

Osquery is an open-source tool created by Facebook. With Osquery, Security Analysts, Incident Responders, Threat Hunters, etc., can query an endpoint (or multiple endpoints) using SQL syntax. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and more.

The purpose of this article is to document my journey through the TryHackMe platform. This article will contain answers to the questions provided along with the thought process as to how I obtained them. I will also include any additional notes along the way. This room was created as an introduction to Osquery and its use cases.

NOTE: only subscribers to TryHackMe are allowed to access this room. If you would like to subscribe to TryHackMe, sign up here.

Task 1: Introduction

Answer 1.1 – Click the Completed button to progress to the next task.

Task 2.2 – Click Show Split View at the top of the page to connect to the machine.

Question 2.1 – How many tables are returned when we query “table process” in the interactive mode of Osquery?

Question 2.2 – Looking at the schema of the processes table, which column displays the process id for the particular process?

Question 2.3 – Using the .help command, how many output display modes are available for the .mode command?

Answer 2.3 – 5

Task 4: Schema Documentation

Question 4.1 – In Osquery version 5.5.1, how many common tables are returned when we select both the Linux and Windows operating systems?

Question 4.2 – In Osquery version 5.5.1, how many tables for macOS are available?

Question 4.3 – In the Windows operating system, which table is used to display the installed programs?

Question 4.4 – In the Windows operating system, which column contains the registry value within the registry table?

Answer 4.4 – data

Task 5: Creating SQL queries

Question 5.1 – Using Osquery, how many programs are installed on this host?

Explanation 5.1 – select count(*) from programs

Question 5.2 – Using Osquery, what is the description for the user James?

Question 5.3 – When we run the following search query, what is the full SID of the user with RID 1009? Query: select path, key, name from registry where key = 'HKEY_USERS'

Answer 5.3 – S-1-5-21-1966530601-3185510712-10604624-1009

Question 5.4 – When we run the following search query, what is the Internet Explorer browser extension installed on this machine? Query: select * from ie_extensions

Answer 5.4 – C:\Windows\System32\ieframe.dll

Question 5.5 – After running the following query, what is the full name of the program returned? Query: select name,install_location from programs where name LIKE '%wireshark%'

Answer 5.5 – Wireshark 3.6.8 64-bit

Task 6: Challenge and Conclusion

Question 6.1 – Which table stores the evidence of process execution in Windows OS?

Question 6.2 – One of the users seems to have executed a program to remove traces from the disk. What is the name of that program?

Explanation 6.2 – select * from userassist

Question 6.3 – Create a search query to identify the VPN installed on this host. What is the name of the software?

Explanation 6.3 – select name,version,install_location,install_date from programs where name LIKE '%vpn%'

Question 6.4 – How many services are running on this host?

Explanation 6.4 – select count(*) from services

Question 6.5 – A table autoexec contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?

Explanation 6.5 – select * from autoexec where path LIKE '%.bat'

Question 6.6 – What is the full path of the batch file found in the above question? (Last in the List)

Answer 6.6 – C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.
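To make the Task 5 and Task 6 queries reproducible without the room's machine, here is an added example (my own code, not part of the TryHackMe room or the osquery project). Osquery exposes endpoint data through SQLite, so the same SQL runs against in-memory SQLite tables shaped like the osquery `programs`, `services`, `autoexec` and `userassist` tables. Every row below is constructed sample data (the program names, paths, SID and timestamps are made up), and only the columns the walkthrough's queries touch are modelled. It also goes one step beyond the room: `count(*) from services` counts every service regardless of state, and autostart entries under a user profile are worth separating from those under `C:\Windows`, so there are helper queries for both.

```python
"""Added example: replay the osquery walkthrough's SQL against constructed
in-memory SQLite tables. Column names follow the osquery schema for these
tables; the rows are constructed sample data, not output from any real host."""
import sqlite3

# Constructed sample rows (name, version, install_location, install_date).
PROGRAMS = [
    ("Wireshark 3.6.8 64-bit", "3.6.8", r"C:\Program Files\Wireshark", "20230101"),
    ("SampleVPN Client", "2.4.1", r"C:\Program Files\SampleVPN", "20230115"),
    ("Notepad++", "8.5", r"C:\Program Files\Notepad++", "20230120"),
]
# Constructed sample rows (name, status). Note one service is not running.
SERVICES = [("Spooler", "RUNNING"), ("WinDefend", "RUNNING"), ("Fax", "STOPPED")]
# Constructed sample rows (path, source, name).
AUTOEXEC = [
    (r"C:\Windows\System32\svchost.exe", "services", "svchost"),
    (r"C:\Users\james\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat",
     "startup_items", "batstartup.bat"),
]
# Constructed sample rows (path, count, last_execution_time, sid); the SID is a placeholder.
USERASSIST = [
    (r"C:\Program Files\Notepad++\notepad++.exe", 4, "2023-01-20 10:00:00", "S-1-5-21-0-0-0-1001"),
    (r"C:\Tools\DiskWiper\wipe.exe", 1, "2023-01-21 11:30:00", "S-1-5-21-0-0-0-1001"),
]

SCHEMA = """
CREATE TABLE programs(name TEXT, version TEXT, install_location TEXT, install_date TEXT);
CREATE TABLE services(name TEXT, status TEXT);
CREATE TABLE autoexec(path TEXT, source TEXT, name TEXT);
CREATE TABLE userassist(path TEXT, count INTEGER, last_execution_time TEXT, sid TEXT);
"""
ALLOWED_TABLES = {"programs", "services", "autoexec", "userassist"}


def build_db() -> sqlite3.Connection:
    """Create the mock tables and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO programs VALUES (?,?,?,?)", PROGRAMS)
    con.executemany("INSERT INTO services VALUES (?,?)", SERVICES)
    con.executemany("INSERT INTO autoexec VALUES (?,?,?)", AUTOEXEC)
    con.executemany("INSERT INTO userassist VALUES (?,?,?,?)", USERASSIST)
    return con


def count_rows(con: sqlite3.Connection, table: str) -> int:
    """select count(*) from <table> (Questions 5.1 and 6.4). Table names cannot
    be bound as parameters, so the name is checked against a fixed allow-list."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table}")
    return con.execute(f"SELECT count(*) FROM {table}").fetchone()[0]


def running_services(con: sqlite3.Connection) -> list:
    """Services actually in the RUNNING state, unlike the bare count(*)."""
    rows = con.execute("SELECT name FROM services WHERE status = 'RUNNING' ORDER BY name")
    return [r[0] for r in rows]


def programs_like(con: sqlite3.Connection, pattern: str) -> list:
    """Name lookup with LIKE (Questions 5.5 and 6.3). SQLite LIKE is
    case-insensitive for ASCII, so '%vpn%' also matches 'SampleVPN'."""
    rows = con.execute("SELECT name FROM programs WHERE name LIKE ?", (pattern,))
    return [r[0] for r in rows]


def batch_autoexec(con: sqlite3.Connection) -> list:
    """Autostart entries ending in .bat (Question 6.5)."""
    return [r[0] for r in con.execute("SELECT path FROM autoexec WHERE path LIKE '%.bat'")]


def user_profile_autoexec(con: sqlite3.Connection) -> list:
    """Autostart entries under C:\\Users: writable without admin rights, so they
    deserve a closer look than entries under C:\\Windows. SQLite LIKE treats
    the backslash literally unless an ESCAPE clause is given."""
    return [r[0] for r in con.execute(r"SELECT path FROM autoexec WHERE path LIKE 'C:\Users\%'")]


def recent_userassist(con: sqlite3.Connection) -> list:
    """Most recently executed programs first (Question 6.2)."""
    rows = con.execute(
        "SELECT path, count FROM userassist ORDER BY last_execution_time DESC")
    return [(r[0], r[1]) for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("programs:", count_rows(db, "programs"))
    print("services (all / running):", count_rows(db, "services"), len(running_services(db)))
    print("vpn:", programs_like(db, "%vpn%"))
    print("bat autoexec:", batch_autoexec(db))
    print("user-profile autoexec:", user_profile_autoexec(db))
    print("recent userassist:", recent_userassist(db))
```

On a real host the same statements are typed into `osqueryi`; the difference is only where the rows come from.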
