Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@U0JA5UETV> Recently ran across your detect-responder ext (<https://github.com/clong/detect-responder>). Outside of this extension, have you/anyone else found any other way to pickup LLMNR-poisoning artifacts with osquery?

Not really. There’s a handful of python and powershell scripts that do this, but im not really aware of how to do this across an enterprise and cover many different networks/subnets at once

i’d really like to rewrite that extension in go so the dependencies are included, but alas, then i’d have to relearn the tiny bit of go that i once knew