/ThreatHunting_with_Osquery

Threat Hunting & Incident Investigation with Osquery

Threat Hunting & Incident Investigation with Osquery

osquerylogo dart

The objective of this repo is to share 100+ hunting queries (osquery) that will help cyber threat analysts (hunter/investigator) in their hunting or investigation exercises. Broadly, I have covered persistence, process interrogation, memory analysis, driver profiling, and other misc categories. Persistence and Process Interrogations queries map to the multiple tactics & techniques/sub-techniques of MITRE ATT&CK framework.

The following are the key highlights under each category. Please have a look at the repo(windows) for the details.

Persistence

  • Registry Run Keys / StartUp Folder
  • RunKeys (with hashvalue)
  • Security Support Provider
  • Service Creation / Modification (auto_start)
  • look for suspicious dlls loaded by any service (with associated username & hash value of the dll)
  • WMI Event Consumers (commandline & script)
  • WMI Process interrogation
  • Application Shimming
  • Print Processors - Reg Keys
  • look for suspicious print drivers
  • Screensaver Backdoor
  • Image File Execution Options Injection (IFEO)(debugger/GolbalFlag)
  • PowerShell Process Interrogation
  • Dynamic Data Exchange (DDE)

Process Interrogation

  • Identify the parent & Grantparent processes for all OR a given process - look for any suspicious parent, child relationships
  • Identifying Suspicious Processes (processes) with usernames (users)
  • Identifying the programs that are running from "TEMP" locations
  • Identify the processes with open pipes (look for suspicious pipe and/or process)
  • Any processes spawning out of wow64 directory
  • Identifying suspicious dlls loaded by any service with user_account associated with it (with hash value)
  • Identify if the binary is signed or not
  • PowerShell Process Interrogation (Parent / children of PowerShell)
  • WMI Process Interrogation (Parent / children of PowerShell)
  • Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (In Bytes)
  • Identifying the processes that makes the remote network connections and look for any suspicious connections

Memory Analysis

Note:I have made an effort to create the queries equivalent to Volatility Plugins

  • pslist equivalent
  • pstree equivalent ( Parent & Child)
  • pstree equivalent ( Grandparent, Parent & Child)
  • dlllist equivalent ( with a specific pid )
  • dlllist - load all the dlls
  • getsids - equivalent
  • svcscan - equivalent
  • netscan - equivalent
  • Code Injection
  • malfind (not exactly) equivalent

Driver Profiling

  • Group By and Order By device_name
  • Drivers without manufacturer name with sign status
  • Unsigned drivers
  • Drivers with no service associated with sign status

Miscellaneous

  • File Profilig - Files with mtime<btime with hash values and sigcheck status in the critical directories
  • Tracking User Changes
  • look for any suspicious domain connection
  • Execution (PS,DDE)
  • Lateral Movement

Linux

Note: I will share "osquery.conf" file and queries related to Linux as I get some time to complete them.