using the osquery carver to pull files

The osquery carver is a feature of osquery that allows you to pull files back to your distributed endpoint from a client machine. This feature is available in all versions of osquery after 2.5.0.

configuration

The carver is an advanced feature of osquery, and it will not work properly, or at all, unless several flags are set. These are the flags I'll be working with in this explanation. Note that you must also have the flags for a distributed endpoint set up if you intend to run the example commands.