PRACTITIONER GUIDE
Practitioner GuideUpdated 15 min read

Osquery Detection Queries Every Security Team Should Deploy

SQL
every running process, network connection, loaded module, scheduled task, and cron job becomes a row you can query
< 1%
sustained CPU usage for a well-tuned osquery deployment across thousands of endpoints
Free
osquery is open-source; Fleet DM fleet manager is also open-source with a hosted option

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Osquery exposes your entire fleet as a SQL-queryable database. Every running process, network connection, loaded kernel module, scheduled task, and cron job becomes a row in a table you can query with SQL. The result is endpoint detection that is fast, scriptable, auditable, and free. This guide covers the detection queries that security teams consistently wish they had deployed before their last incident, covering the most common attack techniques mapped to MITRE ATT&CK and tuned for production environments with thousands of endpoints.

Osquery Fleet Deployment Patterns

Before the queries, a note on deployment. Osquery is most powerful in a managed fleet configuration where scheduled queries run automatically and ship results to a central SIEM.

Fleet management options

Kolide Fleet (now Fleet by Fleet DM) is the recommended open-source osquery fleet manager. Uptycs, Doorman, and Carbon Black all offer managed osquery backends. For AWS-native environments, AWS Systems Manager with osquery installed via SSM Run Command gives central query execution without additional tooling.

osquery.conf scheduled query pattern

All queries below can be added to osquery.conf under schedule. Example: {"schedule": {"detect_launchagents": {"query": "SELECT...", "interval": 3600, "snapshot": true, "description": "Detect unusual LaunchAgents"}}}. Use snapshot: true for detection queries to ship full result sets rather than differential diffs.

SIEM integration

osquery ships results in JSON to stdout or a configured logger plugin. Use the filesystem logger to write to /var/log/osquery/osqueryd.results.log, then ship with Filebeat/Fluentd to Elastic, Splunk, or Microsoft Sentinel. Fleet DM provides native webhook and S3 export.

Performance tuning

Resource-intensive queries (process file opens, module loads) should run at 3600s or higher. High-signal persistence queries (LaunchAgents, cron, services) can run at 300s. Network queries at 60s. Configure watchdog_memory_limit (200MB default) and watchdog_utilization_limit (10% default) to prevent fleet-wide performance impact.

Persistence Detection Queries

Persistence is the highest-priority detection category, an attacker who survives a reboot has time on their side. These queries cover the most common persistence mechanisms across macOS, Linux, and Windows.

macOS LaunchAgents and LaunchDaemons (T1543.001, T1543.004)

SELECT la.name, la.path, la.program, la.program_arguments, s.username FROM launchd la LEFT JOIN (SELECT uid, username FROM users) s ON la.uid = s.uid WHERE la.path LIKE '/Users/%/Library/LaunchAgents/%' OR la.path LIKE '/Library/LaunchAgents/%' OR la.path LIKE '/Library/LaunchDaemons/%' ORDER BY la.path. Alert on entries with program_arguments containing curl, bash -c, python, or base64-encoded strings, or paths under /tmp.

Linux cron and suspicious commands (T1053.003)

SELECT c.command, c.path, c.minute, c.hour, u.username FROM crontab c LEFT JOIN users u ON c.path LIKE '/var/spool/cron/' || u.username || '%' WHERE c.command LIKE '%curl%' OR c.command LIKE '%wget%' OR c.command LIKE '%nc %' OR c.command LIKE '%/tmp/%' OR c.command LIKE '%-e bash%'. Alert on any cron entry invoking network utilities or shell evaluators.

Windows Run keys and startup folders (T1547.001)

SELECT name, path, source, status, username FROM startup_items WHERE type IN ('startup_items', 'run_keys') AND (path LIKE '%\\Temp\\%' OR path LIKE '%\\AppData\\Roaming\\%' OR path LIKE '%\\AppData\\Local\\%' OR path LIKE '%.ps1' OR path LIKE '%.vbs' OR path LIKE '%.js'). Alert on script-based entries in user-writable locations.

Malicious npm global installs creating persistence

SELECT f.path, f.ctime, f.mtime, f.uid FROM file f WHERE f.path LIKE '/usr/local/lib/node_modules/%/postinstall%' OR f.path LIKE '/usr/lib/node_modules/%/postinstall%' OR f.path LIKE '%/.npm/_npx/%/*.sh' ORDER BY f.ctime DESC LIMIT 50. Postinstall scripts in recently installed npm packages are a primary supply chain persistence vector.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Credential Access Detection Queries

Credential access is stage 2 or 3 in most attacks. These queries detect the most common credential dumping and harvesting techniques.

macOS keychain access outside expected apps (T1555.001)

SELECT p.name, p.pid, p.cmdline, po.name AS parent_process FROM processes p JOIN processes po ON p.parent = po.pid JOIN process_open_files pof ON p.pid = pof.pid WHERE pof.path LIKE '%/Library/Keychains/%' AND p.name NOT IN ('Keychain Access', 'securityd', 'Safari', 'Chrome', 'Firefox', '1Password', 'Bitwarden') ORDER BY p.start_time DESC.

SSH private key access (T1552.004)

SELECT p.name, p.pid, p.cmdline, f.path FROM processes p JOIN process_open_files pof ON p.pid = pof.pid JOIN file f ON pof.path = f.path WHERE f.path LIKE '%/.ssh/id_%' AND f.path NOT LIKE '%.pub' AND p.name NOT IN ('ssh', 'ssh-agent', 'scp', 'sftp', 'git') ORDER BY p.start_time DESC. Alert on any process reading SSH private keys that is not an expected SSH client.

Browser credential database access (T1555.003)

SELECT p.name, p.pid, p.cmdline, f.path, f.ctime FROM processes p JOIN process_open_files pof ON p.pid = pof.pid JOIN file f ON pof.path = f.path WHERE (f.path LIKE '%/Chrome/Default/Login Data%' OR f.path LIKE '%/Firefox/Profiles/%logins.json%' OR f.path LIKE '%/Cookies%') AND p.name NOT IN ('Google Chrome', 'firefox', 'msedge', 'chromium') ORDER BY f.ctime DESC.

Network and Lateral Movement Detection

These queries surface unexpected network connections, reverse shells, and lateral movement indicators.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Supply Chain and Developer Environment Detection

These queries are specifically tuned for developer endpoints where supply chain attacks are most impactful.

Recently modified npm package scripts

SELECT f.path, f.mtime, f.size, f.uid FROM file f WHERE (f.path LIKE '/usr/local/lib/node_modules/%/package.json' OR f.path LIKE '%/node_modules/.bin/%') AND f.mtime > (strftime('%s', 'now') - 3600) ORDER BY f.mtime DESC LIMIT 100. Package.json or .bin symlinks modified in the last hour on a developer workstation warrant immediate investigation.

Processes spawned from node_modules (T1195.002)

SELECT p.pid, p.name, p.cmdline, p.cwd, po.name AS parent, po.cmdline AS parent_cmdline FROM processes p JOIN processes po ON p.parent = po.pid WHERE p.path LIKE '%/node_modules/%' OR p.cmdline LIKE '%/node_modules/.bin/%' OR (po.name = 'node' AND p.name IN ('bash', 'sh', 'python', 'curl', 'wget', 'nc')) ORDER BY p.start_time DESC LIMIT 50. Shell or network utilities spawned as children of node processes are a primary signal for malicious postinstall scripts.

Git credential helper access

SELECT p.name, p.pid, p.cmdline, po.name AS parent FROM processes p JOIN processes po ON p.parent = po.pid WHERE p.name LIKE 'git-credential%' OR p.cmdline LIKE '%credential.helper%' OR (p.name = 'git' AND p.cmdline LIKE '%config --global%' AND p.cmdline LIKE '%credential%') ORDER BY p.start_time DESC. Unexpected git credential helper invocations outside normal development workflows indicate credential harvesting, the exact vector used in the TanStack supply chain attack.

Fleet-Wide Hunting Queries

These queries are designed for periodic fleet-wide threat hunting rather than continuous scheduled detection.

Processes without corresponding disk binaries (T1055, T1620)

SELECT p.name, p.pid, p.path, p.cmdline, p.parent FROM processes p LEFT JOIN file f ON p.path = f.path WHERE f.path IS NULL AND p.path != '' AND p.name NOT IN ('kworker', 'kthread', 'ksoftirqd') ORDER BY p.start_time DESC. Running processes without a corresponding file on disk indicate process injection, fileless malware, or deleted-after-launch executables.

Unsigned executables in user-writable paths (macOS)

SELECT cs.path, cs.signed, cs.identifier, cs.authority, p.pid FROM processes p JOIN signature cs ON p.path = cs.path WHERE (p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' OR p.path LIKE '/Users/%/Downloads/%' OR p.path LIKE '/Users/%/Library/Application Support/%') AND cs.signed != 1 ORDER BY p.start_time DESC. Unsigned executables running from user-writable or temp paths are a persistent red flag.

The bottom line

Deploy the persistence and credential access queries this week. The investment is hours; the detection capability is immediate and persistent across your entire fleet. Every endpoint becomes a sensor you can query in SQL.

Frequently asked questions

How does osquery compare to an EDR solution like CrowdStrike or SentinelOne?

Osquery is a query framework, not a detection engine, it doesn't provide real-time behavioral analysis, machine learning-based anomaly detection, or automated response. EDR solutions are significantly more capable for real-time threat detection. The value of osquery is in custom deep-dive queries: checking specific configuration states, hunting for indicators your EDR doesn't have signatures for, or interrogating endpoints during incident response.

Can osquery detect fileless malware?

Osquery can detect indicators associated with fileless malware, processes without corresponding disk binaries, unexpected DLL loads, suspicious memory-mapped regions via the process_memory_map table. It cannot perform kernel-level memory scanning like a traditional EDR antimalware engine. For fileless malware detection at scale, osquery should complement rather than replace EDR with memory protection capabilities.

What is the performance impact of running all these queries?

Heavy queries (process_open_files JOINs, process_open_sockets JOINs) can be CPU-intensive on busy systems. Best practice: start with high-value, low-cost queries (persistence mechanism tables, startup_items, launchd) at 300s intervals, then gradually add process join queries at 3600s intervals while monitoring CPU usage via the osquery_info table. A well-tuned deployment typically uses under 1% sustained CPU.

How do I deploy osquery to thousands of endpoints?

For macOS: distribute via your MDM (Jamf, Kandji, Mosyle) as a custom package with osquery.conf and launchd plist. For Windows: deploy via Intune or SCCM with osquery MSI + configuration registry keys. For Linux: use your configuration management tool (Puppet, Chef, Ansible) with the osquery package and /etc/osquery/osquery.conf. Fleet DM provides centralized management with a UI, query scheduling, and live query capability across all platforms.

Can osquery be used for incident response and forensic investigation?

Yes. Osquery's live query capability (via Fleet DM or osqueryi locally) makes it effective for rapid forensic triage during IR. Key IR queries: SELECT * FROM processes WHERE on_disk = 0 (processes with no backing executable -- injected code); SELECT * FROM listening_ports WHERE address NOT IN ('127.0.0.1', '::1') (internet-facing services); SELECT * FROM users WHERE shell NOT IN ('/bin/false', '/sbin/nologin') (active user accounts); SELECT * FROM startup_items (persistence mechanisms); SELECT * FROM logged_in_users (current sessions). Osquery is read-only -- it cannot modify system state, which is appropriate for forensic work. For fleet-wide hunting during an incident, Fleet DM's live query allows running these queries across all endpoints simultaneously and returning results within seconds.

How do I tune osquery scheduled queries to minimize false positives in a SIEM?

Start with snapshot queries rather than differential queries for detection use cases. Snapshot mode ships the full result set every interval, giving your SIEM a consistent view rather than just changes, which reduces missed detections when agents restart or queries are edited. In your SIEM, build an allowlist of known-good process and path combinations per operating system before enabling alerting on results -- for example, populate an allowed list of valid LaunchDaemon plists by running the query across your fleet in the first week and reviewing every entry. For network-heavy queries (process_open_sockets joins), apply suppression rules for well-known application processes and internal IP ranges. The goal is a per-query false positive rate under 0.5% before you enable on-call alerting; otherwise alert fatigue causes queries to be disabled entirely.

Sources & references

  1. osquery documentation
  2. Fleet DM (osquery fleet manager)
  3. osquery schema reference
  4. MITRE ATT&CK: Persistence

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.