#core

JanRC

11/29/2022, 12:03 PM
Hello, is there an option to run osquery on Windows without installing it? E.g. using PowerShell (WinRM) to invoke a portable osquery without installing it on the target servers.

Stefano Bonicatti

11/29/2022, 12:55 PM
Yes, the MSI just uncompresses files into a folder, setting some strict ACLs for safety, but that’s it. With recent builds we also provide the base .zip files used to create the MSI, like https://github.com/osquery/osquery/releases/download/5.6.0/osquery-5.6.0.windows_x86_64.zip In there you have the osquery executable, which can run on its own, if you want to extract it from there.

JanRC

11/29/2022, 1:01 PM
So if I use Invoke-Command to run it on a remote machine, could I redirect the output of the scan to some temporary file to download it?

Stefano Bonicatti

11/29/2022, 1:05 PM
Sure, you can use it in shell mode with
-S --json "<query>"
and it will output the results in JSON, which you can then redirect to a file.

JanRC

11/29/2022, 1:06 PM
Thank you.
Btw, have you considered a use case in which osquery would scan a remote Windows server, e.g. via WMI or other means, without needing to be present on the scanned system?

Stefano Bonicatti

11/29/2022, 3:01 PM
Not exactly; that would be more the territory of extensions. osquery tries to avoid causing network traffic unless it is strictly necessary and caused by calling local APIs.

JanRC

11/29/2022, 3:09 PM
Scanning a server remotely could be the territory of osquery extensions? I'm not sure I understand the scenario.

Stefano Bonicatti

11/29/2022, 3:10 PM
What I mean is that osquery has some self-imposed restrictions for core tables and for how osquery should work.
Among those is not generating network traffic; an extension is something custom/external to core, so it's not subject to those restrictions.
Something like that also complicates the performance impact that the table has a bit, because now there are 2 (or more) systems to track.

JanRC

11/29/2022, 3:24 PM
I meant that it would just be used as a one-time scanner, meaning it would scan the selected target system, dump the output and forget about it. Then the next machine ...

Stefano Bonicatti

11/29/2022, 4:24 PM
It's still osquery contacting a remote server and causing work on it, network traffic and so on.
Unless I'm missing something?

JanRC

11/29/2022, 4:56 PM
Yes. But there is no need to take care of managing multiple servers, as after dumping the data collected from a particular server to a file, everything would be "forgotten". I understand that this use case is not in line with how osquery is designed to be used. You do a local scan.

FG

12/02/2022, 12:08 AM
If you want to "scan hosts remotely", the supported way is to use an orchestration server such as Fleet, and have your clients call home to that for tasking. The results can be shipped to your central server.