killchain-compendium/misc/threat_intelligence/osquery.md

2021-08-23 01:13:54 +02:00
# Osquery
* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/4.7.0/)
## Usage
* `.help` is the overview
### List available tables
```sh
.tables
```
* Specify via `.tables <tablename>`
### Show schema
```sh
.schema <table_name>
```
* Show schema for foreign operating systems via `--enable_foreign`
### Queries
* Select
```sql
select * from <table>;
select <attr>,<attr> from <table>;
```
* UPDATE and DELETE are possible on run-time tables
* JOIN
```sql
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```
* Where clause operators
  * `=` [equal]
  * `<>` [not equal]
  * `>, >=` [greater than, greater than or equal to]
  * `<, <=` [less than, less than or equal to]
  * `BETWEEN` [between a range]
  * `LIKE` [pattern wildcard searches]
    * `%` [wildcard, multiple characters]
    * `_` [wildcard, one character]
* Matching wildcard rules (path-style tables such as `file`)
  * `%`: Match all files and folders for one level.
  * `%%`: Match all files and folders recursively.
  * `%abc`: Match all within-level ending in "abc".
  * `abc%`: Match all within-level starting with "abc".
## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)
## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)
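Worked queries tying the Queries section (JOIN, WHERE operators, `%` vs `%%` wildcards) and the Yara section together, as an added example that is not part of the original notes; the `/etc/cron.d`, `/tmp` and sigfile paths are assumptions, and the `file`, `hash`, `processes` and `yara` tables are standard osquery tables.

```sql
-- Added example, not from the original notes. Paths below are assumptions.

-- 1. One-level wildcard on the file table, joined with hash to get a SHA-256
--    for every regular file directly inside /etc/cron.d (no recursion).
SELECT f.path,
       f.size,
       datetime(f.mtime, 'unixepoch') AS modified,
       h.sha256
FROM file f
JOIN hash h USING (path)
WHERE f.path LIKE '/etc/cron.d/%'
  AND f.type = 'regular';

-- 2. Recursive wildcard plus BETWEEN and <>: everything under /tmp, at any
--    depth, that is not a directory and was modified in the last hour.
SELECT path,
       type,
       datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE '/tmp/%%'
  AND type <> 'directory'
  AND mtime BETWEEN CAST(strftime('%s', 'now') AS INTEGER) - 3600
                AND CAST(strftime('%s', 'now') AS INTEGER);

-- 3. JOIN the yara table against running processes: scan each process's
--    on-disk binary with the rules in the sigfile (placeholder path) and
--    keep only rows where at least one rule matched.
SELECT p.pid,
       p.name,
       p.path,
       y.matches,
       y.count
FROM processes p
JOIN yara y ON y.path = p.path
WHERE y.sigfile = '/etc/osquery/yara/rules.yar'
  AND y.count > 0;
```

The `hash` and `yara` tables need a `path` (or `directory`) constraint to run; in queries 1 and 3 the join supplies it, so no extra WHERE clause on the path is required.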