
Osquery - duck
https://osquery.io/
======
josteink
I realize WMI[1] is a Windows-thing only, but if you're already on the
Windows-platform, WMI comes shipped out of the box and has been for probably a
decade or more, and is overall very well supported.

It has its quirks, but there's practically no part of the system you shouldn't
be able to get information about using WQL[2].

[1] [https://msdn.microsoft.com/en-us/library/ms186146(vs.80).asp...](https://msdn.microsoft.com/en-us/library/ms186146\(vs.80\).aspx)

[2] [https://en.m.wikipedia.org/wiki/WQL](https://en.m.wikipedia.org/wiki/WQL)

~~~
Already__Taken
The nice thing osquery can have is disconnecting what's currently turned on
and connected this second from what records you're getting back.

OSquery can pump results into a DB that you look through; with WMI I've got to
check for myself what's turned on, did it all report, etc.

A driver for wmi in osquery would be a great addition.

------
kbd
Posted because it came up in the discussion of FSQL:

[https://news.ycombinator.com/item?id=14343967](https://news.ycombinator.com/item?id=14343967)

Previous discussions:

Release:
[https://news.ycombinator.com/item?id=8528460](https://news.ycombinator.com/item?id=8528460)

Windows release:
[https://news.ycombinator.com/item?id=12600790](https://news.ycombinator.com/item?id=12600790)

(Links courtesy of
[https://news.ycombinator.com/item?id=14344549](https://news.ycombinator.com/item?id=14344549))

Personally upvoted because it's news to me that it supports Windows now, and
because it still appears to be very actively developed despite existing for
years now.

~~~
nthcolumn
I only heard about this yesterday on that thread. And by Facebook? I really
should pay more attention to what they are doing over there... FSQL is pretty
cool too and surprisingly fast.

------
lmeyerov
If you're in a security team adding this to your stack, we're building a
visual playbook & pivoting system, and have been wanting to experiment with
scenarios that include an osquery connector. Can share more @
info@graphistry.com , would love to explore!

~~~
dfc
What is a "visual playbook and pivoting system"?

------
onida
Outside of facebook, what's the largest install base of osquery?

~~~
mavam
We have an ongoing project and existing prototype that combines OSquery with
the Bro network security monitor. This enables correlation of network and host
state in the same framework.

More details here:
[https://www.bro.org//bro4pros2017/Haas_OSquery_Bro4Pros2017....](https://www.bro.org//bro4pros2017/Haas_OSquery_Bro4Pros2017.pdf)

------
usrme
Can anyone shed some light on how exactly Osquery can be used to leverage
checking, for example, of vulnerabilities? I wasn't able to gather information
on how it exactly communicates with the rest of the infrastructure. Am I
correct to understand that I can set up a single host that has Osquery
installed and it can go out and automatically query a heterogeneous set of
other hosts based on pre-existing configuration files, given that (I assume)
some set of ports are open?

~~~
lmeyerov
Indeed -- Osquery, and the commercial precursor Tanium and the native
Microsoft equivalents, can help when you've identified one incident and want
to find active repeats. Ex: "I just cleaned evil.exe from this box, are any
other hosts running the same process? What other processes do they have in
common?". I've seen hunting use cases as well.

Your example is why we're building our visual playbook system. In this case,
query your network scanner for open ports, and then feed the identified hosts
into more targeted osquery calls.

~~~
usrme
Thank you for the reply; however, I am still having a hard time understanding
how exactly Osquery works under the hood. How does it communicate with other
hosts? With what does it query for information once it reaches a remote node?
What kind of overhead does it have in terms of network transfer when querying?
Maybe I am completely off base and am mistaking how this works... Is Osquery
set up on every individual host and I query for that information remotely
using whatever tools I have at my disposal?

~~~
fiorix
You can configure osquery to execute periodic queries (scheduled queries) of
all kinds: computing md5 of your binaries and other files, taking a snapshot
of sockets/connections per process, and so on.

By default, osquery uses glog, which means it'll output the results to a local
file that you can ship anywhere you want. There's also logging plugins to help
you push the results of scheduled queries to other systems.

Once you have that data flowing through your pipelines you can start doing
security/anomaly detection on things.

~~~
anonymousDan
But do you need an installation of osquery on the remote machines too? Or some
kind of remote agent? Or does it just try to login to each remote machine over
e.g. SSH?

~~~
coredog64
It's a remote agent. If you want the scheduled execution, you install the
program and configure it internally to run on a schedule.

I haven't finished the work yet, but my employer will be feeding the log
results into our ELK stack.

There are other frontends like 'doorman' which allow for ad hoc queries. That
is a little more work to stand up.

------
kossmoboleat
I've worked on something similar except that we used a stream database. Today
you might use RethinkDB or something similar.

The osquery events seem to solve these kind of monitoring/alerting problems.
But I didn't easily find their documentation.

------
dduarte
Can it be used to find Windows machines without MS17-010 installed? :)

~~~
jeremymcanally
Definitely. And you could write queries for the various indicators/files/etc.,
too (or use the built-in YARA support and grab the rules from US-CERT).

I just started working at Kolide ([http://kolide.com](http://kolide.com)) a
couple weeks ago where we're building a whole product on top of osquery. I'm
constantly surprised by "can it do (x)" and the answer is almost always yes.
It's pretty solid!

------
DominoTree
Not directly related to Osquery, but we're using Tanium to run queries against
~180,000 endpoints and we get good results back in about a minute.

~~~
rbolla
Tanium says the max # of endpoints that the "core" can support is 33K. How
did you scale this to 180K?

------
burdzwastaken
Cannot upvote this enough! Seriously great open source project. I have been
able to use it in large scale cross-platform deployments with great success.

------
tlrobinson
How do you issue queries programmatically from another program? Just execute
"osqueryi"? I see mention of a Thrift API but no details.

------
drumttocs8
Can this be used to troubleshoot DPC-related audio latency issues?

------
jvgiuiigvuuc
Useless out of the box:

"If there are no USB devices added or removed to the laptop, this query would
never log a result again. The query would still run every 60 seconds but the
results would match the previous run and thus no state change would be
detected. If a USB memory stick was inserted and left in the laptop for 60
seconds the daemon would log"

So if you unplug your evil USB earlier, this won't tell you.

I wonder if they've heard of udev.

~~~
JosephRedfern
Oh please. It may be useless out of the box at detecting evil USB devices, but
to accuse it of being outright useless is ridiculous.

I'm sure it was sarcastic snark, but of course they have heard of udev:
[https://github.com/facebook/osquery/search?q=udev](https://github.com/facebook/osquery/search?q=udev).
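As an added example (not from this thread and not the osquery project's own documentation), the osqueryd configuration below ties together what fiorix describes above (scheduled queries that hash binaries and snapshot sockets, written to a local log file by the filesystem logger) and the USB point discussed in the last two comments: the polled `usb_devices` query is differential, so a stick inserted and removed between two runs never shows up, while the evented `hardware_events` table (udev-backed on Linux, IOKit on macOS) records the add and remove actions themselves. Query names, paths and intervals are assumptions; the `description` fields stand in for comments, which JSON does not allow.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "false",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "running_binary_hashes": {
      "description": "Hash of the executable behind every running process. Differential mode: only rows that appeared or disappeared since the last run are logged.",
      "query": "SELECT p.pid, p.path, h.md5, h.sha256 FROM processes AS p JOIN hash AS h ON h.path = p.path WHERE p.path != '';",
      "interval": 3600
    },
    "process_sockets": {
      "description": "Sockets per process. Snapshot mode: the full result set is logged on every run, not just the changes.",
      "query": "SELECT p.pid, p.name, s.local_address, s.local_port, s.remote_address, s.remote_port FROM process_open_sockets AS s JOIN processes AS p USING (pid) WHERE s.remote_port != 0;",
      "interval": 300,
      "snapshot": true
    },
    "usb_devices_polled": {
      "description": "Polled every 60 s. A device inserted and removed between two consecutive runs produces no differential row at all.",
      "query": "SELECT vendor, model, serial, vendor_id, model_id FROM usb_devices;",
      "interval": 60
    },
    "usb_device_events": {
      "description": "Evented table populated from udev/IOKit notifications. Each add/remove action is buffered and logged on the next run, so transient devices are still recorded. Requires disable_events=false.",
      "query": "SELECT action, type, driver, vendor, model, serial, time FROM hardware_events;",
      "interval": 60
    }
  }
}
```

The log written under `logger_path` is what a collector such as the ELK stack mentioned above would ship; the `hardware_events` entry is the one to alert on for short-lived USB insertions.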

