Identifying Potentially Unwanted Programs

As a quick primer before we jump into the queries, OSQuery works by treating the target computer as a relational database. The tables defined by OSQuery’s schema represent core operating system concepts, which is what lets us write SQL queries against them and pull that data out for analysis. For example, if you wanted to query for all currently running processes, you would use OSQuery’s ‘processes’ table.

For more information, you can find the SQL explanation here, and the full list of OSQuery tables here.

There are some simple OSQuery commands you can run to get a better idea of your environment. These queries can provide some quick wins to determine whether malicious actors are already in your network. OSQuery is also particular about the type of apostrophes used; if you get an error with any of the queries below, be sure to check that the quotes are plain single quotes rather than curly ones.

The output of the following query will show whether endpoints have recently been patched, are running an outdated version, or are on an unsupported operating system (such as Windows Server 2003 or Windows 7).

All OS types:
SELECT name, version, major, minor, patch, build FROM os_version

To obtain more detail on which patches have been applied across Windows endpoints, use the ‘patches’ table; this will show whether any recent patches have not been installed yet.

Windows:
SELECT hotfix_id, installed_on, caption FROM patches

Next, we can run the following commands to check who is currently logged in, and what user accounts exist on the endpoint.
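Turning the two queries above into a repeatable check, as an added example that is not code from the original post. It assumes osqueryi is on PATH and accepts --json, and that installed_on uses the Windows M/D/YYYY form; the KB ids, dates and the unsupported-version list are constructed placeholders.

```python
import json
import subprocess
from datetime import date, datetime

# Added example, not code from the original post. Assumes osqueryi is on PATH and
# accepts --json; the checks are exercised on constructed sample rows so they run offline.
# (major, minor) pairs os_version reports for the systems the post calls unsupported:
# Windows Server 2003 is NT 5.2, Windows 7 is NT 6.1. Maintain this list for your estate.
UNSUPPORTED_NT_VERSIONS = {(5, 2): "Windows Server 2003", (6, 1): "Windows 7"}
OS_VERSION_SQL = "SELECT name, version, major, minor, patch, build FROM os_version"
PATCHES_SQL = "SELECT hotfix_id, installed_on, caption FROM patches"

def run_osquery(sql):
    """Run one query through osqueryi and return its rows as a list of dicts."""
    result = subprocess.run(["osqueryi", "--json", sql], check=True,
                            capture_output=True, text=True)
    return json.loads(result.stdout)

def check_os_version(rows):
    """Return one finding per os_version row whose (major, minor) is unsupported."""
    findings = []
    for row in rows:
        key = (int(row["major"]), int(row["minor"]))
        if key in UNSUPPORTED_NT_VERSIONS:
            findings.append(f"unsupported OS: {row['name']} ({UNSUPPORTED_NT_VERSIONS[key]})")
    return findings

def days_since_last_patch(rows, today):
    """Days since the newest installed_on in the patches rows; None if no date parses."""
    dates = []
    for row in rows:
        try:  # assumes the Windows M/D/YYYY form; an empty installed_on is skipped
            dates.append(datetime.strptime(row["installed_on"], "%m/%d/%Y").date())
        except (KeyError, ValueError):
            continue
    return (today - max(dates)).days if dates else None

# Constructed sample rows in the shape osqueryi --json emits (every value is a string).
SAMPLE_OS = [{"name": "Microsoft Windows 7 Enterprise", "version": "6.1.7601",
              "major": "6", "minor": "1", "patch": "0", "build": "7601"}]
SAMPLE_PATCHES = [{"hotfix_id": "KB0000001", "installed_on": "9/10/2019", "caption": "placeholder"},
                  {"hotfix_id": "KB0000002", "installed_on": "", "caption": "placeholder"}]

def sample_findings(today=date(2020, 1, 1)):
    """Run both checks over the constructed samples with a fixed 'today'."""
    return check_os_version(SAMPLE_OS), days_since_last_patch(SAMPLE_PATCHES, today)

if __name__ == "__main__":  # on a live host, replace the samples with run_osquery(OS_VERSION_SQL) etc.
    os_findings, stale_days = sample_findings()
    print(os_findings, f"{stale_days} days since the last recorded patch")
```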