OSQuery

Browse the OSQuery mappings on this page, download the mappings (in CSV/STIX format), or visualize the sensor coverage in ATT&CK Navigator.

Download CSV Download STIX Open in ATT&CK Navigator

Enterprise

EVENT

ATT&CK MAPPING

account_policy_data

Additional OS X user account data from the AccountPolicy section of OpenDirectory.
Data Source: User Account
Data Component: User Account Metadata
acpi_tables

Firmware ACPI functional table common metadata and content.
Data Source: Firmware
Data Component: Firmware Metadata
ad_config

OS X Active Directory configuration.
Data Source: Active Directory
Data Component: Active Directory Metadata
alf

OS X application layer firewall (ALF) service details.
Data Source: Firewall
Data Component: Firewall Metadata
alf_exceptions

OS X application layer firewall (ALF) service exceptions
Data Source: Firewall
Data Component: Firewall Rule Modification
alf_explicit_auths

ALF services explicitly allowed to perform networking.
Data Source: Firewall
Data Component: Firewall Enumeration
app_schemes

OS X application schemes and handlers (e.g., http, file, mailto).
Data Source: Sensor Health
Data Component: Host Status
apparmor_events

Track AppArmor (security auditing) events.
Data Source: Sensor Health
Data Component: Host Status
apparmor_profiles

Track active AppArmor profiles.
Data Source: Sensor Health
Data Component: Host Status
appcompat_shims

Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.
Data Source: Windows Registry
Data Component: Windows Registry Key Access
apps

OS X applications installed in known search paths (e.g., /Applications)
Data Source: Sensor Health
Data Component: Host Status
apt_sources

Current list of APT repositories or software channels.
Data Source: Sensor Health
Data Component: Host Status
arp_cache

Address resolution cache, both static and dynamic (from ARP, NDP)
Data Source: Sensor Health
Data Component: Network Status
asl

Queries the Apple System Log data structure for system events
Data Source: Sensor Health
Data Component: Host Status
augeas

Configuration files parsed by augeas
Data Source: File
Data Component: File Access
authenticode

File (executable, bundle, installer, disk) code signing status.
Data Source: File
Data Component: File Metadata
authorization_mechanisms

OS X Authorization mechanisms database.
Data Source: Kernel
Data Component: Kernel Module Load
authorizations

OS X Authorization rights database.
Data Source: User Account
Data Component: User Account Metadata
authorized_keys

A line-delimited authorized_keys table
Data Source: User Account
Data Component: User Account Metadata
autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.
Data Source: Windows Registry
Data Component: Windows Registry Key Access
background_activities_moderator

Background Activities Moderator (BAM) tracks application execution.
Data Source: Process
Data Component: Process Metadata
battery

Provides information about the internal battery of a Macbook.
Data Source: Sensor Health
Data Component: Host Status
bitlocker_info

Retrieve bitlocker status of the machine.
Data Source: Driver
Data Component: Driver Metadata
block_devices

Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.
Data Source: Sensor Health
Data Component: Host Status
browser_plugins

All C/NPAPI browser plugin details for all users.
Data Source: Application Log
Data Component: Application Log Content
certificates

Certificate Authorities installed in Keychains/ca-bundles.
Data Source: Certificate
Data Component: Certificate Registration
chassis_info

Display information pertaining to the chassis and its security status.
Data Source: Sensor Health
Data Component: Host Status
chrome_extension_content_scripts

Content scripts associated with Chrome extensions
Data Source: Application Log
Data Component: Application Log Content
chrome_extensions

Chrome browser extensions
Data Source: Application Log
Data Component: Application Log Content
connectivity

Booleans about Windows network connectivity.
Data Source: Sensor Health
Data Component: Host Status
cpu_info

Info about the CPU running on the machine.
Data Source: Sensor Health
Data Component: Host Status
cpu_time

Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.
Data Source: Sensor Health
Data Component: Host Status
cpuid

Useful CPU features from the cpuid ASM call.
Data Source: Sensor Health
Data Component: Host Status
crashes

Application, System, and Mobile App crash logs.
Data Source: Sensor Health
Data Component: Host Status
crontab

Line parsed values from system and user cron/tab.
Data Source: Scheduled Job
Data Component: Scheduled Job Metadata
cups_destinations

Returns all configured printers.
Data Source: Sensor Health
Data Component: Host Status
cups_jobs

Returns all completed print jobs from cups.
Data Source: Sensor Health
Data Component: Host Status
deb_packages

The installed DEB package database.
Data Source: Sensor Health
Data Component: Host Status
default_environment

Default environment variables and values.
Data Source: Sensor Health
Data Component: Host Status
device_file

Similar to the file table, but use TSK and allow block address access
Data Source: Drive
Data Component: Drive Access
device_firmware

A best-effort list of discovered firmware versions.
Data Source: Sensor Health
Data Component: Host Status
device_hash

Similar to the hash table, but use TSK and allow block address access
Data Source: File
Data Component: File Metadata
device_partitions

Use TSK to enumerate details about partitions on a disk device.
Data Source: Drive
Data Component: Drive Access
disk_encryption

Disk encryption status and information.
Data Source: Drive
Data Component: Drive Access
disk_events

Track DMG disk image events (appearance/disappearance) when opened
Data Source: Drive
Data Component: Drive Access
disk_info

Retrieve basic information about the physical disks of a system.
Data Source: Drive
Data Component: Drive Access
dns_cache

Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.
Data Source: Sensor Health
Data Component: Network Status
dns_resolvers

Resolvers used by this host.
Data Source: Sensor Health
Data Component: Network Status
drivers

Details for in-use Windows device drivers. This does not display installed but unused drivers.
Data Source: Driver
Data Component: Driver Metadata
elf_dynamic

ELF dynamic section information.
Data Source: File
Data Component: File Metadata
elf_info

ELF file information.
Data Source: File
Data Component: File Metadata
elf_sections

ELF section information.
Data Source: File
Data Component: File Metadata
elf_segments

ELF segments information.
Data Source: File
Data Component: File Metadata
elf_symbols

ELF symbol list.
Data Source: File
Data Component: File Metadata
etc_hosts

Line-parsed /etc/hosts.
Data Source: Sensor Health
Data Component: Network Status
etc_protocols

Line-parsed /etc/protocols.
Data Source: Sensor Health
Data Component: Network Status
etc_services

Line-parsed /etc/services.
Data Source: Sensor Health
Data Component: Network Status
event_taps

Returns information about installed event taps.
Data Source: Sensor Health
Data Component: Host Status
extended_attributes

Returns the extended attributes for files (similar to Windows ADS).
Data Source: File
Data Component: File Metadata
fan_speed_sensors

Fan speeds.
Data Source: Sensor Health
Data Component: Host Status
fbsd_kmods

Loaded FreeBSD kernel modules.
Data Source: Kernel
Data Component: Kernel Module Load
file

Interactive filesystem attributes and metadata.
Data Source: File
Data Component: File Metadata
file_events

Track time/action changes to files specified in configuration data.
Data Source: File
Data Component: File Creation
file_events

Track time/action changes to files specified in configuration data.
Data Source: File
Data Component: File Deletion
file_events

Track time/action changes to files specified in configuration data.
Data Source: File
Data Component: File Modification
firefox_addons

Firefox browser extensions, webapps, and addons.
Data Source: Application Log
Data Component: Application Log Content
gatekeeper

OS X Gatekeeper Details.
Data Source: Service
Data Component: Service Metadata
gatekeeper_apps

Gatekeeper apps a user has allowed to run.
Data Source: Service
Data Component: Service Metadata
groups

Local system groups.
Data Source: Group
Data Component: Group Metadata
hardware_events

Hardware (PCI/USB/HID) events from UDEV or IOKit.
Data Source: Sensor Health
Data Component: Host Status
hash

Filesystem hash data.
Data Source: Driver
Data Component: Drive Metadata
homebrew_packages

The installed homebrew package database.
Data Source: Application Log
Data Component: Application Log Content
hvci_status

Retrieve HVCI info of the machine.
Data Source: Sensor Health
Data Component: Host Status
ibridge_info

Information about the Apple iBridge hardware controller.
Data Source: Sensor Health
Data Component: Host Status
ie_extensions

Internet Explorer browser extensions.
Data Source: Application Log
Data Component: Application Log Content
intel_me_info

Intel ME/CSE Info.
Data Source: Sensor Health
Data Component: Host Status
interface_details

Detailed information and stats of network interfaces.
Data Source: Sensor Health
Data Component: Network Status
interface_ipv6

IPv6 configuration and stats of network interfaces.
Data Source: Sensor Health
Data Component: Network Status
interfaces

Network interfaces and relevant metadata.
Data Source: Sensor Health
Data Component: Network Status
iokit_devicetree

The IOKit registry matching the DeviceTree plane.
Data Source: Driver
Data Component: Driver Metadata
iokit_registry

The full IOKit registry without selecting a plane.
Data Source: Driver
Data Component: Driver Metadata
iptables

Linux IP packet filtering and NAT tool.
Data Source: Firewall
Data Component: Firewall Enumeration
kernel_extensions

OS X’s kernel extensions, both loaded and within the load search path.
Data Source: Kernel
Data Component: Kernel Metadata
kernel_info

Basic active kernel information.
Data Source: Kernel
Data Component: Kernel Metadata
kernel_modules

Linux kernel modules both loaded and within the load search path.
Data Source: Kernel
Data Component: Kernel Module Load
kernel_panics

System kernel panic logs.
Data Source: Sensor Health
Data Component: Host Status
keychain_acls

Applications that have ACL entries in the keychain.
Data Source: Sensor Health
Data Component: Host Status
keychain_items

Generic details about keychain items.
Data Source: Sensor Health
Data Component: Host Status
known_hosts

A line-delimited known_hosts table.
Data Source: Sensor Health
Data Component: Network Status
kva_speculative_info

Display kernel virtual address and speculative execution information for the system.
Data Source: Kernel
Data Component: Kernel Metadata
last

System logins and logouts.
Data Source: Logon Session
Data Component: Logon Session Metadata
launchd

LaunchAgents and LaunchDaemons from default search paths.
Data Source: Scheduled Job
Data Component: Scheduled Job Metadata
launchd_overrides

Override keys, per user, for LaunchDaemons and Agents.
Data Source: Scheduled Job
Data Component: Scheduled Job Metadata
listening_ports

Processes with listening (bound) network sockets/ports.
Data Source: Sensor Health
Data Component: Network Status
lldp_neighbors

LLDP neighbors of interfaces.
Data Source: Sensor Health
Data Component: Network Status
logged_in_users

Users with an active shell on the system.
Data Source: Logon Session
Data Component: Logon Session Metadata
logical_drives

Details for logical drives on the system. A logical drive generally represents a single partition.
Data Source: Drive
Data Component: Drive Access
logon_sessions

Windows Logon Session.
Data Source: Logon Session
Data Component: Logon Session Metadata
magic

Magic number recognition library table.
Data Source: File
Data Component: File Metadata
managed_policies

The managed configuration policies from AD, MDM, MCX, etc.
Data Source: Active Directory
Data Component: Active Directory Object Access
mdfind

Run searches against the spotlight database.
Data Source: File
Data Component: File Metadata
mdls

Query file metadata in the Spotlight database.
Data Source: File
Data Component: File Metadata
memory_array_mapped_addresses

Data associated for address mapping of physical memory arrays.
Data Source: Kernel
Data Component: Kernel Metadata
memory_arrays

Data associated with collection of memory devices that operate to form a memory address.
Data Source: Kernel
Data Component: Kernel Metadata
memory_device_mapped_addresses

Data associated for address mapping of physical memory devices.
Data Source: Kernel
Data Component: Kernel Metadata
memory_devices

Physical memory device (type 17) information retrieved from SMBIOS.
Data Source: Kernel
Data Component: Kernel Metadata
memory_error_info

Data associated with errors of a physical memory array.
Data Source: Sensor Health
Data Component: Host Status
memory_info

Main memory information in bytes.
Data Source: Sensor Health
Data Component: Host Status
memory_map

OS memory region map.
Data Source: Sensor Health
Data Component: Host Status
mounts

System mounted devices and filesystems (not process specific).
Data Source: Network Share
Data Component: Network Share Access
nfs_shares

NFS shares exported by the host.
Data Source: Network Share
Data Component: Network Share Access
npm_packages

Lists all npm packages in a directory or globally installed in a system.
Data Source: Sensor Health
Data Component: Host Status
ntdomains

Display basic NT domain information of a Windows machine.
Data Source: Sensor Health
Data Component: Host Status
ntfs_acl_permissions

Retrieve NTFS ACL permission information for files and directories.
Data Source: File
Data Component: File Metadata
ntfs_journal_events

Track time/action changes to files specified in configuration data.
Data Source: File
Data Component: File Metadata
oem_strings

OEM defined strings retrieved from SMBIOS.
Data Source: Firmware
Data Component: Firmware Metadata
office_mru

View recently opened Office documents.
Data Source: File
Data Component: File Access
opera_extensions

Opera browser extensions.
Data Source: Application Log
Data Component: Application Log Content
os_version

A single row containing the operating system name and version.
Data Source: Sensor Health
Data Component: Host Status
package_bom

OS X package bill of materials (BOM) file list.
Data Source: File
Data Component: File Metadata
package_receipts

OS X package receipt details.
Data Source: Process
Data Component: Process Metadata
patches

Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).
Data Source: Sensor Health
Data Component: Host Status
pci_devices

PCI devices active on the host system.
Data Source: Firmware
Data Component: Firmware Metadata
pipes

Named and Anonymous pipes.
Data Source: Named Pipe
Data Component: Named Pipe Enumeration
platform_info

Information about EFI/UEFI/ROM and platform/boot.
Data Source: Firmware
Data Component: Firmware Metadata
plist

Read and parse a plist file.
Data Source: File
Data Component: File Access
portage_keywords

A summary about portage configurations like keywords, mask and unmask.
Data Source: Sensor Health
Data Component: Host Status
portage_packages

List of currently installed packages.
Data Source: Sensor Health
Data Component: Host Status
portage_use

List of enabled portage USE values for specific package.
Data Source: Sensor Health
Data Component: Host Status
powershell_events

Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.
Data Source: Script
Data Component: Script Execution
preferences

OS X defaults and managed preferences.
Data Source: Sensor Health
Data Component: Host Status
process_envs

A key/value table of environment variables for each process.
Data Source: Process
Data Component: Process Metadata
process_events

Track time/action process executions.
Data Source: Process
Data Component: Process Metadata
process_file_events

A File Integrity Monitor implementation using the audit service.
Data Source: File
Data Component: File Metadata
process_memory_map

Process memory mapped files and pseudo device/regions.
Data Source: Process
Data Component: Process Metadata
process_namespaces

Linux namespaces for processes running on the host system.
Data Source: Process
Data Component: Process Metadata
process_open_files

File descriptors for each process.
Data Source: Process
Data Component: Process Metadata
process_open_pipes

Pipes and partner processes for each process.
Data Source: Process
Data Component: Process Metadata
process_open_sockets

Processes which have open network sockets on the system.
Data Source: Process
Data Component: Process Metadata
processes

All running processes on the host system.
Data Source: Process
Data Component: Process Enumeration
programs

Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.
Data Source: Sensor Health
Data Component: Host Status
python_packages

Python packages installed in a system.
Data Source: Sensor Health
Data Component: Host Status
quicklook_cache

Files and thumbnails within OS X’s Quicklook Cache.
Data Source: File
Data Component: File Metadata
registry

All of the Windows registry hives.
Data Source: Windows Registry
Data Component: Windows Registry Key Access
routes

The active route table for the host system.
Data Source: Sensor Health
Data Component: Network Status
rpm_package_files

RPM packages that are currently installed on the host system.
Data Source: Sensor Health
Data Component: Host Status
rpm_packages

RPM packages that are currently installed on the host system.
Data Source: Sensor Health
Data Component: Host Status
running_apps

macOS applications currently running on the host system.
Data Source: Process
Data Component: Process Creation
safari_extensions

Safari browser extension details for all users.
Data Source: Application Log
Data Component: Application Log Content
sandboxes

OS X application sandboxes container details.
Data Source: Image
Data Component: Image Metadata
scheduled_tasks

Lists all of the tasks in the Windows task scheduler.
Data Source: Scheduled Task
Data Component: Scheduled Task Enumeration
screenlock

macOS screenlock status for the current logged in user context.
Data Source: User Interface
Data Component: System Settings
selinux_events

Track SELinux events.
Data Source: Sensor Health
Data Component: Host Status
selinux_settings

Track active SELinux settings.
Data Source: Sensor Health
Data Component: Host Status
services

Lists all installed Windows services and their relevant data.
Data Source: Service
Data Component: Service Enumeration
shadow

Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access /etc/shadow.
Data Source: User Account
Data Component: User Account Metadata
shared_folders

Folders available to others via SMB or AFP.
Data Source: Network Share
Data Component: Network Share Access
shared_memory

OS shared memory regions.
Data Source: Kernel
Data Component: Kernel Metadata
shared_resources

Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.
Data Source: Sensor Health
Data Component: Host Status
sharing_preferences

OS X Sharing preferences.
Data Source: Network Share
Data Component: Network Share Access
shell_history

A line-delimited (command) table of per-user .*_history data.
Data Source: Command
Data Component: Command Metadata
shimcache

Application Compatibility Cache, contains artifacts of execution.
Data Source: File
Data Component: File Metadata
signature

File (executable, bundle, installer, disk) code signing status.
Data Source: File
Data Component: File Metadata
sip_config

Apple’s System Integrity Protection (rootless) status.
Data Source: Sensor Health
Data Component: Host Status
smbios_tables

BIOS (DMI) structure common details and content.
Data Source: Firmware
Data Component: Firmware Metadata
socket_events

Track network socket opens and closes.
Data Source: Network Traffic
Data Component: Network Traffic Content
ssh_configs

A table of parsed ssh_configs.
Data Source: Sensor Health
Data Component: Network Status
startup_items

Applications and binaries set as user/login startup items.
Data Source: Windows Registry
Data Component: Windows Registry Key Access
sudoers

Rules for running commands as other users via sudo.
Data Source: Sensor Health
Data Component: Host Status
suid_bin

suid binaries in common locations.
Data Source: File
Data Component: File Metadata
syslog_events

Linux syslog events.
Data Source: Sensor Health
Data Component: Host Status
system_controls

sysctl names, values, and settings information.
Data Source: Sensor Health
Data Component: Host Status
system_info

System information for identification.
Data Source: Sensor Health
Data Component: Host Status
time_machine_backups

Backups to drives using TimeMachine.
Data Source: Drive
Data Component: Drive Modification
time_machine_destinations

Locations backed up to using Time Machine.
Data Source: Drive
Data Component: Drive Metadata
ulimit_info

System resource usage limits.
Data Source: Sensor Health
Data Component: Host Status
usb_devices

USB devices that are actively plugged into the host system.
Data Source: Drive
Data Component: Drive Creation
user_events

Track user events from the audit framework.
Data Source: User Account
Data Component: User Account Authentication
user_groups

Local system user group relationships.
Data Source: Group
Data Component: Group Metadata
user_ssh_keys

Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.
Data Source: User Account
Data Component: User Account Metadata
userassist

UserAssist Registry Key tracks when a user executes an application from Windows Explorer.
Data Source: Windows Registry
Data Component: Windows Registry Key Access
users

Local user accounts (including domain accounts that have logged on locally (Windows)).
Data Source: User Account
Data Component: User Account Access
video_info

Retrieve video card information of the machine.
Data Source: Sensor Health
Data Component: Host Status
virtual_memory_info

Darwin Virtual Memory statistics.
Data Source: Kernel
Data Component: Kernel Metadata
wifi_status

OS X current WiFi status.
Data Source: Sensor Health
Data Component: Network Status
winbaseobj

Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.
Data Source: Sensor Health
Data Component: Host Status
windows_crashes

Extracted information from Windows crash logs (Minidumps).
Data Source: Sensor Health
Data Component: Host Status
windows_optional_features

Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.
Data Source: Sensor Health
Data Component: Host Status
windows_security_center

The health status of Window Security features. Health values can be “Good”, “Poor”. “Snoozed”, “Not Monitored”, and “Error”.
Data Source: Sensor Health
Data Component: Host Status
windows_security_products

Enumeration of registered Windows security products.
Data Source: Sensor Health
Data Component: Host Status
wmi_bios_info

Lists important information from the system bios.
Data Source: Firmware
Data Component: Firmware Metadata
wmi_cli_event_consumers

Data Source: WMI
Data Component: WMI Creation
wmi_event_filters

Lists WMI event filters.
Data Source: WMI
Data Component: WMI Enumeration
wmi_filter_consumer_binding

Lists the relationship between event consumers and filters.
Data Source: WMI
Data Component: WMI Enumeration
wmi_script_event_consumers

Data Source: WMI
Data Component: WMI Creation
xprotect_entries

Database of the machine’s XProtect signatures.
Data Source: Sensor Health
Data Component: Host Status
xprotect_meta

Database of the machine’s XProtect browser-related signatures.
Data Source: Sensor Health
Data Component: Host Status
xprotect_reports

Database of XProtect matches (if user generated/sent an XProtect report).
Data Source: Sensor Health
Data Component: Host Status