OSQuery
Browse the OSQuery mappings on this page, download the mappings (in CSV/STIX format), or visualize the sensor coverage in ATT&CK Navigator.
Download CSV Download STIX Open in ATT&CK Navigator
Enterprise
EVENT ID |
EVENT DESCRIPTION |
ATT&CK DATA SOURCE |
ATT&CK DATA COMPONENT |
---|---|---|---|
account_policy_data |
Additional OS X user account data from the AccountPolicy section of OpenDirectory. |
User Account |
User Account Metadata |
acpi_tables |
Firmware ACPI functional table common metadata and content. |
Firmware |
Firmware Metadata |
ad_config |
OS X Active Directory configuration. |
Active Directory |
Active Directory Metadata |
alf |
OS X application layer firewall (ALF) service details. |
Firewall |
Firewall Metadata |
alf_exceptions |
OS X application layer firewall (ALF) service exceptions |
Firewall |
Firewall Rule Modification |
alf_explicit_auths |
ALF services explicitly allowed to perform networking. |
Firewall |
Firewall Enumeration |
app_schemes |
OS X application schemes and handlers (e.g., http, file, mailto). |
Sensor Health |
Host Status |
apparmor_events |
Track AppArmor (security auditing) events. |
Sensor Health |
Host Status |
apparmor_profiles |
Track active AppArmor profiles. |
Sensor Health |
Host Status |
appcompat_shims |
Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details. |
Windows Registry |
Windows Registry Key Access |
apps |
OS X applications installed in known search paths (e.g., /Applications) |
Sensor Health |
Host Status |
apt_sources |
Current list of APT repositories or software channels. |
Sensor Health |
Host Status |
arp_cache |
Address resolution cache, both static and dynamic (from ARP, NDP) |
Sensor Health |
Network Status |
asl |
Queries the Apple System Log data structure for system events |
Sensor Health |
Host Status |
augeas |
Configuration files parsed by augeas |
File |
File Access |
authenticode |
File (executable, bundle, installer, disk) code signing status. |
File |
File Metadata |
authorization_mechanisms |
OS X Authorization mechanisms database. |
Kernel |
Kernel Module Load |
authorizations |
OS X Authorization rights database. |
User Account |
User Account Metadata |
authorized_keys |
A line-delimited authorized_keys table |
User Account |
User Account Metadata |
autoexec |
Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more. |
Windows Registry |
Windows Registry Key Access |
background_activities_moderator |
Background Activities Moderator (BAM) tracks application execution. |
Process |
Process Metadata |
battery |
Provides information about the internal battery of a Macbook. |
Sensor Health |
Host Status |
bitlocker_info |
Retrieve bitlocker status of the machine. |
Driver |
Driver Metadata |
block_devices |
Block (buffered access) device file nodes: disks, ramdisks, and DMG containers. |
Sensor Health |
Host Status |
browser_plugins |
All C/NPAPI browser plugin details for all users. |
Application Log |
Application Log Content |
certificates |
Certificate Authorities installed in Keychains/ca-bundles. |
Certificate |
Certificate Registration |
chassis_info |
Display information pertaining to the chassis and its security status. |
Sensor Health |
Host Status |
chrome_extension_content_scripts |
Content scripts associated with Chrome extensions |
Application Log |
Application Log Content |
chrome_extensions |
Chrome browser extensions |
Application Log |
Application Log Content |
connectivity |
Booleans about Windows network connectivity. |
Sensor Health |
Host Status |
cpu_info |
Info about the CPU running on the machine. |
Sensor Health |
Host Status |
cpu_time |
Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system. |
Sensor Health |
Host Status |
cpuid |
Useful CPU features from the cpuid ASM call. |
Sensor Health |
Host Status |
crashes |
Application, System, and Mobile App crash logs. |
Sensor Health |
Host Status |
crontab |
Line parsed values from system and user cron/tab. |
Scheduled Job |
Scheduled Job Metadata |
cups_destinations |
Returns all configured printers. |
Sensor Health |
Host Status |
cups_jobs |
Returns all completed print jobs from cups. |
Sensor Health |
Host Status |
deb_packages |
The installed DEB package database. |
Sensor Health |
Host Status |
default_environment |
Default environment variables and values. |
Sensor Health |
Host Status |
device_file |
Similar to the file table, but use TSK and allow block address access |
Drive |
Drive Access |
device_firmware |
A best-effort list of discovered firmware versions. |
Sensor Health |
Host Status |
device_hash |
Similar to the hash table, but use TSK and allow block address access |
File |
File Metadata |
device_partitions |
Use TSK to enumerate details about partitions on a disk device. |
Drive |
Drive Access |
disk_encryption |
Disk encryption status and information. |
Drive |
Drive Access |
disk_events |
Track DMG disk image events (appearance/disappearance) when opened |
Drive |
Drive Access |
disk_info |
Retrieve basic information about the physical disks of a system. |
Drive |
Drive Access |
dns_cache |
Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll. |
Sensor Health |
Network Status |
dns_resolvers |
Resolvers used by this host. |
Sensor Health |
Network Status |
drivers |
Details for in-use Windows device drivers. This does not display installed but unused drivers. |
Driver |
Driver Metadata |
elf_dynamic |
ELF dynamic section information. |
File |
File Metadata |
elf_info |
ELF file information. |
File |
File Metadata |
elf_sections |
ELF section information. |
File |
File Metadata |
elf_segments |
ELF segments information. |
File |
File Metadata |
elf_symbols |
ELF symbol list. |
File |
File Metadata |
etc_hosts |
Line-parsed /etc/hosts. |
Sensor Health |
Network Status |
etc_protocols |
Line-parsed /etc/protocols. |
Sensor Health |
Network Status |
etc_services |
Line-parsed /etc/services. |
Sensor Health |
Network Status |
event_taps |
Returns information about installed event taps. |
Sensor Health |
Host Status |
extended_attributes |
Returns the extended attributes for files (similar to Windows ADS). |
File |
File Metadata |
fan_speed_sensors |
Fan speeds. |
Sensor Health |
Host Status |
fbsd_kmods |
Loaded FreeBSD kernel modules. |
Kernel |
Kernel Module Load |
file |
Interactive filesystem attributes and metadata. |
File |
File Metadata |
file_events |
Track time/action changes to files specified in configuration data. |
File |
File Creation |
file_events |
Track time/action changes to files specified in configuration data. |
File |
File Deletion |
file_events |
Track time/action changes to files specified in configuration data. |
File |
File Modification |
firefox_addons |
Firefox browser extensions, webapps, and addons. |
Application Log |
Application Log Content |
gatekeeper |
OS X Gatekeeper Details. |
Service |
Service Metadata |
gatekeeper_apps |
Gatekeeper apps a user has allowed to run. |
Service |
Service Metadata |
groups |
Local system groups. |
Group |
Group Metadata |
hardware_events |
Hardware (PCI/USB/HID) events from UDEV or IOKit. |
Sensor Health |
Host Status |
hash |
Filesystem hash data. |
Driver |
Drive Metadata |
homebrew_packages |
The installed homebrew package database. |
Application Log |
Application Log Content |
hvci_status |
Retrieve HVCI info of the machine. |
Sensor Health |
Host Status |
ibridge_info |
Information about the Apple iBridge hardware controller. |
Sensor Health |
Host Status |
ie_extensions |
Internet Explorer browser extensions. |
Application Log |
Application Log Content |
intel_me_info |
Intel ME/CSE Info. |
Sensor Health |
Host Status |
interface_details |
Detailed information and stats of network interfaces. |
Sensor Health |
Network Status |
interface_ipv6 |
IPv6 configuration and stats of network interfaces. |
Sensor Health |
Network Status |
interfaces |
Network interfaces and relevant metadata. |
Sensor Health |
Network Status |
iokit_devicetree |
The IOKit registry matching the DeviceTree plane. |
Driver |
Driver Metadata |
iokit_registry |
The full IOKit registry without selecting a plane. |
Driver |
Driver Metadata |
iptables |
Linux IP packet filtering and NAT tool. |
Firewall |
Firewall Enumeration |
kernel_extensions |
OS X’s kernel extensions, both loaded and within the load search path. |
Kernel |
Kernel Metadata |
kernel_info |
Basic active kernel information. |
Kernel |
Kernel Metadata |
kernel_modules |
Linux kernel modules both loaded and within the load search path. |
Kernel |
Kernel Module Load |
kernel_panics |
System kernel panic logs. |
Sensor Health |
Host Status |
keychain_acls |
Applications that have ACL entries in the keychain. |
Sensor Health |
Host Status |
keychain_items |
Generic details about keychain items. |
Sensor Health |
Host Status |
known_hosts |
A line-delimited known_hosts table. |
Sensor Health |
Network Status |
kva_speculative_info |
Display kernel virtual address and speculative execution information for the system. |
Kernel |
Kernel Metadata |
last |
System logins and logouts. |
Logon Session |
Logon Session Metadata |
launchd |
LaunchAgents and LaunchDaemons from default search paths. |
Scheduled Job |
Scheduled Job Metadata |
launchd_overrides |
Override keys, per user, for LaunchDaemons and Agents. |
Scheduled Job |
Scheduled Job Metadata |
listening_ports |
Processes with listening (bound) network sockets/ports. |
Sensor Health |
Network Status |
lldp_neighbors |
LLDP neighbors of interfaces. |
Sensor Health |
Network Status |
logged_in_users |
Users with an active shell on the system. |
Logon Session |
Logon Session Metadata |
logical_drives |
Details for logical drives on the system. A logical drive generally represents a single partition. |
Drive |
Drive Access |
logon_sessions |
Windows Logon Session. |
Logon Session |
Logon Session Metadata |
magic |
Magic number recognition library table. |
File |
File Metadata |
managed_policies |
The managed configuration policies from AD, MDM, MCX, etc. |
Active Directory |
Active Directory Object Access |
mdfind |
Run searches against the spotlight database. |
File |
File Metadata |
mdls |
Query file metadata in the Spotlight database. |
File |
File Metadata |
memory_array_mapped_addresses |
Data associated for address mapping of physical memory arrays. |
Kernel |
Kernel Metadata |
memory_arrays |
Data associated with collection of memory devices that operate to form a memory address. |
Kernel |
Kernel Metadata |
memory_device_mapped_addresses |
Data associated for address mapping of physical memory devices. |
Kernel |
Kernel Metadata |
memory_devices |
Physical memory device (type 17) information retrieved from SMBIOS. |
Kernel |
Kernel Metadata |
memory_error_info |
Data associated with errors of a physical memory array. |
Sensor Health |
Host Status |
memory_info |
Main memory information in bytes. |
Sensor Health |
Host Status |
memory_map |
OS memory region map. |
Sensor Health |
Host Status |
mounts |
System mounted devices and filesystems (not process specific). |
Network Share |
Network Share Access |
nfs_shares |
NFS shares exported by the host. |
Network Share |
Network Share Access |
npm_packages |
Lists all npm packages in a directory or globally installed in a system. |
Sensor Health |
Host Status |
ntdomains |
Display basic NT domain information of a Windows machine. |
Sensor Health |
Host Status |
ntfs_acl_permissions |
Retrieve NTFS ACL permission information for files and directories. |
File |
File Metadata |
ntfs_journal_events |
Track time/action changes to files specified in configuration data. |
File |
File Metadata |
oem_strings |
OEM defined strings retrieved from SMBIOS. |
Firmware |
Firmware Metadata |
office_mru |
View recently opened Office documents. |
File |
File Access |
opera_extensions |
Opera browser extensions. |
Application Log |
Application Log Content |
os_version |
A single row containing the operating system name and version. |
Sensor Health |
Host Status |
package_bom |
OS X package bill of materials (BOM) file list. |
File |
File Metadata |
package_receipts |
OS X package receipt details. |
Process |
Process Metadata |
patches |
Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs). |
Sensor Health |
Host Status |
pci_devices |
PCI devices active on the host system. |
Firmware |
Firmware Metadata |
pipes |
Named and Anonymous pipes. |
Named Pipe |
Named Pipe Enumeration |
platform_info |
Information about EFI/UEFI/ROM and platform/boot. |
Firmware |
Firmware Metadata |
plist |
Read and parse a plist file. |
File |
File Access |
portage_keywords |
A summary about portage configurations like keywords, mask and unmask. |
Sensor Health |
Host Status |
portage_packages |
List of currently installed packages. |
Sensor Health |
Host Status |
portage_use |
List of enabled portage USE values for specific package. |
Sensor Health |
Host Status |
powershell_events |
Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled. |
Script |
Script Execution |
preferences |
OS X defaults and managed preferences. |
Sensor Health |
Host Status |
process_envs |
A key/value table of environment variables for each process. |
Process |
Process Metadata |
process_events |
Track time/action process executions. |
Process |
Process Metadata |
process_file_events |
A File Integrity Monitor implementation using the audit service. |
File |
File Metadata |
process_memory_map |
Process memory mapped files and pseudo device/regions. |
Process |
Process Metadata |
process_namespaces |
Linux namespaces for processes running on the host system. |
Process |
Process Metadata |
process_open_files |
File descriptors for each process. |
Process |
Process Metadata |
process_open_pipes |
Pipes and partner processes for each process. |
Process |
Process Metadata |
process_open_sockets |
Processes which have open network sockets on the system. |
Process |
Process Metadata |
processes |
All running processes on the host system. |
Process |
Process Enumeration |
programs |
Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author. |
Sensor Health |
Host Status |
python_packages |
Python packages installed in a system. |
Sensor Health |
Host Status |
quicklook_cache |
Files and thumbnails within OS X’s Quicklook Cache. |
File |
File Metadata |
registry |
All of the Windows registry hives. |
Windows Registry |
Windows Registry Key Access |
routes |
The active route table for the host system. |
Sensor Health |
Network Status |
rpm_package_files |
RPM packages that are currently installed on the host system. |
Sensor Health |
Host Status |
rpm_packages |
RPM packages that are currently installed on the host system. |
Sensor Health |
Host Status |
running_apps |
macOS applications currently running on the host system. |
Process |
Process Creation |
safari_extensions |
Safari browser extension details for all users. |
Application Log |
Application Log Content |
sandboxes |
OS X application sandboxes container details. |
Image |
Image Metadata |
scheduled_tasks |
Lists all of the tasks in the Windows task scheduler. |
Scheduled Task |
Scheduled Task Enumeration |
screenlock |
macOS screenlock status for the current logged in user context. |
User Interface |
System Settings |
selinux_events |
Track SELinux events. |
Sensor Health |
Host Status |
selinux_settings |
Track active SELinux settings. |
Sensor Health |
Host Status |
services |
Lists all installed Windows services and their relevant data. |
Service |
Service Enumeration |
shadow |
Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access /etc/shadow. |
User Account |
User Account Metadata |
shared_folders |
Folders available to others via SMB or AFP. |
Network Share |
Network Share Access |
shared_memory |
OS shared memory regions. |
Kernel |
Kernel Metadata |
shared_resources |
Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device. |
Sensor Health |
Host Status |
sharing_preferences |
OS X Sharing preferences. |
Network Share |
Network Share Access |
shell_history |
A line-delimited (command) table of per-user .*_history data. |
Command |
Command Metadata |
shimcache |
Application Compatibility Cache, contains artifacts of execution. |
File |
File Metadata |
signature |
File (executable, bundle, installer, disk) code signing status. |
File |
File Metadata |
sip_config |
Apple’s System Integrity Protection (rootless) status. |
Sensor Health |
Host Status |
smbios_tables |
BIOS (DMI) structure common details and content. |
Firmware |
Firmware Metadata |
socket_events |
Track network socket opens and closes. |
Network Traffic |
Network Traffic Content |
ssh_configs |
A table of parsed ssh_configs. |
Sensor Health |
Network Status |
startup_items |
Applications and binaries set as user/login startup items. |
Windows Registry |
Windows Registry Key Access |
sudoers |
Rules for running commands as other users via sudo. |
Sensor Health |
Host Status |
suid_bin |
suid binaries in common locations. |
File |
File Metadata |
syslog_events |
Linux syslog events. |
Sensor Health |
Host Status |
system_controls |
sysctl names, values, and settings information. |
Sensor Health |
Host Status |
system_info |
System information for identification. |
Sensor Health |
Host Status |
time_machine_backups |
Backups to drives using TimeMachine. |
Drive |
Drive Modification |
time_machine_destinations |
Locations backed up to using Time Machine. |
Drive |
Drive Metadata |
ulimit_info |
System resource usage limits. |
Sensor Health |
Host Status |
usb_devices |
USB devices that are actively plugged into the host system. |
Drive |
Drive Creation |
user_events |
Track user events from the audit framework. |
User Account |
User Account Authentication |
user_groups |
Local system user group relationships. |
Group |
Group Metadata |
user_ssh_keys |
Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. |
User Account |
User Account Metadata |
userassist |
UserAssist Registry Key tracks when a user executes an application from Windows Explorer. |
Windows Registry |
Windows Registry Key Access |
users |
Local user accounts (including domain accounts that have logged on locally (Windows)). |
User Account |
User Account Access |
video_info |
Retrieve video card information of the machine. |
Sensor Health |
Host Status |
virtual_memory_info |
Darwin Virtual Memory statistics. |
Kernel |
Kernel Metadata |
wifi_status |
OS X current WiFi status. |
Sensor Health |
Network Status |
winbaseobj |
Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors. |
Sensor Health |
Host Status |
windows_crashes |
Extracted information from Windows crash logs (Minidumps). |
Sensor Health |
Host Status |
windows_optional_features |
Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class. |
Sensor Health |
Host Status |
windows_security_center |
The health status of Window Security features. Health values can be “Good”, “Poor”. “Snoozed”, “Not Monitored”, and “Error”. |
Sensor Health |
Host Status |
windows_security_products |
Enumeration of registered Windows security products. |
Sensor Health |
Host Status |
wmi_bios_info |
Lists important information from the system bios. |
Firmware |
Firmware Metadata |
wmi_cli_event_consumers |
WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details. |
WMI |
WMI Creation |
wmi_event_filters |
Lists WMI event filters. |
WMI |
WMI Enumeration |
wmi_filter_consumer_binding |
Lists the relationship between event consumers and filters. |
WMI |
WMI Enumeration |
wmi_script_event_consumers |
WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details. |
WMI |
WMI Creation |
xprotect_entries |
Database of the machine’s XProtect signatures. |
Sensor Health |
Host Status |
xprotect_meta |
Database of the machine’s XProtect browser-related signatures. |
Sensor Health |
Host Status |
xprotect_reports |
Database of XProtect matches (if user generated/sent an XProtect report). |
Sensor Health |
Host Status |