Osquery examples

Below is a list of queries showing some of what Osquery can do. You can copy and paste them directly into your Zercurity workbench to try them out on your running assets.

You can find more information about Osquery’s schema /osquery_3.3.0 here.

Get hashes of running binaries

This query returns a list of the running processes on a given system, together with the SHA256 hash of each process's binary. The execution_time column is the process start time as a Unix timestamp, derived from the current time, the system uptime and the process start offset.

SELECT h.sha256, p.pid, p.name, p.parent AS ppid, p2.name AS parent,
  u.username, (time.unix_time-(uptime.total_seconds-p.start_time)) AS execution_time,
  p.path, p.state, u.uid_signed AS uid
FROM processes AS p, uptime, time
 INNER JOIN processes AS p2 ON p.parent = p2.pid
 INNER JOIN hash AS h ON h.path = p.path
 INNER JOIN users AS u ON u.uid = p.uid
 WHERE h.sha256 <> '' ORDER BY execution_time ASC;

Get open process sockets

This query lists the remote connections held open by processes on the host. It is limited to IPv4 sockets (family = 2) and leaves out loopback connections and the common web ports 80 and 443, so what remains is the less expected outbound traffic.

SELECT
  s.pid,
  p.name,
  s.local_address,
  s.remote_address,
  s.family,
  s.protocol,
  s.local_port,
  s.remote_port
FROM
  process_open_sockets AS s
  JOIN processes AS p ON s.pid = p.pid
WHERE
  s.remote_port NOT IN (0, 80, 443)
  AND s.remote_address NOT IN ('127.0.0.1')
  AND s.family = 2;

Mac OSX Firewall enabled

This query checks whether the firewall is enabled on a given Mac OSX host. It does this by reading the globalstate key in com.apple.alf.plist: a row is returned only when the value is not 1, so a result means the firewall is not in the enabled state. Note that globalstate can also be 2 (block all incoming connections), so hosts with that stricter setting are returned by this query as well.

SELECT
  *
FROM
  plist
WHERE
  path = '/Library/Preferences/com.apple.alf.plist'
  AND key = 'globalstate'
  AND value <> '1';
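To run these checks continuously rather than ad hoc, the same three queries can be scheduled in an osquery pack. This is an added example, not from the original page or from Zercurity; the pack and query names are my own, string literals are single-quoted and the execution_time column is left out. With differential logging osqueryd reports only rows added or removed since the previous run, so a new binary hash or an unexpected outbound connection shows up as an "added" row; the firewall check is marked snapshot so every run reports the full state.

```json
{
  "platform": "posix",
  "queries": {
    "running_binary_hashes": {
      "query": "SELECT h.sha256, p.pid, p.name, p.parent AS ppid, p2.name AS parent, u.username, p.path, p.state, u.uid_signed AS uid FROM processes AS p INNER JOIN processes AS p2 ON p.parent = p2.pid INNER JOIN hash AS h ON h.path = p.path INNER JOIN users AS u ON u.uid = p.uid WHERE h.sha256 <> '';",
      "interval": 600,
      "description": "SHA256 of every running binary; a binary not seen before appears as an added row."
    },
    "open_remote_sockets": {
      "query": "SELECT s.pid, p.name, s.local_address, s.remote_address, s.family, s.protocol, s.local_port, s.remote_port FROM process_open_sockets AS s JOIN processes AS p ON s.pid = p.pid WHERE s.remote_port NOT IN (0, 80, 443) AND s.remote_address NOT IN ('127.0.0.1') AND s.family = 2;",
      "interval": 300,
      "description": "Outbound IPv4 connections other than loopback and plain web traffic."
    },
    "macos_firewall_not_enabled": {
      "query": "SELECT key, value FROM plist WHERE path = '/Library/Preferences/com.apple.alf.plist' AND key = 'globalstate' AND value <> '1';",
      "interval": 3600,
      "platform": "darwin",
      "snapshot": true,
      "description": "Returns a row whenever the application firewall globalstate is not 1."
    }
  }
}
```

Save the file (for example as zercurity_examples.conf, a name I chose) and reference it from the packs section of osquery.conf; the per-query platform key keeps the plist check from running on Linux hosts.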