osquery¶
osquery is a multi-platform tool that exposes your operating system as a relational database. You can use SQL-like queries to explore system state and detect suspicious or malicious behaviour in real time.
Personal Experience¶
N/A
Tools & Software Integrations¶
N/A
Recommended Plugins¶
N/A
Resources¶
osquery website: https://osquery.io/
Notes and Troubleshooting¶
Below are some essential queries for identifying potential threats, persistence mechanisms, and malware indicators across macOS, Windows, and Linux systems.
Finding Unwanted or Suspicious Services¶
List all processes with open listening ports — useful for detecting rogue daemons or C2 (command-and-control) listeners.
SELECT DISTINCT p.name, l.port, l.address, p.pid FROM processes p JOIN listening_ports l ON p.pid = l.pid;
Tip: Review unusual services bound to high-numbered or non-standard ports.
Review Startup Processes (Persistence Mechanisms)¶
Enumerate startup items, which are often used by malware to persist after reboot.
SELECT source, name, path FROM startup_items;
Check for:
- Startup entries pointing to temporary directories
- Executables in user profile folders (AppData, /tmp, etc.)
- Unsigned binaries or unknown publishers
Scheduled Tasks (Windows Persistence)¶
Malware frequently abuses scheduled tasks to maintain persistence or execute payloads periodically.
SELECT name, action, path, enabled, next_run_time FROM scheduled_tasks;
Look for:
- Suspicious task names or executables
- Tasks triggered at login or at system boot
- Tasks running scripts from user directories
Processes Not on Disk (In-Memory Execution)¶
Some malware runs entirely in memory to evade detection. This query identifies running processes whose executable no longer exists on disk.
SELECT name, path, pid FROM processes WHERE on_disk = 0;
Indicators:
- Process binary missing or deleted
- Suspicious child processes spawned from PowerShell or cmd.exe
Processes Using Non-Standard Ports¶
Detect connections on unexpected or uncommon ports — often used by malware for exfiltration or C2 communication. The family = 2 clause restricts results to IPv4 sockets, the port filter drops ordinary HTTP/HTTPS traffic, and excluding remote_port 0 removes listening or unconnected sockets that would otherwise flood the output.
SELECT s.pid, p.name, s.local_address, s.remote_address, s.family, s.protocol, s.local_port, s.remote_port
FROM process_open_sockets s
JOIN processes p ON s.pid = p.pid
WHERE s.remote_port NOT IN (0, 80, 443) AND s.family = 2;
Watch for:
- Encrypted traffic on non-HTTPS ports
- Connections to foreign or suspicious IP addresses
Detect Unsigned or Untrusted Binaries¶
Unsigned executables are often an indicator of untrusted or custom malware binaries. The signature table is macOS-only and must be constrained by path, so join it against the paths of running processes; its identifier column holds the signing ID. On Windows, query the authenticode table for the same purpose.
SELECT s.path, s.identifier, s.team_identifier, s.authority, s.signed
FROM processes p
JOIN signature s ON s.path = p.path
WHERE s.signed = 0
   OR (s.authority NOT LIKE '%Microsoft%' AND s.authority NOT LIKE '%Apple%' AND s.authority NOT LIKE '%Google%');
Detect Hidden or Renamed System Processes¶
Malware may attempt to masquerade as legitimate system processes (e.g., svch0st.exe instead of svchost.exe).
SELECT name, path, pid, parent FROM processes WHERE name LIKE '%svch%' OR name LIKE '%explor%' OR name LIKE '%lsass%';
Ensure paths match expected system directories (e.g., C:\Windows\System32\ or /usr/bin/).
Detect Suspicious Parent-Child Relationships¶
Find processes launched by unexpected parent processes (e.g., Word spawning PowerShell).
SELECT child.pid, child.name AS child_name, parent.name AS parent_name, parent.pid AS parent_pid
FROM processes AS child
JOIN processes AS parent ON child.parent = parent.pid
WHERE (parent.name LIKE '%word%' OR parent.name LIKE '%excel%' OR parent.name LIKE '%outlook%')
  AND child.name LIKE '%powershell%';
Detect Recently Created Executables¶
Malware often drops new executables into user directories. This query surfaces files in common drop locations that were modified within the last 24 hours (adjust the window to suit your hunt).
SELECT path, ctime, atime, mtime
FROM file
WHERE (directory LIKE '/Users/%/Downloads/%' OR directory LIKE '/tmp/%' OR directory LIKE 'C:\Users\%\AppData\%')
  AND mtime > strftime('%s', 'now') - 86400;
Use case: Correlate file timestamps with suspicious process activity.
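To run these checks continuously rather than one at a time in osqueryi, osqueryd can schedule them as a query pack and log only row differences, so a new listening port or a fresh Office-to-PowerShell launch arrives as an "added" row in the results log. The pack below is an added example, not part of the original page; the pack name, the intervals and the choice of "removed": false (suppress rows that disappear) are assumptions, and the file is activated by referencing it from the "packs" section of the osquery configuration.

```json
{
  "queries": {
    "listening_ports": {
      "query": "SELECT DISTINCT p.name, l.port, l.address, p.pid FROM processes p JOIN listening_ports l ON p.pid = l.pid;",
      "interval": 300,
      "description": "Processes with listening sockets; an added row means something started listening since the last run.",
      "removed": false
    },
    "startup_items": {
      "query": "SELECT source, name, path FROM startup_items;",
      "interval": 3600,
      "description": "Persistence via startup entries; review new rows pointing at temp or profile directories.",
      "removed": false
    },
    "scheduled_tasks": {
      "query": "SELECT name, action, path, enabled, next_run_time FROM scheduled_tasks;",
      "interval": 3600,
      "platform": "windows",
      "description": "Scheduled tasks used for persistence or periodic payload execution.",
      "removed": false
    },
    "processes_not_on_disk": {
      "query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
      "interval": 120,
      "description": "Running processes whose executable has been deleted from disk.",
      "removed": false
    },
    "office_spawning_powershell": {
      "query": "SELECT child.pid, child.name AS child_name, parent.name AS parent_name, parent.pid AS parent_pid FROM processes AS child JOIN processes AS parent ON child.parent = parent.pid WHERE (parent.name LIKE '%word%' OR parent.name LIKE '%excel%' OR parent.name LIKE '%outlook%') AND child.name LIKE '%powershell%';",
      "interval": 60,
      "platform": "windows",
      "description": "Office application launching PowerShell; a short interval so short-lived children are not missed.",
      "removed": false
    }
  }
}
```

Short intervals cost CPU on busy hosts, so tune them per query rather than using one value for the whole pack.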