Recon Hunt Queries
Welcome to the Recon Hunt Queries repo!
This project is proudly maintained by Recon InfoSec to support the community of osquery users!
Our goal with this project is to have a consolidated place for incident response & threat hunting focused queries for osquery. We've grouped the queries by the MITRE ATT&CK tactics they support, but there are a few "General" categories of queries as well. Use the navigation bar to the left to explore.
These are collections of individual queries for specific use cases, not osquery query packs (JSON bundles of scheduled queries), which are a separate thing altogether.
There are several other great projects that track example queries, be sure to check them out!
Please contribute any queries you've found useful for threat hunting & incident response! Be sure to study the osquery Schema for inspiration.
Notice the "edit" icon at the top right of every page? Click on it, add your stuff, submit a PR -> raise the collective capabilities of osquery hunters everywhere!
The following markdown code produces the example below it.

````markdown
## List directory contents

**Description:** A non-recursive (single level) directory listing.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM file WHERE path LIKE 'C:\Users\%';
```

```sql tab="MacOS"
SELECT * FROM file WHERE path LIKE '/Users/%';
```

```sql tab="Linux"
SELECT * FROM file WHERE path LIKE '/home/%';
```
````
## List directory contents

**Description:** A non-recursive (single level) directory listing.

**Author:** [@eric_capuano](https://twitter.com/eric_capuano)

**Query:**

```sql tab="Windows"
SELECT * FROM file WHERE path LIKE 'C:\Users\%';
```

```sql tab="MacOS"
SELECT * FROM file WHERE path LIKE '/Users/%';
```

```sql tab="Linux"
SELECT * FROM file WHERE path LIKE '/home/%';
```
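The example above relies on a detail of osquery's `file` table that is worth spelling out before you write your own: in a `path LIKE` constraint, `%` matches exactly one path component (one level), while `%%` matches any depth. The following is an added example, not a query from this repo or from Recon InfoSec, that shows the single-level listing, its recursive counterpart, and a hunting-shaped refinement of the same pattern. It assumes only the standard osquery `file`, `hash` and `time` tables and a Linux home-directory layout; the `/home/%/Downloads` pattern is illustrative.

```sql
-- Added example (not part of the Recon Hunt Queries repo): how osquery's
-- file-table wildcards change the scope of a directory listing.
-- Assumes the standard osquery `file`, `hash` and `time` tables.

-- `%` matches exactly one path component: a one-level, non-recursive listing.
SELECT path, type, size, mtime
FROM file
WHERE path LIKE '/home/%';

-- `%%` matches any depth: a recursive walk, which is far more expensive on a
-- live host. Keep the prefix as specific as possible.
SELECT path, type, size, mtime
FROM file
WHERE path LIKE '/home/%/.ssh/%%';

-- `%` can also stand in for a single intermediate component. This enumerates
-- every user's Downloads directory without hard-coding usernames, keeps only
-- regular files written in the last 24 hours, and joins the `hash` table so
-- the result carries a SHA-256 to pivot on.
SELECT f.path, f.size, f.mtime, h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.path LIKE '/home/%/Downloads/%'
  AND f.type = 'regular'
  AND f.mtime > (SELECT unix_time FROM time) - 86400;
```

On Windows the same wildcards apply with backslash separators (`C:\Users\%\Downloads\%`); on macOS substitute `/Users/%`. Note that `hash` and `file` both require a `path` (or `directory`) constraint, which is why the join is driven from the constrained `file` rows rather than the other way round.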
For a query that is universal across all supported osquery platforms, simply specify "All Platforms" as in the
If your query is only applicable to one platform, feel free to omit the non-applicable tabs.