

Here are several examples of security investigations:

Find a specific process by indicators (IOCs) in memory or on disk. These IOCs could come from any threat intelligence feed. For example:

select * from processes where name = 'svchost.exe' and path like '%evil%'

This is extremely useful for scoping an investigation.

Find processes that are listening on the network. In a typical environment it is very unlikely to see a new process start connecting out; in command-and-control scenarios, malware commonly communicates with a remote server or injects into other processes to make those connections. Hence, discovering a new process listening on certain ports is very useful in an investigation. This is the simple query you can run to find listening processes (joined on the pid column, which both tables share):

select DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid

Find processes that are running but whose binary was deleted:

select name, path, pid from processes where on_disk = 0

List all logged-in users:

select * from logged_in_users

Which file is it?
Context: run the query select * from yara where path like '/home/%/%' and sigfile='/var/osquery/yara/scanner.yara'; under matches you will see that the first file on the list has a match. Use the sigfile saved at '/var/osquery/yara/scanner.yara'.

There is a file that is categorized as malicious in one of the home directories. Which file is that?
Context: run the query Select * From hash where directory LIKE '/home/tryhackme/%'

What was the target file in the attack?
Context: Run the query select * from hash where path like '/home/tryhackme/notsus'; this will return the hashes for the file, including md5.

Check all file hashes in the home directory for each user. One of the users performed a 'Binary Padding' attack.

What is the 'current_value' for kernel.osrelease?
Context: In Ubuntu run the query select * from kernel_info or select version from kernel_info

Context: run the query select * from users where username='bravo'

According to the polylogyx readme, how many 'features' does the plug-in add to the Osquery core?
Context: Read the readme; it lists the number of features.

What is the path for the running osqueryd.exe process?
Answer: C:\Users\Administrator\Desktop\launcher\windows\osqueryd.exe
Context: You will need to build the following query: SELECT * FROM file where path LIKE '%osqueryd.exe'. Scroll to the right under the column Version.

What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer)
Answer: Select username from users where username like '_en'

Context: When adding a new host, the secret is provided.

Context: Click New query and use the default one already provided (select * from osquery_info).

What is the first table listed that is compatible with both Linux and Windows?

How many tables are compatible with Linux?
How many of the tables for this version are compatible with Windows?
Context: Click Show only Tables compatible with and select windows

How many tables are there for this version of Osquery?

What table would you query to get the version of Osquery installed on the Windows endpoint?

What are the 2 meta-commands to exit osqueryi?
Context: Both commands listed in.

What is the meta-command to set the output to show one value per line?
Context: Looking into .summary to get the details.

Context: It will be found under the Osquery version

Context: Found under shell settings and mode under.

Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.
Context: Type.

Osquery is an open-source tool created by Facebook. With Osquery, security analysts, incident responders, threat hunters and others can query an endpoint (or multiple endpoints) using SQL syntax.
