We demonstrated incident response and investigation using osquery on Windows and Linux endpoints.
Let’s cover the basics of Osquery.
Osquery is an open-source agent created by Facebook in 2014. It exposes the operating system as a relational database, so we can ask questions of its tables with SQL queries: for example, list the running processes, the user accounts created on the host, or the processes communicating with suspicious domains. It is widely used by security analysts, incident responders, threat hunters, and others. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.
The SQL dialect implemented in Osquery is not the full SQL language you might be accustomed to; rather, it is a superset of SQLite's SQL.
Realistically all your queries will start with a SELECT statement. This makes sense because, with Osquery, you are only querying information on an endpoint. You won’t be updating or deleting any information/data on the endpoint.
The exception to the rule: other SQL statements, such as UPDATE and DELETE, can be used, but only when you are creating run-time tables (views), or through an extension, if that extension supports them.
Your queries will also include a FROM clause and end with a semicolon.
Looking at the schema of the processes table, which column displays the process id for the particular process?
Examine the .help command; how many output display modes are available for the .mode command?
In Osquery version 5.5.1, how many tables for macOS are available?
In the Windows Operating system, which table is used to display the installed programs?
In the Windows operating system, which column contains the registry value within the registry table?
When we run the following search query, what is the full SID of the user with RID '1009'?
Query: select path, key, name from registry where key = 'HKEY_USERS';
When we run the following search query, what is the Internet Explorer browser extension installed on this machine?
Query: select * from ie_extensions;
After running the following query, what is the full name of the program returned?
Query: select name, install_location from programs where name LIKE '%wireshark%';
Which table stores the evidence of process execution in Windows OS?
One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?
Create a search query to identify the VPN installed on this host. What is the name of the software?
How many services are running on this host?
The autoexec table contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?
What is the full path of the batch file found in the above question? (Last in the List)
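As an added example (not part of the original write-up), these are the kinds of osqueryi queries the investigation questions above call for, written against the standard osquery Windows tables (services, autoexec, programs, processes, process_open_sockets, userassist). It assumes an osquery version in which those tables and columns exist, and the socket join only sees processes that still hold a connection open.

```sql
-- Count the services that are currently running (the status column holds
-- values such as 'RUNNING' or 'STOPPED').
SELECT COUNT(*) AS running_services
FROM services
WHERE status = 'RUNNING';

-- Batch files that launch automatically, with the location (registry key,
-- startup folder, scheduled task, ...) that registers each one.
SELECT name, path, source
FROM autoexec
WHERE path LIKE '%.bat';

-- Installed programs matching a keyword; SQLite's LIKE is case-insensitive
-- for ASCII, so '%vpn%' matches 'VPN' as well.
SELECT name, version, publisher, install_location
FROM programs
WHERE name LIKE '%vpn%';

-- Processes with an open network connection, joined to their parent process
-- so an odd parent/child pair (e.g. a shell spawned by an office app) stands out.
-- Loopback and unbound addresses are filtered to reduce noise.
SELECT p.pid, p.name, p.path, p.cmdline,
       pp.name AS parent_name,
       s.remote_address, s.remote_port
FROM processes p
JOIN process_open_sockets s ON s.pid = p.pid
LEFT JOIN processes pp ON pp.pid = p.parent
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::');

-- Evidence of execution: UserAssist entries, most recently executed first.
SELECT path, count, last_execution_time
FROM userassist
ORDER BY last_execution_time DESC
LIMIT 20;
```

Run each statement in osqueryi, or add it to a scheduled query pack so the results are logged over time rather than only at the moment of inspection.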