diff --git a/misc/threat_intelligence/osquery.md b/misc/threat_intelligence/osquery.md index 4993ba5..ccb3a8e 100644 --- a/misc/threat_intelligence/osquery.md +++ b/misc/threat_intelligence/osquery.md @@ -1,18 +1,22 @@ # Osquery * [Documentation](https://osquery.readthedocs.io/en/stable/) -* [Schema Docs](https://osquery.io/schema/4.7.0/) +* [Schema Docs](https://osquery.io/schema/5.5.1/) ## Usage -* `.help` is the overiew + +* `osqueryi .help` is the overiew ### List available tables + +List an overview of all available topics which can be queried. ```sh .tables ``` * Specify via `.tables ` ### Show schema + ```sh .schema ``` @@ -20,7 +24,7 @@ ### Queries -* Select +* Select ```sql select * from ; select * , from
; @@ -33,6 +37,11 @@ select * , from
; SELECT pid, name, path FROM osquery_info JOIN processes USING (pid); ``` +* Where +```sql +select * from programs where name = 'paint'; +``` + * Where clause operators * `=` [equal] * `<>` [not equal] @@ -49,14 +58,28 @@ SELECT pid, name, path FROM osquery_info JOIN processes USING (pid); * `%abc`: Match all within-level ending in "abc". * `abc%`: Match all within-level starting with "abc". +* Table 'userassist' stores executed processes + +## Modes + +There are multiple modes to select from to show the data + +```sh +osqueryi +osqueryi> .mode .help +``` + ## Remote Queries via Frontend + * [Repo](https://github.com/fleetdm/fleet.git) ## Extensions + * [osquery-extensions](https://github.com/trailofbits/osquery-extensions) * [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin) ### Yara + ```sql select * from yara where sigfile='' and path like '/home/%%'; ```