osquery 5.11 – Query your devices like a database.
osquery uses basic SQL commands to leverage a relational data-model to describe a device.
Processes running without a binary on disk
Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.
Three things you should know about osquery
It’s fast and tested: Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.
It runs everywhere: Windows, macOS, CentOS, FreeBSD, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.
It’s open source: Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.
Bug Fixes
Add stricter checks to JSON parsing (#8229)
Fix signed/unsigned mismatch in powershell_events (#8225)
Fix a crash in firefox_addons (#8227)
Correct the aws_sts_region behavior (#8184)
Full list of changes available here