Or even find programs installed in non-standard Windows locations. SELECT name, version, identifying_number FROM programs When pooling these results the identifying_number will help identify unique versions of installed programs. Windows Programs Installed windows programs can be queried using the following query.
#OSQUERY USECASES FOR MAC OS X#
Showing application information for Mac OS X Setting up the process_events table does require some additional command flags which we covered in the fore-mentioned blog post. The process_events table is helpful to capture every process that’s been spawned as the processes table is only a snapshot in time. One thing to note with this query is that if the parent process has exited, you won’t be able to iterate through the process tree. The process table also includes a column called on_disk which might help identify suspicious processes spawned from memory. You can use query recursion to iterate through parent processes to identify a given processes execution path. WITH RECURSIVE rc(pid, parent, name) AS ( SELECT pid, parent, name FROM processes WHERE pid = 55334 UNION ALL SELECT p.pid, p.parent, p.name FROM processes AS p, rc WHERE p.pid = rc.parent AND p.pid != 0 ) SELECT pid, parent, name FROM rc LIMIT 20 However, I want to cover a few neat tricks taking advantage of the SQLite engine used by OSquery. We published a previous post on this which covers collecting process information from the processes table and the corresponding application hashes as well as event information from process_events table.
SELECT name, version, build, platform FROM os_version Processes and process events This is useful for identifying systems that may not be running the latest OS release. The os_version table provides operating system information and the current patch level. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM system_info
#OSQUERY USECASES SERIAL NUMBER#
A serial number in the case of Apple or Dell service tag. The hardware_serial column will also provide the manufactures hardware identifier. The system_info table also provides the system UUID to help uniquely identify the asset within your IT estate. The system_info table will provide basic system information around the CPU and available memory. The following system queries will run across all platforms. Osquery provides access to several tables relating to various aspects of system information. Information captured from systems using Osquery System information
0 kommentar(er)
