Hi, not directly related to your question, but this article was pretty interesting to me:
https://clo.ng/blog/osquery_reverse_shell/
Also, evented tables like process_events or socket_events are my favorite way to track suspicious outbound connections or processes that run for a very short time and can't be detected with commands like "ps" or "netstat".
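An added example of what the reply describes (not code from the reply or from the osquery project): a small osquery pack fragment scheduling process_events and socket_events, plus a script that reads osqueryd's results.log output, joins each outbound connect to the exec event of the same pid, and reports connections leaving the internal address ranges. The pack, the log lines and the internal-range list are all constructed for this example; the query names (proc_exec, sock_connect) are assumptions, while the column names are osquery's own.

```python
import json
import ipaddress

# Constructed osquery pack fragment: the two evented tables from the reply,
# scheduled as differential queries. Query names are invented for this example.
PACK = {
    "queries": {
        "proc_exec": {
            "query": "SELECT pid, parent, path, cmdline, uid, time FROM process_events;",
            "interval": 10,
        },
        "sock_connect": {
            "query": (
                "SELECT pid, path, remote_address, remote_port, time "
                "FROM socket_events WHERE action = 'connect';"
            ),
            "interval": 10,
        },
    }
}

# Constructed sample of osqueryd results.log lines (one JSON object per row).
# 203.0.113.10 is a documentation-range address standing in for an external host.
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in [
    {"name": "proc_exec", "action": "added", "unixTime": 1700000000,
     "columns": {"pid": "4242", "parent": "1337", "path": "/usr/bin/curl",
                 "cmdline": "curl -s http://203.0.113.10/check", "uid": "1000",
                 "time": "1700000000"}},
    {"name": "sock_connect", "action": "added", "unixTime": 1700000000,
     "columns": {"pid": "4242", "path": "/usr/bin/curl",
                 "remote_address": "203.0.113.10", "remote_port": "80",
                 "time": "1700000000"}},
    {"name": "sock_connect", "action": "added", "unixTime": 1700000005,
     "columns": {"pid": "5100", "path": "/usr/bin/apt-get",
                 "remote_address": "10.0.0.5", "remote_port": "3142",
                 "time": "1700000005"}},
])

# Ranges treated as internal for this example (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_results(text):
    """Parse results.log lines into (query_name, columns) pairs; keep only 'added' rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") == "added":
            rows.append((rec["name"], rec["columns"]))
    return rows


def is_internal(addr):
    """True if addr falls in one of INTERNAL_NETS (version mismatch simply fails the test)."""
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(rows):
    """Join connect events to the exec event with the same pid and return those whose
    remote address is outside the internal ranges. The process may be gone long before
    anyone runs ps or netstat; the captured exec event still carries its cmdline."""
    execs = {cols["pid"]: cols for name, cols in rows if name == "proc_exec"}
    findings = []
    for name, cols in rows:
        if name != "sock_connect":
            continue
        try:
            addr = ipaddress.ip_address(cols["remote_address"])
        except ValueError:
            continue  # unresolvable or empty address column
        if is_internal(addr):
            continue
        ex = execs.get(cols["pid"], {})
        findings.append({
            "pid": cols["pid"],
            "path": cols["path"],
            "remote": f"{addr}:{cols['remote_port']}",
            "cmdline": ex.get("cmdline", "<exec event not captured>"),
            "parent": ex.get("parent"),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(PACK, indent=2))
    for finding in external_connections(parse_results(SAMPLE_LOG)):
        print(finding)
```

On Linux these tables are fed by the audit subsystem, so osqueryd needs the event publisher switched on (for example `--disable_audit=false --audit_allow_sockets=true`) before the scheduled queries above return anything; otherwise the script runs fine but the log stays empty.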