updated osquery

This commit is contained in:
Stefan Friese 2022-11-08 00:48:19 +01:00
parent c5770dee83
commit 41af4b5b9a
1 changed files with 26 additions and 3 deletions

@ -1,18 +1,22 @@
# Osquery
* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/4.7.0/)
* [Schema Docs](https://osquery.io/schema/5.5.1/)
## Usage
* `.help` is the overiew
* `osqueryi .help` is the overiew
### List available tables
List an overview of all available topics which can be queried.
```sh
.tables
```
* Specify via `.tables <tablename>`
### Show schema
```sh
.schema <table_name>
```
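Review bot: the typo "overiew" is carried over into the replacement line `* \`osqueryi .help\` is the overiew`; since this line is being rewritten anyway, correct it to "overview". The rest of the hunk (bumping the schema link to 5.5.1, adding the `.tables <tablename>` filter hint) reads fine.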
@ -33,6 +37,11 @@ select * <attr>,<attr> from <table>;
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```
* Where
```sql
select * from programs where name = 'paint';
```
* Where clause operators
* `=` [equal]
* `<>` [not equal]
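Review bot: the new `select * from programs where name = 'paint';` example uses the `programs` table, which exists only on Windows, while the examples elsewhere in the file (e.g. `/home/%%`) are Linux-oriented; either mark the example as Windows-specific or switch to a cross-platform table such as `processes`. Also consider keeping the SQL keyword casing consistent with the surrounding `SELECT ... FROM ... JOIN` example rather than mixing upper and lower case.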
@ -49,14 +58,28 @@ SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
* `%abc`: Match all within-level ending in "abc".
* `abc%`: Match all within-level starting with "abc".
* Table 'userassist' stores executed processes
## Modes
There are multiple modes to select from to show the data
```sh
osqueryi
osqueryi> .mode .help
```
## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)
## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
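Review bot: `.mode .help` in the new "Modes" block is not a valid osqueryi command; `.mode` expects an output mode name (csv, column, line, list, pretty), and the available modes are listed by the plain `.help` command, so the snippet should read `osqueryi> .help` or `osqueryi> .mode pretty`. Two smaller points: the line "Table 'userassist' stores executed processes" describes a Windows-only registry table that records programs launched through the Explorer shell, not every executed process, so "stores executed processes" overstates it; and the Yara example is correct as written (`sigfile` is a column of the `yara` table and `%%` in `path like` is osquery's recursive match), so it would help the reader to add a one-line comment saying `%%` means recursive.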