{ "platform": "all", "version": "1.0.0", "description": "Hunt for persistence mechanisms across all platforms", "queries": { "crontab_monitoring": { "query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;", "interval": 3600, "description": "Monitor cron jobs for persistence", "platform": "posix" }, "suspicious_cron_commands": { "query": "SELECT * FROM crontab WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%' OR command LIKE '%bash -i%' OR command LIKE '%python%socket%' OR command LIKE '%nc%';", "interval": 1800, "description": "Detect suspicious cron job commands (broad substring matches such as '%nc%' also hit benign commands like rsync; triage before alerting)", "platform": "posix" }, "systemd_units": { "query": "SELECT name, description, load_state, active_state, sub_state, fragment_path, source FROM systemd_units WHERE active_state = 'active';", "interval": 3600, "description": "Active systemd units", "platform": "linux" }, "non_standard_systemd": { "query": "SELECT name, fragment_path, active_state FROM systemd_units WHERE active_state = 'active' AND fragment_path NOT LIKE '/usr/lib/systemd/system/%' AND fragment_path NOT LIKE '/lib/systemd/system/%';", "interval": 1800, "description": "Active systemd units loaded from outside /usr/lib/systemd/system and /lib/systemd/system (potential persistence; also matches legitimate units under /etc/systemd/system)", "platform": "linux" }, "launchd_monitoring": { "query": "SELECT name, label, path, program, program_arguments, run_at_load, keep_alive FROM launchd WHERE run_at_load = 1;", "interval": 3600, "description": "macOS launch agents and daemons set to run at load", "platform": "darwin" }, "suspicious_launchd": { "query": "SELECT * FROM launchd WHERE run_at_load = 1 AND (path LIKE '%/tmp/%' OR path LIKE '%/Users/%/Library/LaunchAgents/%' OR program LIKE '%curl%' OR program LIKE '%bash%');", "interval": 1800, "description": "Suspicious launch agents", "platform": "darwin" }, "startup_items_mac": { "query": "SELECT name, path, args, type, source, status FROM startup_items;", "interval": 3600, "description": "macOS startup items", "platform": "darwin" }, "registry_run_keys": { 
"query": "SELECT key, name, path, data, mtime FROM registry WHERE (key LIKE '%\\\\Run' OR key LIKE '%\\\\RunOnce') AND key NOT LIKE '%\\\\RunOnceEx';", "interval": 1800, "description": "Windows registry Run keys", "platform": "windows" }, "suspicious_registry_entries": { "query": "SELECT key, name, path, data FROM registry WHERE (key LIKE '%Run%' OR key LIKE '%RunOnce%') AND (data LIKE '%AppData%' OR data LIKE '%Temp%' OR data LIKE '%ProgramData%' OR data LIKE '%.vbs' OR data LIKE '%.js');", "interval": 1800, "description": "Suspicious registry persistence entries", "platform": "windows" }, "scheduled_tasks": { "query": "SELECT name, action, path, enabled, state, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1;", "interval": 3600, "description": "Enabled Windows scheduled tasks", "platform": "windows" }, "suspicious_scheduled_tasks": { "query": "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%powershell%' OR action LIKE '%cmd%' OR action LIKE '%wscript%' OR action LIKE '%mshta%' OR action LIKE '%AppData%' OR action LIKE '%Temp%');", "interval": 1800, "description": "Suspicious scheduled tasks", "platform": "windows" }, "windows_services": { "query": "SELECT name, display_name, status, path, start_type, user_account FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START') ORDER BY status;", "interval": 3600, "description": "Windows services with AUTO_START or DEMAND_START start type", "platform": "windows" }, "wmi_event_consumers": { "query": "SELECT name, command_line_template, executable_path, script_file_name FROM wmi_cli_event_consumers;", "interval": 1800, "description": "WMI event consumers (persistence mechanism)", "platform": "windows" }, "kernel_modules": { "query": "SELECT name, size, used_by, status FROM kernel_modules;", "interval": 3600, "description": "Loaded Linux kernel modules", "platform": "linux" }, "kernel_extensions_mac": { "query": "SELECT name, version, path, linked_against FROM kernel_extensions WHERE 
loaded = 1;", "interval": 3600, "description": "Loaded macOS kernel extensions", "platform": "darwin" }, "bash_profile_modifications": { "query": "SELECT path, filename, mtime, ctime, size FROM file WHERE path IN ('/etc/profile', '/etc/bash.bashrc', '/etc/zshrc') OR path LIKE '/home/%/.bashrc' OR path LIKE '/home/%/.bash_profile' OR path LIKE '/home/%/.zshrc' OR path LIKE '/Users/%/.bashrc' OR path LIKE '/Users/%/.bash_profile' OR path LIKE '/Users/%/.zshrc';", "interval": 3600, "description": "Shell startup file metadata (mtime, ctime, size) for detecting profile modifications", "platform": "posix" }, "browser_extensions_chrome": { "query": "SELECT name, identifier, version, description, path, author FROM chrome_extensions;", "interval": 3600, "description": "Chrome browser extensions" }, "browser_extensions_firefox": { "query": "SELECT name, identifier, version, description, source_url, visible FROM firefox_addons WHERE visible = 1;", "interval": 3600, "description": "Firefox browser add-ons" } } }