Osquery

Interacting with the Osquery Shell

What is the Osquery version?

What is the SQLite version?

What is the default output mode?

What is the meta-command to set the output to show one value per line?

What are the 2 meta-commands to exit osqueryi?

quit;exit;

Schema Documentation

What table would you query to get the version of Osquery installed on the Windows endpoint?

osquery_info

How many tables are there for this version of Osquery?

266

How many of the tables for this version are compatible with Windows?

How many tables are compatible with Linux?

What is the first table listed that is compatible with both Linux and Windows?

Creating queries

  • Process List - select pid,name,path from processes;

  • Count - select count(*) from processes;

  • First 3 in ascending - select pid,name,path,cmdline from processes order by name limit 3;

  • Name exact - select pid,name,path from processes where name='lsass.exe';

  • Use the JOIN clause to join these 2 tables USING PID column - SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);

What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer).

Documentation: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

select username from users where username like '_en';
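The queries above, gathered into one worked set as an added example (not part of the original notes). osqueryi speaks SQLite SQL, so LIKE uses `%` for any run of characters and `_` for exactly one; the hash and yara tables refuse to run without a path/directory (and, for yara, a sigfile or sig_group) constraint. The `/home/%/%` pattern assumes user home directories live under /home; the sigfile path is the one the notes reference.

```sql
-- Exactly three characters, ending in 'en': '_' matches a single character.
SELECT username FROM users WHERE username LIKE '_en';

-- Contrast: '%' matches any length, so this also returns 'kristen', 'owen', ...
SELECT username FROM users WHERE username LIKE '%en';

-- Join the process list to osquery's own row (both tables carry a pid column,
-- so USING (pid) works) to find the osqueryi/osqueryd process and its version.
SELECT p.pid, p.name, p.path, o.version
FROM osquery_info o JOIN processes p USING (pid);

-- The hash table requires a path or directory constraint; LIKE globbing on
-- path hashes every top-level file in each user's home directory.
-- (assumes homes under /home)
SELECT path, md5, sha1, sha256
FROM hash
WHERE path LIKE '/home/%/%';

-- The yara table requires a path constraint plus a sigfile (or sig_group).
-- 'matches' lists the rules that fired, 'count' how many, 'strings' the
-- matched string identifiers.
SELECT path, matches, count, strings
FROM yara
WHERE path LIKE '/home/%/%'
  AND sigfile = '/var/osquery/yara/scanner.yara';
```

A file that returns a row with empty md5/sha1/sha256 from the hash query is one osquery could not read or hash (for example a directory or an unreadable file), which is the kind of anomaly the "one file will not show any hashes" question is probing for.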

Using Kolide Fleet

What is the Osquery Enroll Secret?

What is the Osquery version?

What is the path for the running osqueryd.exe process?

Osquery extensions

According to the polylogyx readme, how many 'features' does the plug-in add to the Osquery core?

23

Linux and Osquery

What is the 'current_value' for kernel.osrelease?

What is the uid for the bravo user?

One of the users performed a 'Binary Padding' attack. What was the target file in the attack?

tryhackme@WIN-FG4Q5UQP406:~$ ls -al
total 104624
drwxr-xr-x 1 tryhackme tryhackme       512 Apr  1  2021 .
drwxr-xr-x 1 root      root            512 Mar 31  2021 ..
-rw------- 1 tryhackme tryhackme       909 May 18 02:23 .bash_history
-rw-r--r-- 1 tryhackme tryhackme       220 Mar 31  2021 .bash_logout
-rw-r--r-- 1 tryhackme tryhackme      3771 Mar 31  2021 .bashrc
drwxrwxrwx 1 tryhackme tryhackme       512 Mar 31  2021 fleet
-rw-rw-rw- 1 tryhackme tryhackme 107104869 Oct  8  2020 fleet.zip
-rw------- 1 tryhackme tryhackme        84 Mar 31  2021 .mysql_history
-rw-r--r-- 1 tryhackme tryhackme        69 Apr  1  2021 notsus
drwxrwxrwx 1 tryhackme tryhackme       512 Apr  1  2021 .osquery
-rw-r--r-- 1 tryhackme tryhackme       655 Mar 31  2021 .profile
-rw------- 1 tryhackme tryhackme      1024 Mar 31  2021 .rnd
-rw-r--r-- 1 root      root           1753 Mar 31  2021 server.cert
-rw-rw-rw- 1 tryhackme tryhackme      1626 Mar 31  2021 server.csr
-rw-rw-rw- 1 tryhackme tryhackme      3247 Mar 31  2021 server.key
-rw-r--r-- 1 tryhackme tryhackme         0 Mar 31  2021 .sudo_as_admin_successful
-rw-rw-rw- 1 tryhackme tryhackme       229 Mar 31  2021 .wget-hsts
tryhackme@WIN-FG4Q5UQP406:~$

What is the hash value for this file?

Check all file hashes in the home directory for each user. One file will not show any hashes. Which file is that?

There is a file that is categorized as malicious in one of the home directories. Query the Yara table to find this file. Use the sigfile which is saved in '/var/osquery/yara/scanner.yara'. Which file is it?

What were the 'matches'?

tryhackme@WIN-FG4Q5UQP406:~$ yara /var/osquery/yara/scanner.yara /home/charlie/notes
eicar_av_test /home/charlie/notes
eicar_substring_test /home/charlie/notes

Scan the file from Q#3 with the same Yara file. What is the entry for 'strings'?

Windows and Osquery

What is the description for the Windows Defender Service?

There is another security agent on the Windows endpoint. What is the name of this agent?

What is required with win_event_log_data?

How many sources are returned for win_event_log_channels?

What is the schema for win_event_log_data?

The previous file scanned on the Linux endpoint with Yara is on the Windows endpoint. What date/time was this file first detected? (Answer format: YYYY-MM-DD HH:MM:SS)

What is the query to find the first Sysmon event? Select only the event id, order by date/time, and limit the output to only 1 entry.

What is the Sysmon event id?

16
