Osquery Detection Queries Every Security Team Should Deploy

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Osquery exposes your entire fleet as a SQL-queryable database. Every running process, network connection, loaded kernel module, scheduled task, and cron job becomes a row in a table you can query with SQL. The result is endpoint detection that is fast, scriptable, auditable, and free. This guide covers the detection queries that security teams consistently wish they had deployed before their last incident, covering the most common attack techniques mapped to MITRE ATT&CK and tuned for production environments with thousands of endpoints.
Osquery Fleet Deployment Patterns
Before the queries, a note on deployment. Osquery is most powerful in a managed fleet configuration where scheduled queries run automatically and ship results to a central SIEM.
Fleet management options
Kolide Fleet (now Fleet by Fleet DM) is the recommended open-source osquery fleet manager. Uptycs, Doorman, and Carbon Black all offer managed osquery backends. For AWS-native environments, AWS Systems Manager with osquery installed via SSM Run Command gives central query execution without additional tooling.
osquery.conf scheduled query pattern
All queries below can be added to osquery.conf under schedule. Example: {"schedule": {"detect_launchagents": {"query": "SELECT...", "interval": 3600, "snapshot": true, "description": "Detect unusual LaunchAgents"}}}. Use snapshot: true for detection queries to ship full result sets rather than differential diffs.
SIEM integration
osquery ships results in JSON to stdout or a configured logger plugin. Use the filesystem logger to write to /var/log/osquery/osqueryd.results.log, then ship with Filebeat/Fluentd to Elastic, Splunk, or Microsoft Sentinel. Fleet DM provides native webhook and S3 export.
Performance tuning
Resource-intensive queries (process file opens, module loads) should run at 3600s or higher. High-signal persistence queries (LaunchAgents, cron, services) can run at 300s. Network queries at 60s. Configure watchdog_memory_limit (200MB default) and watchdog_utilization_limit (10% default) to prevent fleet-wide performance impact.
Persistence Detection Queries
Persistence is the highest-priority detection category, an attacker who survives a reboot has time on their side. These queries cover the most common persistence mechanisms across macOS, Linux, and Windows.
macOS LaunchAgents and LaunchDaemons (T1543.001, T1543.004)
SELECT la.name, la.path, la.program, la.program_arguments, s.username FROM launchd la LEFT JOIN (SELECT uid, username FROM users) s ON la.uid = s.uid WHERE la.path LIKE '/Users/%/Library/LaunchAgents/%' OR la.path LIKE '/Library/LaunchAgents/%' OR la.path LIKE '/Library/LaunchDaemons/%' ORDER BY la.path. Alert on entries with program_arguments containing curl, bash -c, python, or base64-encoded strings, or paths under /tmp.
Linux cron and suspicious commands (T1053.003)
SELECT c.command, c.path, c.minute, c.hour, u.username FROM crontab c LEFT JOIN users u ON c.path LIKE '/var/spool/cron/' || u.username || '%' WHERE c.command LIKE '%curl%' OR c.command LIKE '%wget%' OR c.command LIKE '%nc %' OR c.command LIKE '%/tmp/%' OR c.command LIKE '%-e bash%'. Alert on any cron entry invoking network utilities or shell evaluators.
Windows Run keys and startup folders (T1547.001)
SELECT name, path, source, status, username FROM startup_items WHERE type IN ('startup_items', 'run_keys') AND (path LIKE '%\\Temp\\%' OR path LIKE '%\\AppData\\Roaming\\%' OR path LIKE '%\\AppData\\Local\\%' OR path LIKE '%.ps1' OR path LIKE '%.vbs' OR path LIKE '%.js'). Alert on script-based entries in user-writable locations.
Malicious npm global installs creating persistence
SELECT f.path, f.ctime, f.mtime, f.uid FROM file f WHERE f.path LIKE '/usr/local/lib/node_modules/%/postinstall%' OR f.path LIKE '/usr/lib/node_modules/%/postinstall%' OR f.path LIKE '%/.npm/_npx/%/*.sh' ORDER BY f.ctime DESC LIMIT 50. Postinstall scripts in recently installed npm packages are a primary supply chain persistence vector.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Credential Access Detection Queries
Credential access is stage 2 or 3 in most attacks. These queries detect the most common credential dumping and harvesting techniques.
macOS keychain access outside expected apps (T1555.001)
SELECT p.name, p.pid, p.cmdline, po.name AS parent_process FROM processes p JOIN processes po ON p.parent = po.pid JOIN process_open_files pof ON p.pid = pof.pid WHERE pof.path LIKE '%/Library/Keychains/%' AND p.name NOT IN ('Keychain Access', 'securityd', 'Safari', 'Chrome', 'Firefox', '1Password', 'Bitwarden') ORDER BY p.start_time DESC.
SSH private key access (T1552.004)
SELECT p.name, p.pid, p.cmdline, f.path FROM processes p JOIN process_open_files pof ON p.pid = pof.pid JOIN file f ON pof.path = f.path WHERE f.path LIKE '%/.ssh/id_%' AND f.path NOT LIKE '%.pub' AND p.name NOT IN ('ssh', 'ssh-agent', 'scp', 'sftp', 'git') ORDER BY p.start_time DESC. Alert on any process reading SSH private keys that is not an expected SSH client.
Browser credential database access (T1555.003)
SELECT p.name, p.pid, p.cmdline, f.path, f.ctime FROM processes p JOIN process_open_files pof ON p.pid = pof.pid JOIN file f ON pof.path = f.path WHERE (f.path LIKE '%/Chrome/Default/Login Data%' OR f.path LIKE '%/Firefox/Profiles/%logins.json%' OR f.path LIKE '%/Cookies%') AND p.name NOT IN ('Google Chrome', 'firefox', 'msedge', 'chromium') ORDER BY f.ctime DESC.
Network and Lateral Movement Detection
These queries surface unexpected network connections, reverse shells, and lateral movement indicators.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Supply Chain and Developer Environment Detection
These queries are specifically tuned for developer endpoints where supply chain attacks are most impactful.
Recently modified npm package scripts
SELECT f.path, f.mtime, f.size, f.uid FROM file f WHERE (f.path LIKE '/usr/local/lib/node_modules/%/package.json' OR f.path LIKE '%/node_modules/.bin/%') AND f.mtime > (strftime('%s', 'now') - 3600) ORDER BY f.mtime DESC LIMIT 100. Package.json or .bin symlinks modified in the last hour on a developer workstation warrant immediate investigation.
Processes spawned from node_modules (T1195.002)
SELECT p.pid, p.name, p.cmdline, p.cwd, po.name AS parent, po.cmdline AS parent_cmdline FROM processes p JOIN processes po ON p.parent = po.pid WHERE p.path LIKE '%/node_modules/%' OR p.cmdline LIKE '%/node_modules/.bin/%' OR (po.name = 'node' AND p.name IN ('bash', 'sh', 'python', 'curl', 'wget', 'nc')) ORDER BY p.start_time DESC LIMIT 50. Shell or network utilities spawned as children of node processes are a primary signal for malicious postinstall scripts.
Git credential helper access
SELECT p.name, p.pid, p.cmdline, po.name AS parent FROM processes p JOIN processes po ON p.parent = po.pid WHERE p.name LIKE 'git-credential%' OR p.cmdline LIKE '%credential.helper%' OR (p.name = 'git' AND p.cmdline LIKE '%config --global%' AND p.cmdline LIKE '%credential%') ORDER BY p.start_time DESC. Unexpected git credential helper invocations outside normal development workflows indicate credential harvesting, the exact vector used in the TanStack supply chain attack.
Fleet-Wide Hunting Queries
These queries are designed for periodic fleet-wide threat hunting rather than continuous scheduled detection.
Processes without corresponding disk binaries (T1055, T1620)
SELECT p.name, p.pid, p.path, p.cmdline, p.parent FROM processes p LEFT JOIN file f ON p.path = f.path WHERE f.path IS NULL AND p.path != '' AND p.name NOT IN ('kworker', 'kthread', 'ksoftirqd') ORDER BY p.start_time DESC. Running processes without a corresponding file on disk indicate process injection, fileless malware, or deleted-after-launch executables.
Unsigned executables in user-writable paths (macOS)
SELECT cs.path, cs.signed, cs.identifier, cs.authority, p.pid FROM processes p JOIN signature cs ON p.path = cs.path WHERE (p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' OR p.path LIKE '/Users/%/Downloads/%' OR p.path LIKE '/Users/%/Library/Application Support/%') AND cs.signed != 1 ORDER BY p.start_time DESC. Unsigned executables running from user-writable or temp paths are a persistent red flag.
The bottom line
Deploy the persistence and credential access queries this week. The investment is hours; the detection capability is immediate and persistent across your entire fleet. Every endpoint becomes a sensor you can query in SQL.
Frequently asked questions
How does osquery compare to an EDR solution like CrowdStrike or SentinelOne?
Osquery is a query framework, not a detection engine, it doesn't provide real-time behavioral analysis, machine learning-based anomaly detection, or automated response. EDR solutions are significantly more capable for real-time threat detection. The value of osquery is in custom deep-dive queries: checking specific configuration states, hunting for indicators your EDR doesn't have signatures for, or interrogating endpoints during incident response.
Can osquery detect fileless malware?
Osquery can detect indicators associated with fileless malware, processes without corresponding disk binaries, unexpected DLL loads, suspicious memory-mapped regions via the process_memory_map table. It cannot perform kernel-level memory scanning like a traditional EDR antimalware engine. For fileless malware detection at scale, osquery should complement rather than replace EDR with memory protection capabilities.
What is the performance impact of running all these queries?
Heavy queries (process_open_files JOINs, process_open_sockets JOINs) can be CPU-intensive on busy systems. Best practice: start with high-value, low-cost queries (persistence mechanism tables, startup_items, launchd) at 300s intervals, then gradually add process join queries at 3600s intervals while monitoring CPU usage via the osquery_info table. A well-tuned deployment typically uses under 1% sustained CPU.
How do I deploy osquery to thousands of endpoints?
For macOS: distribute via your MDM (Jamf, Kandji, Mosyle) as a custom package with osquery.conf and launchd plist. For Windows: deploy via Intune or SCCM with osquery MSI + configuration registry keys. For Linux: use your configuration management tool (Puppet, Chef, Ansible) with the osquery package and /etc/osquery/osquery.conf. Fleet DM provides centralized management with a UI, query scheduling, and live query capability across all platforms.
Can osquery be used for incident response and forensic investigation?
Yes. Osquery's live query capability (via Fleet DM or osqueryi locally) makes it effective for rapid forensic triage during IR. Key IR queries: SELECT * FROM processes WHERE on_disk = 0 (processes with no backing executable -- injected code); SELECT * FROM listening_ports WHERE address NOT IN ('127.0.0.1', '::1') (internet-facing services); SELECT * FROM users WHERE shell NOT IN ('/bin/false', '/sbin/nologin') (active user accounts); SELECT * FROM startup_items (persistence mechanisms); SELECT * FROM logged_in_users (current sessions). Osquery is read-only -- it cannot modify system state, which is appropriate for forensic work. For fleet-wide hunting during an incident, Fleet DM's live query allows running these queries across all endpoints simultaneously and returning results within seconds.
How do I tune osquery scheduled queries to minimize false positives in a SIEM?
Start with snapshot queries rather than differential queries for detection use cases. Snapshot mode ships the full result set every interval, giving your SIEM a consistent view rather than just changes, which reduces missed detections when agents restart or queries are edited. In your SIEM, build an allowlist of known-good process and path combinations per operating system before enabling alerting on results -- for example, populate an allowed list of valid LaunchDaemon plists by running the query across your fleet in the first week and reviewing every entry. For network-heavy queries (process_open_sockets joins), apply suppression rules for well-known application processes and internal IP ranges. The goal is a per-query false positive rate under 0.5% before you enable on-call alerting; otherwise alert fatigue causes queries to be disabled entirely.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
