Introduction
We covered the basics and introduction of Osquery For CyberSecurity. We went over querying Windows, MacOs and Linux SQL tables. This was part of TryHackMe Osquery: The Basics
🔹 What is OSQuery?
- OSQuery turns an operating system into a relational database, allowing users to query system data using SQL.
- It provides visibility into processes, network connections, registry keys, and more.
- Mainly used for cybersecurity investigations and system monitoring.
- Works on Windows, Linux, and macOS.
🔹 Basic Commands in OSQuery
- To start OSQuery interactive mode:
osqueryi
Commands in OSQuery start with a dot (.):
.help→ Displays all available commands..tables→ Lists all available tables..schema table_name→ Shows the structure (columns) of a table.
🔹 Working with OSquery Tables
- OSQuery has hundreds of tables that represent different system components.
- Example:
users→ User account details.processes→ Running processes.programs→ Installed programs.
- To list all tables:
.tables
To search for tables related to “user”:
.tables | grep user
🔹 SQL Queries in OSQuery
- To view all installed programs:
SELECT * FROM programs;
To search for installed VPN software:
SELECT name FROM programs WHERE name LIKE '%VPN%';
To count installed programs:
SELECT COUNT(*) FROM programs;
To list running services:
SELECT COUNT(*) FROM services;
🔹 TryHackMe OSQuery Challenge
The video also covers an interactive challenge where:
- The user searches for programs executed by a user.
- Finds registry values related to specific processes.
- Investigates auto-executing batch files.
- Queries browser extensions for Internet Explorer.
Example:
- Finding evidence of process execution in Windows:
SELECT * FROM user_assist;
Identifying VPN software installed on the system:
SELECT name FROM programs WHERE name LIKE '%VPN%';
TryHackMe Osquery: The Basics | Room Answers
Looking at the schema of the processes table, which column displays the process id for the particular process?
Examine the .help command, how many output display modes are available for the .mode command?
In Osquery version 5.5.1, how many tables for MAC OS are available?
In the Windows Operating system, which table is used to display the installed programs?
In Windows Operating system, which column contains the registry value within the registry table?
When we run the following search query, what is the full SID of the user with RID ‘1009’?
Query: select path, key, name from registry where key = ‘HKEY_USERS’;
When we run the following search query, what is the Internet Explorer browser extension installed on this machine?
Query: select * from ie_extensions;
After running the following query, what is the full name of the program returned?
Query: select name,install_location from programs where name LIKE ‘%wireshark%’;
Which table stores the evidence of process execution in Windows OS?
One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?
Create a search query to identify the VPN installed on this host. What is name of the software?
How many services are running on this host?
A table autoexec contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?
What is the full path of the batch file found in the above question? (Last in the List)
Video Walk-through
🔹 Key Takeaways
- OSQuery is a powerful tool for security monitoring and system analysis.
- SQL knowledge is essential to extract useful information.
- Useful for forensic investigations, system audits, and monitoring threats.
- OSQuery documentation helps explore available tables.
