

Osquery is a great tool that helps cybersecurity responders explore an operating system for malicious behaviors such as running processes, network sockets, user anomalies, and more. It exposes operating-system data as relational tables that you query with SQL, and it is completely free to install. Osquery can be used to explore various operating systems such as Windows, Linux, and Mac.

Please download your favorite version here. Here I have downloaded and installed it for Windows.

After installation, start PowerShell as administrator, navigate to the osquery download path, and start the osquery shell with .\osqueryi.exe

[Screen dump: osquery installed on the Windows operating system]

Type .help, which lists the functionality and usage of this tool.

[Screen dump: osquery help menu]

Let us explore some of these and query them on the operating system to get possible results.

Explore the Tables on Windows

Explore the tables by typing .tables, which lists the operating-system tables; we will query some of them to retrieve possible data from the affected machine.

[Screen dump: extended list of table values]

Above is the list of table names exposed by osquery on this operating system. Let us pick some interesting table names with SQL queries.

Interesting values to hunt on the Windows operating system

To enumerate the list of users on the machine: hunt for possible UID and GID values for user rights, check for users having administrator rights, and more.

OSquery Statement: Select * from users limit 8

[Screen dump: list of active user accounts with each user's UID and GID]

The query below provides the count of user accounts created on this machine.

OSquery Statement: Select Count(*) from users

[Screen dump: counting the list of user accounts]

Below is the query to list the users' UID (unique identifier).

OSquery Statement: Select uid from users

[Screen dump: retrieval of the list of UIDs]

Below is the query to list usernames with their uid.

OSquery Statement: Select uid,username from users

[Screen dump: list of user names with their uid values]

The query below performs a string match on the database with the syntax like '%Hunt your data here%'.

OSquery Statement: Select * from users WHERE description like '%windows%'

OSquery – List of processes

List the processes running on the user machine and filter them accordingly to find the bad actor. Here we are exploring the list of processes up and running, and using "limit" to pull a specific number of records to the console.

OSquery Statement for process retrieval: SELECT * from processes limit 5

[Screen dump: processes currently used by the user or system]

The query below merges each username with their respective running processes.

OSquery Statement: Select p.pid,p.name,u.username from processes p join users u on u.uid=p.uid limit 5

Removing the "limit" will list all processes currently running for all users.

OSquery – Network connections of active processes

Check for suspicious network sockets and hunt for connections established from local to remote IP addresses. Before that, explore the Windows process tables by typing .tables process

[Screen dump: Windows process tables explorer]

Build your SQL statements and check for possible outbound/inbound connections from the infected machine.

OSquery Statement: select * from process_open_sockets limit 3

[Screen dump: detected listening connections for some of the processes (PID)]

The screen dump above shows the connection state is listening. We are interested in looking more closely at established connections for any relevant IP addresses.

Now we have changed the SQL statement to filter with <> (less than or greater than, i.e. not equal to an empty value), which returns some rows, and combined it with the logical AND and != (not-equal-to operator) to return suspicious connections.

OSquery Statement: Select * from process_open_sockets where remote_address <> '' and remote_address != '0.0.0.0' limit 3

OSquery – Open Connections to a Remote IP Address on a Specific Port

Check for open external/internal connections with the process_open_sockets table for a specific port. Here we are checking for NetBIOS (local port 138).

OSquery Statement: select * from process_open_sockets where local_port=138 and remote_address != '0.0.0.0' and remote_address != '::'

To exclude the IPv6 wildcard we have used '::'; as we are using != (not-equal-to operator), rows whose remote address is '::' drop out of the results console. Build your SQL statements according to your incidents.

OSquery – Registry Analysis for suspicious behaviors

Check for suspicious registry key value modifications and find interesting artifacts.

OSquery Statement: Select data, path from registry where key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

OSquery – Malware Startup on Boot

Check the Windows processes that start on boot for malware persistence behaviors. Prepare a query in advance, save your incident response time, and learn how the malware persists in the registry.
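The queries in the users, processes, network-socket and registry sections above can be exercised offline with the added example below. It is not code from the original post: it loads constructed sample rows (not output from any real host) into an in-memory SQLite database whose tables mimic the osquery Windows schema, then runs the article's statements against them. The osquery shell is itself SQLite-based, so the SQL is the same; the joins to the processes table and the Startup-folder heuristic in startup_folder_overrides go beyond the article's one-table queries and are this example's own additions.

```python
"""Added example: the article's osquery hunts run against constructed sample
data in SQLite. Table columns follow the osquery Windows schema; rows are
invented for illustration (one suspicious process, updater.exe, is planted)."""
import sqlite3

SCHEMA = """
CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, description TEXT);
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER);
CREATE TABLE process_open_sockets (
    pid INTEGER, local_address TEXT, local_port INTEGER,
    remote_address TEXT, remote_port INTEGER, state TEXT);
CREATE TABLE registry (key TEXT, path TEXT, name TEXT, data TEXT);
"""

USF = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

# Constructed sample rows, not collected from a real machine.
USERS = [(500, 513, "Administrator", "Built-in account for administering the computer"),
         (1001, 513, "alice", "Windows user"),
         (1002, 513, "svc_backup", "Backup service account")]
PROCESSES = [(4, "System", "", 0),
             (880, "svchost.exe", r"C:\Windows\System32\svchost.exe", 500),
             (1200, "explorer.exe", r"C:\Windows\explorer.exe", 1001),
             (4321, "updater.exe", r"C:\Users\alice\AppData\Roaming\updater.exe", 1001)]
SOCKETS = [(880, "0.0.0.0", 135, "0.0.0.0", 0, "LISTEN"),          # IPv4 listener
           (880, "::", 135, "::", 0, "LISTEN"),                    # IPv6 listener
           (4, "10.0.0.5", 138, "10.0.0.9", 138, "ESTABLISHED"),    # normal NetBIOS
           (4321, "10.0.0.5", 49812, "203.0.113.7", 443, "ESTABLISHED"),
           (4321, "10.0.0.5", 138, "198.51.100.22", 138, "ESTABLISHED")]
REGISTRY = [(USF, USF + r"\Desktop", "Desktop", r"%USERPROFILE%\Desktop"),
            (USF, USF + r"\Startup", "Startup", r"C:\Users\alice\AppData\Roaming\updater")]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", USERS)
    db.executemany("INSERT INTO processes VALUES (?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO process_open_sockets VALUES (?,?,?,?,?,?)", SOCKETS)
    db.executemany("INSERT INTO registry VALUES (?,?,?,?)", REGISTRY)
    return db


def find_users(db, needle):
    """The article's LIKE hunt on users.description, parameterised so the
    search term is bound rather than spliced into the SQL text."""
    return db.execute("SELECT uid, username FROM users WHERE description LIKE ?",
                      ("%" + needle + "%",)).fetchall()


def processes_with_owner(db):
    """The article's processes-to-users join. A LEFT JOIN is used here so a
    process whose uid has no users row (the System process) is still listed
    instead of silently dropping out of an inner join."""
    sql = ("SELECT p.pid, p.name, COALESCE(u.username, '<no user>') "
           "FROM processes p LEFT JOIN users u ON u.uid = p.uid ORDER BY p.pid")
    return db.execute(sql).fetchall()


def remote_connections(db, local_port=None):
    """The article's socket filter (drop blank, 0.0.0.0 and :: remote
    addresses), joined to processes so each hit carries the image path.
    Passing local_port reproduces the NetBIOS (138) check."""
    sql = ("SELECT s.pid, p.name, p.path, s.local_port, s.remote_address, s.remote_port "
           "FROM process_open_sockets s JOIN processes p ON p.pid = s.pid "
           "WHERE s.remote_address <> '' AND s.remote_address != '0.0.0.0' "
           "AND s.remote_address != '::'")
    params = ()
    if local_port is not None:
        sql += " AND s.local_port = ?"
        params = (local_port,)
    return db.execute(sql + " ORDER BY s.pid, s.local_port", params).fetchall()


def startup_folder_overrides(db):
    """Registry hunt from the article: read User Shell Folders and flag a
    Startup value that points outside the usual '...\\Start Menu\\Programs\\Startup'
    location. Heuristic only: an administrator can legitimately relocate it."""
    rows = db.execute("SELECT name, data FROM registry WHERE key = ?", (USF,)).fetchall()
    expected_suffix = r"\Start Menu\Programs\Startup".lower()
    return [(name, data) for name, data in rows
            if name == "Startup" and not data.lower().endswith(expected_suffix)]


if __name__ == "__main__":
    db = build_db()
    print("users matching 'windows':", find_users(db, "windows"))
    print("processes with owner:", processes_with_owner(db))
    print("remote connections on port 138:", remote_connections(db, local_port=138))
    print("startup folder overrides:", startup_folder_overrides(db))
```

Running the script prints the four hunts in turn; on the sample data the port-138 filter returns the normal System session alongside updater.exe's session, and the Startup override check returns the relocated Startup folder. To run the same SQL on a live Windows host, paste each statement from the functions into osqueryi.exe (the registry table there also exposes a type column and mtime, which the constructed schema omits).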
