iamtheky Posted January 31, 2019
The snippets in this thread require the free tool osquery. Hopefully I get better as this goes and the thread turns out useful. Let's begin.
,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__)
iamtheky Posted January 31, 2019 (edited)
Top 10 most active processes:

    ; run osqueryi through cmd and capture its stdout (0x02 = $STDOUT_CHILD)
    $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi "select count(pid) as total, name from processes group by name order by total desc limit 10;"', @ScriptDir, 0, 0x02)
    $out = ""
    Do
        $out &= StdoutRead($pid)
    Until @error ; StdoutRead sets @error once the child has exited and the pipe is drained
    ConsoleWrite($out)

Started out by automating one of the commands here (as I will primarily be exploring it for DFIR purposes): https://blog.rapid7.com/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/
Edited January 31, 2019 by iamtheky
iamtheky Posted January 31, 2019
Another example from the Rapid7 link, output into csv, and then split into an array.

    #include <Array.au3>
    ; --csv makes osqueryi print a header line followed by '|'-delimited rows
    $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi --csv "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"', @ScriptDir, 0, 0x02)
    $out = ""
    Do
        $out &= StdoutRead($pid)
    Until @error
    Local $arr[0][4] ; four columns, matching the SELECT list
    _ArrayAdd($arr, $out, 0, "|", @CRLF, 0) ; split rows on @CRLF and fields on '|'
    _ArrayDisplay($arr)
iamtheky Posted February 5, 2019
Playing with the LIKE syntax and quotes. This is processes that are running from the C:\Users\* directory.
*Also notice that you merely have to precede select with a double quote; you do not have to close that quote nor close the statement with a semicolon, osqueryi just fires it.

    #include <Array.au3>
    ; the single-quoted LIKE pattern is appended with & so the AutoIt string quoting does not collide with it
    $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi --csv "select * FROM processes Where path LIKE ' & "'c:\users\%'", @ScriptDir, 0, 0x02)
    $out = ""
    Do
        $out &= StdoutRead($pid)
    Until @error
    Local $arr[0][27] ; one column per field of the processes table
    ; trim the trailing newline so it does not become an empty row
    _ArrayAdd($arr, StringTrimRight($out, 1), 0, "|", @CRLF, 0)
    _ArrayDisplay($arr)
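An added example, not iamtheky's code, written in Python rather than AutoIt: it launches osqueryi without a cmd /c wrapper (so the quotes in the LIKE pattern above need no escaping), parses the pipe-delimited --csv output without producing the empty trailing row, and applies the C:\Users filter to the listening-port join from the earlier post. The osqueryi path is assumed and the sample output is constructed.

```python
import csv
import subprocess
from typing import Dict, List

# Assumed install location, matching the path used in the thread.
OSQUERYI = r"C:\ProgramData\osquery\osqueryi.exe"

# The listening-ports join from the thread, with the process path added so the
# C:\Users check can be applied to the joined result.
LISTENERS_SQL = (
    "SELECT DISTINCT p.name, p.path, l.port, l.address, p.pid "
    "FROM processes AS p JOIN listening_ports AS l ON p.pid = l.pid;"
)

# Constructed sample of what `osqueryi --csv` prints for that query:
# a header line, '|'-delimited fields, and a trailing CRLF.
SAMPLE_CSV = (
    "name|path|port|address|pid\r\n"
    "svchost.exe|C:\\Windows\\System32\\svchost.exe|135|0.0.0.0|912\r\n"
    "updater.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|4444|0.0.0.0|5120\r\n"
    "sshd.exe|C:\\Program Files\\OpenSSH\\sshd.exe|22|::|1640\r\n"
)

def build_command(sql: str, osqueryi: str = OSQUERYI) -> List[str]:
    """Argument vector for osqueryi. Passing the SQL as its own argv element
    avoids the cmd /c quoting dance: quotes inside the LIKE pattern stay literal."""
    return [osqueryi, "--csv", sql]

def parse_osquery_csv(text: str) -> List[Dict[str, str]]:
    """Turn osqueryi --csv output (header first, '|' separated) into dicts.
    Stripping first means the trailing newline never becomes an empty row,
    which is what the StringTrimRight call in the thread works around."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    return [dict(row) for row in csv.DictReader(lines, delimiter="|")]

def run_osquery(sql: str, osqueryi: str = OSQUERYI) -> List[Dict[str, str]]:
    """Run a query through osqueryi and return the parsed rows."""
    proc = subprocess.run(build_command(sql, osqueryi), capture_output=True,
                          text=True, check=True)
    return parse_osquery_csv(proc.stdout)

def flag_user_dir_listeners(rows: List[Dict[str, str]], prefix: str = "c:\\users\\"):
    """Listening processes whose image lives under C:\\Users: the same test as
    the thread's LIKE 'c:\\users\\%' filter, applied to the joined result."""
    return [r for r in rows if r.get("path", "").lower().startswith(prefix)]
```

On a host with osqueryi installed, `flag_user_dir_listeners(run_osquery(LISTENERS_SQL))` returns the rows worth a closer look; `parse_osquery_csv(SAMPLE_CSV)` exercises the parser offline.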