This write up refers to the Osquery room on TryHackMe.

In this room we are familiarizing ourselves with Osquery, an open-source tool developed by Facebook for querying endpoints using SQL syntax. Osquery is a popular tool for host- and network-level detection used by well-known companies like Facebook, GitHub or AT&T, which is why it is a good idea to familiarize yourself with it if you are looking to enter the field or just want to expand your knowledge. Read the introductory text and click the Completed button.

To install Osquery on your local machine follow the installation instructions. Also make sure to look into the documentation.

Task 3: Interacting with the Osquery Shell

To interact with Osquery open CMD or PowerShell and run osqueryi. Make sure to check out the help menu by calling .help. The .tables meta-command lists the available tables and takes an optional name filter, e.g. .tables process lists all tables associated with processes. Once you have found a table you want to examine, call .schema table_name to list the table's schema.

Question 4) What is the SQLite version?
Can also be found in the output of .version, which prints both the Osquery version (4.6.0.2 on this endpoint) and the SQLite version it embeds.
Solution: 3.34.0

Question 5) What is the default output mode?
Solution: pretty

Question 6) What is the meta-command to set the output to show one value per line?
Solution: .mode line

Question 7) What are the 2 meta-commands to exit osqueryi?
Solution: .exit and .quit

The schema documentation needed to solve the next questions can be found in the Osquery schema documentation (pick the schema for the version running on the endpoint, 4.6.0 here; the table counts below are specific to that version).

Question 8) What table would you query to get the version of Osquery installed on the Windows endpoint?
Solution: osquery_info

Question 9) How many tables are there for this version of Osquery?
Solution: 266

Question 10) How many of the tables for this version are compatible with Windows?
Solution: 96

Question 11) How many tables are compatible with Linux?
Solution: 155

Question 12) What is the first table listed that is compatible with both Linux and Windows?
Solution: arp_cache

Task 5: Creating Queries

Osquery is queried with SQL. It embeds SQLite, so the syntax is SQLite's, but in practice only a small subset is needed: most statements will be SELECT statements, as you will rarely ever need UPDATE or DELETE statements unless you are dealing with extensions or run-time tables. Other than that, querying Osquery is as easy as writing SQL statements for a database:

SELECT * FROM processes retrieves all columns from the processes table.
SELECT pid, name, path FROM processes only retrieves the pid, name and path columns.
You can use aggregation statements like SELECT count(*) FROM processes.
WHERE clauses narrow the result down, e.g. SELECT pid, name, path FROM processes WHERE name='lsass.exe'.

Refer to the documentation to learn more about Osquery's SQL syntax.

Question 13) What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer)
Solution: SELECT username FROM users WHERE username LIKE '_en'
In a LIKE pattern the underscore matches exactly one character, so '_en' is what enforces the 3-character length; '%en' would also return longer usernames such as ellen or owen, because % matches any number of characters.

Task 6: Using Kolide Fleet

Kolide Fleet is an open-source Osquery fleet manager for querying multiple endpoints from Kolide Fleet's web UI. To start Kolide on the VM execute the following in an Ubuntu shell (sudo password is tryhackme):

    /usr/bin/fleet serve \
      --mysql_address=127.0.0.1:3306 \
      --mysql_database=kolide \
      --mysql_username=root \
      --mysql_password=tryhackme \
      --redis_address=127.0.0.1:6379 \
      --server_cert=/home/tryhackme/server.cert \
      --server_key=/home/tryhackme/server.key \
      --auth_jwt_key=JB+wEDR4V3bbhU4OlIMcXpcBQAaZc+4r \
      --logging_json

The MySQL credentials, the TLS key pair and the auth_jwt_key (the 32-character secret Fleet uses to sign its session tokens) are the lab VM's values; for a real deployment generate your own, and prefer Fleet's config file or environment variables over command-line flags so the secrets do not end up in shell history and process listings.
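The LIKE query from Task 5 and the three query forms it introduces (projection, WHERE filter, count) can be tried without an osquery endpoint, because osquery embeds SQLite and the SQL semantics are the same. The following is an added example, not code from the write-up or from the osquery project: it builds an in-memory SQLite table with the columns of osquery's users table, fills it with constructed sample rows (there is no real endpoint data here), and runs the '_en' pattern next to the '%en' pattern so the difference between the two wildcards is visible on real output. The row values, the helper names and the NOT LIKE '%nologin' filter are this example's own choices.

```python
import sqlite3

# Constructed sample rows shaped like osquery's `users` table
# (uid, gid, username, description, directory, shell). On a real endpoint
# osquery fills this table from the operating system; here it is populated
# by hand so the example runs offline. Osquery embeds SQLite, so LIKE and
# the other SQL below behave exactly as they do in osqueryi.
SAMPLE_USERS = [
    (0, 0, "root", "root", "/root", "/bin/bash"),
    (1000, 1000, "ben", "Ben", "/home/ben", "/bin/bash"),
    (1001, 1001, "ellen", "Ellen", "/home/ellen", "/bin/zsh"),
    (1002, 1002, "ken", "Ken", "/home/ken", "/bin/bash"),
    (1003, 1003, "owen", "Owen", "/home/owen", "/bin/sh"),
    (65534, 65534, "nobody", "nobody", "/nonexistent", "/usr/sbin/nologin"),
]


def build_db():
    """Create an in-memory SQLite database holding a users table like osquery's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, "
        "description TEXT, directory TEXT, shell TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def query(conn, sql, params=()):
    """Run a SELECT with bound parameters and return the rows as a list of tuples."""
    return conn.execute(sql, params).fetchall()


def usernames_matching(conn, pattern):
    """Return the usernames matching a LIKE pattern as a sorted list."""
    rows = query(conn, "SELECT username FROM users WHERE username LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def three_char_ending_en(conn):
    """Task 5 answer: '_' matches exactly one character, so '_en' means
    three characters long and ending in 'en'."""
    return usernames_matching(conn, "_en")


def ending_en(conn):
    """'%' matches any run of characters (including none), so '%en' also
    returns the longer names ellen and owen."""
    return usernames_matching(conn, "%en")


def login_shell_users(conn):
    """Projection plus WHERE clause, in the style of the processes examples:
    a few columns of every user whose shell is not a nologin shell."""
    return query(
        conn,
        "SELECT uid, username, shell FROM users "
        "WHERE shell NOT LIKE '%nologin' ORDER BY uid",
    )


def user_count(conn):
    """Aggregation, as in SELECT count(*) FROM processes."""
    return query(conn, "SELECT count(*) FROM users")[0][0]


if __name__ == "__main__":
    db = build_db()
    print("LIKE '_en':", three_char_ending_en(db))
    print("LIKE '%en':", ending_en(db))
    print("count(*):", user_count(db))
    for row in login_shell_users(db):
        print(row)
```

Against the constructed rows, '_en' returns only ben and ken, while '%en' also returns ellen and owen, which is why the longer pattern does not answer a question that fixes the length at three characters. Parameters are bound with ? rather than pasted into the string; osquery's own queries are read-only, but the same habit matters as soon as a username or process name from the outside world ends up in a WHERE clause.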