Osquery

This is absolutely hands down my favorite "blue team" security tool. It is an extremely versatile and powerful, that allows you to quickly gather a wealth of information from a single endpoint or every endpoint in your fleet.

Queries

Libreoffice (CVE-2018-16858) - Remote Code Execution via Macro/Event execution

Additional information about the vulnerablity can be found in this The Hacker News article.

macOS

SELECT * FROM apps WHERE bundle_name like 'LibreOffice%' and (bundle_short_version = '6.0.7003');

Windows

SELECT * FROM programs WHERE name like 'LibreOffice%' and (version = '6.0.7.3');

Linux

SELECT * FROM deb_packages where name like 'libreoffice-core%' and (version like `1:6.0.7%`);

Extensions

Detect Responder (LLMNR, NBT-NS, MDNS poisoner) with osquery

Blogs and Such

Osquery Windows Process Event Auditing by Dennis Griffin

Community

Osquery Slack The Osquery Blog - Community Articles