Threat hunting with osquery

Introduction

In this article, we take a look at osquery and how it can be used to query the security, reliability and compliance state of the systems in your network environment. This is not a beginner's tutorial covering installation; rather, it is an overview of what the tool can do for security professionals.

Overview

To put the power of osquery in perspective, we will analyze the activities of a malware sample and look at how osquery exposes malicious behaviour such as persistence and the installation of root certificates. Where necessary, we will also use other tools alongside osquery.

Obtaining the malware sample

We will need a malware sample to work with. In this case, we will use the well-known Emotet banking Trojan. Emotet spreads by email: the victim opens a malicious Word attachment, its macro runs a dropper (an obfuscated PowerShell command), and the dropper downloads the actual payload. The sandbox report detailing the activities of Emotet can be found here. You can also find the VirusTotal malware summary here.

We will create a Windows 7 environment on VirtualBox and intentionally infect it with Emotet. We will then run osquery queries to retrieve the events generated by PowerShell from the powershell_events table. For that table to return anything, PowerShell script block logging must be enabled first: it writes the reconstructed script blocks (event ID 4104) to the Microsoft-Windows-PowerShell/Operational log, which is the channel osquery reads. Enable it through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or by setting the DWORD value EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. Two caveats: script block logging requires PowerShell 5, so on Windows 7 install Windows Management Framework 5.1 first, and osquery's PowerShell event subscriber must be switched on (in recent osquery builds this is the --enable_powershell_events_subscription=true flag; check osqueryd --help for your version). You can see how to enable script block logging here.

Understanding the malware activities

Once the malware has run in our lab VM, we can view the PowerShell events with the following osquery query:

select time, script_text from powershell_events;

Figure 1. Exposing PowerShell scripts used during malware execution

The two lines below the query in Figure 1 are the script texts that we get back once the query above (Read more...)
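As an added set of hunting queries (example code, not from the original post), the following osqueryi session goes beyond the single select above and looks, on the same infected VM, for the behaviours listed in the overview: suspicious PowerShell script blocks, PowerShell spawned by Word, persistence via Run keys, scheduled tasks and services, and additions to the Root certificate store. Table and column names follow the osquery Windows schema; the LIKE patterns, the process names, the directories treated as user-writable and the store name 'Root' are this example's own assumptions and should be tuned to your environment.

```sql
-- Added hunting queries for osqueryi on the infected Windows VM (example, not from the original post).
-- Assumes the osquery Windows tables powershell_events, processes, registry,
-- scheduled_tasks, services and certificates with their documented columns.

-- 1. Script blocks showing download-cradle or obfuscation indicators.
--    Only populated when script block logging (event 4104) is enabled.
--    script_block_count > 1 means osquery stitched a multi-part block back together.
SELECT time, script_block_id, script_block_count,
       substr(script_text, 1, 200) AS snippet
FROM powershell_events
WHERE lower(script_text) LIKE '%downloadstring%'
   OR lower(script_text) LIKE '%downloadfile%'
   OR lower(script_text) LIKE '%frombase64string%'
   OR lower(script_text) LIKE '%-encodedcommand%'
   OR lower(script_text) LIKE '%invoke-expression%'
   OR lower(script_text) LIKE '%-windowstyle hidden%'
ORDER BY time DESC;

-- 2. Interpreter spawned by an Office process: the macro-to-dropper step.
--    Only catches processes still alive at query time; combine with (1) for history.
--    Process names below are this example's assumptions.
SELECT p.pid, p.name, p.cmdline, pp.name AS parent_name, pp.pid AS parent_pid
FROM processes p
JOIN processes pp ON p.parent = pp.pid
WHERE lower(pp.name) IN ('winword.exe', 'excel.exe')
  AND lower(p.name) IN ('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe');

-- 3. Persistence: Run/RunOnce keys for the machine and every loaded user hive.
--    The registry table needs a key constraint; % wildcards are allowed inside it.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%';

-- 4. Persistence: scheduled tasks and services whose binary lives in a
--    user-writable location (the paths are this example's assumptions).
SELECT name, action, path, enabled, datetime(last_run_time, 'unixepoch') AS last_run
FROM scheduled_tasks
WHERE lower(action) LIKE '%\appdata\%'
   OR lower(action) LIKE '%\temp\%'
   OR lower(action) LIKE '%powershell%';

SELECT name, display_name, status, start_type, path, user_account
FROM services
WHERE lower(path) LIKE '%\appdata\%'
   OR lower(path) LIKE '%\programdata\%'
   OR lower(path) LIKE '%\temp\%';

-- 5. Root-store additions: every trusted root on the box, with its SHA-1.
--    Diff the sha1 column against a snapshot taken before infection; a new
--    root here lets the malware intercept TLS without browser warnings.
SELECT common_name, issuer, self_signed, sha1, store_location, username
FROM certificates
WHERE store = 'Root'
ORDER BY store_location, common_name;
```

Run these one at a time in osqueryi on the infected VM and compare against the same queries run on a clean snapshot of the image; the persistence and certificate queries are only meaningful as a diff, since a stock Windows install already has Run entries, tasks, services and dozens of trusted roots.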

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ncr7XhPmLRU/