Skip to content

Kirtar22/ThreatHunting_with_Osquery

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
Linux
Linux
 
 
windows
windows
 
 
OIP.bmp
OIP.bmp
 
 
README.md
README.md
 
 
osquery.png
osquery.png
 
 
wp.png
wp.png
 
 

Repository files navigation

Threat Hunting & Incident Investigation with Osquery

osquerylogo dart

The objective of this repo is to share 100+ hunting queries (osquery) that will help cyber threat analysts (hunter/investigator) in their hunting or investigation exercises. Broadly, I have covered persistence, process interrogation, memory analysis, driver profiling, and other misc categories. Persistence and Process Interrogations queries map to the multiple tactics & techniques/sub-techniques of MITRE ATT&CK framework.

The following are the key highlights under each category. Please have a look at the repo(windows) for the details.

Persistence

  • Registry Run Keys / StartUp Folder
  • RunKeys (with hashvalue)
  • Security Support Provider
  • Service Creation / Modification (auto_start)
  • look for suspicious dlls loaded by any service (with associated username & hash value of the dll)
  • WMI Event Consumers (commandline & script)
  • WMI Process interrogation
  • Application Shimming
  • Print Processors - Reg Keys
  • look for suspicious print drivers
  • Screensaver Backdoor
  • Image File Execution Options Injection (IFEO)(debugger/GolbalFlag)
  • PowerShell Process Interrogation
  • Dynamic Data Exchange (DDE)

Process Interrogation

  • Identify the parent & Grantparent processes for all OR a given process - look for any suspicious parent, child relationships
  • Identifying Suspicious Processes (processes) with usernames (users)
  • Identifying the programs that are running from "TEMP" locations
  • Identify the processes with open pipes (look for suspicious pipe and/or process)
  • Any processes spawning out of wow64 directory
  • Identifying suspicious dlls loaded by any service with user_account associated with it (with hash value)
  • Identify if the binary is signed or not
  • PowerShell Process Interrogation (Parent / children of PowerShell)
  • WMI Process Interrogation (Parent / children of PowerShell)
  • Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (In Bytes)
  • Identifying the processes that makes the remote network connections and look for any suspicious connections

Memory Analysis

Note:I have made an effort to create the queries equivalent to Volatility Plugins

  • pslist equivalent
  • pstree equivalent ( Parent & Child)
  • pstree equivalent ( Grandparent, Parent & Child)
  • dlllist equivalent ( with a specific pid )
  • dlllist - load all the dlls
  • getsids - equivalent
  • svcscan - equivalent
  • netscan - equivalent
  • Code Injection
  • malfind (not exactly) equivalent

Driver Profiling

  • Group By and Order By device_name
  • Drivers without manufacturer name with sign status
  • Unsigned drivers
  • Drivers with no service associated with sign status

Miscellaneous

  • File Profilig - Files with mtime<btime with hash values and sigcheck status in the critical directories
  • Tracking User Changes
  • look for any suspicious domain connection
  • Execution (PS,DDE)
  • Lateral Movement

Linux

Note: I will share "osquery.conf" file and queries related to Linux as I get some time to complete them.

About

Threat Hunting & Incident Investigation with Osquery

Topics

incident-response forensics dfir cybersecurity threat-hunting osquery

Resources

Readme
Activity

Stars

198 stars

Watchers

11 watching

Forks

30 forks
Report repository

Releases

No releases published

Packages

No packages published