Osquery Tour

Since the sophistication of cyber-attacks is increasing every day, it is vital for organizations and individuals to keep track of their systems activity and ever-changing state. Attackers will try to keep their traffic under the hood and can blend their activities inside a huge Operating System(OS) profile easily. How about a tool that can query the OS objects and attributes just like a SQL query? Well, that is what Osquery is all about. It was developed by Facebook and introduced in 2014.However I have not seen much of its usage organization-wide, and even if the organizations deploy it, they are not using it to its full extent. In this article, we will review how Osquery can be beneficial in forensics, anomalies, and detection.

Before we investigate the specific cases of Osquery concerning security, it is essential to understand the components that make up Osquery

  • Osqueryi: It is an interactive shell and used for ad-hoc queries. It is located inside the main Osqueryi.exe. It does not need to run as admin to query the end user. In this article, we will focus on Osquery to see what all we can get from this tool. Below is a snippet of the Osqueryi help command.

  • Osqueryd: This is the Osquery daemon, which runs in the background to support scheduled queries and record the system changes over time.
  • Osqueryctl: It helps in deployment and testing of configurations.

As I said above, it resembles the syntax of SQL (it is a superset of SQLite). So, let’s look at the tables it supports:

There is a reason why I have introduced tables right away. Osquery will interact with tables to get the current state of the system. It is beneficial for persistent processes, but it can lose some artifacts when queried (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/tzHnsvKCbOs/