For several years I have wanted to write an osquery extension to perform memory dumps and analysis. I never found the time to take a deep dive into the idea, but since I have been writing osquery-go extensions lately I decided to take a whack at it. This blog post provides a high-level overview of the architecture of this osquery extension, how to generate memory dumps with osquery, and how to remotely analyze those memory dumps with osquery. Follow me on another threat detection engineering experience with osquery-go.
```bash
# Initialize the module and pull the extension's dependencies
go mod init github.com/CptOfEvilMinions/osquery-memory-forensics
go get

# Install go-bindata, which compiles the dumper binaries into a Go source file
go get -u github.com/go-bindata/go-bindata/...
go install github.com/go-bindata/go-bindata/...

# Embed everything under bins/dump/ (the memory dumper binaries) as Go package "dump"
~/go/bin/go-bindata -o assets/dump/bindata.go -pkg dump bins/dump/...
ls -lh assets/dump/bindata.go

# Cross-compile the dump extension for Windows
GOOS=windows go build -o osquery_memory_forensic_dump.exe cmd/dump/osquery-memory-forensics-dump.go
```
- Download Volatility v3
- Copy the binary to bins/analyze as volatility.exe
```bash
# Embed everything under bins/analyze/ (volatility.exe) as Go package "analyze"
~/go/bin/go-bindata -o assets/analyze/bindata.go -pkg analyze bins/analyze/...
ls -lh assets/analyze/bindata.go

# Cross-compile the analyze extension for Windows
GOOS=windows go build -o osquery_memory_forensic_analyze.exe cmd/osquery-memory-forensics-analysis/osquery-memory-forensics-analyze.go
```
To add support for another tool:
- Modify pkg/dumpers/dumpers.go
- Copy the new binary to bins/analyze
- Follow the instructions above to regenerate the go-bindata asset file
- Modify pkg/volatility/volatility.go to support your tool with the proper commands
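The two procedures above (embed a binary with go-bindata, then teach the extension how to run it) come down to a handful of helpers: look up the embedded bytes, drop them to disk with tight permissions, hash the resulting dump so the analyst can verify the copy they pull, and build a fixed argv for volatility.exe from a query parameter. The following is an added example of that pattern written for this post; it is not the project's code. It uses a stand-in map instead of the go-bindata Asset() function, a constructed placeholder instead of a real dumper binary, an assumed set of Volatility 3 plugins, and omits the osquery-go table registration, which the real extension does around these helpers.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"time"
)

// embeddedTools stands in for the go-bindata generated Asset() lookup that
// assets/dump/bindata.go provides in the real extension. The content is a
// constructed placeholder, not a real dumper binary.
var embeddedTools = map[string][]byte{
	"bins/dump/winpmem.exe": []byte("MZ constructed placeholder, not a real PE"),
}

// ExtractTool writes an embedded tool to dir and returns its path.
// Hypothetical helper: the real extension has its own extraction code.
// The 0o700 mode matters on Linux/macOS; Go only honours the read-only bit
// on Windows, so there the directory's ACL is what protects the binary.
func ExtractTool(assetName, dir string) (string, error) {
	data, ok := embeddedTools[assetName]
	if !ok {
		return "", fmt.Errorf("no embedded asset %q", assetName)
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	dst := filepath.Join(dir, filepath.Base(assetName))
	if err := os.WriteFile(dst, data, 0o700); err != nil {
		return "", err
	}
	return dst, nil
}

// Sha256File streams a file through SHA-256 and returns the hex digest. The
// dump table reports this so the analyst can verify the copy they retrieve.
func Sha256File(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// DumpName builds a unique output name from the hostname and a Unix epoch.
func DumpName(hostname string, t time.Time, ext string) string {
	return fmt.Sprintf("%s_%d.%s", hostname, t.Unix(), ext)
}

// VolatilityArgs maps a plugin name to the argv handed to volatility.exe
// (-f <dump> -r json <plugin>). Only an allow-list of plugins is accepted,
// so a query cannot smuggle arbitrary arguments to the embedded binary.
// The plugin set is an assumption for this example.
func VolatilityArgs(dumpPath, plugin string) ([]string, error) {
	allowed := map[string]string{
		"pslist":  "windows.pslist",
		"netscan": "windows.netscan",
		"cmdline": "windows.cmdline",
	}
	vp, ok := allowed[plugin]
	if !ok {
		return nil, errors.New("unsupported plugin: " + plugin)
	}
	return []string{"-f", dumpPath, "-r", "json", vp}, nil
}

func main() {
	dir := filepath.Join(os.TempDir(), "osq-memfor-example")
	tool, err := ExtractTool("bins/dump/winpmem.exe", dir)
	if err != nil {
		panic(err)
	}
	digest, err := Sha256File(tool)
	if err != nil {
		panic(err)
	}
	fmt.Println("extracted:", tool, "sha256:", digest)
	fmt.Println("dump name:", DumpName("WIN10-LAB", time.Now(), "raw"))
	args, _ := VolatilityArgs(`C:\Temp\WIN10-LAB_1600000000.raw`, "pslist")
	fmt.Println("volatility argv:", args)
}
```

The allow-list in VolatilityArgs is the part worth copying when you extend pkg/volatility/volatility.go: the plugin name arrives from an osquery query, so it should select from a fixed table of commands rather than be concatenated into the command line.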
- Combine absolute path and relative path to get a new absolute path
- Go by Example: Epoch
- PsExec gets stuck on licence prompt when running non-interactively
- Package strconv
- ProcDump v9.0
- Go and file perms on Windows
- Hash checksums: MD5, SHA-1, SHA-256
- GitHub - getlantern/byteexec
- package byteexec
- Embedding data in Go executables
- GitHub - go-bindata/go-bindata
- Stack Overflow - How can I get the user's AppData folder path with golang?
- Golang hash sum and checksum to string tutorial and examples
- Package sha256
- Go: Read a whole file into a string (byte slice)
- Self-hosting Sentry With Docker and Docker-compose
- Kolide - Configuring The Fleet Binary
- DockerHub - MySQL
- DockerHub - Kolide
- Go Date and Time Formatting
- NGINX as a WebSocket Proxy
- DockerHub - NGINX
- PowerShell Set-Content
- WinPmem