OS analysis tool osquery finally available for Windows

Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

Osquery is an extremely popular operating system analysis tool for OS X and Linux. It exposes the OS as a high-performance relational database, and allows users to write SQL-based queries to explore OS data.

“With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes,” Facebook security engineer Nick Anderson noted in the announcement.

Among other uses, Facebook relies on it to inventory all the browser extensions installed across its corporate network, so that malicious ones can be spotted and removed quickly.
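The kind of query behind that extension inventory, as an added example rather than code from the article or from the osquery project: it assumes osquery's `chrome_extensions` and `users` tables with the columns named in the comments, and treats an extension whose update server is not the Chrome Web Store as worth a closer look.

```sql
-- Per-user inventory of Chrome extensions, with a coarse classification of
-- where each extension gets its updates from. Joining through the users
-- table is the documented way to enumerate every profile on the host.
-- Assumed columns: chrome_extensions(uid, name, identifier, version, path,
-- update_url, persistent) and users(uid, username).
SELECT
  u.username,
  ce.name,
  ce.identifier,
  ce.version,
  ce.path,
  ce.update_url,
  ce.persistent,          -- 1 = has a background page (runs continuously)
  CASE
    WHEN ce.update_url LIKE 'https://clients2.google.com/service/update2/crx%'
      THEN 'webstore'
    WHEN ce.update_url IS NULL OR ce.update_url = ''
      THEN 'no_update_url'   -- unpacked / developer-mode or sideloaded
    ELSE 'non_webstore'      -- third-party update server: review
  END AS update_source
FROM users AS u
JOIN chrome_extensions AS ce USING (uid)
WHERE ce.identifier NOT IN (
  -- Constructed placeholder allowlist: replace with the identifiers of
  -- extensions your organisation has approved.
  'REPLACE_WITH_APPROVED_EXTENSION_ID'
)
ORDER BY update_source, u.username, ce.name;
```

Run it interactively in `osqueryi` to see the current state; scheduled in `osqueryd` with differential logging, the same query reports only extensions that appear or disappear between runs.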

The port of osquery to Windows was performed with the help of engineers from independent infosec company Trail of Bits. They have documented the process and shared insight into the issues they encountered and the solutions they came up with, and have promised to write more for those who are interested in the technical details.

The port was worth the effort, they noted, because no comparable solution existed for Windows, despite the ubiquity of the OS in enterprise networks.

“To gather [operating system information] information, you’d have to cobble together a manual solution, or pay for a commercial product, which would be expensive, force vendor reliance, and lock your organization into using a proprietary – and potentially buggy – agent. Since most of these services are cloud-based, you’d also risk exposing potentially sensitive data,” they noted.

To start using the developer kit on Windows, follow this guide.
