osquery Table Reference for Forensic Investigations
Comprehensive guide to osquery tables most relevant for incident response and forensic analysis.
Table of Contents
- Process Tables
- Network Tables
- File System Tables
- User and Authentication Tables
- System Information Tables
- Persistence Mechanism Tables
- Platform-Specific Tables
Process Tables
processes
Query running processes with detailed information.
Key columns: pid, name, path, cmdline, cwd, uid, gid, parent, pgroup, state, on_disk, start_time
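-- Basic process listing
SELECT pid, name, path, cmdline, uid
FROM processes;

-- Processes whose executable is no longer on disk (a classic malware
-- indicator). Caveat: a binary replaced by a package upgrade while the
-- old copy is still running typically looks the same, so confirm against
-- recent package activity before escalating.
-- on_disk: 1 = path exists, 0 = path is gone, -1 = unknown/not checked,
-- so test for 0 explicitly rather than "!= 1".
SELECT pid, name, path, cmdline, uid, parent, start_time
FROM processes
WHERE on_disk = 0;

-- Process tree: each process with its parent. LEFT JOIN keeps processes
-- whose parent has already exited (parent_pid / parent_name come back NULL).
SELECT
    proc.pid,
    proc.name,
    proc.cmdline,
    parent_proc.pid  AS parent_pid,
    parent_proc.name AS parent_name
FROM processes AS proc
LEFT JOIN processes AS parent_proc
    ON parent_proc.pid = proc.parent;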
process_open_sockets
Network sockets opened by processes.
Key columns: pid, socket, family, protocol, local_address, local_port, remote_address, remote_port, state
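-- Active external connections: sockets with a real peer that is not a
-- loopback or unspecified address.
-- remote_port > 0 drops listening / unconnected sockets, which otherwise
-- slip through with an empty or wildcard remote address; '::' is the IPv6
-- wildcard and needs excluding alongside '0.0.0.0'.
-- state is only meaningful for TCP sockets.
-- Private (RFC 1918) peers are deliberately NOT excluded: lateral movement
-- inside the network is exactly what an investigator wants to see.
SELECT
    p.pid,
    p.name,
    ps.protocol,
    ps.local_port,
    ps.remote_address,
    ps.remote_port,
    ps.state,
    p.cmdline
FROM processes AS p
INNER JOIN process_open_sockets AS ps
    ON ps.pid = p.pid
WHERE ps.remote_port > 0
  AND COALESCE(ps.remote_address, '') NOT IN ('', '127.0.0.1', '::1', '0.0.0.0', '::');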
process_memory_map
Memory regions mapped by processes (useful for detecting injections).
Key columns: pid, start, end, permissions, path, pseudo
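-- Detect suspicious memory mappings (Linux/macOS 'rwxp'-style permissions
-- string; the third character is the execute bit).
-- pseudo = 1 on its own is far too noisy: every process has [heap], [stack]
-- and [vdso] pseudo regions. It only becomes interesting when the region is
-- executable and is not one of the kernel-provided [vdso]/[vsyscall] pages.
-- Legitimate JIT runtimes (browsers, JVMs, .NET) do map rwx regions, so treat
-- hits as leads to verify, not verdicts.
SELECT
    p.pid,
    p.name,
    pm.path,
    pm.permissions,
    p.cmdline
FROM process_memory_map AS pm
INNER JOIN processes AS p
    ON p.pid = pm.pid
WHERE pm.permissions LIKE 'rwx%'                 -- writable + executable anywhere
   OR (pm.permissions LIKE '__x%'                -- executable, and either ...
       AND (pm.path LIKE '%tmp%'                 -- ... backed by a file under a tmp path
            OR (pm.pseudo = 1                    -- ... or an anonymous/pseudo region
                AND pm.path NOT IN ('[vdso]', '[vsyscall]'))));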
process_envs
Environment variables for running processes.
Key columns: pid, key, value
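-- Check for suspicious environment variables.
-- LD_PRELOAD / DYLD_INSERT_LIBRARIES inject a shared library into the process
-- and are rarely set on purpose outside debugging or instrumentation.
-- PATH is set on essentially every process, so listing it unconditionally
-- drowns the signal; only surface a PATH that reaches into a temp directory
-- or contains a relative '.' entry (POSIX ':'-separated form).
SELECT
    p.pid,
    p.name,
    pe.key,
    pe.value
FROM process_envs AS pe
INNER JOIN processes AS p
    ON p.pid = pe.pid
WHERE pe.key IN ('LD_PRELOAD', 'DYLD_INSERT_LIBRARIES')
   OR (pe.key = 'PATH'
       AND (pe.value LIKE '%/tmp/%'
            OR pe.value LIKE '.:%'
            OR pe.value LIKE '%:.:%'
            OR pe.value LIKE '%:.'));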
Network Tables
listening_ports
Ports listening for connections.
Key columns: pid, port, protocol, family, address
-- Listening ports mapped to their owning process.
-- LEFT JOIN keeps sockets whose pid cannot be resolved to a running process;
-- the process columns are then NULL. Loopback-only listeners are dropped;
-- an address of '0.0.0.0' or '::' means "all interfaces".
SELECT
    lp.port,
    lp.protocol,
    lp.address,
    proc.name,
    proc.path,
    proc.cmdline
FROM listening_ports AS lp
LEFT JOIN processes AS proc
    ON proc.pid = lp.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
interface_addresses
Network interface IP addresses.
Key columns: interface, address, mask, broadcast
-- Every configured address, one row per (interface, address) pair
SELECT
    interface,
    address,
    mask,
    type
FROM interface_addresses;
routes
System routing table.
Key columns: destination, netmask, gateway, source, interface, type
-- Routing table: look for unexpected default gateways or host routes
SELECT
    destination,
    netmask,
    gateway,
    interface
FROM routes;
arp_cache
ARP table entries (detect ARP spoofing).
Key columns: address, mac, interface, permanent
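-- ARP cache listing
SELECT address, mac, interface
FROM arp_cache
ORDER BY address;

-- ARP spoofing lead: one MAC answering for several IPs on the same interface.
-- A router/gateway or a proxy-ARP host can legitimately do this, so compare
-- the MAC against the known gateway before escalating.
SELECT
    interface,
    mac,
    COUNT(*)                    AS ip_count,
    GROUP_CONCAT(address, ', ') AS addresses
FROM arp_cache
GROUP BY interface, mac
HAVING COUNT(*) > 1;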
File System Tables
file
Query file system metadata.
Key columns: path, directory, filename, size, mtime, atime, ctime, mode, uid, gid, type
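-- Recently modified files in sensitive directories.
-- The file table must be constrained on path/directory; a trailing '%'
-- matches one directory level, so subdirectories of /etc are not covered.
-- mtime is epoch seconds.
SELECT path, filename, mtime, uid, gid, mode
FROM file
WHERE path LIKE '/etc/%'
   OR path LIKE '/usr/bin/%'
   OR path LIKE '/usr/sbin/%'
ORDER BY mtime DESC
LIMIT 50;

-- SUID/SGID binaries.
-- mode is a four-digit octal string ("0755", "4755"): the leading digit holds
-- the special bits (4 = setuid, 2 = setgid, 1 = sticky). Matching '%4%' or
-- '%2%' anywhere in the string also flags ordinary modes such as 0644, so
-- test the first digit only: any value with the 4 or 2 bit set (2..7).
-- '%%' is osquery's recursive wildcard; '/usr/%' alone only returns the
-- top-level entries of /usr. osquery also ships a purpose-built suid_bin table.
SELECT path, filename, mode, uid
FROM file
WHERE path LIKE '/usr/%%'
  AND substr(mode, 1, 1) IN ('2', '3', '4', '5', '6', '7');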
hash
File cryptographic hashes (MD5, SHA1, SHA256).
Key columns: path, directory, filename, md5, sha1, sha256, size
-- Hash files in suspicious locations.
-- Every matched file is read in full to hash it, so keep the path
-- patterns tight on busy hosts.
SELECT
    path,
    filename,
    md5,
    sha256
FROM hash
WHERE path LIKE '/tmp/%'
   OR path LIKE '/var/tmp/%';
file_events
Real-time file system change monitoring (requires file integrity monitoring).
Key columns: target_path, action, time, pid, uid, gid
-- File modifications recorded in the last hour.
-- time is epoch seconds; strftime('%s', 'now') yields the current epoch.
SELECT
    target_path,
    action,
    time,
    pid
FROM file_events
WHERE action IN ('CREATED', 'UPDATED', 'DELETED')
  AND time > (strftime('%s', 'now') - 3600);
User and Authentication Tables
users
System user accounts.
Key columns: uid, gid, username, description, directory, shell
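-- Interactive accounts: users whose shell is neither nologin nor false
SELECT username, uid, gid, shell, directory
FROM users
WHERE shell NOT LIKE '%nologin%'
  AND shell NOT LIKE '%false';

-- Highest uids, as a rough proxy for the most recently created accounts.
-- The users table carries no creation timestamp, so this only helps on hosts
-- that allocate uids sequentially; diff against a known-good baseline instead
-- where one exists.
SELECT username, uid, gid, shell, directory, description
FROM users
ORDER BY uid DESC
LIMIT 10;

-- Extra superuser accounts: anything with uid 0 that is not root
SELECT username, uid, gid, shell, directory
FROM users
WHERE uid = 0
  AND username != 'root';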
logged_in_users
Currently logged-in users.
Key columns: user, tty, host, time, pid
-- Sessions currently open on the host
SELECT
    user,
    tty,
    host,
    time
FROM logged_in_users;
last
Login history (last command output).
Key columns: username, tty, pid, type, time, host
-- Login history, newest first.
-- type is the raw utmp record type (ut_type in utmp.h); filter on it to
-- separate interactive logins from boot/system records.
SELECT
    username,
    tty,
    host,
    time,
    type
FROM last
ORDER BY time DESC
LIMIT 50;
groups
User groups.
Key columns: gid, groupname
-- Every group known to the host
SELECT
    gid,
    groupname
FROM groups;
user_groups
User-to-group mappings.
Key columns: uid, gid
-- Users in admin groups.
-- Group names are platform-specific (sudo on Debian-family, wheel on
-- RHEL/BSD/macOS, admin on macOS); extend the list to match the fleet.
SELECT
    u.username,
    g.groupname
FROM users AS u
INNER JOIN user_groups AS ug
    ON ug.uid = u.uid
INNER JOIN groups AS g
    ON g.gid = ug.gid
WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root');
System Information Tables
system_info
System hardware and OS information.
Key columns: hostname, uuid, cpu_type, cpu_brand, physical_memory, hardware_model
-- Hardware and host identity summary (single row)
SELECT
    hostname,
    cpu_brand,
    physical_memory,
    hardware_model
FROM system_info;
os_version
Operating system version details.
Key columns: name, version, major, minor, patch, build, platform
-- Operating system identification (single row)
SELECT
    name,
    version,
    platform,
    build
FROM os_version;
kernel_info
Kernel version and parameters.
Key columns: version, arguments, path, device
-- Running kernel and its boot arguments
SELECT
    version,
    arguments
FROM kernel_info;
uptime
System uptime.
Key columns: days, hours, minutes, seconds, total_seconds
-- Time since last boot, broken down into days/hours/minutes
SELECT
    days,
    hours,
    minutes
FROM uptime;
Persistence Mechanism Tables
crontab
Scheduled cron jobs (Linux/macOS).
Key columns: event, minute, hour, day_of_month, month, day_of_week, command, path
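-- All cron jobs
SELECT event, command, path
FROM crontab;

-- Cron commands that download, run from a temp directory, or decode payloads.
-- Cheap string heuristics: expect some benign hits (backup scripts, package
-- tooling), and review the full command and the crontab file it lives in (path).
SELECT event, minute, hour, day_of_month, month, day_of_week, command, path
FROM crontab
WHERE command LIKE '%curl%'
   OR command LIKE '%wget%'
   OR command LIKE '%/tmp/%'
   OR command LIKE '%base64%';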
scheduled_tasks (Windows)
Windows scheduled tasks.
Key columns: name, action, path, enabled, state
-- Scheduled tasks that are currently enabled
SELECT
    name,
    action,
    path,
    state
FROM scheduled_tasks
WHERE enabled = 1;
startup_items (macOS)
macOS startup items.
Key columns: name, path, args, type, source, status
-- Items configured to run at login/startup, with where they were found
SELECT
    name,
    path,
    type,
    source
FROM startup_items;
launchd (macOS)
macOS launch agents and daemons.
Key columns: name, path, program, program_arguments, run_at_load, keep_alive
-- Launch agents/daemons configured to start when their plist is loaded
SELECT
    name,
    path,
    program,
    program_arguments
FROM launchd
WHERE run_at_load = 1;
registry (Windows)
Windows registry access.
Key columns: key, name, type, data, path
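-- Registry Run keys (machine-wide and per-user autostarts).
-- The registry table is driven by the key constraint and expects a
-- hive-rooted key; a pattern that starts with '%' gives it nothing to
-- enumerate from, so key LIKE '%Run%' is expected to return nothing.
-- Spell the keys out; '%' stands in for one level (the user SID) under
-- HKEY_USERS. On 64-bit hosts the Wow6432Node variants are worth adding.
SELECT key, name, path, data
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';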
services (Windows)
Windows services.
Key columns: name, display_name, status, path, start_type, user_account
-- Services configured to start automatically at boot
SELECT
    name,
    display_name,
    path,
    user_account
FROM services
WHERE start_type = 'AUTO_START';
systemd_units (Linux)
Linux systemd services.
Key columns: id, description, load_state, active_state, sub_state, fragment_path
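-- Active systemd services
SELECT id, description, active_state, fragment_path
FROM systemd_units
WHERE active_state = 'active';

-- Units whose unit file lives outside the distribution-managed directories,
-- i.e. locally created or dropped in by an installer or by someone setting up
-- persistence. /etc/systemd/system is the normal place for admin
-- customisation, so expect legitimate hits too. Units without a unit file
-- (transient scopes, generated units) have an empty fragment_path and are
-- excluded so they don't pad the result.
SELECT id, description, load_state, active_state, sub_state, fragment_path
FROM systemd_units
WHERE fragment_path != ''
  AND fragment_path NOT LIKE '/usr/lib/systemd/system/%'
  AND fragment_path NOT LIKE '/lib/systemd/system/%';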
Platform-Specific Tables
kernel_modules (Linux)
Loaded kernel modules.
Key columns: name, size, used_by, status, address
-- Kernel modules currently loaded, with dependants and load status
SELECT
    name,
    size,
    used_by,
    status
FROM kernel_modules;
kernel_extensions (macOS)
macOS kernel extensions (kexts).
Key columns: name, version, path, loaded
-- Kernel extensions that are currently loaded
SELECT
    name,
    version,
    path
FROM kernel_extensions
WHERE loaded = 1;
drivers (Windows)
Windows device drivers.
Key columns: device_id, device_name, image, provider, service, service_key
-- Device drivers with their image path and provider
SELECT
    device_name,
    image,
    provider,
    service
FROM drivers;
chrome_extensions
Chrome browser extensions.
Key columns: name, identifier, version, description, path, author
-- Chrome extensions found in the profiles the table can see.
-- NOTE(review): newer osquery builds scope this table by uid and may need a
-- join to users to cover every profile — verify on the osquery version in use.
SELECT
    name,
    version,
    description,
    path
FROM chrome_extensions;
firefox_addons
Firefox browser add-ons.
Key columns: name, identifier, version, description, source_url, visible
-- Firefox add-ons with the URL they were installed from
SELECT
    name,
    version,
    description,
    source_url
FROM firefox_addons;
Query Optimization Tips
- Use WHERE clauses: always filter results to reduce query time.
  -- Bad:  SELECT * FROM processes;
  -- Good: SELECT * FROM processes WHERE uid = 0;
- Limit results: use LIMIT for large result sets.
  SELECT * FROM file WHERE path LIKE '/usr/%' LIMIT 100;
- Index columns: use indexed columns in WHERE clauses (pid, uid, path).
- Join efficiently: start with the smaller table when joining.
  SELECT * FROM listening_ports lp JOIN processes p ON lp.pid = p.pid; -- listening_ports is usually smaller
- Time filtering: use time comparisons for event tables.
  WHERE time > (strftime('%s', 'now') - 3600) -- Last hour