10/04/2022, 11:13 PM
For those of you who have used osqueryd|i for incident response, do you have an initial set of queries that you like to run against a possibly compromised host? Would you be willing to share them?

Thomas Stromberg

10/05/2022, 7:31 PM
To prepare for an eventual compromise, we've got a handful of queries that we collect the output from every 15 minutes, but before that we had these queries listed in our incident response guide as reasonable ones to build confidence before accessing the host in question: • SELECT * FROM processes; • SELECT * FROM process_envs; • SELECT * FROM process_events; • SELECT * FROM process_open_files; • SELECT * FROM launchd; • SELECT * FROM listening_ports; • SELECT * FROM process_open_sockets It's worth noting that we're a Linux/macOS shop, you may have different interesting tables on Windows.