
Link: Osquery Room on TryHackMe

Task 1 Question 1
Answer: No answer needed

Task 2 Question 1
The attached VM was started. For this box I used Remmina on Kali Linux while connected to the TryHackMe VPN. Ready to proceed.
Answer: No answer needed

Task 3 Question 1
What is the meta-command to set the output to show one value per line?
Answer: `.mode line` (the other output modes that `.help` lists are `csv`, `column`, `list` and the default `pretty`)

Question 2
What are the 2 meta-commands to exit osquery?
Answer: `.exit` and `.quit`

Task 4 Question 1
I used the Osquery schema documentation with the version set to 4.6.0; the table counts below change with the version selected and come from the platform filters on that page.
What table would you query to get the version of Osquery installed on the Windows endpoint?
Answer: osquery_info (its version column is the same on every platform)

Question 2
How many tables are there for this version of Osquery?

Question 3
How many tables are compatible with Linux?

Question 4
What is the first table listed that is compatible with both Linux and Windows?

Task 5 Question 1
What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer)
Answer: `select username from users where username like '_en'` (in LIKE, `_` matches exactly one character, so '_en' is a three-character name ending in en; '%en' would match any length)

Task 6 Question 1
Navigate to the bottom of Admin, App Settings.
Answer: k3hFh30bUrU7nAC3DmsCCyb1mT8HoDkt

Question 2
What is the path for the running osqueryd.exe process?
Go to Task Manager, find the osquery daemon and shell process, select Properties, then copy the Location and append osqueryd.exe. The processes table (name and path columns) gives the same answer without leaving osquery.
Answer: C:\Users\Administrator\Desktop\launcher\windows\osqueryd.exe

Task 7 Question 1
According to the polylogyx readme, how many 'features' does the plug-in add to the Osquery core?
The current README shows 25, but the correct answer is 23 (visible in the edit history of the README, and also reachable by "guessing" backwards from 25).
Answer: 23

Osquery on alpine software

Task 8 Question 1
What is the 'current_value' for kernel.osrelease?
This value is read from the system_controls table.

Question 2
The query for bravo's uid:
`Select username, uid from users where username = 'bravo'`

Question 3
One of the users performed a 'Binary Padding' attack.
`Select command from shell_history limit 12` (I added the limit to cleanly wrap the image)

Question 5
Check all file hashes in the home directory for each user.
`Select * from hash where path='/home/tryhackme' and directory = '/home/tryhackme'`
The `directory` constraint is what makes the hash table walk every file under the directory; `path` on its own expects a single file.
Answer: 3df6a21c6d0c554719cffa6ee2ae0df7

Question 8
There is a file that is categorized as malicious in one of the home directories. Use the sigfile which is saved in '/var/osquery/yara/scanner.yara'.
Running yara directly on the home directory first locates the file:
`yara /var/osquery/yara/scanner.yara /home/charlie`
`Select * from yara where path='/home/charlie/notes' and sigfile='/var/osquery/yara/scanner.yara'`
Answer: eicar_av_test,eicar_substring_test

Question 9
Scan the file from Q#3 with the same Yara file.
`yara /var/osquery/yara/scanner.yara /home/tryhackme`
`Select * from yara where path='/home/tryhackme/notsus' and sigfile='/var/osquery/yara/scanner.yara'`
Answer: $eicar_substring:1b (the strings column of the yara table: the matched string identifier and its offset in the file)

Osquery on alpine windows

Task 9 Question 1
What is the description for the Windows Defender Service?
`Select name, description from services where name like 'WinDef%'`
Answer: Helps protect users from malware and other potentially unwanted software

Question 2
There is another security agent on the Windows endpoint.

Question 3
What is required with win_event_log_data?
From the documentation we gather that the source field (the event log channel) is required; a query without a `source` constraint returns nothing.
Answer: source

Question 4
How many sources are returned for win_event_log_channels?
`Select count(*) from win_event_log_channels`

Question 5
What is the schema for win_event_log_data?
From the documentation, we can see the table schema. From within Osquery, we can get the schema with the `.schema win_event_log_data` meta-command.
Answer: `CREATE TABLE win_event_log_data(`time` BIGINT, `datetime` TEXT, `source` TEXT, `provider_name` TEXT, `provider_guid` TEXT, `eventid` INTEGER, `task` INTEGER, `level` INTEGER, `keywords` BIGINT, `data` TEXT, `eid` TEXT HIDDEN)`

Question 6
The previous file scanned on the Linux endpoint with Yara is on the Windows endpoint. What date/time was this file first detected? (Answer format: YYYY-MM-DD HH:MM:SS)
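As an added example, not from the original writeup or the room: the Task 8 questions above look at one user and one file at a time, but the users, shell_history, hash and yara tables join on their columns, so the whole Linux endpoint can be covered in two queries. The sigfile path is the one the room provides; the `dd`/`truncate`/`>>` command patterns are my assumption about how the padding was done and will need adjusting to the actual history.

```sql
-- Added example (not the writeup's own queries). Assumes the room's sigfile
-- at /var/osquery/yara/scanner.yara and that padding was done with dd,
-- truncate or an append redirect (an assumption, not read from the room).

-- 1. Which user padded a binary? shell_history carries the uid that owns the
--    history file, so joining users attaches the account name. The LIKE
--    patterns are deliberately loose (e.g. '%dd %' also matches 'add '),
--    so review the hits rather than alerting on them.
SELECT u.username, sh.history_file, sh.command
FROM shell_history sh
JOIN users u USING (uid)
WHERE sh.command LIKE '%dd %'
   OR sh.command LIKE '%truncate %'
   OR sh.command LIKE '%>> %';

-- 2. Hash every file in every human user's home directory and scan each one
--    with the sigfile. hash needs a directory (or path) constraint and yara
--    needs a path plus a sigfile; both are supplied through the join columns
--    and the WHERE clause, so osquery can populate the virtual tables row
--    by row. count > 0 keeps only files that matched at least one rule.
SELECT u.username, h.path, h.md5, h.sha256, y.matches, y.strings
FROM users u
JOIN hash h ON h.directory = u.directory
JOIN yara y ON y.path = h.path
WHERE u.directory LIKE '/home/%'
  AND y.sigfile = '/var/osquery/yara/scanner.yara'
  AND y.count > 0;
```

Both queries have to run as root (other users' history files and home directories are not readable otherwise), and the second one reads and hashes every file under /home, so on a real fleet scope the directory list or schedule it rather than running it ad hoc.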
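Added example, not part of the original writeup: the last Task 9 question asks when the file was first detected, which is exactly what win_event_log_data answers once the required `source` constraint is supplied. The channel name and event IDs 1116 (malware detected) and 1117 (action taken) are Microsoft Defender's; the threat-name filter on `EICAR` is an assumption based on the Yara rules used on the Linux side and can be dropped to see every detection.

```sql
-- Added example (my query, not the writeup's). Assumes the Defender
-- Operational channel exists on the endpoint and that the detection names
-- the EICAR test file (an assumption taken from the Linux-side Yara rules).

-- Step 1: confirm the channel name as osquery sees it. win_event_log_channels
-- needs no constraint and lists every channel the endpoint has.
SELECT source
FROM win_event_log_channels
WHERE source LIKE '%Windows Defender%';

-- Step 2: pull detection events from that channel. source is a required
-- column: omit it and the table returns no rows at all. The oldest matching
-- row, ordered by the epoch time column, is the first detection; datetime is
-- the same instant as text in the YYYY-MM-DD HH:MM:SS form the room wants.
SELECT datetime, eventid, level, provider_name, data
FROM win_event_log_data
WHERE source = 'Microsoft-Windows-Windows Defender/Operational'
  AND eventid IN (1116, 1117)
  AND data LIKE '%EICAR%'
ORDER BY time ASC
LIMIT 1;
```

The data column holds the event's XML payload as a string, so the threat name, the file path and the user appear inside it; if the name filter returns nothing, drop it and read the path out of the data of the 1116 rows instead.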
