zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-agentsecops-secopsagentkit/skills/incident-response/forensics-osquery/references/platform-differences.md
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

8.4 KiB
Raw Permalink Blame History

Platform-Specific osquery Tables and Queries

Guide to platform-specific tables and query variations across Linux, macOS, and Windows.

Table of Contents

Cross-Platform Tables

These tables work across all platforms with consistent schemas:

  • processes - Running processes
  • users - User accounts
  • groups - User groups
  • file - File system metadata
  • hash - File hashing
  • system_info - System information
  • os_version - OS version details
  • interface_addresses - Network interfaces
  • routes - Routing table
  • listening_ports - Listening network ports

Linux-Specific Tables

Process and System

Table Description
kernel_modules Loaded kernel modules
kernel_info Kernel version and boot parameters
memory_info System memory information
process_namespaces Linux namespace information
seccomp_events Seccomp filter events
selinux_events SELinux audit events
apparmor_events AppArmor audit events

Package Management

Table Description
deb_packages Debian/Ubuntu packages (dpkg)
rpm_packages RPM packages (yum/dnf)
portage_packages Gentoo Portage packages
pacman_packages Arch Linux packages

Persistence

Table Description
crontab Cron scheduled jobs
systemd_units Systemd services and units

Example Linux Queries

-- Check kernel modules
SELECT name, size, used_by, status FROM kernel_modules;

-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';

-- Recently installed packages (Debian/Ubuntu)
SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC LIMIT 20;

-- SELinux denials
SELECT * FROM selinux_events WHERE denied = 1;

macOS-Specific Tables

System and Kernel

Table Description
kernel_extensions Loaded kernel extensions (kexts)
system_extensions macOS system extensions
signature Code signature verification
quarantine Quarantine database entries

Persistence

Table Description
launchd Launch agents and daemons
startup_items Startup items
periodic_items Periodic script executions

Applications

Table Description
apps Installed macOS applications
safari_extensions Safari browser extensions
authorization_mechanisms Authorization plugin mechanisms

Security

Table Description
extended_attributes File extended attributes (xattr)
keychain_items macOS Keychain items
firewall macOS firewall settings

Example macOS Queries

-- Launch agents that run at load
SELECT name, path, program, program_arguments, run_at_load
FROM launchd
WHERE run_at_load = 1
  AND path NOT LIKE '/System/%';

-- Loaded kernel extensions
SELECT name, version, path, linked_against
FROM kernel_extensions
WHERE loaded = 1;

-- Quarantined files
SELECT path, description, data_url
FROM quarantine
WHERE path LIKE '/Users/%/Downloads/%';

-- Unsigned executables in Applications
SELECT path, signed FROM signature
WHERE path LIKE '/Applications/%' AND signed = 0;

-- Code signing status
SELECT path, authority, signed, identifier
FROM signature
WHERE path = '/Applications/Suspicious.app/Contents/MacOS/Suspicious';

Windows-Specific Tables

System and Registry

Table Description
registry Windows registry access
drivers Device drivers
services Windows services
wmi_cli_event_consumers WMI event consumers
wmi_filter_consumer_binding WMI filter bindings

Persistence

Table Description
scheduled_tasks Windows scheduled tasks
autoexec Auto-execution entries
startup_items Startup folder items

Security

Table Description
windows_eventlog Windows Event Log
authenticode Authenticode signature verification
windows_security_products Installed security products
bitlocker_info BitLocker encryption status

Processes

Table Description
process_memory_map Process memory mappings
process_handles Open process handles

Example Windows Queries

-- Registry Run keys
SELECT key, name, path, data, mtime
FROM registry
WHERE (key LIKE '%\\Run' OR key LIKE '%\\RunOnce')
  AND key NOT LIKE '%\\RunOnceEx';

-- Scheduled tasks
SELECT name, action, path, enabled, last_run_time, next_run_time
FROM scheduled_tasks
WHERE enabled = 1
ORDER BY next_run_time;

-- WMI persistence
SELECT name, command_line_template, executable_path
FROM wmi_cli_event_consumers;

-- Windows services
SELECT name, display_name, status, path, start_type, user_account
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
ORDER BY status;

-- Event log security events
SELECT datetime, eventid, source, data
FROM windows_eventlog
WHERE channel = 'Security'
  AND eventid IN (4624, 4625, 4648, 4672)
ORDER BY datetime DESC LIMIT 100;

-- Authenticode signature verification
SELECT path, result, subject_name, issuer_name
FROM authenticode
WHERE path LIKE 'C:\Users\%'
  AND result != 'trusted';

Query Translation Examples

Persistence Mechanisms

Linux:

-- Cron jobs
SELECT * FROM crontab;

-- Systemd services
SELECT name, fragment_path, active_state
FROM systemd_units
WHERE active_state = 'active';

macOS:

-- Launch agents/daemons
SELECT name, path, program, run_at_load
FROM launchd
WHERE run_at_load = 1;

-- Startup items
SELECT name, path, type, source
FROM startup_items;

Windows:

-- Registry Run keys
SELECT key, name, path
FROM registry
WHERE key LIKE '%Run%';

-- Scheduled tasks
SELECT name, action, enabled
FROM scheduled_tasks
WHERE enabled = 1;

Package/Application Inventory

Linux (Debian/Ubuntu):

SELECT name, version, install_time
FROM deb_packages
ORDER BY install_time DESC;

Linux (RHEL/CentOS):

SELECT name, version, install_time
FROM rpm_packages
ORDER BY install_time DESC;

macOS:

SELECT name, path, bundle_version, last_opened_time
FROM apps
ORDER BY last_opened_time DESC;

Windows:

SELECT name, version, install_location, install_date
FROM programs
ORDER BY install_date DESC;

Network Connections

All Platforms:

-- Active connections
SELECT p.name, p.cmdline, ps.remote_address, ps.remote_port, ps.state
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
WHERE ps.state = 'ESTABLISHED';

Platform-specific filtering:

-- Linux: Filter by network namespace
SELECT * FROM process_open_sockets
WHERE pid IN (SELECT pid FROM processes WHERE root != '/');

-- macOS: Include code signature
SELECT p.name, ps.remote_address, s.authority
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN signature s ON p.path = s.path;

-- Windows: Include service name
SELECT p.name, s.name AS service_name, ps.remote_address
FROM processes p
JOIN process_open_sockets ps ON p.pid = ps.pid
LEFT JOIN services s ON p.path = s.path;

Platform Detection in Queries

Use os_version table to detect platform:

-- Get current platform
SELECT platform, name, version FROM os_version;

-- Platform-specific queries
SELECT CASE
  WHEN platform = 'darwin' THEN (SELECT COUNT(*) FROM launchd)
  WHEN platform LIKE '%linux%' THEN (SELECT COUNT(*) FROM systemd_units)
  WHEN platform LIKE '%windows%' THEN (SELECT COUNT(*) FROM services)
  ELSE 0
END AS persistence_count
FROM os_version;

Best Practices for Cross-Platform Queries

  1. Check table availability before querying:

    osqueryi ".tables" | grep <table_name>

  2. Use platform detection for conditional logic

  3. Test queries on each platform - column names may vary slightly

  4. Document platform requirements in query comments

  5. Create platform-specific query packs for osqueryd

Reference

Reference in New Issue View Git Blame Copy Permalink