In this video walkthrough, we demonstrated incident response and investigation using osquery on Windows and Linux endpoints.

Room Introduction

Osquery is an open-source tool created by Facebook. With Osquery, Security Analysts, Incident Responders, Threat Hunters, etc., can query an endpoint (or multiple endpoints) using SQL syntax. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.

Many well-known companies besides Facebook use Osquery, build Osquery into their own tools, and/or look for individuals who know Osquery.

Some of the tools (open-source and commercial) that utilize Osquery are listed below.

  • Alienvault: The AlienVault agent is based on Osquery.
  • Cisco: Cisco AMP (Advanced Malware Protection) for Endpoints utilizes Osquery in Cisco Orbital.

Learning Osquery will be beneficial if you are looking to enter into this field or if you’re already in the field and you’re looking to level up your skills.

Note: It is highly beneficial if you’re already familiar with SQL queries. If not, check out this SQL Tutorial.

Room Link:

Room Answers

What is the Osquery version?

What is the SQLite version?

What is the default output mode?

What is the meta-command to set the output to show one value per line?

What are the 2 meta-commands to exit osqueryi?

What table would you query to get the version of Osquery installed on the Windows endpoint?

How many tables are there for this version of Osquery?

How many of the tables for this version are compatible with Windows?

How many tables are compatible with Linux?

What is the first table listed that is compatible with both Linux and Windows?

What is the query to show the username field from the users table where the username is 3 characters long and ends with ‘en’? (use single quotes in your answer)

What is the Osquery Enroll Secret?

What is the Osquery version?

What is the path for the running osqueryd.exe process?

According to the polylogyx readme, how many ‘features’ does the plug-in add to the Osquery core?

What is the ‘current_value’ for kernel.osrelease?

What is the uid for the bravo user?

One of the users performed a ‘Binary Padding’ attack. What was the target file in the attack?

What is the hash value for this file?

Check all file hashes in the home directory for each user. One file will not show any hashes. Which file is that?

There is a file that is categorized as malicious in one of the home directories. Query the Yara table to find this file. Use the sigfile which is saved in ‘/var/osquery/yara/scanner.yara’. Which file is it?

What were the ‘matches’?

Scan the file from Q#3 with the same Yara file. What is the entry for ‘strings’?

What is the description for the Windows Defender Service?

There is another security agent on the Windows endpoint. What is the name of this agent?

What is required with win_event_log_data?

How many sources are returned for win_event_log_channels?

What is the schema for win_event_log_data?

The previous file scanned on the Linux endpoint with Yara is on the Windows endpoint. What date/time was this file first detected? (Answer format: YYYY-MM-DD HH:MM:SS)

What is the query to find the first Sysmon event? Select only the event id, order by date/time, and limit the output to only 1 entry.

What is the Sysmon event id?
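The tasks above all come down to the same pattern: pick the right osquery table, constrain it, and join where needed. The queries below are added examples written for this post, not taken from the video or the room; they use osquery's standard users, processes, hash, yara and win_event_log_data tables, and the /home/bravo directory is an assumed sample path (the room only names the bravo user).

```sql
-- Added osqueryi examples for endpoint investigation (not from the room).
-- Table and column names are from the public osquery schema; paths are
-- assumed sample values.

-- 1. Local accounts that can log in interactively.
SELECT uid, gid, username, directory, shell
FROM users
WHERE shell NOT LIKE '%nologin' AND shell NOT LIKE '%false';

-- 2. Running processes with the owning account and the on-disk SHA-256,
--    so an unfamiliar binary can be checked against threat intel.
--    Joining processes to hash on path supplies the constraint hash needs.
SELECT p.pid, p.name, p.path, u.username, h.sha256
FROM processes p
JOIN users u ON p.uid = u.uid
LEFT JOIN hash h ON h.path = p.path
WHERE p.path != '' AND p.path NOT LIKE '/usr/%';

-- 3. Hash every file in one user's home directory. The hash table requires
--    a path or directory constraint; a file osquery cannot read (permissions,
--    special file) comes back with empty hash columns, which is itself a lead.
SELECT path, md5, sha256
FROM hash
WHERE directory = '/home/bravo';   -- assumed sample directory

-- 4. YARA scan of all home directories. The yara table requires a path
--    constraint plus a signature source (sigfile, sigrule or sig_group);
--    count > 0 keeps only files that matched a rule.
SELECT path, matches, count, strings
FROM yara
WHERE path LIKE '/home/%/%'
  AND sigfile = '/var/osquery/yara/scanner.yara'
  AND count > 0;

-- 5. Windows: win_event_log_data requires a channel constraint. Pull Sysmon
--    process-creation events (event id 1) oldest first to build a timeline.
SELECT datetime, eventid, data
FROM win_event_log_data
WHERE channel = 'Microsoft-Windows-Sysmon/Operational'
  AND eventid = 1
ORDER BY datetime
LIMIT 10;
```

Run these inside osqueryi on the endpoint; `.mode line` makes the wide data column of query 5 readable.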

Video Walk-through

About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in the Healthcare and Finance Industries. Penetration tester and compliance auditor.