Introduction

In this walkthrough, we demonstrated incident response and investigation using osquery on Windows and Linux endpoints.

Room Introduction

Osquery is an open-source tool created by Facebook. With Osquery, Security Analysts, Incident Responders, Threat Hunters, etc., can query an endpoint (or multiple endpoints) using SQL syntax. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.

Many well-known companies, besides Facebook, either use Osquery directly, build it into their own tools, and/or hire people who know Osquery.

Some of the tools (open-source and commercial) that utilize Osquery are listed below.

  • Alienvault: The AlienVault agent is based on Osquery.
  • Cisco: Cisco AMP (Advanced Malware Protection) for Endpoints utilizes Osquery in Cisco Orbital.

Learning Osquery will be beneficial if you are looking to enter into this field or if you’re already in the field and you’re looking to level up your skills.

Note: It is highly beneficial if you’re already familiar with SQL queries. If not, check out this SQL Tutorial.

Room Link: https://tryhackme.com/room/osqueryf8

Getting Started with Osquery

Once you have Osquery installed, you can start the interactive shell by typing osqueryi. From there, you can use a few helpful commands to get started:

  • .help: Shows you a list of all the available commands.
  • .tables: Lists all the different “tables” you can query. Each table represents a different part of the system, like running processes, installed programs, or user accounts.
  • .show: Displays the current settings, including the version of Osquery you’re running.
  • .quit or .exit: Exits the Osquery shell.

To see all the possible tables and what they contain, you can check out the official Osquery schema documentation online. It’s a great resource for figuring out what you can query and how to do it.

Putting Osquery to Work: Investigation Scenarios

To show you how powerful Osquery can be, I’ll walk you through a couple of investigation scenarios.

Linux Investigation

On a Linux machine, I used Osquery to:

  • Find the kernel version.
  • Get the user ID for a specific user.
  • Look at the shell history to find a suspicious file.
  • Calculate the MD5 hash of a file to check its integrity.
  • Use a YARA rule to scan for a malicious file.
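The Linux steps above, written out as osquery queries. This is an added example, not the queries from the original walkthrough or the room; the username 'bravo' and the YARA signature path come from the room questions, and the file name under /home is a constructed placeholder.

```sql
-- Run inside osqueryi on the Linux endpoint.

-- 1. Kernel version: sysctl values are exposed through system_controls.
SELECT name, current_value
FROM system_controls
WHERE name = 'kernel.osrelease';

-- 2. uid (and home directory) of a named account.
SELECT uid, gid, directory, shell
FROM users
WHERE username = 'bravo';

-- 3. Shell history attributed to the account that issued each command,
--    so a suspicious command can be tied to both a user and a target file.
SELECT u.username, h.history_file, h.command
FROM shell_history h JOIN users u USING (uid)
ORDER BY u.username;

-- 4. Integrity check of one file; the md5 column matches `md5sum` output.
SELECT path, md5, sha1, sha256
FROM hash
WHERE path = '/home/bravo/suspect.bin';   -- constructed placeholder path

-- 5. Hash everything in every user's home directory. The row whose
--    hash columns come back empty is the entry osquery could not hash
--    (a directory or a file it cannot read).
SELECT path, md5, sha256
FROM hash
WHERE directory IN (SELECT directory FROM users WHERE directory LIKE '/home/%');

-- 6. YARA scan of the same files with the room's signature file.
--    count > 0 keeps only files that matched at least one rule;
--    'matches' names the rules and 'strings' the matched patterns.
SELECT path, matches, count, strings
FROM yara
WHERE sigfile = '/var/osquery/yara/scanner.yara'
  AND path IN (SELECT path FROM file WHERE path LIKE '/home/%/%')
  AND count > 0;
```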

Windows Investigation

On a Windows machine, I used Osquery to:

  • Get the description of the Windows Defender service.
  • List all the installed programs to check for other security agents.
  • Query the Windows event logs to find the first time a malicious file was detected.
  • Find the first Sysmon event to see when it was installed.
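The Windows steps above as osquery queries. Again an added example rather than the walkthrough's own commands; the channel names are the standard Windows event log channels, and the Sysmon channel only exists once Sysmon is installed.

```sql
-- Run inside osqueryi.exe on the Windows endpoint.

-- 1. Windows Defender service: service names starting with 'WinD'.
SELECT name, display_name, status, start_type, description
FROM services
WHERE name LIKE 'WinD%';

-- 2. Installed programs grouped by publisher, to spot other security agents.
SELECT name, version, publisher, install_date
FROM programs
ORDER BY publisher, name;

-- 3. win_event_log_data requires a channel constraint, so list the
--    available channels first.
SELECT source
FROM win_event_log_channels;

-- 4. Earliest Defender detection. Event ID 1116 is Defender's
--    "malware detected" event; the data column carries the threat name
--    and the path of the detected file.
SELECT datetime, eventid, data
FROM win_event_log_data
WHERE channel = 'Microsoft-Windows-Windows Defender/Operational'
  AND eventid = 1116
ORDER BY datetime ASC
LIMIT 1;

-- 5. First Sysmon event, which approximates when Sysmon was installed.
SELECT eventid, datetime
FROM win_event_log_data
WHERE channel = 'Microsoft-Windows-Sysmon/Operational'
ORDER BY datetime ASC
LIMIT 1;
```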

Centralized Management with Kolide Fleet

I also showed how you can use Kolide Fleet, a graphical user interface (GUI), to manage and query multiple Osquery endpoints from a single place. This is really useful for security teams that need to monitor a large number of machines.

Technical Commands Used

Here are some of the key commands I used in the terminal during this walkthrough:

Osquery Commands

  • osqueryi: Starts the Osquery interactive shell.
  • .help: Displays help information.
  • .tables: Lists available tables.
  • SELECT * FROM programs;: Lists all installed programs.
  • SELECT * FROM services WHERE name LIKE 'WinD%';: Lists all services starting with “WinD”.
  • SELECT * FROM shell_history;: Shows the command history.
  • SELECT md5 FROM hash WHERE path = '/path/to/file';: Gets the MD5 hash of a file.
  • SELECT * FROM yara WHERE sigfile = '/path/to/yara_rule.yar' AND path = '/path/to/file';: Scans a file with a YARA rule (the yara table's signature-file column is named sigfile).

System Commands

  • md5sum <filename>: Calculates the MD5 hash of a file on Linux.
  • osqueryd.exe --verbose ...: Enrolls a Windows endpoint with a Fleet server.
  • osqueryi.exe --extension C:\path\to\extension.dll: Loads an Osquery extension on Windows.

Fleet Server Commands

  • sudo systemctl start redis-server: Starts the Redis server.
  • sudo systemctl restart mysql: Restarts the MySQL server.
  • sudo fleet prepare db --config /path/to/config.yml: Prepares the Fleet database.
  • sudo fleet serve --config /path/to/config.yml: Starts the Fleet server.

Room Answers

What is the Osquery version?

What is the SQLite version?

What is the default output mode?

What is the meta-command to set the output to show one value per line?

What are the 2 meta-commands to exit osqueryi?

What table would you query to get the version of Osquery installed on the Windows endpoint?

How many tables are there for this version of Osquery?

How many of the tables for this version are compatible with Windows?

How many tables are compatible with Linux?

What is the first table listed that is compatible with both Linux and Windows?

What is the query to show the username field from the users table where the username is 3 characters long and ends with ‘en’? (use single quotes in your answer)

What is the Osquery Enroll Secret?

What is the Osquery version?

What is the path for the running osqueryd.exe process?

According to the polylogyx readme, how many ‘features’ does the plug-in add to the Osquery core?

What is the ‘current_value’ for kernel.osrelease?

What is the uid for the bravo user?

One of the users performed a ‘Binary Padding’ attack. What was the target file in the attack?

What is the hash value for this file?

Check all file hashes in the home directory for each user. One file will not show any hashes. Which file is that?

There is a file that is categorized as malicious in one of the home directories. Query the Yara table to find this file. Use the sigfile which is saved in ‘/var/osquery/yara/scanner.yara’. Which file is it?

What were the ‘matches’?

Scan the file from Q#3 with the same Yara file. What is the entry for ‘strings’?

What is the description for the Windows Defender Service?

There is another security agent on the Windows endpoint. What is the name of this agent?

What is required with win_event_log_data?

How many sources are returned for win_event_log_channels?

What is the schema for win_event_log_data?

The previous file scanned on the Linux endpoint with Yara is on the Windows endpoint. What date/time was this file first detected? (Answer format: YYYY-MM-DD HH:MM:SS)

What is the query to find the first Sysmon event? Select only the event id, order by date/time, and limit the output to only 1 entry.

What is the Sysmon event id?

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.