Ravi Shah
05/04/2020, 5:44 PM
fritz
05/13/2020, 4:43 PM
Julia Oliveira
05/14/2020, 9:59 PM
Vijay
05/18/2020, 9:48 PM
fritz
05/20/2020, 7:36 PM
kolide_wmi table:
WITH
  -- pull the raw key/value rows for Win32_OptionalFeature out of the WMI EAV table
  optional_features AS (
    SELECT
      parent,
      key,
      value,
      class
    FROM kolide_wmi
    WHERE class = 'Win32_OptionalFeature'
      AND properties = 'name,installstate,caption'),
  -- find the parent ids of the features whose name/caption mentions PowerShell
  identify_parent AS (
    SELECT
      DISTINCT(parent) AS parent
    FROM optional_features
    WHERE value LIKE '%Powershell%'),
  reduce_to_powershell AS (
    SELECT * FROM optional_features, identify_parent USING (parent)),
  -- pivot the entity/attribute/value rows into one row per feature
  eav_pivot AS (
    SELECT
      MAX(CASE WHEN key = 'name' THEN value END) AS name,
      MAX(CASE WHEN key = 'installstate' THEN value END) AS install_state,
      MAX(CASE WHEN key = 'caption' THEN value END) AS caption
    FROM reduce_to_powershell
    GROUP BY parent),
  -- map the numeric InstallState to a readable label
  win32_powershell_v2 AS (
    SELECT
      name, caption,
      CASE
        WHEN install_state = '1' THEN 'enabled'
        WHEN install_state = '2' THEN 'disabled'
        WHEN install_state = '3' THEN 'absent'
        WHEN install_state = '4' THEN 'unknown'
      END AS install_state
    FROM eav_pivot)
SELECT * FROM win32_powershell_v2;
seph
kolide_wmi
William Guilherme
05/20/2020, 8:30 PM
-- use IN: "common_name = 'a' OR 'b' OR 'c'" only compares against 'a';
-- the other strings are bare literals evaluated as booleans, not as comparisons
SELECT common_name FROM certificates
WHERE common_name IN (
  'SGIO Test Root CA - G2',
  'SGIO Root CA G2',
  'SGIO ROOT CA',
  'SGIO Basic Assurance CA2',
  'SGIO Basic Assurance CA2 G2',
  'SGIO Basic Assurance CA G2'
);
Stefano Bonicatti
05/20/2020, 10:03 PM
jayakumar
05/25/2020, 1:38 PM
Zweasta
06/04/2020, 8:07 PM
jjerger
06/04/2020, 8:43 PM
jjerger
06/05/2020, 12:17 AM
David
06/12/2020, 5:21 PM
Shan
06/14/2020, 4:50 AM
Shan
06/17/2020, 4:13 AM
fritz
06/20/2020, 3:42 PM
SELECT * FROM windows_security_center
or SELECT * FROM windows_security_products
hilt
06/23/2020, 5:41 AM
C:\Program
marked as added yet these files don't exist on the system when
himanshu
07/02/2020, 6:25 AM
cosine_similarity shows values in powershell_events table
binu
07/10/2020, 9:38 AM
manu
07/18/2020, 8:13 AM
manu
07/18/2020, 3:58 PM
theopolis
windows_events table that collects events in real time, what should this on-demand table be called? Perhaps windows_eventlog or windows_eventslog? Other ideas or preference?
cstevens
07/30/2020, 9:26 PM
farfella
08/04/2020, 7:45 PM
cstevens
08/05/2020, 6:26 PM
PS C:\Program Files\osquery> .\osqueryi.exe "SELECT availability_zone AS az, instance_id FROM ec2_instance_metadata;"
.\osqueryi.exe : Error: no such table: ec2_instance_metadata
At line:1 char:1
+ .\osqueryi.exe "SELECT availability_zone AS az, instance_id FROM ec2_ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Error: no such ...stance_metadata:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
sean.cavanaugh
08/14/2020, 3:07 PM
osqueryctl-like utility for Windows?
farfella
08/25/2020, 12:49 PM
farfella
08/25/2020, 11:06 PM
alessandrogario
fritz
08/28/2020, 11:45 PM
\\ like the example below:
"path": "C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\databases\\chrome-extension_foo\\%"