#general
Bala

09/08/2020, 1:18 AM
Hello, I am new to osquery and have installed it to solve my own problem. I've been ratted recently, which AVs are not detecting; basically someone is remotely connected to my laptop. I am learning osquery to solve this problem. Please let me know if you can suggest tools/tips to help me. Many thanks
theopolis

09/08/2020, 3:47 AM
Hi Bala, sorry to hear about that. I do not think osquery is going to solve this problem for you.
Bala

09/08/2020, 5:50 AM
Hi Ted, any suggestions to overcome this problem? I understand it is out of scope from this group's perspective, but if you have any suggestions please let me know. Thanks
Mike Myers

09/08/2020, 7:13 PM
If macOS or Linux, you could try the `last` table to check if there have been logins at suspicious times, or `logon_sessions` on Windows to see if there are other users connected. There is also the `listening_ports` table, which you could check for unknown or suspicious processes (although malware doesn't need to do this for an attacker to connect, so you can also check `process_open_sockets`).
Bala

09/10/2020, 8:55 AM
Thanks a lot @Mike Myers. Will try these options. Yes, it's a MacBook.
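The queries below are an added example of how the four tables Mike Myers names can be used from `osqueryi`; they are not part of the original conversation and were not posted by any participant. Column names follow the osquery schema for `last`, `logon_sessions`, `listening_ports`, `process_open_sockets` and `processes`; the 7-day window, the utmp `type = 7` filter (an actual user login) and the loopback/wildcard address exclusions are illustrative choices, as is joining each socket back to the owning process so an unfamiliar path or command line stands out.

```sql
-- macOS / Linux: interactive logins in the last 7 days, newest first.
-- utmp type 7 (USER_PROCESS) is a real user login; other types are
-- boot records, runlevel changes and the like.
SELECT username, tty, host,
       datetime(time, 'unixepoch') AS login_time
FROM last
WHERE type = 7
  AND time > strftime('%s', 'now') - 7 * 24 * 3600
ORDER BY time DESC;

-- Windows: who is currently logged on and how.
-- logon_type 2 = Interactive (console), 3 = Network, 10 = RemoteInteractive (RDP).
SELECT user, logon_domain, logon_type, authentication_package,
       datetime(logon_time, 'unixepoch') AS logon_time
FROM logon_sessions
ORDER BY logon_time DESC;

-- Anything listening on a non-loopback address, with the process behind it.
-- protocol 6 = TCP, 17 = UDP.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name, p.path, p.cmdline
FROM listening_ports lp
JOIN processes p USING (pid)
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- A RAT usually dials out rather than listening, so look at established
-- connections per process and exclude loopback and unbound sockets.
SELECT p.pid, p.name, p.path, p.cmdline,
       s.remote_address, s.remote_port, s.state
FROM process_open_sockets s
JOIN processes p USING (pid)
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY p.name, s.remote_address;
```

Run each statement in `osqueryi` (or schedule them in a query pack) and compare the results against what you expect to be on the machine; on a laptop, a process you do not recognise holding an established connection to an unfamiliar remote address, or a login at an hour you were not at the keyboard, is what to pull on next.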