[THM] Osquery: The Basics
This is a full walkthrough with answers and explanations for the TryHackMe room "Osquery The Basics".
Link to the room: https://tryhackme.com/room/osqueryf8.
“Osquery is an open-source agent created by Facebook in 2014. It converts the operating system into a relational database. It allows us to ask questions from the tables using SQL queries, like returning the list of running processes, a user account created on the host, and the process of communicating with certain suspicious domains. It is widely used by Security Analysts, Incident Responders, Threat Hunters, etc. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.”
[Task 3] Osquery: Interactive Mode?
How many tables are returned when we query "table process" in the interactive mode of Osquery?
Command: .table process
Answer: 3
Looking at the schema of the processes table, which column displays the process id for the particular process?
Command: .schema processes
Answer: pid
Examine the .help command; how many output display modes are available for the .mode command?
Command: .help
Answer: 5
[Task 4] Schema Documentation
Documentation: https://osquery.io/schema/5.5.1
In Osquery version 5.5.1, how many common tables are returned when we select both the Linux and Windows operating systems?
Answer: 56
In Osquery version 5.5.1, how many tables for macOS are available?
Answer: 180
In the Windows operating system, which table is used to display the installed programs?
Answer: programs
In the Windows operating system, which column contains the registry value within the registry table?
Answer: data
[Task 5] Creating SQL queries
Using Osquery, how many programs are installed on this host?
Query: SELECT count(*) FROM programs;
Answer: 19
Using Osquery, what is the description for the user James?
Query: SELECT * FROM users WHERE username = 'James';
Answer: Creative Artist
When we run the following search query, what is the full SID of the user with RID '1009'?
Query: SELECT path, key, name FROM registry WHERE key = 'HKEY_USERS' AND name LIKE '%1009';
Answer: S-1-5-21-1966530601-3185510712-10604624-1009
When we run the following search query, what is the Internet Explorer browser extension installed on this machine?
Query: SELECT path FROM ie_extensions;
Answer: S-1-5-21-1966530601-3185510712-10604624-1009
After running the following query, what is the full name of the program returned?
Query: SELECT name, install_location FROM programs WHERE name LIKE '%wireshark%';
Answer: Wireshark 4.4.9 x64
[Task 6] Challenge and Conclusion
Which table stores the evidence of process execution in Windows OS?
Hint: search the schema documentation.
Answer: userassist
One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?
Query: SELECT * FROM userassist;
Answer: DiskWipe.exe
Create a search query to identify the VPN installed on this host. What is the name of the software?
Query: SELECT * FROM programs WHERE name LIKE '%VPN%';
Answer: ProtonVPN
How many services are running on this host?
Query: SELECT count(*) FROM services;
Answer: 215
The autoexec table contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?
Query: SELECT * FROM autoexec WHERE name LIKE '%.bat';
Answer: batstartup.bat
What is the full path of the batch file found in the above question? (the last entry in the list)
Query: SELECT path FROM autoexec WHERE name LIKE '%.bat';
Answer: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat
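The Task 5 and Task 6 queries each read one table at a time. As an added example (not part of the room or the osquery project), the two queries below join the same tables so the evidence is attributed to an account: userassist execution records are matched to a username through the SID (on Windows, users.uuid holds the SID), and autoexec startup items are matched to the profile directory they live under. Column names are the osquery schema's; the LIKE patterns and the LIMIT are assumptions chosen for a hunt like this one.

```sql
-- Added example, not the room's own query.
-- Attribute userassist execution evidence to an account by joining
-- the userassist SID to the Windows SID stored in users.uuid.
SELECT
  u.username,
  ua.path,
  ua.count,
  datetime(ua.last_execution_time, 'unixepoch') AS last_run_utc
FROM userassist AS ua
LEFT JOIN users AS u ON u.uuid = ua.sid
WHERE ua.path LIKE '%.exe'             -- assumed filter: executables only
ORDER BY ua.last_execution_time DESC
LIMIT 20;                              -- assumed: most recent 20 runs

-- Startup batch files, tagged with the user whose profile directory
-- contains them (users.directory is the profile path on Windows).
SELECT
  ae.name,
  ae.source,
  ae.path,
  u.username
FROM autoexec AS ae
LEFT JOIN users AS u ON ae.path LIKE u.directory || '\%'
WHERE ae.name LIKE '%.bat'
ORDER BY ae.path;
```

A NULL username in either result means the SID or path did not map to a local account, which is itself worth a look.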