Osquery TryHackMe Walkthrough

Rich
6 min read · Sep 10, 2023

TL;DR walkthrough of one way to complete the osquery room on TryHackMe, part of the Cyber Defense pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Much like the ZeroLogon room, we did not find the answers the way TryHackMe intended. I messed around with osquery just enough to get a feel for it, but I wanted to query the raw data so to speak and see where osquery was getting its answers.

One has to use PowerShell to run osqueryi; it did not function in PowerShell_ISE. Along with PowerCat.ps1 and Invoke-PowerShellTcp.ps1, osqueryi is one of the very few things I have tried out in the lab like this.

As always, we start by connecting to the VM with xfreerdp:

xfreerdp /v:10.10.176.143 /u:James /p:thm_4n6 /dynamic-resolution

— Task 3 —

How many tables are returned when we query “table process” in the interactive mode of Osquery?

.table process

3

Looking at the schema of the processes table, which column displays the process id for the particular process?

.schema process

PID

Examine the .help command, how many output display modes are available for the .mode command?

.help

.mode MODE

— Task 4 —

All Task 4 answers are found on https://osquery.io/schema/5.5.1/

In Osquery version 5.5.1, how many common tables are returned, when we select both Linux and Window Operating system?

56

In Osquery version 5.5.1, how many tables for MAC OS are available?

180

In the Windows Operating system, which table is used to display the installed programs?

programs

In Windows Operating system, which column contains the registry value within the registry table?

Data

— Task 5 —

I only used osquery to find the answer to one of these.

Using Osquery, how many programs are installed on this host?

PS C:\Users\James> (Get-Package | Where-Object {($_.ProviderName -eq "Programs") -or ($_.ProviderName -eq "msi")}).Count

19

Using Osquery, what is the description for the user James?

PS C:\Users\James> (Get-LocalUser James).Description

Creative Artist

When we run the following search query, what is the full SID of the user with RID ‘1009’?

PS C:\Users\James> (Get-LocalUser | Where-Object {$_.SID -like "*1009"}).SID.Value

S-1-5-21-1966530601-3185510712-10604624-1009

Alt:

PS C:\Users\James> (Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object {$_.Name -like "*1009"}).Name.Split("\")[6]

S-1-5-21-1966530601-3185510712-10604624-1009

When we run the following search query, what is the Internet Explorer browser extension installed on this machine?

osqueryi

select * from ie_extensions;

C:\Windows\System32\ieframe.dll

Alt:

PS C:\Users\James> Get-ItemProperty "Registry::HKEY_USERS\S-1-5-21-1966530601-3185510712-10604624-1009\Software\Classes\Local Settings\MuiCache\70\52C64B7E" | Out-File Testing.txt

PS C:\Users\James> Get-Content .\Testing.txt | Select-String "Internet Explorer" -Context 1

@C:\Windows\System32\ie4uinit.exe,-731 : Internet Explorer

@C:\Windows\System32\ieframe.dll,-55175 : Internet Explorer

This seems to be where osquery is getting it from. This one was tricky to find as I don’t use Internet Explorer anymore and hadn’t tried to query its extensions. I was curious where osquery was getting its data though.

After running the following query, what is the full name of the program returned?

Query: select name,install_location from programs where name LIKE '%wireshark%';

PS C:\Users\James> (Get-Package | Where-Object {$_.Name -like "*wireshark*"}).Meta.Attributes.Values[0]

Wireshark 3.6.8 64-bit

— Task 6 —

Which table stores the evidence of process execution in Windows OS?

This one is found on https://osquery.io/schema/5.5.1/ , just like Task 4’s questions.

userassist

One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?

I couldn’t find this one in the Application log. In the end I gave up and did it the osquery way.

osquery way:

select sid,path from userassist where sid='S-1-5-21-1966530601-3185510712-10604624-1009';

DiskWipe.exe

PowerShell way:

Get-Childitem -Path C:\Users\James -Include "*.exe" -File -Recurse -ErrorAction SilentlyContinue

Both methods make an educated guess that the user is James as that is the user who is in all the other questions. I didn’t think to just check James’s user folder for any *.exe files until after I gave up checking the logs and tried osquery. Had I simply checked their folder I would have found this one in seconds. Live and learn.
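The userassist table reads the UserAssist registry keys and decodes their ROT13 value names. As an added example (not from the original post or from osquery itself), this PowerShell reads the same data directly, so you can see what osquery is returning; it assumes the user's hive is loaded under HKEY_USERS (true for logged-on users) and the Windows 7+ 72-byte record layout.

```powershell
# Added example, not from the original post or from osquery: read the UserAssist
# registry data that backs osquery's userassist table. Value names are ROT13-encoded
# program paths; the binary data holds the run count and last-run FILETIME.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if     ($c -ge 65 -and $c -le 90)  { [char](($c - 65 + 13) % 26 + 65) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }   # a-z
        else                               { $ch }
    }
    return -join $out
}

function Get-UserAssist {
    param([Parameter(Mandatory)][string]$Sid)
    $base = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    # One subkey per GUID (executables, shortcuts, ...); each has a Count subkey with the records
    foreach ($guidKey in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $countKey = $guidKey.OpenSubKey('Count')
        if (-not $countKey) { continue }
        foreach ($name in $countKey.GetValueNames()) {
            if (-not $name) { continue }                       # skip an unnamed default value
            $bytes = [byte[]]$countKey.GetValue($name)
            $runs = $null; $last = $null
            if ($bytes.Length -ge 8)  { $runs = [BitConverter]::ToUInt32($bytes, 4) }   # run count
            if ($bytes.Length -ge 68) {
                $ft = [BitConverter]::ToInt64($bytes, 60)                                # last-run FILETIME
                if ($ft -gt 0) { $last = [DateTime]::FromFileTimeUtc($ft) }
            }
            [pscustomobject]@{ Sid = $Sid; Path = (ConvertFrom-Rot13 $name); RunCount = $runs; LastRun = $last }
        }
    }
}

# PowerShell equivalent of: select sid,path from userassist where sid='<SID>';
Get-UserAssist -Sid 'S-1-5-21-1966530601-3185510712-10604624-1009' |
    Where-Object { $_.Path -like '*.exe' } |
    Sort-Object LastRun -Descending |
    Format-Table Path, RunCount, LastRun -AutoSize
```

Sorting by LastRun puts the most recently executed programs first, which is usually the quickest way to spot a one-off tool such as a disk wiper among the everyday entries.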

Create a search query to identify the VPN installed on this host. What is name of the software?

PS C:\Windows\system32> (Get-Package | Where-Object {($_.Name -like "*VPN*") -and ($_.ProviderName -eq "Programs")}).Name

ProtonVPN

How many services are running on this host?

TryHackMe kinda made an error on this one, much like their booboo regarding the “local admin” on a DC in the ZeroLogon room. It’s all good though, I learned more in the process.

PS C:\Windows\system32> (Get-Service | Where-Object {$_.Status -eq "Running"}).Count

73

PS C:\Windows\system32> (Get-Service).Count

214

TryHackMe wants 214, the question is poorly worded. Luckily their answer boxes let you know how many characters the answer should have.
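To see the two counts the question conflates side by side, here is an added example (not from the original post) that runs osqueryi in non-interactive JSON mode and compares its services table with Get-Service. It assumes osqueryi.exe is on the PATH; adjust $osqueryi otherwise.

```powershell
# Added example, not from the original post: cross-check osquery's services table
# against Get-Service for both "all services" and "running services".
$osqueryi = "osqueryi.exe"   # assumption: osqueryi is on PATH

function Invoke-OsqueryJson {
    param([Parameter(Mandatory)][string]$Sql)
    # A SQL string as the positional argument runs once and exits; --json emits a JSON array of rows
    $raw = & $osqueryi --json $Sql
    if ($LASTEXITCODE -ne 0) { throw "osqueryi failed (exit $LASTEXITCODE)" }
    return ($raw -join "`n") | ConvertFrom-Json
}

# osquery reports status using the Service Control Manager strings (RUNNING, STOPPED, ...)
# and returns count(*) as a string in JSON, hence the [int] casts
$osqAll     = [int](Invoke-OsqueryJson "select count(*) as n from services;").n
$osqRunning = [int](Invoke-OsqueryJson "select count(*) as n from services where status = 'RUNNING';").n

# Native equivalents; Get-Service enumerates the same SCM database
$psAll     = (Get-Service).Count
$psRunning = (Get-Service | Where-Object { $_.Status -eq 'Running' }).Count

[pscustomobject]@{ Source = 'osquery';    All = $osqAll; Running = $osqRunning },
[pscustomobject]@{ Source = 'PowerShell'; All = $psAll;  Running = $psRunning } |
    Format-Table -AutoSize

# The All columns should match; a difference means a service changed between the two
# enumerations or osqueryi ran under an account with different visibility.
```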

A table autoexec contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?

PS C:\Windows\system32> wmic startup get caption,command

batstartup.bat

What is the full path of the batch file found in the above question? (Last in the List)

Get-Childitem -Path C:\ -Include *batstartup.bat* -File -Recurse -ErrorAction SilentlyContinue

Directory: C:\AtomicRedTeam\atomics\T1547.001\src

There’s another copy in:

Directory: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

TryHackMe wants the second copy that’s in James’ folder. In fact, all the questions regarding a given user were about James. Hence I simply used Explorer to search their folder on this one.
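Rather than searching the whole disk for a known file name, a defender usually wants every startup location listed and the script-type entries flagged. This added example (not the original post's code) walks the Run/RunOnce keys and Startup folders that osquery's startup_items and autoexec tables draw from; it assumes those are the only sources of interest here.

```powershell
# Added example, not from the original post: enumerate common startup locations and
# flag entries whose command is a script or legacy launcher type rather than an .exe.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Per-user Run keys for every loaded user hive (HKU\<SID>), skipping the *_Classes hives
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

$items = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})

# Startup folders: the common one under ProgramData plus each user profile's own
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem C:\Users -Directory | ForEach-Object {
        "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
$items += @(foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
    }
})

# Script and legacy launcher extensions that deserve a second look in a startup location
$flag = '\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|ps1|hta)\b'
$items | Where-Object { $_.Command -match $flag } | Format-Table -AutoSize
```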

Summary

Just in case anyone was curious like I was, the content of the *.bat file was

TryHackMe also put some other legacy file types that attackers like to use in there, with the same content.

I have nothing against osquery, I was just curious where it was pulling the data from. Hence I ran almost all the queries to find the answers in this room without using osquery.

There are numerous other walkthroughs for this room already out there on Google, however the ones I saw either didn't show their work or only used osquery, so I figured I'd post my notes on how we found the answers using built-in PowerShell.

References

Good writeup that used osquery: https://classroom.anir0y.in/post/tryhackme-osquerythebasics/

Find installed programs: https://devblogs.microsoft.com/scripting/use-powershell-to-quickly-find-installed-software/

Show startup programs: https://www.online-tech-tips.com/computer-tips/list-windows-startup-programs/

Find a file: https://devblogs.microsoft.com/scripting/use-windows-powershell-to-search-for-files/


Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.