09 January 2020

OSQUERY - Exercise No. 1

“consider JOINing against the users table”
osquery> select * from shell_history WHERE shell_history.uid IN (SELECT uid from users);

Who has stored the SSH private keys on the machine?
osquery> select * from shell_history WHERE shell_history.uid IN (SELECT uid from users) and shell_history.command like '%rsa%';
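
The hint above asks for a JOIN rather than the `IN (SELECT uid FROM users)` subquery. The queries below are an added example, not part of the original post or the lab: they attach the username and home directory to each history line, and then check the `user_ssh_keys` table (present in recent osquery releases), which lists the key files that actually exist in each user's `~/.ssh` rather than commands that merely mention keys. The `LIKE` patterns are assumptions about what the lab host's history contains; `'%rsa%'` alone also matches things like `openssl genrsa` and misses ed25519 keys.

```sql
-- Added example (not from the original post): attribute history to a user.
-- shell_history columns used: uid, time, command; users: uid, username, directory.
SELECT u.username, u.directory, h.time, h.command
FROM shell_history h
JOIN users u USING (uid)
WHERE h.command LIKE '%ssh-keygen%'   -- key generation
   OR h.command LIKE '%id_rsa%'       -- assumed default key names
   OR h.command LIKE '%id_ed25519%'
ORDER BY h.time;

-- Direct answer to "who stored a private key": keys on disk, per user.
-- user_ssh_keys exposes uid, path and whether the key is passphrase-protected.
SELECT u.username, k.path, k.encrypted
FROM user_ssh_keys k
JOIN users u USING (uid)
ORDER BY u.username;
```

`encrypted = 0` rows are the ones worth flagging: an unprotected private key on a shared host is usable by anyone who can read the file. Note that `shell_history` only reflects history files that were written; a user with `HISTFILE` unset or a cleared `.bash_history` leaves no trace there, which is why the second query is the more reliable check.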

The full path of the running FTP service daemon (vsftpd).
osquery> select path from processes where name='vsftpd';

The complete path of a specific binary run as root.
osquery> select * from shell_history WHERE shell_history.uid IN (SELECT uid from users) and shell_history.command like '%sudo%';
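
The last two exercises share one pattern: join `processes` or `shell_history` to `users` so the output says which account the binary or command belongs to. The following queries are an added example, not part of the original post or the lab; the process name `vsftpd` comes from the exercise, the column choices and the `sudo` pattern are mine.

```sql
-- Added example (not from the original post): the daemon's path together
-- with the account it runs under. processes exposes uid and euid; euid is
-- what the kernel actually enforces, so it is the one to report.
SELECT p.pid, p.path, p.cmdline, p.euid, u.username
FROM processes p
JOIN users u ON u.uid = p.euid
WHERE p.name = 'vsftpd';

-- "Binary run as root" has two sources in history: commands typed by root
-- itself (uid 0) and commands other users prefixed with sudo. 'sudo %' is
-- narrower than '%sudo%', which would also match visudo or /etc/sudoers edits.
SELECT u.username, h.time, h.command
FROM shell_history h
JOIN users u USING (uid)
WHERE u.uid = 0
   OR h.command LIKE 'sudo %'
ORDER BY h.time;

-- Confirm what is executing as root right now, with the resolved binary
-- path rather than the string the user typed. Kernel threads have no path.
SELECT p.pid, p.path, p.cmdline, p.cwd
FROM processes p
WHERE p.euid = 0 AND p.path != ''
ORDER BY p.pid;
```

Comparing the history hits with the live process list is the useful part: a `sudo` line whose binary no longer appears in `processes` was a one-off command, while a root-owned process whose path is outside the usual system directories (for example under `/tmp` or a user's home) is the kind of entry an incident responder would pull first.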

Sources:
https://www.attackdefense.com
https://www.first.org/resources/papers/conf2018/Wilson-Doug_FIRST_20180629.pdf
