iamtheky Posted January 31, 2019

The snippets in this thread require the free tool osquery. Hopefully I get better as this goes and the thread turns out useful. Let's begin.
iamtheky Posted January 31, 2019

Top 10 most active processes:

```autoit
#include <AutoItConstants.au3> ; $STDOUT_CHILD

; Run osqueryi through cmd so the whole SQL statement can be passed as one double-quoted argument;
; capture the child's stdout only.
Local $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi "select count(pid) as total, name from processes group by name order by total desc limit 10;"', @ScriptDir, @SW_HIDE, $STDOUT_CHILD)
Local $out = ""
Do
    $out &= StdoutRead($pid)
Until @error ; StdoutRead sets @error once the child has exited and the pipe is drained
ConsoleWrite($out)
```

Started out by automating one of the commands here (as I will primarily be exploring it for DFIR purposes): https://blog.rapid7.com/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/

Edited January 31, 2019 by iamtheky
iamtheky Posted January 31, 2019

Another example from the Rapid7 link, output into CSV, and then split into an array.

```autoit
#include <Array.au3>
#include <AutoItConstants.au3>
#include <StringConstants.au3>

; osqueryi --csv emits a header row plus one row per result, "|"-separated by default.
Local $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi --csv "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"', @ScriptDir, @SW_HIDE, $STDOUT_CHILD)
Local $out = ""
Do
    $out &= StdoutRead($pid)
Until @error
; Four selected columns -> four-column array. Strip the trailing line break first,
; otherwise _ArrayAdd appends an empty row for it.
Local $arr[0][4]
_ArrayAdd($arr, StringStripWS($out, $STR_STRIPTRAILING), 0, "|", @CRLF, $ARRAYFILL_FORCE_DEFAULT)
_ArrayDisplay($arr)
```
iamtheky Posted February 5, 2019

Playing with the LIKE syntax and quotes. These are processes that are running from the C:\Users\* directory.

*Also notice that you merely have to precede select with a double quote; you do not have to close that quote nor close the statement with a semicolon, osqueryi just fires it.

```autoit
#include <Array.au3>
#include <AutoItConstants.au3>
#include <StringConstants.au3>

; The command line is built from a single-quoted AutoIt literal (so the opening double quote
; survives) and a double-quoted literal (so the single-quoted LIKE pattern survives). The child sees:
;   ... --csv "select * FROM processes Where path LIKE 'c:\users\%'
; with the double quote never closed and no trailing semicolon; osqueryi accepts it as-is.
Local $pid = Run('cmd /c c:\ProgramData\osquery\osqueryi --csv "select * FROM processes Where path LIKE ' & "'c:\users\%'", @ScriptDir, @SW_HIDE, $STDOUT_CHILD)
Local $out = ""
Do
    $out &= StdoutRead($pid)
Until @error
; SELECT * returns every column of processes (27 in the osquery build used here), so the array must be that wide.
Local $arr[0][27]
_ArrayAdd($arr, StringStripWS($out, $STR_STRIPTRAILING), 0, "|", @CRLF, $ARRAYFILL_FORCE_DEFAULT)
_ArrayDisplay($arr)
```
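Pulling the three posts together, here is an added Python example; it is not iamtheky's code and not part of the osquery project. It passes the SQL to osqueryi as a single argv element, so the cmd /c wrapper and the single-quote/double-quote juggling from the last post are unnecessary (subprocess does the CreateProcess quoting), reads `--json` instead of `--csv` (the pipe-separated CSV output is not quoted, so a `|` inside a path would shift every later column), and then applies the C:\Users filter client-side to the processes/listening_ports join, flagging the listeners that are reachable from the network rather than bound to loopback. Assumptions: osqueryi lives at the thread's default path (given here with the .exe extension), the function names are mine, and SAMPLE_STDOUT is constructed, so everything except run_query works without osquery installed.

```python
"""Run osqueryi from Python and triage listening processes launched from user profiles.

Added example; not code from the thread or from the osquery project.
Assumptions: osqueryi is installed at the thread's default Windows path (OSQUERYI);
SAMPLE_STDOUT is constructed to look like `osqueryi --json` output for LISTENERS_SQL.
"""
from __future__ import annotations

import ipaddress
import json
import os
import subprocess
from pathlib import PureWindowsPath

OSQUERYI = r"C:\ProgramData\osquery\osqueryi.exe"  # assumption: default install path

# Same processes/listening_ports join as the thread, with path added so the caller
# can see where each listener was launched from.
LISTENERS_SQL = (
    "SELECT DISTINCT p.pid, p.name, p.path, l.port, l.address "
    "FROM processes AS p JOIN listening_ports AS l ON p.pid = l.pid;"
)


def osqueryi_cmd(sql: str, osqueryi: str = OSQUERYI) -> list[str]:
    """argv for a one-shot query. The SQL travels as one argument, so there is no
    'cmd /c' wrapper and no nested-quote juggling; --json avoids the unquoted '|'
    separator that --csv uses."""
    return [osqueryi, "--json", sql]


def parse_json_rows(stdout: str) -> list[dict]:
    """osqueryi --json prints a JSON array of row objects; every value is a string.
    An empty result may print nothing at all, so blank output means no rows."""
    text = stdout.strip()
    if not text:
        return []
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("unexpected osqueryi --json output: not a list")
    return rows


def run_query(sql: str, osqueryi: str = OSQUERYI) -> list[dict]:
    """Execute the query live (requires osquery); raises on a non-zero exit."""
    proc = subprocess.run(osqueryi_cmd(sql, osqueryi), capture_output=True, text=True, check=True)
    return parse_json_rows(proc.stdout)


def is_user_profile_path(path: str) -> bool:
    """Client-side equivalent of  WHERE path LIKE 'c:\\users\\%' : case-insensitive
    and tolerant of forward slashes, which the SQL pattern would miss."""
    parts = PureWindowsPath(path).parts
    return len(parts) >= 3 and parts[0].lower() == "c:\\" and parts[1].lower() == "users"


def listener_is_exposed(address: str) -> bool:
    """True for a wildcard bind (0.0.0.0 / ::) or any non-loopback address.
    Blank or unparseable addresses count as exposed rather than being dropped."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return ip.is_unspecified or not ip.is_loopback


def exposed_user_dir_listeners(rows: list[dict]) -> list[dict]:
    """Triage: processes launched from a user profile whose socket is reachable
    from the network. Ports arrive as strings from osquery and are converted here."""
    hits = []
    for r in rows:
        if not is_user_profile_path(r.get("path", "")):
            continue
        if not listener_is_exposed(r.get("address", "")):
            continue
        hits.append({"pid": int(r["pid"]), "name": r["name"], "path": r["path"],
                     "port": int(r["port"]), "address": r["address"]})
    return hits


# Constructed sample of what LISTENERS_SQL returns; not captured from a real host.
SAMPLE_STDOUT = json.dumps([
    {"pid": "4120", "name": "Code.exe", "port": "54321", "address": "127.0.0.1",
     "path": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"pid": "7788", "name": "update.exe", "port": "4444", "address": "0.0.0.0",
     "path": r"C:\Users\alice\Downloads\update.exe"},
    {"pid": "1012", "name": "svchost.exe", "port": "135", "address": "0.0.0.0",
     "path": r"C:\Windows\System32\svchost.exe"},
])

if __name__ == "__main__":
    rows = run_query(LISTENERS_SQL) if os.path.exists(OSQUERYI) else parse_json_rows(SAMPLE_STDOUT)
    for hit in exposed_user_dir_listeners(rows):
        print(f"{hit['pid']:>6} {hit['name']:<20} {hit['address']}:{hit['port']}  {hit['path']}")
```

On the constructed sample only update.exe is reported: Code.exe is under a user profile but bound to 127.0.0.1, and svchost.exe listens on 0.0.0.0 but runs from System32. Keeping the WHERE clause out of the SQL and filtering in Python is a choice for this demonstration; on a real host with thousands of processes, push the filter into osquery as the thread does and keep the exposure check client-side.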