Osquery is an open-source tool created by Facebook. With Osquery, Security Analysts, Incident Responders, Threat Hunters, etc., can query an endpoint (or multiple endpoints) using SQL syntax. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.
- https://osquery.io/
Interacting with the Osquery Shell
What is the Osquery version?
Answer: 4.6.0.2
Context: Type .summary to get the details.
What is the SQLite version?
Answer: 3.34.0
Context: It is listed directly under the Osquery version in the .summary output.
What is the default output mode?
Answer: Pretty
Context: Found under shell settings (mode) in the .summary output.
What is the meta-command to set the output to show one value per line?
Answer: .mode line
Context: In .help, .mode line is described as "one value per line".
What are the 2 meta-commands to exit osqueryi?
Answer: .exit, .quit
Context: Both commands are listed in .help as ways to exit the program.
Schema Documentation
What table would you query to get the version of Osquery installed on the Windows endpoint?
Answer: osquery_info
How many tables are there for this version of Osquery?
Answer: 266
How many of the tables for this version are compatible with Windows?
Answer: 96
Context: Click "Show only tables compatible with" and select Windows.
How many tables are compatible with Linux?
Answer: 155
What is the first table listed that is compatible with both Linux and Windows?
Answer: arp_cache
Context: Select both Windows and Linux.
Creating queries
What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer)
Answer: Select username from users where username like '_en';
Using Kolide Fleet
What is the Osquery Enroll Secret?
Answer: k3hFh30bUrU7nAC3DmsCCyb1mT8HoDkt
Context: When adding a new host, the enroll secret is shown.
What is the Osquery version?
Answer: 4.2.0
Context: Click New query and use the default one already provided (select * from osquery_info). Scroll to the right under the column Version.
What is the path for the running osqueryd.exe process?
Answer: C:\Users\Administrator\Desktop\launcher\windows\osqueryd.exe
Context: You will need to build the following query: SELECT * FROM file WHERE path LIKE '%osqueryd.exe';
Osquery extensions
According to the polylogyx readme, how many 'features' does the plug-in add to the Osquery core?
Answer: 25
Context: Read the readme at https://github.com/polylogyx/osq-ext-bin; it lists the number of features.
What is the 'current_value' for kernel.osrelease?
Answer: 4.4.0-17763-Microsoft
Context: In Ubuntu, run the query select * from kernel_info; or select version from kernel_info;
What is the uid for the bravo user?
Answer: 1002
Context: Run the query select * from users where username='bravo';
One of the users performed a 'Binary Padding' attack. What was the target file in the attack?
Answer: notsus
Context: Look at the shell_history table.
What is the hash value for this file?
Answer: 3df6a21c6d0c554719cffa6ee2ae0df7
Context: Run the query select * from hash where path like '/home/tryhackme/notsus'; this returns the hashes for the file, including the md5.
Check all file hashes in the home directory for each user. One file will not show any hashes. Which file is that?
Answer: fleet.zip
Context: Run the query select * from hash where directory LIKE '/home/tryhackme/%';
There is a file that is categorized as malicious in one of the home directories. Query the Yara table to find this file. Use the sigfile which is saved in '/var/osquery/yara/scanner.yara'. Which file is it?
Answer: Notes
Context: Run the query select * from yara where path like '/home/%/%' and sigfile='/var/osquery/yara/scanner.yara'; under the matches column you will see that the first file on the list has a match.
What were the 'matches'?
Answer: eicar_av_test,eicar_substring_test
Context: Look under the matches column.
Scan the file from Q#3 with the same Yara file. What is the entry for 'strings'?
Answer: $eicar_substring:1b
Context: If you ran the query from the previous answer, the second match listed is for the notsus file. The answer is in the strings column.
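The hash and yara queries above can be combined into a single triage pass over every home directory. The following is an added example written for this walkthrough, not part of the room; it assumes osquery's SQLite planner pushes the join column into the yara table's required path constraint, which is how the built-in hash/yara tables are normally joined.

```sql
-- Added example (not from the room): list every file under /home/*/ with its md5,
-- flagging files that return no hash at all (e.g. unreadable or unsupported),
-- then join the yara table so rule matches appear next to the hash.
-- Assumptions: sigfile path and home layout are the ones used in the room.
SELECT
    h.path,
    CASE WHEN h.md5 = '' THEN 'NO HASH' ELSE h.md5 END AS md5,
    y.matches,
    y.strings
FROM hash AS h
LEFT JOIN yara AS y
    ON y.path = h.path
   AND y.sigfile = '/var/osquery/yara/scanner.yara'
WHERE h.directory LIKE '/home/%/'
ORDER BY
    -- surface matched files first, then files with missing hashes
    (y.count > 0) DESC,
    (h.md5 = '') DESC,
    h.path;
```

Rows with a NO HASH md5 correspond to the fleet.zip case above; rows with a non-empty matches column correspond to the Notes and notsus hits.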