Osquery

Read the documentation

What is osquery?

osquery exposes an operating system as a high-performance relational database. This lets you write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.
SQL tables are implemented through a simple plugin and extension API. A wide variety of tables already exist, and more are being written: https://osquery.io/schema. To get a better sense of the expressive power osquery gives you, consider the following SQL queries:

List all users

```sql
SELECT * FROM users;
```

Check processes whose executable has been deleted from disk

```sql
SELECT * FROM processes WHERE on_disk = 0;
```

Get the process name, port, and PID of every process listening on all interfaces

```sql
SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
```

Find every macOS LaunchDaemon that launches an executable and keeps it running

```sql
SELECT name, program || program_arguments AS executable FROM launchd WHERE (run_at_load = 1 AND keep_alive = 1) AND (program != '' OR program_arguments != '');
```

Check for ARP anomalies from the host's perspective

```sql
SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;
```

Alternatively, you can use a SQL sub-query to get the same result

```sql
SELECT address, mac, mac_count FROM (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac) WHERE mac_count > 1;
```

These queries can be:

  • Run ad hoc using the osqueryi shell
  • Executed by the scheduler to monitor operating system state across a fleet of hosts
  • Launched from custom applications using the osquery Thrift APIs
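osquery evaluates its SQL with SQLite, so the queries above can be rehearsed offline against constructed tables that mirror the osquery schema. The script below is an added example, not code from the osquery project; the column subsets and sample rows are assumptions, and the ARP check verifies that the HAVING form and the sub-query form agree.

```python
import sqlite3

# Constructed sample rows (not taken from a real host). Only the columns the
# README queries touch are modelled; real osquery tables have many more.
PROCESSES = [(1, "launchd", 1), (412, "sshd", 1), (877, "ghost", 0)]  # pid, name, on_disk
LISTENING = [(412, 22, "0.0.0.0"), (412, 22, "::"), (877, 4444, "0.0.0.0"),
             (900, 631, "127.0.0.1")]  # pid, port, address; pid 900 has no process row
ARP = [("10.0.0.1", "aa:bb:cc:00:00:01"), ("10.0.0.2", "aa:bb:cc:00:00:02"),
       ("10.0.0.3", "aa:bb:cc:00:00:01")]  # address, mac; one MAC claims two IPs


def build_db():
    """In-memory SQLite database shaped like the three osquery tables used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, on_disk INTEGER)")
    db.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT)")
    db.execute("CREATE TABLE arp_cache (address TEXT, mac TEXT)")
    db.executemany("INSERT INTO processes VALUES (?,?,?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?,?,?)", LISTENING)
    db.executemany("INSERT INTO arp_cache VALUES (?,?)", ARP)
    return db


def deleted_executables(db):
    """Processes whose binary is gone from disk (on_disk = 0)."""
    return db.execute("SELECT pid, name FROM processes WHERE on_disk = 0").fetchall()


def wildcard_listeners(db):
    """Listeners bound to 0.0.0.0; the JOIN drops ports with no matching process."""
    return db.execute(
        "SELECT DISTINCT processes.name, listening_ports.port, processes.pid "
        "FROM listening_ports JOIN processes USING (pid) "
        "WHERE listening_ports.address = '0.0.0.0'").fetchall()


def arp_anomalies(db):
    """MACs seen more than once; checks the HAVING and sub-query forms agree."""
    having = db.execute(
        "SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache "
        "GROUP BY mac HAVING COUNT(mac) > 1").fetchall()
    sub = db.execute(
        "SELECT address, mac, mac_count FROM (SELECT address, mac, COUNT(mac) AS "
        "mac_count FROM arp_cache GROUP BY mac) WHERE mac_count > 1").fetchall()
    # Compare mac and count only: the bare 'address' column in a GROUP BY is
    # taken from an unspecified row of the group, so it is not a stable value.
    assert [(m, c) for _, m, c in having] == [(m, c) for _, m, c in sub]
    return having


if __name__ == "__main__":
    conn = build_db()
    print(deleted_executables(conn), wildcard_listeners(conn), arp_anomalies(conn))
```

Row order is not guaranteed without an ORDER BY, so sort results before comparing them in tooling.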

Download and install

To download the latest stable release, and for repository information and installation instructions, visit https://osquery.io/downloads.

Examples

OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update

Osquery OceanLotus pack:

```json
{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "OceanLotus_launchagent": {"query": "select * from launchd where name = 'com.google.plugins.plist';", "interval": "86400", "description": "OceanLotus Launch Agent", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_1": {"query": "select * from file where pattern = '/Users/%/Library/Logs/.Logs/corevideosd';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_2": {"query": "select * from file where path = '/Library/Logs/.Logs/corevideosd';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_3": {"query": "select * from file where pattern = '/Users/%/Library/.SystemPreferences/.prev/.ver.txt';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_4": {"query": "select * from file where path = '/Library/.SystemPreferences/.prev/.ver.txt';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_5": {"query": "select * from file where pattern = '/Users/%/Library/Parallels/.cfg';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_6": {"query": "select * from file where path = '/Library/Parallels/.cfg';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_7": {"query": "select * from file where pattern = '/Users/%/Library/Preferences/.fDTYuRs';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_8": {"query": "select * from file where pattern = '/Users/%/Library/Hash/.Hashtag/.hash';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_9": {"query": "select * from file where path = '/Library/Hash/.Hashtag/.hash';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_10": {"query": "select * from file where pattern = '/Users/%/Library/Hash/.hash';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_11": {"query": "select * from file where path = '/Library/Hash/.hash';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"},
    "OceanLotus_dropped_file_12": {"query": "select * from file where path = '/tmp/crunzip.temp.%';", "interval": "86400", "description": "OceanLotus dropped file", "value": "Artifact used by this malware"}
  }
}
```