{ "win_version": { "query": "select tb1.name, tb1.build_version, (case when (arch like '%-bit') then concat('x', replace(arch,'-bit', '')) else arch end) as arch, 'Microsoft' as publisher, tb2.version from (select name, version as build_version, arch from os_version) tb1,(select data as version from registry where path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion') tb2;", "name": "win_version", "description": "Retrieves the name, version number, build version, and arch of the target Windows system.", "purlType": "swid", "componentType": "operating-system" }, "kernel_info": { "query": "select * from kernel_info;", "name": "os-image", "description": "Retrieves information from the current kernel in the target system.", "purlType": "swid" }, "chrome_extensions": { "query": "select chrome_extensions.* from users join chrome_extensions using (uid);", "description": "Retrieves the list of extensions for Chrome in the target system.", "purlType": "chrome-extension", "componentType": "application" }, "firefox_addons": { "query": "select firefox_addons.* from users join firefox_addons using (uid);", "description": "Retrieves the list of addons for Firefox in the target system.", "purlType": "swid", "componentType": "application" }, "vscode_extensions": { "query": "select vscode_extensions.* from users join vscode_extensions using (uid);", "description": "Lists all vscode extensions.", "purlType": "vscode-extension", "componentType": "application" }, "browser_plugins": { "query": "select browser_plugins.* from users join browser_plugins using (uid);", "description": "Retrieves the list of C/NPAPI browser plugin in the target system.", "purlType": "swid" }, "ie_extensions": { "query": "select * from ie_extensions;", "description": "Retrieves the list of extensions for IE in the target system.", "purlType": "swid" }, "opera_extensions": { "query": "select opera_extensions.* from users join opera_extensions using (uid);", "description": "Retrieves the list of extensions for opera in the target system.", "purlType": "swid" }, "safari_extensions": { "query": "select safari_extensions.* from users join safari_extensions using (uid);", "description": "Retrieves the list of extensions for safari in the target system.", "purlType": "swid" }, "python_packages": { "query": "select * from python_packages;", "description": "Python packages installed on system.", "purlType": "pypi" }, "windows_programs": { "query": "select * from programs;", "description": "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.", "purlType": "swid" }, "windows_patches": { "query": "select * from patches;", "description": "Retrieves all the information for the current windows drivers in the target Windows system.", "purlType": "swid" }, "windows_drivers": { "query": "select * from drivers;", "description": "Retrieves all the information for the current windows drivers in the target Windows system.", "purlType": "swid" }, "windows_shared_resources": { "query": "select * from shared_resources;", "description": "Retrieves the list of shared resources in the target Windows system.", "purlType": "swid", "componentType": "data" }, "appcompat_shims": { "query": "SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');", "description": "Appcompat shims (.sdb files) installed on Windows hosts.", "purlType": "swid", "componentType": "data" }, "system_info_snapshot": { "query": "SELECT * FROM system_info;", "description": "System info snapshot query.", "purlType": "swid", "componentType": "data" }, "users_snapshot": { "query": "SELECT username as name, uuid as version, description, directory, uid, type, gid FROM users;", "description": "Local and domain-backed user account inventory on Windows endpoints.", "purlType": "swid", "componentType": "data" }, "logged_in_users_snapshot": { "query": "SELECT user as name, '' as version, type as description, pid, host, tty, time, sid, registry_hive FROM logged_in_users;", "description": "Interactive and remote user sessions active on the endpoint.", "purlType": "swid", "componentType": "data" }, "logon_sessions": { "query": "SELECT user as name, logon_type as version, authentication_package as description, logon_id, logon_domain, session_id, logon_sid, logon_time, logon_server, dns_domain_name, upn, profile_path, home_directory, home_directory_drive FROM logon_sessions;", "description": "Windows logon session inventory for authentication and identity investigations.", "purlType": "swid", "componentType": "data" }, "pipes_snapshot": { "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);", "description": "Pipes snapshot query.", "purlType": "swid", "componentType": "data" }, "process_open_handles_snapshot": { "query": "SELECT processes.name, process_open_handles.type as version, process_open_handles.name as description, processes.path, processes.cmdline, processes.pid, process_open_handles.value, process_open_handles.type, process_open_handles.name as handle_name, process_open_handles.access, process_open_handles.attributes, process_open_handles.count, process_open_handles.raw_pointer_count, process_open_handles.error_stage, process_open_handles.error_code FROM processes JOIN process_open_handles USING (pid) WHERE process_open_handles.name != '' AND processes.name IN ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'wmic.exe', 'certutil.exe', 'bitsadmin.exe') AND ((process_open_handles.type = 'File' AND (lower(process_open_handles.name) LIKE '%\\appdata\\local\\temp\\%' OR lower(process_open_handles.name) LIKE '%\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\windows\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\system32\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\wbem\\repository\\%')) OR (process_open_handles.type = 'Key' AND (lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\run%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\runonce%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\winlogon%' OR lower(process_open_handles.name) LIKE '%\\system\\currentcontrolset\\services\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\wbem\\cimom%')));", "description": "Open handles owned by high-signal scripting and proxy-execution processes, filtered to persistence-oriented file and registry locations on Windows endpoints.", "purlType": "swid", "componentType": "data" }, "services_snapshot": { "query": "SELECT * FROM services;", "description": "Services snapshot query.", "purlType": "swid", "componentType": "data" }, "wmi_cli_event_consumers": { "query": "SELECT * FROM wmi_cli_event_consumers;", "description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.", "purlType": "swid", "componentType": "data" }, "wmi_filter_consumer_binding": { "query": "SELECT * FROM wmi_filter_consumer_binding;", "description": "Lists the relationship between event consumers and filters.", "purlType": "swid", "componentType": "data" }, "wmi_cli_event_consumers_snapshot": { "query": "SELECT * FROM wmi_cli_event_consumers;", "description": "Snapshot query for WMI event consumers.", "purlType": "swid", "componentType": "data" }, "certificates": { "query": "SELECT * FROM certificates WHERE path != 'Other People';", "description": "List all certificates in the trust store.", "purlType": "swid", "componentType": "data" }, "wmi_event_filters": { "query": "SELECT * FROM wmi_event_filters;", "description": "Lists WMI event filters.", "purlType": "swid", "componentType": "data" }, "windows_security_products": { "query": "SELECT * FROM windows_security_products;", "description": "Registered endpoint security products and signature posture.", "purlType": "swid", "componentType": "data" }, "windows_security_center": { "query": "SELECT antivirus as name, firewall as version, autoupdate as description, internet_settings, windows_security_center_service, user_account_control FROM windows_security_center;", "description": "Windows Security Center overall protection health indicators.", "purlType": "swid", "componentType": "data" }, "windows_bitlocker_info": { "query": "SELECT device_id as name, drive_letter as version, encryption_method as description, persistent_volume_id, conversion_status, protection_status, percentage_encrypted, lock_status FROM bitlocker_info;", "description": "BitLocker protection and encryption state for local drives.", "purlType": "swid", "componentType": "data" }, "windows_run_keys": { "query": "SELECT path as name, mtime as version, data as description, key, type FROM registry WHERE (key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%' OR key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%' OR key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%' OR key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%') AND type != 'subkey';", "description": "Registry Run/RunOnce autostart entries commonly abused for persistence.", "purlType": "swid", "componentType": "data" }, "etc_hosts": { "query": "SELECT * FROM etc_hosts;", "description": "List the contents of the Windows hosts file.", "purlType": "swid", "componentType": "data" }, "scheduled_tasks": { "query": "SELECT * FROM scheduled_tasks;", "description": "List all scheduled_tasks.", "purlType": "swid", "componentType": "data" }, "chocolatey_packages": { "query": "SELECT * FROM chocolatey_packages;", "description": "List all chocolatey_packages.", "purlType": "chocolatey" }, "npm_packages": { "query": "SELECT * FROM npm_packages;", "description": "List all npm_packages.", "purlType": "npm" }, "startup_items": { "query": "SELECT * FROM startup_items;", "description": "List all startup_items.", "purlType": "swid", "componentType": "data" }, "routes": { "query": "SELECT * FROM routes;", "description": "List all routes.", "purlType": "swid", "componentType": "data" }, "listening_ports": { "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;", "description": "List all processes and their listening_ports.", "purlType": "swid", "componentType": "application" }, "processes": { "query": "SELECT * FROM processes;", "description": "List all processes.", "purlType": "swid", "componentType": "data" }, "process_open_sockets": { "query": "SELECT * FROM process_open_sockets;", "description": "List all process_open_sockets.", "purlType": "swid", "componentType": "data" }, "windows_update_history": { "query": "SELECT * FROM windows_update_history;", "description": "List all windows_update_history.", "purlType": "swid", "componentType": "data" }, "windows_optional_features": { "query": "SELECT * FROM windows_optional_features;", "description": "List all windows_optional_features.", "purlType": "swid", "componentType": "data" }, "windows_firewall_rules": { "query": "SELECT * FROM windows_firewall_rules;", "description": "List all windows_firewall_rules.", "purlType": "swid", "componentType": "data" }, "logical_drives": { "query": "SELECT * FROM logical_drives;", "description": "List all logical_drives.", "purlType": "swid", "componentType": "device" } }