Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

IMG-20220104-WA0002.jpg

The query should be `WHERE path LIKE` instead of `filename`

Okay, but i want to find the path :sweat_smile:

You cannot recursively crawl the entire disk looking for arbitrary files. You need to have an idea of where items are generally located to use the `file` table while using LIKE statements otherwise you will run into incomplete output due to symlink loops, or onerous runtimes due to the difficulty of crawling the whole disk.

IIRC <@U0JFM04MS> has written up a PoC query for locating vulnerable loaded jar files using yara: <https://blog.fleetdm.com/detect-log4j-with-osquery-and-fleet-e29c9de18ac9>