executables-long-lived-macos.sql
    │   ├── 1-sketchy-fetcher-events.sql
    │   ├── 1-sketchy-fetcher.sql
    │   ├── 1-tiny-executable-events.sql
    │   ├── 1-unexpected-env-values-linux.sql
    │   ├── 1-unexpected-execdir-linux.sql
    │   ├── 1-unexpected-execdir-macos.sql
    │   ├── 1-unexpected-executable-permissions.sql
    │   ├── 1-unexpected-fetcher-parent-events.sql
    │   ├── 1-unexpected-fetcher-parents.sql
    │   ├── 1-unexpected-gatekeeper-approvals-macos.sql
    │   ├── 1-unexpected-osascript-calls.sql
    │   ├── 1-unexpected-setuid-binaries.sql
    │   ├── 1-unexpected-sysutils-linux.sql
    │   ├── 1-unexpected-sysutils-macos.sql
    │   ├── 1-unexpected-xattr-calls-macos.sql
    │   ├── 2-exec-failed-launch-constraint-violation.sql
    │   ├── 2-tiny-executable.sql
    │   ├── 2-unexpected-chmod-exec-event-linux.sql
    │   ├── 2-unexpected-chmod-exec-event-macos.sql
    │   ├── 2-unexpected-env-values-macos.sql
    │   ├── 2-unexpected-execdir-events-linux.sql
    │   ├── 2-unexpected-execdir-events-macos.sql
    │   ├── 2-unexpected-long-running-security-framework-macos.sql
    │   ├── 2-unexpected-packet-sniffer.sql
    │   ├── 2-unexpected-root-signer-events-macos.sql
    │   ├── 3-relative-exec-low-uid-events.sql
    │   ├── 3-relative-exec-low-uid.sql
    │   ├── 3-reverse-shell-socket.sql
    │   ├── 3-unexpected-mounts.sql
    │   ├── 3-xprotect-reports.sql
    │   ├── 3-yara-unexpected-miner-process.sql
    │   └── 3-yara-unexpected-upx-process.sql
    ├── exfil
    │   ├── 0-salesforce-large-download-generic.sql
    │   ├── 0-salesforce-large-download-spotlight.sql
    │   ├── 1-high_disk_bytes_read.sql
    │   ├── 2-yara-exec-connect-process-linux.sql
    │   └── 3-yara-unexpected-rust-http-exec-process.sql
    ├── impact
    │   ├── 1-evenly-timestomped.sql
    │   └── 1-unexpected-etc-hosts.sql
    ├── initial_access
    │   ├── 1-unexpected-diskimage-source-macos.sql
    │   ├── 1-unexpected-shell-parent-events.sql
    │   ├── 1-unexpected-shell-parents.sql
    │   ├── 1-unexpected-webmail-downloads.sql
    │   ├── 2-sketchy-download-name.sql
    │   ├── 2-sketchy-mounted-diskimage.sql
    │   ├── 2-unexpected-diskimage-name-macos.sql
    │   ├── 2-unexpected-volume-contents.sql
    │   ├── 3-yara-recently-downloaded-miner.sql
    │   ├── 3-yara-recently-downloaded-packed.sql
    │   ├── 3-yara-recently-downloaded-ransom.sql
    │   └── 3-yara-recently-downloaded-stealer.sql
    ├── persistence
    │   ├── 1-unexpected-active-systemd-units.sql
    │   ├── 1-unexpected-chrome-extensions.sql
    │   ├── 1-unexpected-device-linux.sql
    │   ├── 1-unexpected-global-lock.sql
    │   ├── 1-unexpected-listening-port-linux.sql
    │   ├── 1-unexpected-systemctl-calls-linux.sql
    │   ├── 1-unexpected-uid0-daemon-linux.sql
    │   ├── 2-listening-from-unusual-location.sql
    │   ├── 2-low-fd-socket.sql
    │   ├── 2-minimal-socket-client-linux.sql
    │   ├── 2-minimal-socket-client-macos.sql
    │   ├── 2-shady-chrome-extension-author.sql
    │   ├── 2-suspicious-systemd-unit.sql
    │   ├── 2-unexpected-cron-entries.sql
    │   ├── 2-unexpected-launchd-program-arguments.sql
    │   ├── 2-unexpected-launchd-program-macos.sql
    │   ├── 2-unexpected-listening-port-macos.sql
    │   ├── 2-unexpected-lock-opener.sql
    │   ├── 2-unexpected-uid0-daemon-macos.sql
    │   ├── 3-fake-apple-launchd.sql
    │   ├── 3-suspicious-udev-runner-linux.sql
    │   ├── 3-unexpected-ssh-authorized-keys.sql
    │   ├── 3-yara-libtomcrypt-process.sql
    │   └── 3-yara-suspicious-strings-process-linux.sql
    └── privesc
    │   ├── 1-setxid-env-overflow-attempt.sql
    │   ├── 1-unexpected-privileged-containers.sql
    │   ├── 1-unexpected-setxid-process.sql
    │   ├── 2-docker-container-mounting-root.sql
    │   ├── 2-setxid-cmdline-overflow-attempt.sql
    │   ├── 2-unexpected-elevated-children-events_linux.sql
    │   ├── 2-unexpected-elevated-children-events_macos.sql
    │   ├── 2-unexpected-privilege-escalation_linux.sql
    │   ├── 2-unexpected-privilege-escalation_macos.sql
    │   └── 3-sketchy-docker-image-creator.sql
├── fragments
    ├── README.md
    ├── process_event_parents.sql
    ├── process_event_parents_macos.sql
    ├── process_parents.sql
    └── process_parents_macos.sql
├── images
    ├── logo-small.png
    └── logo.png
├── incident_response
    ├── README.md
    ├── account_policy_data-macos.sql
    ├── alf.sql
    ├── alf_exceptions_macos.sql
    ├── alf_explicit_auths_macos.sql
    ├── alf_services.sql
    ├── app_schemes.sql
    ├── apps.sql
    ├── authorization_mechanisms-macos.sql
    ├── authorizations-macos.sql
    ├── authorized_keys.sql
    ├── block_devices.sql
    ├── certificates.sql
    ├── chrome_extension_content_scripts.sql
    ├── chrome_extensions.sql
    ├── crashes-macos.sql
    ├── crontab.sql
    ├── deb_packages.sql
    ├── disk_encryption.sql
    ├── disk_events_macos.sql
    ├── dns_resolvers.sql
    ├── docker_container_mounts.sql
    ├── docker_container_ports.sql
    ├── docker_container_processes.sql
    ├── docker_containers.sql
    ├── docker_image_history.sql
    ├── docker_images.sql
    ├── es_process_events.sql
    ├── etc_hosts.sql
    ├── event_taps_macos.sql
    ├── file_events.sql
    ├── files-dev.sql
    ├── files-downloads.sql
    ├── files-etc.sql
    ├── files-recently-written.sql
    ├── firefox_addons.sql
    ├── gatekeeper_approved_apps_macos.sql
    ├── groups.sql
    ├── hardware_events.sql
    ├── homebrew-packages-macos.sql
    ├── interface_addresses.sql
    ├── interface_details.sql
    ├── interface_ipv6.sql
    ├── iokit-registry-macos.sql
    ├── ip_forwarding.sql
    ├── iptables.sql
    ├── kernel_info.sql
    ├── kernel_modules_linux.sql
    ├── kernel_panics-macos.sql
    ├── kextstat_macos.sql
    ├── known_hosts.sql
    ├── last.sql
    ├── launchd_macos.sql
    ├── launchd_overrides_macos.sql
    ├── listening_ports.sql
    ├── logged_in_users.sql
    ├── loginwindow1.sql
    ├── loginwindow2.sql
    ├── loginwindow3.sql
    ├── loginwindow4.sql
    ├── memory_map.sql
    ├── mounts.sql
    ├── npm_packages.sql
    ├── nvram-macos.sql
    ├── open_files.sql
    ├── open_sockets.sql
    ├── os_version.sql
    ├── package_install_history_macos.sql
    ├── package_receipts_macos.sql
    ├── platform_info.sql
    ├── preferences_macos.sql
    ├── process_env.sql
    ├── process_events.sql
    ├── process_memory_map.sql
    ├── process_open_files.sql
    ├── process_open_pipes.sql
    ├── process_open_sockets.sql
    ├── processes.sql
    ├── recent_items_macos.sql
    ├── rpm_packages.sql
    ├── running_apps_macos.sql
    ├── safari_extensions_macos.sql
    ├── sandboxes_macos.sql
    ├── seccomp_events.sql
    ├── selinux_events.sql
    ├── shadow.sql
    ├── shared_memory.sql
    ├── shell_history.sql
    ├── sip_config.sql
    ├── socket_events.sql
    ├── ssh_configs.sql
    ├── startup_items.sql
    ├── suid_bin.sql
    ├── syslog_events.sql
    ├── system_controls.sql
    ├── systemd_units.sql
    ├── unified_log_macos.sql
    ├── usb_devices.sql
    ├── user_events.sql
    ├── user_ssh_keys.sql
    ├── users.sql
    └── xprotect_reports.sql
├── osquery.conf
├── policy
    ├── gcp-service-account-keys-mdfind.sql
    ├── gcp-service-account-keys.sql
    ├── unexpected-rsa-keys-mdfind.sql
    ├── unexpected-rsa-keys.sql
    └── unusually-long-uptime-likely-missing-patches.sql
└── vulnerabilities
    └── 2-vulnerable-acrobat-reader.sql


/.github/mergify.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/.github/mergify.yml


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/.github/workflows/ci.yml


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/.gitignore


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/LICENSE.txt


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/Makefile


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/README.md


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-dns-traffic-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-dns-traffic-events.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-dns-traffic.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-dns-traffic.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-https-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-https-linux.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-https-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-https-macos.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-talker-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-talker-events.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-talkers-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-talkers-linux.sql


--------------------------------------------------------------------------------
/detection/c2/1-unexpected-talkers-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/1-unexpected-talkers-macos.sql


--------------------------------------------------------------------------------
/detection/c2/2-unexpected-icmp-socket-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/2-unexpected-icmp-socket-events.sql


--------------------------------------------------------------------------------
/detection/c2/2-unexpected-icmp-socket.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/2-unexpected-icmp-socket.sql


--------------------------------------------------------------------------------
/detection/c2/2-unexpected-root-libcurl-proc-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/2-unexpected-root-libcurl-proc-linux.sql


--------------------------------------------------------------------------------
/detection/c2/3-unexpected-root-libcurl-proc-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/c2/3-unexpected-root-libcurl-proc-macos.sql


--------------------------------------------------------------------------------
/detection/collection/1-high-disk-bytes-written.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/collection/1-high-disk-bytes-written.sql


--------------------------------------------------------------------------------
/detection/collection/2-excess-google-drive-downloads-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/collection/2-excess-google-drive-downloads-macos.sql


--------------------------------------------------------------------------------
/detection/collection/2-excess-google-drive-folder-exports-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/collection/2-excess-google-drive-folder-exports-macos.sql


--------------------------------------------------------------------------------
/detection/collection/2-spotlight-database-export-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/collection/2-spotlight-database-export-macos.sql


--------------------------------------------------------------------------------
/detection/credentials/1-unexpected-dev-opener-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/1-unexpected-dev-opener-linux.sql


--------------------------------------------------------------------------------
/detection/credentials/1-unexpected-dev-opener-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/1-unexpected-dev-opener-macos.sql


--------------------------------------------------------------------------------
/detection/credentials/2-macos_keyboard_sniffer.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/2-macos_keyboard_sniffer.sql


--------------------------------------------------------------------------------
/detection/credentials/2-unexpected-sensitive-file-access-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/2-unexpected-sensitive-file-access-linux.sql


--------------------------------------------------------------------------------
/detection/credentials/2-unexpected-sensitive-file-access-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/2-unexpected-sensitive-file-access-macos.sql


--------------------------------------------------------------------------------
/detection/credentials/3-yara-mounted-stealer.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/credentials/3-yara-mounted-stealer.sql


--------------------------------------------------------------------------------
/detection/discovery/1-unexpected-netutil-calls-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/discovery/1-unexpected-netutil-calls-linux.sql


--------------------------------------------------------------------------------
/detection/discovery/1-unexpected-netutil-calls-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/discovery/1-unexpected-netutil-calls-macos.sql


--------------------------------------------------------------------------------
/detection/discovery/2-unexpected-bpf-user.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/discovery/2-unexpected-bpf-user.sql


--------------------------------------------------------------------------------
/detection/discovery/2-unexpected-pcap-user-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/discovery/2-unexpected-pcap-user-linux.sql


--------------------------------------------------------------------------------
/detection/discovery/2-unexpected-pcap-user-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/discovery/2-unexpected-pcap-user-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/0-touched-executable-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/0-touched-executable-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-empty_root_environ_linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-empty_root_environ_linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-empty_root_environ_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-empty_root_environ_macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-hidden-cwd.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-hidden-cwd.sql


--------------------------------------------------------------------------------
/detection/evasion/1-hidden-home-libappsupport.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-hidden-home-libappsupport.sql


--------------------------------------------------------------------------------
/detection/evasion/1-missing-from-disk-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-missing-from-disk-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-missing-from-disk-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-missing-from-disk-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-old-binaries-running.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-old-binaries-running.sql


--------------------------------------------------------------------------------
/detection/evasion/1-touched-executable-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-touched-executable-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-alf-exceptions-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-alf-exceptions-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-etc-executables.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-etc-executables.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-ld-so-files-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-ld-so-files-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-process-extension-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-process-extension-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-tmp-executables-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-tmp-executables-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-tmp-executables-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-tmp-executables-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unexpected-var-run-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unexpected-var-run-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unusual-executable-name-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unusual-executable-name-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unusual-executable-name-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unusual-executable-name-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unusual-process-name-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unusual-process-name-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/1-unusual-process-name-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/1-unusual-process-name-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-executables-from-the-future.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-executables-from-the-future.sql


--------------------------------------------------------------------------------
/detection/evasion/2-hidden-cwd-events-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-hidden-cwd-events-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/2-hidden-executable.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-hidden-executable.sql


--------------------------------------------------------------------------------
/detection/evasion/2-hidden-home-config-dir.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-hidden-home-config-dir.sql


--------------------------------------------------------------------------------
/detection/evasion/2-hidden-home-library-dir.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-hidden-home-library-dir.sql


--------------------------------------------------------------------------------
/detection/evasion/2-name_path_mismatch.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-name_path_mismatch.sql


--------------------------------------------------------------------------------
/detection/evasion/2-parent-missing-from-disk-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-parent-missing-from-disk-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/2-parent-missing-from-disk-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-parent-missing-from-disk-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-ssh-notty.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-ssh-notty.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-dev-entries.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-dev-entries.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-hidden-system-paths.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-hidden-system-paths.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-kernel-extensions-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-kernel-extensions-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-kernel-modules-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-kernel-modules-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-library-entries-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-library-entries-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-public-files_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-public-files_macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-user-executables-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-user-executables-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-user-shared-entries.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-user-shared-entries.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-var-executables-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-var-executables-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unexpected-var-run-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unexpected-var-run-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/2-unusually-tainted-kernel-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/2-unusually-tainted-kernel-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/3-hidden-launchd-files-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-hidden-launchd-files-macos.sql


--------------------------------------------------------------------------------
/detection/evasion/3-overwritten-memory-map-ddexec-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-overwritten-memory-map-ddexec-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/3-parent-pid-missing-from-procfs.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-parent-pid-missing-from-procfs.sql


--------------------------------------------------------------------------------
/detection/evasion/3-pid-hidden-by-rootkit.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-pid-hidden-by-rootkit.sql


--------------------------------------------------------------------------------
/detection/evasion/3-unexpected-dev-executables-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-unexpected-dev-executables-linux.sql


--------------------------------------------------------------------------------
/detection/evasion/3-unexpected-var-executables-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/evasion/3-unexpected-var-executables-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-exotic-command-events-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-exotic-command-events-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-exotic-command-events-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-exotic-command-events-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-exotic-commands-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-exotic-commands-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-exotic-commands-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-exotic-commands-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-recently-created-executables-long-lived-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-recently-created-executables-long-lived-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-recently-created-executables-long-lived-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-recently-created-executables-long-lived-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-sketchy-fetcher-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-sketchy-fetcher-events.sql


--------------------------------------------------------------------------------
/detection/execution/1-sketchy-fetcher.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-sketchy-fetcher.sql


--------------------------------------------------------------------------------
/detection/execution/1-tiny-executable-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-tiny-executable-events.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-env-values-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-env-values-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-execdir-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-execdir-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-execdir-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-execdir-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-executable-permissions.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-executable-permissions.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-fetcher-parent-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-fetcher-parent-events.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-fetcher-parents.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-fetcher-parents.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-gatekeeper-approvals-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-gatekeeper-approvals-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-osascript-calls.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-osascript-calls.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-setuid-binaries.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-setuid-binaries.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-sysutils-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-sysutils-linux.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-sysutils-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-sysutils-macos.sql


--------------------------------------------------------------------------------
/detection/execution/1-unexpected-xattr-calls-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/1-unexpected-xattr-calls-macos.sql


--------------------------------------------------------------------------------
/detection/execution/2-exec-failed-launch-constraint-violation.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-exec-failed-launch-constraint-violation.sql


--------------------------------------------------------------------------------
/detection/execution/2-tiny-executable.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-tiny-executable.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-chmod-exec-event-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-chmod-exec-event-linux.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-chmod-exec-event-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-chmod-exec-event-macos.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-env-values-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-env-values-macos.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-execdir-events-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-execdir-events-linux.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-execdir-events-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-execdir-events-macos.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-long-running-security-framework-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-long-running-security-framework-macos.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-packet-sniffer.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-packet-sniffer.sql


--------------------------------------------------------------------------------
/detection/execution/2-unexpected-root-signer-events-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/2-unexpected-root-signer-events-macos.sql


--------------------------------------------------------------------------------
/detection/execution/3-relative-exec-low-uid-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-relative-exec-low-uid-events.sql


--------------------------------------------------------------------------------
/detection/execution/3-relative-exec-low-uid.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-relative-exec-low-uid.sql


--------------------------------------------------------------------------------
/detection/execution/3-reverse-shell-socket.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-reverse-shell-socket.sql


--------------------------------------------------------------------------------
/detection/execution/3-unexpected-mounts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-unexpected-mounts.sql


--------------------------------------------------------------------------------
/detection/execution/3-xprotect-reports.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-xprotect-reports.sql


--------------------------------------------------------------------------------
/detection/execution/3-yara-unexpected-miner-process.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-yara-unexpected-miner-process.sql


--------------------------------------------------------------------------------
/detection/execution/3-yara-unexpected-upx-process.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/execution/3-yara-unexpected-upx-process.sql


--------------------------------------------------------------------------------
/detection/exfil/0-salesforce-large-download-generic.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/exfil/0-salesforce-large-download-generic.sql


--------------------------------------------------------------------------------
/detection/exfil/0-salesforce-large-download-spotlight.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/exfil/0-salesforce-large-download-spotlight.sql


--------------------------------------------------------------------------------
/detection/exfil/1-high_disk_bytes_read.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/exfil/1-high_disk_bytes_read.sql


--------------------------------------------------------------------------------
/detection/exfil/2-yara-exec-connect-process-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/exfil/2-yara-exec-connect-process-linux.sql


--------------------------------------------------------------------------------
/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql


--------------------------------------------------------------------------------
/detection/impact/1-evenly-timestomped.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/impact/1-evenly-timestomped.sql


--------------------------------------------------------------------------------
/detection/impact/1-unexpected-etc-hosts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/impact/1-unexpected-etc-hosts.sql


--------------------------------------------------------------------------------
/detection/initial_access/1-unexpected-diskimage-source-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/1-unexpected-diskimage-source-macos.sql


--------------------------------------------------------------------------------
/detection/initial_access/1-unexpected-shell-parent-events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/1-unexpected-shell-parent-events.sql


--------------------------------------------------------------------------------
/detection/initial_access/1-unexpected-shell-parents.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/1-unexpected-shell-parents.sql


--------------------------------------------------------------------------------
/detection/initial_access/1-unexpected-webmail-downloads.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/1-unexpected-webmail-downloads.sql


--------------------------------------------------------------------------------
/detection/initial_access/2-sketchy-download-name.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/2-sketchy-download-name.sql


--------------------------------------------------------------------------------
/detection/initial_access/2-sketchy-mounted-diskimage.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/2-sketchy-mounted-diskimage.sql


--------------------------------------------------------------------------------
/detection/initial_access/2-unexpected-diskimage-name-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/2-unexpected-diskimage-name-macos.sql


--------------------------------------------------------------------------------
/detection/initial_access/2-unexpected-volume-contents.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/2-unexpected-volume-contents.sql


--------------------------------------------------------------------------------
/detection/initial_access/3-yara-recently-downloaded-miner.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/3-yara-recently-downloaded-miner.sql


--------------------------------------------------------------------------------
/detection/initial_access/3-yara-recently-downloaded-packed.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/3-yara-recently-downloaded-packed.sql


--------------------------------------------------------------------------------
/detection/initial_access/3-yara-recently-downloaded-ransom.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/3-yara-recently-downloaded-ransom.sql


--------------------------------------------------------------------------------
/detection/initial_access/3-yara-recently-downloaded-stealer.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/initial_access/3-yara-recently-downloaded-stealer.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-active-systemd-units.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-active-systemd-units.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-chrome-extensions.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-chrome-extensions.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-device-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-device-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-global-lock.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-global-lock.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-listening-port-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-listening-port-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-systemctl-calls-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-systemctl-calls-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/1-unexpected-uid0-daemon-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/1-unexpected-uid0-daemon-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/2-listening-from-unusual-location.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-listening-from-unusual-location.sql


--------------------------------------------------------------------------------
/detection/persistence/2-low-fd-socket.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-low-fd-socket.sql


--------------------------------------------------------------------------------
/detection/persistence/2-minimal-socket-client-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-minimal-socket-client-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/2-minimal-socket-client-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-minimal-socket-client-macos.sql


--------------------------------------------------------------------------------
/detection/persistence/2-shady-chrome-extension-author.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-shady-chrome-extension-author.sql


--------------------------------------------------------------------------------
/detection/persistence/2-suspicious-systemd-unit.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-suspicious-systemd-unit.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-cron-entries.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-cron-entries.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-launchd-program-arguments.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-launchd-program-arguments.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-launchd-program-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-launchd-program-macos.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-listening-port-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-listening-port-macos.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-lock-opener.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-lock-opener.sql


--------------------------------------------------------------------------------
/detection/persistence/2-unexpected-uid0-daemon-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/2-unexpected-uid0-daemon-macos.sql


--------------------------------------------------------------------------------
/detection/persistence/3-fake-apple-launchd.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/3-fake-apple-launchd.sql


--------------------------------------------------------------------------------
/detection/persistence/3-suspicious-udev-runner-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/3-suspicious-udev-runner-linux.sql


--------------------------------------------------------------------------------
/detection/persistence/3-unexpected-ssh-authorized-keys.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/3-unexpected-ssh-authorized-keys.sql


--------------------------------------------------------------------------------
/detection/persistence/3-yara-libtomcrypt-process.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/3-yara-libtomcrypt-process.sql


--------------------------------------------------------------------------------
/detection/persistence/3-yara-suspicious-strings-process-linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/persistence/3-yara-suspicious-strings-process-linux.sql


--------------------------------------------------------------------------------
/detection/privesc/1-setxid-env-overflow-attempt.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/1-setxid-env-overflow-attempt.sql


--------------------------------------------------------------------------------
/detection/privesc/1-unexpected-privileged-containers.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/1-unexpected-privileged-containers.sql


--------------------------------------------------------------------------------
/detection/privesc/1-unexpected-setxid-process.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/1-unexpected-setxid-process.sql


--------------------------------------------------------------------------------
/detection/privesc/2-docker-container-mounting-root.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-docker-container-mounting-root.sql


--------------------------------------------------------------------------------
/detection/privesc/2-setxid-cmdline-overflow-attempt.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-setxid-cmdline-overflow-attempt.sql


--------------------------------------------------------------------------------
/detection/privesc/2-unexpected-elevated-children-events_linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-unexpected-elevated-children-events_linux.sql


--------------------------------------------------------------------------------
/detection/privesc/2-unexpected-elevated-children-events_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-unexpected-elevated-children-events_macos.sql


--------------------------------------------------------------------------------
/detection/privesc/2-unexpected-privilege-escalation_linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-unexpected-privilege-escalation_linux.sql


--------------------------------------------------------------------------------
/detection/privesc/2-unexpected-privilege-escalation_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/2-unexpected-privilege-escalation_macos.sql


--------------------------------------------------------------------------------
/detection/privesc/3-sketchy-docker-image-creator.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/detection/privesc/3-sketchy-docker-image-creator.sql


--------------------------------------------------------------------------------
/fragments/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/fragments/README.md


--------------------------------------------------------------------------------
/fragments/process_event_parents.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/fragments/process_event_parents.sql


--------------------------------------------------------------------------------
/fragments/process_event_parents_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/fragments/process_event_parents_macos.sql


--------------------------------------------------------------------------------
/fragments/process_parents.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/fragments/process_parents.sql


--------------------------------------------------------------------------------
/fragments/process_parents_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/fragments/process_parents_macos.sql


--------------------------------------------------------------------------------
/images/logo-small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/images/logo-small.png


--------------------------------------------------------------------------------
/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/images/logo.png


--------------------------------------------------------------------------------
/incident_response/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/README.md


--------------------------------------------------------------------------------
/incident_response/account_policy_data-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/account_policy_data-macos.sql


--------------------------------------------------------------------------------
/incident_response/alf.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/alf.sql


--------------------------------------------------------------------------------
/incident_response/alf_exceptions_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/alf_exceptions_macos.sql


--------------------------------------------------------------------------------
/incident_response/alf_explicit_auths_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/alf_explicit_auths_macos.sql


--------------------------------------------------------------------------------
/incident_response/alf_services.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/alf_services.sql


--------------------------------------------------------------------------------
/incident_response/app_schemes.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/app_schemes.sql


--------------------------------------------------------------------------------
/incident_response/apps.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/apps.sql


--------------------------------------------------------------------------------
/incident_response/authorization_mechanisms-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/authorization_mechanisms-macos.sql


--------------------------------------------------------------------------------
/incident_response/authorizations-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/authorizations-macos.sql


--------------------------------------------------------------------------------
/incident_response/authorized_keys.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/authorized_keys.sql


--------------------------------------------------------------------------------
/incident_response/block_devices.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/block_devices.sql


--------------------------------------------------------------------------------
/incident_response/certificates.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/certificates.sql


--------------------------------------------------------------------------------
/incident_response/chrome_extension_content_scripts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/chrome_extension_content_scripts.sql


--------------------------------------------------------------------------------
/incident_response/chrome_extensions.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/chrome_extensions.sql


--------------------------------------------------------------------------------
/incident_response/crashes-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/crashes-macos.sql


--------------------------------------------------------------------------------
/incident_response/crontab.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/crontab.sql


--------------------------------------------------------------------------------
/incident_response/deb_packages.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/deb_packages.sql


--------------------------------------------------------------------------------
/incident_response/disk_encryption.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/disk_encryption.sql


--------------------------------------------------------------------------------
/incident_response/disk_events_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/disk_events_macos.sql


--------------------------------------------------------------------------------
/incident_response/dns_resolvers.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/dns_resolvers.sql


--------------------------------------------------------------------------------
/incident_response/docker_container_mounts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_container_mounts.sql


--------------------------------------------------------------------------------
/incident_response/docker_container_ports.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_container_ports.sql


--------------------------------------------------------------------------------
/incident_response/docker_container_processes.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_container_processes.sql


--------------------------------------------------------------------------------
/incident_response/docker_containers.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_containers.sql


--------------------------------------------------------------------------------
/incident_response/docker_image_history.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_image_history.sql


--------------------------------------------------------------------------------
/incident_response/docker_images.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/docker_images.sql


--------------------------------------------------------------------------------
/incident_response/es_process_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/es_process_events.sql


--------------------------------------------------------------------------------
/incident_response/etc_hosts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/etc_hosts.sql


--------------------------------------------------------------------------------
/incident_response/event_taps_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/event_taps_macos.sql


--------------------------------------------------------------------------------
/incident_response/file_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/file_events.sql


--------------------------------------------------------------------------------
/incident_response/files-dev.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/files-dev.sql


--------------------------------------------------------------------------------
/incident_response/files-downloads.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/files-downloads.sql


--------------------------------------------------------------------------------
/incident_response/files-etc.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/files-etc.sql


--------------------------------------------------------------------------------
/incident_response/files-recently-written.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/files-recently-written.sql


--------------------------------------------------------------------------------
/incident_response/firefox_addons.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/firefox_addons.sql


--------------------------------------------------------------------------------
/incident_response/gatekeeper_approved_apps_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/gatekeeper_approved_apps_macos.sql


--------------------------------------------------------------------------------
/incident_response/groups.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/groups.sql


--------------------------------------------------------------------------------
/incident_response/hardware_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/hardware_events.sql


--------------------------------------------------------------------------------
/incident_response/homebrew-packages-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/homebrew-packages-macos.sql


--------------------------------------------------------------------------------
/incident_response/interface_addresses.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/interface_addresses.sql


--------------------------------------------------------------------------------
/incident_response/interface_details.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/interface_details.sql


--------------------------------------------------------------------------------
/incident_response/interface_ipv6.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/interface_ipv6.sql


--------------------------------------------------------------------------------
/incident_response/iokit-registry-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/iokit-registry-macos.sql


--------------------------------------------------------------------------------
/incident_response/ip_forwarding.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/ip_forwarding.sql


--------------------------------------------------------------------------------
/incident_response/iptables.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/iptables.sql


--------------------------------------------------------------------------------
/incident_response/kernel_info.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/kernel_info.sql


--------------------------------------------------------------------------------
/incident_response/kernel_modules_linux.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/kernel_modules_linux.sql


--------------------------------------------------------------------------------
/incident_response/kernel_panics-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/kernel_panics-macos.sql


--------------------------------------------------------------------------------
/incident_response/kextstat_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/kextstat_macos.sql


--------------------------------------------------------------------------------
/incident_response/known_hosts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/known_hosts.sql


--------------------------------------------------------------------------------
/incident_response/last.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/last.sql


--------------------------------------------------------------------------------
/incident_response/launchd_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/launchd_macos.sql


--------------------------------------------------------------------------------
/incident_response/launchd_overrides_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/launchd_overrides_macos.sql


--------------------------------------------------------------------------------
/incident_response/listening_ports.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/listening_ports.sql


--------------------------------------------------------------------------------
/incident_response/logged_in_users.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/logged_in_users.sql


--------------------------------------------------------------------------------
/incident_response/loginwindow1.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/loginwindow1.sql


--------------------------------------------------------------------------------
/incident_response/loginwindow2.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/loginwindow2.sql


--------------------------------------------------------------------------------
/incident_response/loginwindow3.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/loginwindow3.sql


--------------------------------------------------------------------------------
/incident_response/loginwindow4.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/loginwindow4.sql


--------------------------------------------------------------------------------
/incident_response/memory_map.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/memory_map.sql


--------------------------------------------------------------------------------
/incident_response/mounts.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/mounts.sql


--------------------------------------------------------------------------------
/incident_response/npm_packages.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/npm_packages.sql


--------------------------------------------------------------------------------
/incident_response/nvram-macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/nvram-macos.sql


--------------------------------------------------------------------------------
/incident_response/open_files.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/open_files.sql


--------------------------------------------------------------------------------
/incident_response/open_sockets.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/open_sockets.sql


--------------------------------------------------------------------------------
/incident_response/os_version.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/os_version.sql


--------------------------------------------------------------------------------
/incident_response/package_install_history_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/package_install_history_macos.sql


--------------------------------------------------------------------------------
/incident_response/package_receipts_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/package_receipts_macos.sql


--------------------------------------------------------------------------------
/incident_response/platform_info.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/platform_info.sql


--------------------------------------------------------------------------------
/incident_response/preferences_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/preferences_macos.sql


--------------------------------------------------------------------------------
/incident_response/process_env.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_env.sql


--------------------------------------------------------------------------------
/incident_response/process_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_events.sql


--------------------------------------------------------------------------------
/incident_response/process_memory_map.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_memory_map.sql


--------------------------------------------------------------------------------
/incident_response/process_open_files.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_open_files.sql


--------------------------------------------------------------------------------
/incident_response/process_open_pipes.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_open_pipes.sql


--------------------------------------------------------------------------------
/incident_response/process_open_sockets.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/process_open_sockets.sql


--------------------------------------------------------------------------------
/incident_response/processes.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/processes.sql


--------------------------------------------------------------------------------
/incident_response/recent_items_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/recent_items_macos.sql


--------------------------------------------------------------------------------
/incident_response/rpm_packages.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/rpm_packages.sql


--------------------------------------------------------------------------------
/incident_response/running_apps_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/running_apps_macos.sql


--------------------------------------------------------------------------------
/incident_response/safari_extensions_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/safari_extensions_macos.sql


--------------------------------------------------------------------------------
/incident_response/sandboxes_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/sandboxes_macos.sql


--------------------------------------------------------------------------------
/incident_response/seccomp_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/seccomp_events.sql


--------------------------------------------------------------------------------
/incident_response/selinux_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/selinux_events.sql


--------------------------------------------------------------------------------
/incident_response/shadow.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/shadow.sql


--------------------------------------------------------------------------------
/incident_response/shared_memory.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/shared_memory.sql


--------------------------------------------------------------------------------
/incident_response/shell_history.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/shell_history.sql


--------------------------------------------------------------------------------
/incident_response/sip_config.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/sip_config.sql


--------------------------------------------------------------------------------
/incident_response/socket_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/socket_events.sql


--------------------------------------------------------------------------------
/incident_response/ssh_configs.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/ssh_configs.sql


--------------------------------------------------------------------------------
/incident_response/startup_items.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/startup_items.sql


--------------------------------------------------------------------------------
/incident_response/suid_bin.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/suid_bin.sql


--------------------------------------------------------------------------------
/incident_response/syslog_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/syslog_events.sql


--------------------------------------------------------------------------------
/incident_response/system_controls.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/system_controls.sql


--------------------------------------------------------------------------------
/incident_response/systemd_units.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/systemd_units.sql


--------------------------------------------------------------------------------
/incident_response/unified_log_macos.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/unified_log_macos.sql


--------------------------------------------------------------------------------
/incident_response/usb_devices.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/usb_devices.sql


--------------------------------------------------------------------------------
/incident_response/user_events.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/user_events.sql


--------------------------------------------------------------------------------
/incident_response/user_ssh_keys.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/user_ssh_keys.sql


--------------------------------------------------------------------------------
/incident_response/users.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/users.sql


--------------------------------------------------------------------------------
/incident_response/xprotect_reports.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/incident_response/xprotect_reports.sql


--------------------------------------------------------------------------------
/osquery.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/osquery.conf


--------------------------------------------------------------------------------
/policy/gcp-service-account-keys-mdfind.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/policy/gcp-service-account-keys-mdfind.sql


--------------------------------------------------------------------------------
/policy/gcp-service-account-keys.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/policy/gcp-service-account-keys.sql


--------------------------------------------------------------------------------
/policy/unexpected-rsa-keys-mdfind.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/policy/unexpected-rsa-keys-mdfind.sql


--------------------------------------------------------------------------------
/policy/unexpected-rsa-keys.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/policy/unexpected-rsa-keys.sql


--------------------------------------------------------------------------------
/policy/unusually-long-uptime-likely-missing-patches.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/policy/unusually-long-uptime-likely-missing-patches.sql


--------------------------------------------------------------------------------
/vulnerabilities/2-vulnerable-acrobat-reader.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chainguard-dev/osquery-defense-kit/HEAD/vulnerabilities/2-vulnerable-acrobat-reader.sql


--------------------------------------------------------------------------------