Using Osquery with Virtyx
Virtyx has the full power of Osquery baked in, letting you run queries to gain visibility across your entire fleet of computers and servers.
To run a query on your agents, go to https://app.virtyx.com/query, enter the query, and click Run. You can choose to run queries on all your agents, or only a subset. You can also easily run a query directly from an agent page by entering it in the query box.
Here are a few macOS-focused queries that you may find useful:
- List processes that are listening for external connections (loopback listeners on IPv4 and IPv6 are excluded).
select processes.name, listening_ports.port, listening_ports.address from processes, listening_ports where listening_ports.port != 0 and listening_ports.pid = processes.pid and listening_ports.address != '127.0.0.1' and listening_ports.address != '::1';
- Find any installed third-party kernel extensions. Kernel extensions have
low-level access to the operating system. As such, you should be suspicious of
any kernel extensions you aren’t expecting to see.
select * from kernel_extensions where name not like 'com.apple%';
- Locate attempts to spoof corporate WiFi. This query will report any WiFi
access points that are being advertised to your agents that use your company
WiFi name but are not in your approved list of access points (fill in your
select * from wifi_survey where network_name = 'Company WiFi Network' and bssid not in ('00:00:00:00:00:00', '11:11:11:11:11:11');
- Get a list of unsecured WiFi networks that have been joined.
select ssid, network_name from wifi_networks where security_type = 'Open';
- Find outdated macOS installations (anything older than 10.13). The major version is checked first so that macOS 11.0 and later are not mistaken for old 10.x releases.
select version, build from os_version where platform = 'darwin' and (major < 10 or (major = 10 and minor < 13));
- List installer packages that have been run by a user.
select package_id, name from package_install_history where source = 'installer';
- List system updates. Check when the latest version of an application was
installed.
select name, time, version from package_install_history where source = 'softwareupdated';
- Check sharing preferences. You might want to verify that file sharing is
turned off and that Remote Access (SSH) is disabled.
select * from sharing_preferences;
- Check whether full-disk encryption is enabled. Any row returned is an unencrypted volume.
select * from disk_encryption where encrypted = 0;
- Check whether System Integrity Protection (SIP) is enabled. Any row returned means SIP is off, either in the running configuration or in NVRAM.
select * from sip_config where config_flag = 'sip' and (enabled = 0 or enabled_nvram = 0);
- Review recent shell commands.
select username, command from shell_history join users on shell_history.uid = users.uid order by time desc limit 10;
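The WiFi-spoofing and outdated-macOS checks above, as a small Python triage script that runs a query through the local `osqueryi --json` binary and post-processes the rows. This is an added example, not Virtyx or osquery code; the allowlist BSSIDs and the sample survey rows are constructed placeholders, and the `osqueryi` binary on PATH is an assumption.

```python
"""Triage helpers for osquery results (added example; not Virtyx code)."""
import json
import subprocess

# Approved corporate access points: constructed placeholder BSSIDs, not real values.
CORPORATE_SSID = "Company WiFi Network"
APPROVED_BSSIDS = {"00:00:00:00:00:00", "11:11:11:11:11:11"}

# Constructed sample rows in the shape `osqueryi --json` prints for wifi_survey.
SAMPLE_WIFI_SURVEY = json.dumps([
    {"network_name": "Company WiFi Network", "bssid": "00:00:00:00:00:00", "rssi": "-50"},
    {"network_name": "Company WiFi Network", "bssid": "AA:BB:CC:DD:EE:FF", "rssi": "-70"},
    {"network_name": "Guest", "bssid": "22:22:22:22:22:22", "rssi": "-60"},
])


def run_osqueryi(sql):
    """Run a query through osqueryi (assumed to be on PATH) and parse its JSON array."""
    proc = subprocess.run(["osqueryi", "--json", sql],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def rogue_access_points(rows, ssid=CORPORATE_SSID, approved=APPROVED_BSSIDS):
    """Return survey rows that advertise the corporate SSID from a BSSID outside
    the allowlist. BSSIDs are compared case-insensitively so an uppercase
    allowlist still matches lowercase values reported by osquery."""
    approved_norm = {b.lower() for b in approved}
    return [r for r in rows
            if r["network_name"] == ssid and r["bssid"].lower() not in approved_norm]


def is_outdated(row, minimum=(10, 13)):
    """True when an os_version row is older than `minimum` (major, minor).
    Comparing the (major, minor) tuple keeps macOS 11.0 from being flagged the
    way a bare `minor < 13` test would. osquery returns numbers as strings."""
    return (int(row["major"]), int(row["minor"])) < minimum


def sample_rogue_bssids():
    """Apply the spoof check to the constructed sample instead of a live agent."""
    return [r["bssid"] for r in rogue_access_points(json.loads(SAMPLE_WIFI_SURVEY))]


if __name__ == "__main__":
    print("Rogue BSSIDs in sample:", sample_rogue_bssids())
    # Live use (requires osqueryi): rows = run_osqueryi("select network_name, bssid from wifi_survey;")
```

On a live agent, pass the page's `wifi_survey` or `os_version` query to `run_osqueryi` and feed the returned rows to the same two functions.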
Let us know if you find other useful queries that you’d like us to add to this page! You can always reach us at email@example.com.