
forensics-osquery

SQL-powered forensic investigation and system interrogation using osquery to query operating systems as relational databases. Enables rapid evidence collection, threat hunting, and incident response across Linux, macOS, and Windows endpoints. Use when: (1) Investigating security incidents and collecting forensic artifacts, (2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running processes, network connections, and persistence mechanisms, (4) Collecting system state during incident response, (5) Querying file hashes, user activity, and system configuration for compromise indicators, (6) Building detection queries for continuous monitoring with osqueryd.
aiskillstore/marketplace · ★ 329 · API & Backend · score 85
Install: claude install-skill aiskillstore/marketplace
# osquery Forensics & Incident Response

## Overview

osquery transforms operating systems into queryable relational databases, enabling security analysts to investigate compromises using SQL rather than traditional CLI tools. This skill provides forensic investigation workflows, common detection queries, and incident response patterns for rapid evidence collection across Linux, macOS, and Windows endpoints.

**Core capabilities**:

- SQL-based system interrogation for process, network, file, and user analysis
- Cross-platform forensic artifact collection (Linux, macOS, Windows)
- Live system analysis without deploying heavyweight forensic tools
- Threat hunting queries mapped to MITRE ATT&CK techniques
- Scheduled monitoring with osqueryd for continuous detection
- Integration with SIEM and incident response platforms

## Quick Start

### Interactive Investigation (osqueryi)

```bash
# Launch interactive shell
osqueryi

# Check running processes
SELECT pid, name, path, cmdline, uid FROM processes WHERE name LIKE '%suspicious%';

# Identify listening network services
SELECT DISTINCT processes.name, listening_ports.port, listening_ports.address, processes.pid, processes.path
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address != '127.0.0.1';

# Find processes with deleted executables (potential malware)
SELECT name, path, pid, cmdline FROM processes WHERE on_disk = 0;

# Check persistence mechanisms (Linux/macOS cron jobs)
SELECT command, path FROM cro
```
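The Quick Start queries above are meant to be typed into an interactive shell, but during an incident they are usually scripted so the rows can be ranked and handed to a responder. The following Python triage helper is an added example, not code from the listed skill or from the osquery project: it runs two of those queries through `osqueryi --json` when the binary is on the PATH and otherwise falls back to constructed sample rows (labelled below) so the classification logic can be exercised offline. The `SUSPICIOUS_DIRS` list and the severity rules are assumptions chosen for illustration; the loopback exclusion has been widened to cover `::1` as well, since the original query only excluded the IPv4 loopback address.

```python
"""Triage helper for osquery Quick Start queries (added example, not part of the listed skill)."""
import json
import shutil
import subprocess

# Queries adapted from the Quick Start above; NOT IN covers IPv6 loopback too.
QUERIES = {
    "external_listeners": (
        "SELECT p.name, p.path, p.pid, p.cmdline, lp.port, lp.address "
        "FROM listening_ports lp JOIN processes p USING (pid) "
        "WHERE lp.address NOT IN ('127.0.0.1', '::1');"
    ),
    "deleted_binaries": "SELECT name, path, pid, cmdline FROM processes WHERE on_disk = 0;",
}

# Assumption: a legitimate listening service rarely runs from a scratch directory.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample rows in the shape osqueryi --json emits (every value is a string).
SAMPLE_OUTPUT = {
    "external_listeners": [
        {"name": "sshd", "path": "/usr/sbin/sshd", "pid": "812",
         "cmdline": "/usr/sbin/sshd -D", "port": "22", "address": "0.0.0.0"},
        {"name": "kworker", "path": "/tmp/.x/kworker", "pid": "4711",
         "cmdline": "./kworker", "port": "4444", "address": "0.0.0.0"},
    ],
    "deleted_binaries": [
        {"name": "kworker", "path": "/tmp/.x/kworker", "pid": "4711", "cmdline": "./kworker"},
    ],
}


def run_query(sql):
    """Run one query via `osqueryi --json` and return its rows as a list of dicts."""
    proc = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def collect(use_live=None):
    """Gather results for every query: live when osqueryi is installed, else the sample rows."""
    if use_live is None:
        use_live = shutil.which("osqueryi") is not None
    if not use_live:
        return SAMPLE_OUTPUT
    return {name: run_query(sql) for name, sql in QUERIES.items()}


def classify_listener(row):
    """Severity for a non-loopback listener: high when it has no path or runs from a scratch dir."""
    path = row.get("path") or ""
    if not path or path.startswith(SUSPICIOUS_DIRS):
        return "high"
    return "info"


def triage(results):
    """Turn raw rows into findings; a process whose binary is gone from disk is always high."""
    findings = []
    for row in results.get("external_listeners", []):
        findings.append({
            "check": "external_listener",
            "severity": classify_listener(row),
            "pid": row["pid"],
            "detail": f"{row['name']} listening on {row['address']}:{row['port']} "
                      f"from {row['path'] or '<no path>'}",
        })
    for row in results.get("deleted_binaries", []):
        findings.append({
            "check": "deleted_binary",
            "severity": "high",
            "pid": row["pid"],
            "detail": f"{row['name']} (pid {row['pid']}) has no backing file on disk: {row['path']}",
        })
    return findings


def high_severity_pids(findings):
    """Distinct PIDs that need immediate attention, sorted for stable reporting."""
    return sorted({f["pid"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for finding in triage(collect()):
        print(f"[{finding['severity']:4}] {finding['check']}: {finding['detail']}")
```

Running the script on a host with osquery installed prints one line per finding; without osquery it runs over the constructed rows, where the `kworker` process is flagged twice (a listener on port 4444 from `/tmp/` and a missing on-disk binary) while `sshd` is reported as informational only.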