killchain-compendium/misc/threat_intelligence/osquery.md


# Osquery
* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/5.5.1/)
## Usage
* Inside the `osqueryi` shell, `.help` prints the overview of available meta-commands
### List available tables
List all tables that can be queried on the current host.
```sh
.tables
```
* Filter the list with `.tables <tablename>`
### Show schema
```sh
.schema <table_name>
```
* Show schema for foreign operating systems via `--enable_foreign`
### Queries
* Select
```sql
select * from <table>;
select <attr>, <attr> from <table>;
```
* `UPDATE` and `DELETE` are possible on run-time (in-memory) tables only; the virtual tables that read host state are read-only
* JOIN
```sql
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```
* Where
```sql
select * from programs where name = 'paint';
```
* Where clause operators
* `=` [equal]
* `<>` [not equal]
* `>, >=` [greater than, greater than or equal to]
* `<, <=` [less than, less than or equal to]
* `BETWEEN` [between a range]
* `LIKE` [pattern wildcard searches]
* `%` [wildcard, multiple characters]
* `_` [wildcard, one character]
* Wildcard rules when matching paths (e.g. the `path` column of the `file` table)
* `%`: Match all files and folders for one level.
* `%%`: Match all files and folders recursively.
* `%abc`: Match all within-level ending in "abc".
* `abc%`: Match all within-level starting with "abc".
* The Windows table `userassist` stores programs that were executed via Explorer (useful for execution-history triage)
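The two queries below are an added worked example (editor's code, not part of the compendium) that combine the `JOIN`, `WHERE`, `LIKE` and path-wildcard rules above into a defender-style check. They assume the stock `processes`, `listening_ports`, `users` and `file` tables available in osquery on Linux/macOS; the directories and port filter are illustrative choices, not fixed detection rules.

```sql
-- Added example, not from the compendium.
-- Query 1: processes that are listening on a network port and whose binary
-- lives under a world-writable / temporary directory. Joins three tables:
--   processes       -> pid, name, path, uid
--   listening_ports -> pid, port, address  (one row per bound socket)
--   users           -> uid, username
SELECT p.pid,
       p.name,
       p.path,
       u.username,
       lp.port,
       lp.address
FROM processes AS p
JOIN listening_ports AS lp USING (pid)      -- same column name on both sides
JOIN users AS u ON p.uid = u.uid            -- different column names: use ON
WHERE lp.port <> 0                          -- skip unbound / ephemeral rows
  AND (p.path LIKE '/tmp/%%'                -- %% = recursive match below /tmp
    OR p.path LIKE '/dev/shm/%%')
ORDER BY lp.port;

-- Query 2: path wildcards on the file table.
-- '%' matches exactly one directory level, so '/home/%/.ssh/%' lists the
-- contents of every user's .ssh directory without descending further.
-- Files that are readable by everyone (mode ending in 4, 6 or 7) are
-- flagged for review.
SELECT path,
       size,
       mode,
       datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE '/home/%/.ssh/%'
  AND (mode LIKE '%4' OR mode LIKE '%6' OR mode LIKE '%7');
```

Run either query from the `osqueryi` prompt, or non-interactively with `osqueryi --json "<query>"` to get JSON suitable for piping into a SIEM; the `mode` column of `file` is an octal string, which is why the permission check uses `LIKE` on its last character rather than a numeric comparison.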
## Modes
There are multiple output modes (e.g. line, column, csv, json) for displaying query results
```sh
osqueryi
osqueryi> .mode .help
```
## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)
## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)