
forensics-osquery

Rating: Safe. Capabilities: external commands, filesystem access, network access.

Investigate security incidents with osquery SQL forensics

This skill provides SQL-powered forensic investigation using osquery to query operating systems as databases. Use it to collect forensic evidence, hunt for threats, and respond to incidents across Linux, macOS, and Windows endpoints.

Supports: Claude, Codex, Code (CC)
Score: 77 (Silver)

  1. Download the skill ZIP
  2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill
  3. Toggle on and start using

Test it

Using "forensics-osquery". Show me processes with external network connections

Expected outcome:

  • Process: nginx, PID: 1234, Remote: 203.0.113.50:443
  • Process: chrome, PID: 5678, Remote: 198.51.100.20:443

Using "forensics-osquery". Find recent file modifications in system directories

Expected outcome:

  • File: /etc/passwd, Modified: 2 hours ago
  • File: /usr/bin/suspicious Binary, Modified: 30 minutes ago

Using "forensics-osquery". Check for suspicious scheduled tasks

Expected outcome:

  • Task: UpdateService, Action: powershell -enc <obfuscated>

Security Audit

Safe
v5 • 1/16/2026

All 810 static findings are FALSE POSITIVES. This is a legitimate DFIR (Digital Forensics and Incident Response) skill using osquery SQL queries to detect malicious activity. The scanner detected detection queries for credential access, PowerShell commands, and suspicious processes - but these are intentionally designed to identify indicators of compromise, not perform malicious actions. The skill includes MITRE ATT&CK mapping and forensic packs for incident response.

Files scanned: 11
Lines analyzed: 3,116
Findings: 3
Total audits: 5
Audited by: claude

Quality Score

Architecture: 59
Maintainability: 100
Content: 85
Community: 30
Security: 100
Spec Compliance: 100

What You Can Build

Incident Response Triage

Rapidly collect system state during security incidents including processes, connections, and user activity.

Hunt for Attack Techniques

Execute MITRE ATT&CK mapped queries to detect adversary techniques across endpoints.

Endpoint Visibility Queries

Query fleets of systems for Indicators of Compromise (IOCs) using SQL-based osquery.

Try These Prompts

  • Basic Process Query: Show me all running processes with deleted executables using osquery
  • Network Analysis: Find processes listening on external network interfaces with their full command lines
  • Persistence Hunt: Query all persistence mechanisms including cron jobs, systemd services, and registry run keys
  • Credential Access: Detect processes accessing /etc/shadow, SAM database, or browser credential files
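The first two prompts above map directly onto osquery's built-in tables. The queries below are an added example written for this page, not the skill's own query pack; they use only the standard `processes`, `listening_ports` and `process_open_sockets` tables, and the RFC 1918 exclusions in the third query are an assumption about a typical network that should be adjusted to your address plan.

```sql
-- 1. Running processes whose executable has been deleted from disk.
--    osquery sets processes.on_disk to 0 when the binary backing a live
--    process is no longer present (Linux/macOS), a classic trait of
--    in-memory droppers and unpacked payloads.
SELECT pid, parent, name, path, cmdline
FROM processes
WHERE on_disk = 0;

-- 2. Processes listening on something other than loopback, with their
--    full command lines. 0.0.0.0 and :: mean "all interfaces", so they
--    stay in the result set on purpose.
SELECT p.pid, p.name, p.cmdline, l.address, l.port, l.protocol
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.address NOT IN ('127.0.0.1', '::1')
  AND l.port != 0;

-- 3. Processes holding sockets to remote peers outside loopback and the
--    two most common RFC 1918 ranges. The LIKE filters are an assumption
--    about a typical network; 172.16/12 is omitted here and should be
--    added to match your own address plan. The WHERE clause keeps the
--    query bounded instead of dumping every socket on the host.
SELECT p.pid, p.name, p.path,
       s.local_port, s.remote_address, s.remote_port, s.protocol
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
ORDER BY p.pid;
```

Run each statement with `osqueryi --json "<query>"` and redirect the output to a file so the evidence is preserved in the JSON form the Best Practices section recommends.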

Best Practices

  • Test queries in a lab environment before running on production systems
  • Use WHERE clauses to limit query scope and reduce performance impact
  • Export query results for evidence preservation with JSON or CSV output

Avoid

  • Do not run unbounded queries on production systems without filtering
  • Do not modify systems during live forensics - use read-only queries
  • Do not rely solely on osquery for real-time alerting without osqueryd

Frequently Asked Questions

What is osquery?
Osquery is an open-source framework that exposes operating system information as queryable SQL tables for endpoint visibility.
Does this skill perform live forensics?
It collects forensic data through queries but does not perform memory acquisition or disk imaging.
What platforms are supported?
Linux, macOS, and Windows endpoints are supported with platform-specific queries.
Do I need special permissions?
Root or administrator privileges are required for kernel modules, process memory, and sensitive tables.
How is this different from EDR?
Osquery provides ad-hoc SQL queries for investigation; EDR provides continuous monitoring with alerting.
What MITRE ATT&CK techniques can be detected?
Coverage includes Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, and Collection techniques.