https://github.com/osquery/osquery

Basics

osqueryi
Enter the interactive osquery console.

.help
Show help.

.version
Show version.

.tables
List all available tables.

.schema [TABLE_NAME]
Display the schema (CREATE statement) of the table.

.tables [TABLE_NAME]
List tables whose name matches TABLE_NAME.

Table Examples

.tables processes
List the table(s) matching "processes".

SELECT * FROM kernel_info;
Kernel Info table.

SELECT * FROM shell_history;
Shell history table.

Query Examples (SQL-like)

SELECT * FROM processes;

SELECT pid, name, path FROM processes;

SELECT count(*) FROM processes;

SELECT pid, name, path FROM processes WHERE name='lsass.exe';

WHERE Operators & Wildcards

=
Equal.

<>
Not Equal.

>
Greater than.

>=
Greater than or equal to.

<
Less than.

<=
Less than or equal to.

BETWEEN
Between a range.

LIKE
Pattern (wildcard) matching.

%
Wildcard for zero or more characters.

_
Wildcard for exactly one character.
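The query below is an added example (not part of the original cheat sheet or of the osquery project) that combines the query forms and WHERE operators above into one defender-side hunt: shells or interpreters whose on-disk image lives in a temporary or hidden location, with the file hash joined in for triage. Column names come from osquery's processes and hash tables; the path patterns and the uid threshold are assumptions to adjust per host.

```sql
-- Added example, not from the original page or from osquery itself.
-- Hunt: shells/interpreters running from temp or hidden directories.
-- '%' matches any run of characters, '_' matches exactly one character.
SELECT p.pid,
       p.parent,
       p.name,
       p.path,
       p.cmdline,
       p.uid,
       h.sha256                         -- joined from the hash table for triage
FROM processes AS p
LEFT JOIN hash AS h ON h.path = p.path
WHERE p.path <> ''                       -- skip kernel threads / unknown images
  AND p.uid >= 1000                      -- assumption: non-system accounts only
  AND (p.path LIKE '/tmp/%'
       OR p.path LIKE '/dev/shm/%'
       OR p.path LIKE '/home/%/.%/%')    -- any hidden dir under any home
  AND (p.name IN ('sh', 'bash')
       OR p.name LIKE '_sh'              -- zsh, ksh, ... (one char + 'sh')
       OR p.name LIKE 'python_')         -- python2, python3
ORDER BY p.start_time DESC;
```

Run it with osqueryi (or schedule it in a query pack); an empty result set is the expected baseline on a healthy host, so any row is worth a look.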

With YARA

https://osquery.readthedocs.io/en/stable/deployment/yara/

SELECT * FROM yara WHERE path LIKE '/home/%%' AND sigfile='/var/osquery/yara/scanner.yara';
Run the YARA rules in sigfile against every file matched by the path pattern (%% is osquery's recursive wildcard); one row is returned per scanned file.
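Scanning a whole directory tree is expensive; the query below is an added example (not from the page or the osquery documentation) that narrows the YARA scan to the binaries of currently running processes by joining the yara table to processes, and keeps only files that actually matched. The sigfile path is the one used above and is assumed to exist on the host.

```sql
-- Added example, not from the original page or from osquery itself.
-- Scan only the on-disk images of running processes and report matches.
-- yara.count is the number of rules that matched; yara.matches lists them.
SELECT p.pid,
       p.name,
       p.path,
       y.matches,
       y.count
FROM processes AS p
JOIN yara AS y ON y.path = p.path        -- path constraint supplied by the join
WHERE y.sigfile = '/var/osquery/yara/scanner.yara'   -- assumption: rules file present
  AND p.path <> ''                       -- skip processes without an image path
  AND y.count > 0;                       -- keep only files with at least one hit
```

Because every row carries pid and path, a match can be tied straight back to the live process for containment rather than to a bare file path.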