killchain-compendium/misc/threat_intelligence/osquery.md


Osquery

Usage

  • .help inside the osqueryi shell prints an overview of the shell's meta-commands (.tables, .schema, .mode, ...)

List available tables

List all tables that can be queried on this host.

.tables
  • Narrow the list to tables whose name starts with a prefix via .tables <prefix>

Show schema

.schema <table_name>
  • Include the schema of tables that only exist on other operating systems (loaded as no-op placeholders, for browsing only) by starting osqueryi with --enable_foreign

Queries

  • Select
select * from <table>;
select <attr>, <attr> from <table>;
  • UPDATE and DELETE are only possible on run-time tables created inside the shell (CREATE TABLE ...); osquery's own virtual tables are read-only

  • JOIN

SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
  • Where
select * from programs where name = 'paint';
  • Where clause operators

    • = [equal]
    • <> [not equal]
    • >, >= [greater than, greater than or equal to]
    • <, <= [less than or less than or equal to]
    • BETWEEN [between a range]
    • LIKE [pattern wildcard searches]
    • % [wildcard, multiple characters]
    • _ [wildcard, one character]
  • Path wildcard rules (path LIKE on file-based tables such as file, hash and yara)

    • %: Match all files and folders for one level.
    • %%: Match all files and folders recursively.
    • %abc: Match all within-level ending in "abc".
    • abc%: Match all within-level starting with "abc".
  • Table 'userassist' (Windows) lists programs the user has executed, as recorded in the UserAssist registry keys
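The SELECT, JOIN, WHERE and wildcard pieces above combined into one hunting query, as an added example that is not part of the original page. The table and column names (listening_ports, processes, users, file) are osquery's own; the path filters are placeholders chosen for illustration.

```sql
-- Added example (not from the original page).
-- 1. Processes holding a non-loopback listening socket, joined to the owning user.
--    listening_ports and processes share a pid column, so USING (pid) works;
--    LEFT JOIN keeps processes whose uid has no entry in users.
SELECT p.pid, p.name, p.path, u.username, l.address, l.port, l.protocol
FROM listening_ports AS l
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
WHERE l.port > 0
  AND l.address NOT IN ('127.0.0.1', '::1')
  AND p.path NOT LIKE '/usr/%';        -- LIKE on an ordinary string column: % matches any run of characters

-- 2. Path wildcard on a file-based table: each % matches exactly one path level,
--    so this walks every user's ~/.ssh directory without recursing further.
--    Replace the second % with %% to descend recursively.
SELECT path, size, mtime
FROM file
WHERE path LIKE '/home/%/.ssh/%'        -- placeholder filter
ORDER BY mtime DESC;
```

The file table returns nothing without a path (or directory) constraint, so the LIKE in the second query is required, not optional; the same holds for hash and yara.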

Modes

osqueryi supports several output modes for query results (line, list, column, csv, pretty); .help lists them.

osqueryi
osqueryi> .mode <mode>

Remote Queries via Frontend

Extensions

Yara

select * from yara where sigfile='<sigfile>' and path like '/home/%%';
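Scanning the on-disk binaries of every running process with a rule file, as an added example that is not part of the original page. The yara table only returns rows when it is given a path constraint, so the process paths are supplied through the join; the rule-file path is a placeholder.

```sql
-- Added example (not from the original page).
-- Join each running process to the yara table on its executable path, which
-- supplies the path constraint yara needs; on_disk = 1 skips processes whose
-- binary has been deleted, and count > 0 keeps only actual matches.
SELECT p.pid, p.name, y.path, y.matches, y.count
FROM processes AS p
JOIN yara AS y ON y.path = p.path
WHERE y.sigfile = '/etc/osquery/yara/suspicious.yar'   -- placeholder rule file
  AND p.on_disk = 1
  AND y.count > 0;
```

Every matched process is scanned again on each run, so schedule this sparingly or narrow the processes side with a WHERE on p.path before joining.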